Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.oval:org.mitre.oval:def:868Updated kernel packages available for Red Hat Enterprise Linux 3 Update 1bid 9429Linux kernel ptrace allows elevated privilegesRed Hat Enterprise Linux kernel-2.4.21 does not perform adequate checking of eflags when in 32-bit ptrace emulation modeGLSA-200402-06The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function.cvs commit: src/sys/netinet ip_icmp.c tcp.h tcp_input.c tcp_subr.c tcp_usrreq.c tcp_var.hbid 9572Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."Updated Fedora Core 1 testing kernelUpdated kernel packages resolve minor security vulnerabilitiesSUSE Security Announcement: Linux Kernel (SuSE-SA:2004:005)DSA-479DSA-480DSA-481DSA-482DSA-489DSA-491DSA-495RHSA-2004:065SuSE-SA:2004:005OVAL1017OVAL834MDKSA-2004:029RHSA-2004:106RHSA-2004:166TLSA-2004-14O-082O-121O-126O-127O-1459570107821091110912112021136111362113691137011376114641189112075linux-r128-gain-priviliges(15029)oval:org.mitre.oval:def:1017oval:org.mitre.oval:def:834The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users.OpenCA Security Advisorybid 943520040116 [OpenCA Advisory] Vulnerability in signature verificationVU#336446openca-improper-signature-verification(14847)3615Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte.Advisory 01/2004: 12 x Gaim remote overflows12 x Gaim remote overflowsDSA-434-1 gaim -- several vulnerabilitiesVU#190366VU#226974VU#404470VU#65597420040126 Advisory 01/2004: 12 x Gaim remote overflowsGLSA-200401-04SuSE-SA:2004:004gaim-mime-decoder-bo(14942)gaim-mime-decoder-oob(14944)gaim-yahoodecode-offbyone-bo(14935)gaim-sscanf-oob(14938)CLA-2004:813SSA:2004-02637361008850Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.Gentoo Linux Security Advisory12 x Gaim remote overflowsUltramagnetic Advisory #001: Multiple Vulnerabilities in Gaim CodeUpdated Gaim packages fix various vulnerabiliiesAdvisory 01/2004: 12 x Gaim remote overflowsRHSA-2004:033RHSA-2004:045MDKSA-2004:006SuSE-SA:2004:004DSA-43420040201-01-UOVAL818VU#297198VU#371382VU#444158VU#503030VU#527142VU#87183820040126 Advisory 01/2004: 12 x Gaim remote overflows9489gaim-http-proxy-bo(14947)gaim-login-name-bo(14940)gaim-login-value-bo(14941)gaim-urlparser-bo(14945)gaim-yahoopacketread-keyname-bo(14943)gaim-yahoowebpending-cookie-bo(14939)20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim codeCLA-2004:813SSA:2004-026oval:org.mitre.oval:def:818MDKSA-2004:00620040202-01-U373137321008850Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.DSA-434-1 gaim -- several vulnerabilities12 x Gaim remote overflowsUltramagnetic Advisory #001: Multiple Vulnerabilities in Gaim CodeUpdated Gaim packages fix various vulnerabiliiesUltramagnetic Advisory #001: Multiple vulnerabilities in Gaim codeRHSA-2004:032MDKSA-2004:006GLSA-200401-04VU#197142OVAL81920040126 Advisory 01/2004: 12 x Gaim remote overflowsSuSE-SA:2004:0049489gaim-extractinfo-bo(14946)VU#19714220040126 Advisory 01/2004: 12 x Gaim remote overflowsCLA-2004:813SSA:2004-026oval:org.mitre.oval:def:819MDKSA-2004:00637331008850Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.GLSA-200401-04OVAL82020040126 Advisory 01/2004: 12 x Gaim remote overflowsgaim-directim-bo(14937)20040126 Advisory 01/2004: 12 x Gaim remote overflowsCLA-2004:81320040127 [slackware-security] GAIM security update (SSA:2004-026-01)oval:org.mitre.oval:def:820MDKSA-2004:00620040202-01-U37341008850Gaim contains an integer overflow vulnerability when parsing DirectIM packets12 x Gaim remote overflowsUltramagnetic Advisory #001: Multiple Vulnerabilities in Gaim CodeUpdated Gaim packages fix various vulnerabiliiesUltramagnetic Advisory #001: Multiple vulnerabilities in Gaim codeRHSA-2004:033MDKSA-2004:006DSA-434RHSA-2004:04520040201-01-UApache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user.http://www.apache-ssl.org/advisory-20040206.txtApache-SSL security advisory - apache_1.3.28+ssl_1.52 and priorbid 9590Apache-SSL has a default password20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior3877Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.Updated kernel packages fix security vulnerabilitybid 9691Linux Kernel ncp_lookup allows elevated privilegesDSA-479-1 linux-kernel-2.4.18-alpha+i386+powerpc -- several vulnerabilitiesDSA-480DSA-481DSA-482DSA-489DSA-491DSA-495RHSA-2004:065RHSA-2004:188SuSE-SA:2004:005OVAL1035OVAL835FEDORA-2004-079MDKSA-2004:015TLSA-2004-05O-082CLA-2004:820oval:org.mitre.oval:def:1035oval:org.mitre.oval:def:835Buffer overflow in fsp before 2.81.b18 allows remote users to execute arbitrary code.fsp -- buffer overflow, directory traversalDebian FSP VulnerabilitiesFSP boundary error buffer overflowO-048jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly handle SSL connections, which allows remote attackers to cause a denial of service (crash).jabber -- denial of servicebid 9376Updated jabber packages fix DoS vulnerabilityJabber SSL connections denial of service334510559Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier allows remote web servers to execute arbitrary code via certain long strings.New nd packages fix buffer overflowsbid 9365nd -- buffer overflowsnd long string buffer overflow10086161054910550vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges.vbox3 -- privilege leakbid 9381vbox3-gain-privileges(14170)The calendar module for phpgroupware 0.9.14 does not enforce the "save extension" feature for holiday files, which allows remote attackers to create and execute PHP files.phpgroupware -- missing filename sanitising, SQL injectionbid 9387phpgroupware-calendar-file-include(13489)6860Multiple SQL injection vulnerabilities in the (1) calendar and (2) infolog modules for phpgroupware 0.9.14 allow remote attackers to perform unauthorized database operations.phpgroupware -- missing filename sanitising, SQL injectionbid 9386100866210591jitterbug 1.6.2 does not properly sanitize inputs, which allows remote authenticated users to execute arbitrary commands.jitterbug -- improperly sanitised inputbid 9397jitterbug-execute-code(14207)Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges.bid 9366Lotus Notes and Domino notes.ini file has insecure permissions20040106 Lotus Notes Domino 6.0.2 (linux) faulty default permissions3424100862310566PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code.PhpGedView $PGV_BASE_DIRECTORY PHP file include936833431056520040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem1008632PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to editconfig.php.Vuln in PHPGEDVIEW 2.61 Multi-ProblemPhpGedView allows administrative password modification105653403Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2.61 allows remote attackers to inject arbitrary HTML and web script via the firstname parameter.Vuln in PHPGEDVIEW 2.61 Multi-ProblemPhpGedView search.php cross-site scripting9369340210565admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensitive information via an action parameter with a phpinfo command.Vuln in PHPGEDVIEW 2.61 Multi-ProblemPhpGedView admin.php information disclosure9371340410565Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the phorum_check_xss function in common.php, (2) the EditError variable in profile.php, and (3) the Error variable in login.php.Multiple Vulnerabilities in Phorum 3.4.5bid 9361Phorum common.php, profile.php, and login.php script cross-site scripting105673434350635101008633SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter.Multiple Vulnerabilities in Phorum 3.4.5bid 9363Phorum register.php script SQL injection350810567SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter.http://www.vbulletin.com/forum/showthread.php?postid=588825vBulletin Forum 2.3.xx calendar.php SQL InjectionvBulletin Forum 2.3.xx calendar.php script SQL Injection93603344FirstClass Desktop Client 7.1 allows remote attackers to execute arbitrary commands via hyperlinks in FirstClass RTF messages.FirstClass Client 7.1: Command Execution via Email Web LinkOpen Text Corporation FirstClass Local File Reference Command Execution VulnerabilityFirstClass Client executes code without displaying a warning dialog3442105561008609McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81.20040510 McAfee ePolicy Orchestrator Remote Compromise Vulnerabilityepolicy-execute-commands(14166)bugtraq id 10200Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI.HTTP Parsing Vulnerabilities in Check Point Firewall-1Check Point FireWall-1 format stringbid 9581Two checkpoint fw-1/vpn-1 vulns20040204 Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities20040205 Two checkpoint fw-1/vpn-1 vulnshttp://www.checkpoint.com/techsupport/alerts/security_server.htmlhttp://www.us-cert.gov/cas/techalerts/TA04-036A.htmlO-072Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet.Check Point ISAKMP vulnerable to buffer overflow via Certificate RequestCheck Point VPN-1 IKE buffer overflowbid 9582 Two checkpoint fw-1/vpn-1 vulnshttp://www.us-cert.gov/cas/techalerts/TA04-036A.html20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer OverflowO-07338214432The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions.mod-auth-shadow -- password expirationbid 94043454100867510612vsftpd 1.1.3 generates different error messages depending on whether or not a valid username exists, which allows remote attackers to identify valid usernames.vsftpd Discloses Whether Usernames are Valid or Not1008628Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature.20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow938320040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow3437100865110573yahoo-messenger-filename-bo(14171)Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username.Cisco Personal Assistant User Password Bypass Vulnerability9384ciscopersonalassistant-config-file-access(14172)3430Buffer overflow in the ARTpost function in art.c in the control message handling code for INN 2.4.0 may allow remote attackers to execute arbitrary code.Buffer overflow in control message handlingOpenPKG Security Advisory (inn)bid 9382SSA:2004-014-02VU#75902010578inn-artpost-control-message-bo(14190)Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows remote attackers to inject arbitrary web script or HTML via a GET request containing a terminating '"' (double quote) character.SnapStream PVS LITE Cross Site Scripting Vulnerabillitybid 93753440100864610575snapstream-quotation-xss(14164)Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges.trr19 -- missing privilege releasebid 9520trr19-gain-privileges(14975)107443747100887510745Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attackers to cause a denial of service via certain HTTP POST messages to the Administration System port.Potential Server/Proxy Denial-of-Service Vulnerabilitybid 9421http://service.real.com/help/faq/security/security022604.html20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer OverflowVerity Ultraseek before 5.2.2 allows remote attackers to obtain the full pathname of the document root via an MS-DOS device name in the web search option, such as (1) NUL, (2) CON, (3) AUX, (4) COM1, (5) COM2, and others.20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issueultraseek-error-path-disclosure(16066)20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issueMultiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard but frequently supported Content-Transfer-Encoding values such as (1) uuencode, (2) mac-binhex40, and (3) yenc, which may be interpreted differently by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME Content-Transfer-Encoding mechanism issuemime-contenttransfer-filter-bypass(17337)Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard separator characters, or use standard separators incorrectly, within MIME headers, fields, parameters, or values, which may be interpreted differently by mail clients.Multiple vendor MIME separator issueNISCC Vulnerability Advisory 380375/MIMEbid 11157mime-separator-filtering-bypass(17334)Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use fields that use RFC2047 encoding, which may be interpreted differently by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issuemime-rfc2047-filtering-bypass(17331)Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Vulnerabilities in H.323 Message ProcessingCERT Advisory CA-2004-01 Multiple H.323 Message VulnerabilitiesMultiple vulnerabilities in H.323 implementationshttp://www.uniras.gov.uk/vuls/2004/006489/h323.htm94061008685The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.bid 7090tcpdump contains vulnerability in RADIUS decoding function print_attr_string() in print-radius.cUpdated tcpdump packages fix various vulnerabilitiesDSA-425MDKSA-2004:00820040103-01-Uhttp://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00046.htmlOVAL850OVAL853APPLE-SA-2004-02-23[tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.120040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths)oval:org.mitre.oval:def:850oval:org.mitre.oval:def:853CLSA-2003:832FLSA:1222MDKSA-2004:00820040202-01-U1008735Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.CERT Advisory CA-2004-01 Multiple H.323 Message VulnerabilitiesMultiple vulnerabilities in H.323 implementationshttp://www.uniras.gov.uk/vuls/2004/006489/h323.htm94061008687The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.multiple vulnerabilities in tcpdump 3.8.1Updated tcpdump packages fix various vulnerabilitiesbid 9423DSA-425-1 tcpdump -- multiple vulnerabilitiesRHSA-2004:008MDKSA-2004:00820040103-01-Uhttp://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00046.htmlOVAL851OVAL854APPLE-SA-2004-02-23VU#17408610636tcpdump-rawprint-isakmp-dos(14837)20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths)oval:org.mitre.oval:def:851oval:org.mitre.oval:def:854FLSA:1222MDKSA-2004:00820040202-01-U1008716Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file.20040113 symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower)3496100870210620antivir-tmpfile-insecure(14214)Directory traversal vulnerability in upload capability of WWW File Share Pro 2.42 and earlier allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in the filename parameter of a Content-Disposition: header.20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.421008779WWW File Share Pro 2.42 and earlier allows remote attackers to cause a denial of service (crash) via a large POST request.20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.421008779WWW File Share Pro 2.42 and earlier allows remote attackers to bypass directory access restrictions via (1) a URL with a trailing . (dot), or (2) a URI with a leading slash or backslash character.20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.421008779Integer overflow in the rnd arithmetic rounding function for various versions of FishCart before 3.1 allows remote attackers to "cause negative totals" via an order with a large quantity.FishCart Integer Overflow / Rounding Errorbid 94261008731The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number.payShield library may verify bad requests20040114 nCipher Advisory #8: payShield library may verify bad requests9422payshield-incorrect-request-verification(14832)3537The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory.bid 941134601062320040113 SuSE linux 9.0 YaST config Skribt [exploit]1008703Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php.More phpGedView Vulnerabilities1191011925phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php.More phpGedView Vulnerabilities3464phpgedview-path-disclosure(14215)Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.More phpGedView Vulnerabilities20070827 PhpGedView login page multiple XSS118681188011882118881189011891118941190311904119051190611907ADV-2007-2995347334743475347634773478101861326628phpgedview-login-xss(36285)phpgedview-multiple-xss(14212)PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 and earlier allows remote attackers to execute arbitrary PHP code by modifying the $relative_script_path parameter to reference a URL on a remote web server that contains the code.PhpDig 1.6.x: remote command executionbid 9424phpdig-config-file-include(14826)Format string vulnerability in HD Soft Windows FTP Server 1.6 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username, which is processed by the wscanf function.Windows FTP Server Format String Vulnerabilityexploit for HD Soft Windows FTP Server 1.6bid 93851008658PHP remote file inclusion vulnerability in module.php for ezContents allows remote attackers to execute arbitrary PHP code by modifying the link parameter to reference a URL on a remote web server that contains the code.Remote Code Execution in ezContentsbid 9396http://www.ezcontents.org/forum/viewtopic.php?t=361ezcontents-php-file-include(14199)6878Directory traversal vulnerability in buildManPage in class.manpagelookup.php for PHP Man Page Lookup 1.2.0 allows remote attackers to read arbitrary files via the command parameter ($cmd variable) to index.php.PHP Manpage lookup directory transversal / file disclosing9395manpagelookup-directory-traversal(14203)1008689Directory traversal vulnerability in Accipiter Direct Server 6.0 allows remote attackers to read arbitrary files via encoded \.. (backslash .., "%5c%2e%2e") sequences in an HTTP request.Directory Traversal in Accipiter Direct Server 6.0Accipiter Direct Server dot dot directory traversalbid 938920040109 Directory Traversal in Accipiter Direct Server 6.0343310600PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server that contains a malicious serverdata.php script.bid 93383318100858410535easydynamicpages-php-file-include(14136)340820040102 include() vuln in EasyDynamicPages v.2.0Multiple buffer overflows in xsok 1.02 allows local users to gain privileges via (1) a long LANG environment variable, or (2) a long -xsokdir command line argument, a different vulnerability than CVE-2003-0949.bid 9352bid 9341xsok long -xsokdir buffer overflowxsok-lang-bo(14910)20040102 xsok local games exploit20040103 xsok local games exploit (2)The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.Updated kernel packages resolve security vulnerabilitiesLinux kernel Vicam USB driver denial of servicebid 9690CLA-2004:846MDKSA-2004:015RHSA-2005:293SuSE-SA:2004:005O-082oval:org.mitre.oval:def:836** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was removed from consideration by its Candidate Numbering Authority. Notes: none.The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txtSecond critical mremap() bug found in all Linux, kernel,slinux-kernel-2.4.16-arm -- several vulnerabilitiesLinux kernel do_mremap allows elevated privilegesbid 9686Linux kernel do_mremap local privilege escalation vulnerability20040218 Second critical mremap() bug found in all Linux kernelsCLA-2004:820DSA-438DSA-440DSA-441DSA-442DSA-444DSA-450DSA-453DSA-454DSA-456DSA-466DSA-470DSA-514DSA-475FEDORA-2004-079MDKSA-2004:015RHSA-2004:065RHSA-2004:066RHSA-2004:069RHSA-2004:106SSA:2004-049SuSE-SA:2004:0052004-00072004-0008VU#981222O-0823986oval:org.mitre.oval:def:825oval:org.mitre.oval:def:837Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.http://bugs.debian.org/126336Updated mutt packages fix remotely-triggerable crashmuttUpdated mutt packages fix remotely-triggerable crashbid 9641Mutt index menu buffer overflow20040211 Mutt-1.4.2 fixes buffer overflow.CSSA-2004-013.0MDKSA-2004:010SSA:2004-04320040215 LNSA-#2004-0001: mutt remote crash20040309 [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt)3918oval:org.mitre.oval:def:811oval:org.mitre.oval:def:838The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Multiple Vulnerabilities in OpenSSLOpenSSL do_change_cipher_spec function denial of serviceOpenSSL Denial of Service Vulnerabilities20040317 New OpenSSL releases fix denial of service attacks [17 March 2004]http://www.openssl.org/news/secadv_20040317.txthttp://www.uniras.gov.uk/vuls/2004/224012/index.htmCLA-2004:834DSA-465ESA-20040317-003FreeBSD-SA-04:05MDKSA-2004:023NetBSD-SA2004-005RHSA-2004:121SCOSA-2004.10SuSE-SA:2004:00757524http://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00045.htmlVU#288574OVAL2621OVAL870OVAL97520040317 Cisco OpenSSL Implementation VulnerabilityFEDORA-2004-095GLSA-200403-03RHSA-2004:120RHSA-2004:1392004-0012O-101APPLE-SA-2005-08-15APPLE-SA-2005-08-17RHSA-2005:8301113917401FEDORA-2005-1042RHSA-2005:8291738117398SSRT4717SSA:2004-07718247oval:org.mitre.oval:def:2621oval:org.mitre.oval:def:870oval:org.mitre.oval:def:975MDKSA-2004:023The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.Updated util-linux packages fix information leakbid 9558GLSA-200404-0620040201-01-U20040406-01-U20040331 OpenLinux: util-linux could leak sensitive data20040408 LNSA-#2004-0010: login may leak sensitive dataVU#801526379610773utillinux-information-leak(15016)OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.OpenSSL does not properly handle unknown message typesOpenSSL unknown TLS message types denial of serviceOpenSSL Denial of Service Vulnerabilities20040317 Re: New OpenSSL releases fix denial of service attacks [17 March 2004]http://www.uniras.gov.uk/vuls/2004/224012/index.htmCLA-2004:834ESA-20040317-003DSA-465RHSA-2004:119RHSA-2004:121SCOSA-2004.1020040304-01-U5752420040508 [FLSA-2004:1395] Updated OpenSSL resolves security vulnerabilityTA04-078AOVAL871OVAL90220040317 Cisco OpenSSL Implementation VulnerabilityFEDORA-2004-095GLSA-200403-03RHSA-2004:120RHSA-2004:1392004-001211139oval:org.mitre.oval:def:871oval:org.mitre.oval:def:902The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txthttp://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.htmlUpdated samba packages fix security vulnerabilitybid 9637Samba mksmbpasswd.sh could allow an attacker to gain access to user's accountO-0783919oval:org.mitre.oval:def:827Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Recent Changes to XFree86bid 9636XFree86FontInformationFileBufferOverflowXFree86 font.alias file buffer overflowXFree86 Font Information File Buffer Overflowhttp://www.idefense.com/application/poi/display?id=72DSA-443RHSA-2004:059RHSA-2004:060RHSA-2004:061SuSE-SA:2004:006MDKSA-2004:012OVAL806OVAL830VU#82000620040211 XFree86 vulnerability exploitCLA-2004:821FLSA:2314SSA:2004-04357768oval:org.mitre.oval:def:806oval:org.mitre.oval:def:830MDKSA-2004:012Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Updated XFree86 packages fix privilege escalation vulnerabilityUpdated XFree86 packages fix privilege escalation vulnerabilitybid 9652XFree86 CopyISOLatin1Lowered buffer overflowhttp://www.idefense.com/application/poi/display?id=73CLA-2004:821DSA-443FLSA:2314RHSA-2004:059SSA:2004-043SuSE-SA:2004:006MDKSA-2004:012OVAL807OVAL831VU#66750220040212 iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File Buffer Overflow II57768oval:org.mitre.oval:def:807oval:org.mitre.oval:def:831MDKSA-2004:012Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086.Apple Security UpdatesMac OS X mail undisclosed security issuebid 9504http://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-26APPLE-SA-2004-01-26Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085.Apple Security Updateshttp://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-269504APPLE-SA-2004-01-26The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088.Apple Security Updateshttp://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-269504macosx-configd-file-manipulation(14997)APPLE-SA-2004-01-266819The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087.Apple Security Updateshttp://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-269504APPLE-SA-2004-01-266820Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable.Apple Security Updatesbid 9509A012704-1APPLE-SA-2004-01-26VU#9023746821macosx-trublue-environmentvariable-bo(14968)Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 through 10.3.2 does not "shutdown properly," which has unknown impact and attack vectors.APPLE-SA-2004-01-26ESB-2004.0072950410723** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions of vBulletin allows remote attackers to inject arbitrary HTML or web script via the reg_site (or possibly regsite) parameter. NOTE: the vendor has disputed this issue, saying "There is no hidden field called 'reg_site', nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft."vBulletin Security VulnerabilityvBulletin Security Vulnerability RE: vBulletin Security Vulnerability: Re: vBulletin Security Vulnerabilityhttp://securitytracker.com/alerts/2004/Jan/1008780.html1008780Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact.Apple Security UpdatesAPPLE-SA-2004-01-269504APPLE-SA-2004-01-26XFree86 4.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an out-of-bounds array index when using the GLX extension and Direct Rendering Infrastructure (DRI).xfree86 -- several vulnerabilitiesbid 9701XFree86 GLX array index denial of serviceCLSA-2004:824RHSA-2004:15220040406-01-UInteger signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI).xfree86 -- several vulnerabilitiesXFree86 GLX integer signedness denial of serviceCLSA-2004:824RHSA-2004:15220040406-01-U9701McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow.http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zipbid 9476epolicy-contentlength-post-dos(14989)3744Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973.Mod_python 2.7.10GLSA-200401-03RHSA-2004:058RHSA-2004:063Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Updated PWLib packages fix protocol security issuesCERT Advisory CA-2004-01 Multiple H.323 Message VulnerabilitiesMultiple vulnerabilities in H.323 implementationsPWLib message denial of serviceDSA-448-1 pwlib -- several vulnerabilitiesOVAL803OVAL826oval:org.mitre.oval:def:803oval:org.mitre.oval:def:8269406mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions.mksnap_ffs clears file system optionsbid 9533freebsd-mksnapffs-bypass-security(15005)3790crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow.crawl -- buffer overflow956610788crawl-long-environment-bo(15032)Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.Updated metamail packages fix vulnerabilitiesbid 9692Metamail header format string attack20040218 metamail format string bugs and buffer overflowsDSA-449MDKSA-2004:014metamail-contenttype-format-string(15245)VU#51851810908O-08320040218 metamail format string bugs and buffer overflowsSSA:2004-049MDKSA-2004:014Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.Updated metamail packages fix vulnerabilitiesMetamail splitmail file Subject header buffer overflow20040218 metamail format string bugs and buffer overflowsDSA-449MDKSA-2004:014metamail-printheader-nonascii-bo(15247)VU#51306210908O-083969220040218 metamail format string bugs and buffer overflowsSSA:2004-049MDKSA-2004:014Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.Updated XFree86 packages fix privilege escalation vulnerabilityUpdated XFree86 packages fix privilege escalation vulnerabilityXFree86 security updatebid 9655XFree86 improper handling of multiple font filesDSA-443RHSA-2004:059SuSE-SA:2004:006MDKSA-2004:012OVAL809OVAL832CLA-2004:821FLSA:2314oval:org.mitre.oval:def:809oval:org.mitre.oval:def:832MDKSA-2004:012The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.Updated sysstat packages fix security vulnerabilitiesSGI Advanced Linux Environment security update #14bid 9838RHSA-2004:093O-0976884OVAL849OVAL862sysstat-post-trigger-symlink(15428)oval:org.mitre.oval:def:849oval:org.mitre.oval:def:862The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107.Updated sysstat packages fix security vulnerabilitiesSGI Advanced Linux Environment security update #14bid 9844DSA-460sysstat-isag-symlink(15437)Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.2004-0020ESA-20040428-00420040405-01-URHSA-2004:166DSA-479DSA-480DSA-481DSA-482DSA-489DSA-491DSA-495GLSA-200407-02MDKSA-2004:02920040504-01-UOVAL940RHSA-2004:105RHSA-2004:106RHSA-2004:183SuSE-SA:2004:009TLSA-2004-14O-121O-127101411136111362113731146411469114701148611494115181162611861118911198612003linux-iso9660-bo(15866)CLA-2004:846oval:org.mitre.oval:def:940MDKSA-2004:029Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.Updated libxml2 packages fix security vulnerabilitybid 9718Libxml2 nanohttp buffer overflow[OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml)DSA-455GLSA-200403-01RHSA-2004:091libxml2-nanoftp-bo(15302)10958OVAL833OVAL875VU#493966O-086http://www.xmlsoft.org/news.html20040306 TSLSA-2004-0010 - libxml2RHSA-2004:650oval:org.mitre.oval:def:833oval:org.mitre.oval:def:875 SUSE-SR:2005:001gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.Updated gdk-pixbuf packages fix crashbid 9842DSA-464FLSA:2005MDKSA-2004:020RHSA-2004:102gdk-pixbuf-bitmap-dos(15426)oval:org.mitre.oval:def:845oval:org.mitre.oval:def:846The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.OpenSSL Denial of Service VulnerabilitiesMultiple Vulnerabilities in OpenSSLOpenSSL on a server configured with Kerberos ciphersuites denial of service20040317 New OpenSSL releases fix denial of service attacks [17 March 2004]http://www.openssl.org/news/secadv_20040317.txthttp://www.uniras.gov.uk/vuls/2004/224012/index.htmCLA-2004:834MDKSA-2004:023NetBSD-SA2004-005RHSA-2004:121SCOSA-2004.10SuSE-SA:2004:00757524SSRT4717http://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00045.htmlVU#484726OVAL1049OVAL92820040317 Cisco OpenSSL Implementation VulnerabilityGLSA-200403-03RHSA-2004:1202004-0012O-101APPLE-SA-2005-08-15APPLE-SA-2005-08-1711139SSA:2004-077oval:org.mitre.oval:def:1049oval:org.mitre.oval:def:928MDKSA-2004:023Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106Apache HTTP Server mod_ssl plain HTTP request denial of servicecvs commit: httpd-2.0/modules/ssl ssl_engine_io.cOverview of security vulnerabilities in Apache httpd 2.0bid 9826APPLE-SA-2004-05-03CLSA-2004:839GLSA-200403-04SSRT4717MDKSA-2004:043RHSA-2004:084RHSA-2004:1822004-001720040325 LNSA-#2004-0006: bug workaround for Apache 2.0.484182oval:org.mitre.oval:def:876The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges.http://www.pine.nl/press/pine-cert-20040201.txtshmat reference counting bugMultiple vendor BSD platforms allows elevated privilegesbid 9586 [PINE-CERT-20040201] reference count overflow in shmat()NetBSD-SA2004-0043836VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file.Vulnerability in Virtual PC for Mac Could Allow Privilege Elevation (835150)bid 9632Virtual PC Services Insecure Temporary File CreationO-076virtual-pc-gain-privileges(15113)3893An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.AD20040413AMS04-012TA04-104AVU#417052MS04-012OVAL955OVAL957OVAL958O-11510127100975811065win-rpcss-rpcmessage-dos(15708)oval:org.mitre.oval:def:955oval:org.mitre.oval:def:957oval:org.mitre.oval:def:958Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.MS04-011TA04-104AVU#353956MS04-011OVAL907OVAL946OVAL964O-114win-h323-bo(15710)oval:org.mitre.oval:def:907oval:org.mitre.oval:def:946oval:org.mitre.oval:def:964The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.20040413 EEYE: Windows VDM TIB Local Privilege EscalationAD20040413EMS04-011TA04-104AVU#78374820040413 EEYE: Windows VDM TIB Local Privilege EscalationOVAL1512OVAL1718O-11410117win-vdm-gain-privileges(15714)oval:org.mitre.oval:def:1512oval:org.mitre.oval:def:1718The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.MS04-011TA04-104AVU#63854820040414 NSFOCUS SA2004-01 : DoS Vulnerability in Microsoft Windows SPNEGO Protocol DecodingMS04-011OVAL1808OVAL1962OVAL1997O-11410113win-spp-bo(15715)oval:org.mitre.oval:def:1808oval:org.mitre.oval:def:1962oval:org.mitre.oval:def:1997The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.MS04-011TA04-104AVU#150236MS04-011OVAL885OVAL886OVAL892O-11410115ssl-message-dos(15712)oval:org.mitre.oval:def:885oval:org.mitre.oval:def:886oval:org.mitre.oval:def:892Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.Microsoft Outlook "mailto:" Parameter Passing VulnerabilityVulnerability in Microsoft Outlook Could Allow Code Execution (828040)bid 982720040310 Outlook mailto: URL argument injection vulnerabilityTA04-070AVU#305206O-096oval:org.mitre.oval:def:843outlook-mailtourl-execute-code(15414)outlook-ms04009-patch(15429)Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files.Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)bid 9828VU#688094oval:org.mitre.oval:def:844msn-ms04010-patch(15427)msn-request-view-files(15415)Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.MS04-011TA04-104AVU#255924MS04-011OVAL1007OVAL1076OVAL924O-11410118win-asn1-double-free(15713)oval:org.mitre.oval:def:1007oval:org.mitre.oval:def:1076oval:org.mitre.oval:def:924The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."MS04-012TA04-104AVU#212892MS04-012OVAL1041OVAL1062OVAL1066OVAL1072O-1151012111065win-objectidentifier-open-port(15711)oval:org.mitre.oval:def:1041oval:org.mitre.oval:def:1062oval:org.mitre.oval:def:1066oval:org.mitre.oval:def:1072The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verify that an attempt to manipulate routing tables originated from a non-jailed process, which could allow local users to modify the routing table.FreeBSD jail() Process Unauthorized Routing Table Modification VulnerabilityFreeBSD jailed process routing table modificationFreeBSD-SA-04:12The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail.Jailed processes can attach to other jailsbid 9762FreeBSD jail_attach allows elevated privileges4101Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter.PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and priorbid 9529376810753phpgedview-editconfig-directory-traversal(15129)1008892PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.Code Injection Vulnerabilities in phpGedView 2.65.1 and priorPhpGedView v2.65.2bid 9531376910753phpgedview-gedfilconf-file-include(14987)Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter.http://sourceforge.net/forum/forum.php?forum_id=350228http://www.phpmyadmin.net/home_page/relnotes.php?rel=0Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and priorphpMyAdmin < 2.5.6-rc1: possible attack against export.phpbid 9564380010769phpmyadmin-dotdot-directory-traversal(15021)login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message.PhpGedView Path Disclosure Vulnerability1008844phpgedview-loginphp-path-disclosure(15128)6886The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote atackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference.http://ftp.gnu.org/gnu/radius/radius-1.2.tar.gzGNU Radius Remote Denial of Service VulnerabilityGNU Radius accounting service fails to properly handle exceptional Acct-Status-Type and Acct-Session-Id attributesbid 9578GNU Radius rad_print_request denial of service20040204 GNU Radius Remote Denial of Service Vulnerability382410799Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php.PHP Code Injection Vulnerabilities in ezContents 2.0.2 and priorbid 9638ezContents multiple .php PHP file inclusionThe XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device.MDKSA-2004:02920040405-01-UESA-20040428-0042004-0020GLSA-200407-02MDKSA-2004:0291015111362linux-xfs-info-disclosure(15901)MDKSA-2004:029cpr (libcpr) in SGI IRIX before 6.5.25 allows local users to gain privileges by loading a user provided library while restarting the checkpointed process.IRIX Checkpoint and Restart libcpr Library Loading Privilege Escalation VulnerabilitySGI IRIX cpr allows elevated privileges20040507-01-PThe syssgi SGI_IOPROBE system call in IRIX 6.5.20 through 6.5.24 allows local users to gain privileges by reading and writing to kernel memory.SGI IRIX SGI_IOPROBE allows root privilegesSGI IRIX SYSSGI() System Call Unprivileged User Kernel Memory Access Vulnerability20040601-01-P712211872The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system crash) via a "corrupted binary."SGI IRIX Undisclosed MapElf32Exec Local Denial Of Service VulnerabilitySGI IRIX mapelf32exec denial of serviceUpdated kernel packages fix security vulnerabilities20040601-01-P712311872RHSA-2004:504Unknown vulnerability in init for IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system panic) as a result of "page invalidation issues."SGI IRIX Undisclosed Init Denial Of Service VulnerabilitySGI IRIX page denial of service20040601-01-P712411872The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped.DSA-1070DSA-1067DSA-1069201622016320202DSA-10821817420338RHSA-2004:549RHSA-2004:504linux-kernel-elfloader-dos(43124)Unknown vulnerability in the bsd.a kernel networking for SGI IRIX 6.5.22 through 6.5.25, and possibly earlier versions, in which "t_unbind changes t_bind's behavior," has unknown impact and attack vectors.SGI IRIX T_Bind/T_UnBind Undisclosed VulnerabilitySGI IRIX bsd.a kernel t_bind and t_unbind20040905-01-P12682Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows.ptl-2004-01: Multiple vulnerabilities in Nokia phonesMultiple vulnerabilities in Nokia phonesbid 9603Nokia OBEX denial of service20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phoneswu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.wu-ftpd -- several vulnerabilitiesUpdated wu-ftpd package fixes security issuesbid 9832SSRT4704ADV-2006-1867oval:org.mitre.oval:def:1147oval:org.mitre.oval:def:1636oval:org.mitre.oval:def:1637oval:org.mitre.oval:def:6481105520168102356wuftpd-restrictedgid-gain-access(15423)Multiple buffer overflows in xboing before 2.4 allow local users to gain privileges.DSA-451-1 xboing -- buffer overflowsxboing Local Buffer Overflow Vulnerabilitiesxboing buffer overflowBuffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.python2.2 -- buffer overflowpythonbid 9836GLSA-200409-03MDKSA-2004:0194172python-getaddrinfo-bo(15409)Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands.xitalk -- missing privilege releasebid 9851xitalk allows attacker to gain elevated privilegeshttp://shellcode.org/Advisories/XITALK.txt11114Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames.emil email multiple buffer overflowsNew emil packages fix multiple vulnerabilitiesemil -- several vulnerabilitiesMultiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages.New emil packages fix multiple vulnerabilitiesemil -- several vulnerabilitiesemil format string attackrpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name.RHSA-2004:0722004-0009nfs-utils-dns-dos(15418)bugtraq id 9813OVAL861oval:org.mitre.oval:def:861The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.20040407 CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connectionsMDKSA-2004:027APPLE-SA-2004-05-03RHSA-2004:165GLSA-200406-17MDKSA-2004:027MDKSA-2004:069SCOSA-2005.10OVAL945VU#55239811328oval:org.mitre.oval:def:945MDKSA-2004:027Format string vulnerabilities in the (1) die or (2) log_event functions for ssmtp before 2.50.6 allow remote mail relays to cause a denial of service and possibly execute arbitrary code.DSA-48520040426 [ GLSA 200404-18 ] Multiple Vulnerabilities in ssmtpGLSA-200404-181015053605361100978811378113841148511571ssmtp-die-logevent-format-string(15872)20040507 [OpenPKG-SA-2004.020] OpenPKG Security Advisory (ssmtp)x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program.DSA-484101495358100978911382xonix-privilege-dropping(15873)Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c.lbreakout2 < 2.4beta-2 local exploit lbreakout2 -- buffer overflowbid 9712LBreakout2 HOME environment variable buffer overflowhttp://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gzFormat string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command.New hsftp packages fix format string vulnerabilityNew hsftp packages fix format string vulnerabilitybid 9715hsftp format string attack20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability4029Synaesthesia 2.2 and earlier allows local users to execute arbitrary code via a symlink attack on the configuration file.synaesthesia -- insecure file creationSynaesthesia configuration file symlink attackbid 9713Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use RFC2231 encoding, which may be interpreted differently by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME RFC2231 encoding issuemime-tools-parameter-encoding(9274)Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME RFC822 comment issuemime-rfc822-filtering-bypass(17332)Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session.Sygate Secure Enterprise replay issueSygate Secure Enterprise replay denial of service20040810 Corsaire Security Advisory - Sygate Secure Enterprise replay issueKAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoonOpenBSD ISAKMP daemon Invalid SPI could allow an attacker to delete IPsec SAsNetBSD-SA2004-001http://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00046.htmlopenbsd-isakmp-initialcontact-delete-sa(14118)9417OVAL947APPLE-SA-2004-02-2320040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon9416oval:org.mitre.oval:def:947Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges.http://lists.apple.com/mhonarc/security-announce/msg00046.htmlMac OS X pppd Format String VulnerabilityApple Security UpdatesMac OS X ppp daemon format string attackbid 9730Apple Mac OS X Point-to-Point Protocol daemon (pppd) contains format string vulnerabilityAPPLE-SA-2004-02-236822Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar."Apple Security UpdatesMac OS X Safari Web browser undisclosed security issueApple Mac OS X Safari fails to properly display URLs in the status barhttp://lists.apple.com/mhonarc/security-announce/msg00046.htmlmacosx-safari-unknown(14993)APPLE-SA-2004-02-2310959DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media.http://lists.apple.com/mhonarc/security-announce/msg00046.htmlApple Security UpdatesMac OS X unknown issue in DiskArbitration implementationAPPLE-SA-2004-02-23VU#5788869731682410959macos-diskarbitration-unknown(15300)Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging."Apple Security UpdatesMac OS X unknown issue in CoreFoundation notification logginghttp://lists.apple.com/mhonarc/security-announce/msg00046.htmlmacos-corefoundation-unknown(15299)APPLE-SA-2004-02-2310959QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function.http://lists.apple.com/mhonarc/security-announce/msg00046.htmlApple Security UpdatesDarwin Streaming Server DESCRIBE request denial of serviceDarwin Streaming Server Remote Denial of Service Vulnerabilitybid 9735Apple Quicktime/Darwin Streaming Server fails to properly parse DESCRIBE requestsAPPLE-SA-2004-02-2320040223 Darwin Streaming Server Remote Denial of Service Vulnerability68266837FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections.FreeBSD memory buffers (mbufs) denial of serviceFreeBSD Memory Buffer Exhaustion Denial of Service Vulnerabilitybid 9792APPLE-SA-2004-05-28FreeBSD-SA-04:04VU#3956704124Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed.ltrace bugltrace Heap Overflow May Let Local Users Execute Arbitrary Code With Root Privilegesltrace search_for_command buffer overflowbid 879020031008 ltrace bug20031008 ltrace bug1007896Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences.http://www.apacheweek.com/issues/04-03-12http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152Apache for cygwin directory traversal vulnerabilitybid 9733Apache for Cygwin dot dot directory traversal20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory traversal vulnerability10962Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."[ANNOUNCE] Apache HTTP Server 2.0.49 ReleasedTSLSA-2004-0017 - apacheApache HTTP Server socket starvation denial of serviceStronghold 4: New release fixes Apache, mod_ssl, and PHP issues2004-0027GLSA-200405-22MDKSA-2004:046OVAL1982VU#132110111705762899211009495OVAL100110APPLE-SA-2004-05-0320040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)SSA:2004-133SSRT4717101555oval:org.mitre.oval:def:100110oval:org.mitre.oval:def:1982MDKSA-2004:046Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.OpenSSH SCP Client File Corruption Vulnerability[suse-security-announce] SUSE Security Announcement: Linux Kernel (SuSE-SA:2004:009)Vulnerabilidade no comando scphttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147http://www.juniper.net/support/security/alerts/adv59739.txtCLSA-2004:831SuSE-SA:2004:009RHSA-2005:106O-212openssh-scp-file-overwrite(16323)RHSA-2005:074RHSA-2005:165RHSA-2005:481RHSA-2005:495RHSA-2005:562RHSA-2005:567SCOSA-2006.111924317135 9550Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.Advisory 03/2004: Multiple (13) Ethereal remote overflowsLNSA-#2004-0007: Multiple security problems in EtherealEthereal multiple dissectors buffer overflowsDSA-511-1 ethereal -- buffer overflowshttp://security.e-matters.de/advisories/032004.htmlhttp://www.ethereal.com/appnotes/enpa-sa-00013.htmlGLSA-200403-07RHSA-2004:136RHSA-2004:137MDKSA-2004:024OVAL878OVAL887VU#119876VU#125156VU#433596VU#591820VU#644886VU#659140VU#740188VU#864884VU#93158811185CLA-2004:83520040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal)oval:org.mitre.oval:def:878oval:org.mitre.oval:def:887MDKSA-2004:0246893The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device.2004-0020RHSA-2004:166MDKSA-2004:029ESA-20040428-004DSA-495DSA-479DSA-480DSA-481DSA-482DSA-489DSA-491FLSA:2336GLSA-200407-02MDKSA-2004:029http://linux.bkbits.net:8080/linux-2.4/cset@4056b368s6vpJbGWxDD_LhQNYQrdzQO-121O-126O-12710152linux-ext3-info-disclosure(15867)RHSA-2005:293CLA-2004:846RHSA-2004:504RHSA-2004:505MDKSA-2004:029The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes.MDKSA-2004:029DSA-495DSA-491DSA-489DSA-482DSA-479DSA-480DSA-481GLSA-200407-02MDKSA-2004:029RHSA-2004:413RHSA-2004:43720040804-01-Uhttp://linux.bkbits.net:8080/linux-2.4/cset@404ce5967rY2Ryu6Z_uNbYh643wuFAO-121O-127O-1939985linux-sound-blaster-dos(15868)CLA-2004:846MDKSA-2004:029Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.DSA-487RHSA-2004:15720040404-01-UFEDORA-2004-1552RHSA-2004:158RHSA-2004:159RHSA-2004:160GLSA-200405-01GLSA-200405-04OVAL1065SuSE-SA:2004:008SuSE-SA:2004:009MDKSA-2004:0321013653651136320040416 void.at - neon format string bugs20040416 [OpenPKG-SA-2004.016] OpenPKG Security Advisory (neon)oval:org.mitre.oval:def:1065The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.DSA-486FreeBSD-SA-04:07MDKSA-2004:028RHSA-2004:153RHSA-2004:154MDKSA-2004:02820040404-01-Uftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patchOVAL1042GLSA-200404-1311368113711137411375113771138011391114001140511548cvs-rcs-create-files(15864)FEDORA-2004-1620SSA:2004-108-02oval:org.mitre.oval:def:1042MDKSA-2004:028The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device.MDKSA-2004:029ESA-20040428-0042004-0020GLSA-200407-02MDKSA-2004:029TLSA-2004-1410143linux-jfs-info-disclosure(15902)RHSA-2005:66317002RHSA-2004:504ADV-2005-1878MDKSA-2004:029Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field.RHSA-2004:15620040404-01-UTCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.DSA-478-1 tcpdump -- denial of servicehttp://www.rapid7.com/advisories/R7-0017.htmlhttp://www.tcpdump.org/tcpdump-changes.txtFEDORA-2004-1468RHSA-2004:219tcpdump-isakmp-delete-bo(15680)10003OVAL972VU#240790100959311258113202004-001520040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilitiesoval:org.mitre.oval:def:972Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.DSA-478-1 tcpdump -- denial of serviceRapid7 Advisory R7-0017emil format string attack20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilitieshttp://www.tcpdump.org/tcpdump-changes.txtFEDORA-2004-1468RHSA-2004:219VU#49255810004OVAL976tcpdump-isakmp-integer-underflow(15679)1009593112582004-0015oval:org.mitre.oval:def:976Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name.http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txtWu-FTPd SKEY Stack Overflow VulnerabilityWU-FTPD SKEY authentication buffer overflowDSA-457-1 wu-ftpd -- several vulnerabilitiesUpdated wu-ftpd package fixes security issues8893smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted.Samba 3.x + kernel 2.6.x local root vulnerabilitySamba smbmnt allows elevated privilegesbid 9619DSA-463-1 samba -- privilege escalation20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability3916** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0185. Reason: This candidate is a reservation duplicate of CVE-2004-0185. Notes: All CVE users should reference CVE-2004-0185 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local users to execute arbitrary code via a long password.Calife heap corrupt / potential local root exploitbid 9756Calife long password buffer overflowDSA-461-1 calife -- buffer overflow9776The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Squid Proxy Cache Security Update Advisory SQUID-2004:1bid 9778Squid url_regex ACL bypassCLA-2004:838DSA-474GLSA-200403-11MDKSA-2004:025RHSA-2004:133RHSA-2004:134SCOSA-2005.1620040404-01-U20040401 [OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid)5916oval:org.mitre.oval:def:877oval:org.mitre.oval:def:941Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges.Symantec, Firewall/VPN Appliance, model 200 leak of securitybid 9784Symantec Firewall/VPN caches administrative password in plain text Symantec FireWall/VPN Appliance model 200 leak of security20040216 Symantec FireWall/VPN Appliance model 200 leak of security4117Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.Sandblad #13: Cross-domain exploit on zombie document with eventCross-domain exploit on zombie document with event handlersbid 9747Mozilla event handler cross-site scriptingRHSA-2004:110RHSA-2004:112SSRT47224062oval:org.mitre.oval:def:874oval:org.mitre.oval:def:937Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page.Symantec Gateway Security Management Service Cross Site Scriptingbid 9755Symantec Gateway Security error page cross-site scriptingHeap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username.Vulnerability in SMB Parsing in ISS ProductsInternet Security Systems' BlackICE and RealSecure contain a heap overflow in the processing of SMB packets20040227 EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing OverflowAD200402269752407210988pam-smb-protocol-bo(15207)Stack-based buffer overflow in the OutputDebugString function for Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary code via a PDF document with XML Forms Data Format (XFDF) data.Adobe Acrobat Reader XFDF buffer overflowAdobe Acrobat Reader XML Forms Data Format Buffer Overflowbid 980220040303 Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability20040303 Adobe Acrobat Reader XML Forms Data Format Buffer Overflow4135Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query.MS04-014MS04-014OVAL968VU#74071610112msjet-query-execute-code(15703)TA04-104Aoval:org.mitre.oval:def:968Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).bugtraq id 10321win-hcp-code-execution(16095)VU#484814MS04-01520040512 MS04-015 - Windows Help Center - Dvdupgradehttp://www.exploitlabs.com/files/advisories/EXPL-A-2004-001-helpctr.txtOVAL1008OVAL103220040512 MS04-015 - Windows Help Center - Dvdupgradeoval:org.mitre.oval:def:1008oval:org.mitre.oval:def:1032Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Microsoft Security Bulletin MS04-028Microsoft Windows JPEG buffer overflowTA04-260AVU#297462OVAL1105OVAL1721OVAL2706OVAL3038OVAL3082OVAL3320OVAL3810OVAL3881OVAL4003OVAL4216OVAL430720040914 Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflowoval:org.mitre.oval:def:1105oval:org.mitre.oval:def:1721oval:org.mitre.oval:def:2706oval:org.mitre.oval:def:3038oval:org.mitre.oval:def:3082oval:org.mitre.oval:def:3320oval:org.mitre.oval:def:3810oval:org.mitre.oval:def:3881oval:org.mitre.oval:def:4003oval:org.mitre.oval:def:4216oval:org.mitre.oval:def:4307Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.Microsoft Windows HTML Help could allow execution of codeMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Windows HTML Help component fails to properly validate input dataVulnerability in HTML Help Could Allow Code Execution (840315)Microsoft Windows HTML Help Heap Overflow Vulnerability20040714 HtmlHelp - .CHM File Heap OverflowOVAL1503OVAL1530OVAL2155OVAL3179oval:org.mitre.oval:def:1503oval:org.mitre.oval:def:1530oval:org.mitre.oval:def:2155oval:org.mitre.oval:def:3179IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.Microsoft Security Bulletin MS04-016Microsoft DirectX DirectPlay Remote Malformed Packet Denial Of Service VulnerabilityMS04-016OVAL1027OVAL2190OVAL2413OVAL2516OVAL2705674211802ms-directx-directplay-dos(16306)oval:org.mitre.oval:def:1027oval:org.mitre.oval:def:2190oval:org.mitre.oval:def:2413oval:org.mitre.oval:def:2516oval:org.mitre.oval:def:2705Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)VU#948750OVAL2016exchange-owa-execute-code(16583)oval:org.mitre.oval:def:2016Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx.Business Objects Crystal Reports Web Form Viewer Directory Traversal VulnerabilityCrystal Reports file deletionhttp://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.aspMS04-017OVAL115767481180020040502 Crystal Reports Vulnerabilities20040608 Vulnerability: Arbitrary File Access & DoS in Crystal Reportsoval:org.mitre.oval:def:1157Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function.Microsoft IIS 4 Redirect Remote Buffer Overflow VulnerabilityMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Internet Information Server (IIS) 4.0 contains a buffer overflow in the redirect functionMicrosoft Internet Information Server (IIS) redirect buffer overflowMS04-021O-179OVAL220410706779912061oval:org.mitre.oval:def:2204Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.Vulnerability in NetDDE Could Allow Remote Code Execution (841533Microsoft Windows contains an unchecked buffer in the NetDDE servicesMicrosoft Windows NetDDE buffer overflowMicrosoft Internet Information Server MS04-031 patch is not installedOVAL1852OVAL2394OVAL3120OVAL3242OVAL4592OVAL5074OVAL67881280320041013 Microsoft Windows NetDDE Service Buffer Overflowoval:org.mitre.oval:def:1852oval:org.mitre.oval:def:2394oval:org.mitre.oval:def:3120oval:org.mitre.oval:def:3242oval:org.mitre.oval:def:4592oval:org.mitre.oval:def:5074oval:org.mitre.oval:def:678811372"Shatter" style vulnerability in the Window Management application programming interface (API) for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to gain privileges by using certain API functions to change properties of privileged programs using the SetWindowLong and SetWIndowLongPtr API functions.Security Update for Microsoft Windows (840987)Microsoft Windows Window Management API allows elevated privilegesMicrosoft Windows MS04-032 patch is not installedMicrosoft Windows contains vulnerability in Window Management API20041013 SetWindowLong Shatter AttacksThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.Security Update for Microsoft Windows (840987)Microsoft Windows MS04-032 patch is not installedMicrosoft Windows Virtual DOS Machine (VDM) allows elevated privilegesMicrosoft Windows kernel fails to properly handle invalid opcodes used in DOS emulationOVAL1751OVAL3161OVAL3953OVAL4316OVAL476220041013 EEYE: Windows VDM #UD Local Privilege Escalationoval:org.mitre.oval:def:1751oval:org.mitre.oval:def:3161oval:org.mitre.oval:def:3953oval:org.mitre.oval:def:4316oval:org.mitre.oval:def:4762Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."Security Update for Microsoft Windows (840987)[EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) HeapMicrosoft Windows Enhanced Metafile (EMF) buffer overflowOVAL1872OVAL2114OVAL2428VU#80627811375win-ms04032-patch(17658)oval:org.mitre.oval:def:1872oval:org.mitre.oval:def:2114oval:org.mitre.oval:def:2428The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.Microsoft Windows POSIX Subsystem Buffer Overflow Local Privilege Escalation VulnerabilityMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Windows contains a buffer overflow in the POSIX subsystemMicrosoft Windows POSIX buffer overflow allows local attacker to gain privilegesVulnerability in POSIX Could Allow Code Execution (841872)MS04-020OVAL2166OVAL2847oval:org.mitre.oval:def:2166oval:org.mitre.oval:def:2847The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program.Security Update for Microsoft Windows (840987)Microsoft Windows Server 2003 kernel CPU denial of serviceMicrosoft Windows MS04-032 patch is not installedMicrosoft Windows kernel fails to reset values in CPU data structuresOVAL4893oval:org.mitre.oval:def:4893Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.Microsoft Windows Task Scheduler Remote Buffer Overflow VulnerabilityMicrosoft Windows Task Scheduler buffer overflowVulnerability in Task Scheduler Could Allow Code Execution (841873)Multiple Vulnerabilities in Microsoft Windows Components and Outlook Expresshttp://www.ngssoftware.com/advisories/mstaskjob.txt20040714 Unchecked buffer in mstask.dllMS04-022VU#228028OVAL1344OVAL1781OVAL1964OVAL34281206020040714 Microsoft Windows Task Scheduler '.job' Stack Overflowoval:org.mitre.oval:def:1344oval:org.mitre.oval:def:1781oval:org.mitre.oval:def:1964oval:org.mitre.oval:def:3428Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.Microsoft Windows Utility Manager gain privilegesMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Window Utility Manager Local Elevation of PrivilegesVulnerability in Utility Manager Could Allow Code Execution (842526)Microsoft Windows Utility Manager Local Privilege Escalation Variant VulnerabilityVU#868580OVAL2495oval:org.mitre.oval:def:2495Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.Bugtraq: Microsoft's Explorer and Internet Explorer long share name buffer overflow.FullDisclosure: Microsoft's Explorer and Internet Explorer long share name buffer overflow.Microsoft Windows long file share name buffer overflowMicrosoft Windows MS04-037 patch is not installed32285710213OVAL1601OVAL1749OVAL2638OVAL4345OVAL530711482MS04-037VU#6162001011647http://www.securiteam.com/windowsntfocus/5JP0M1PCKI.html5687oval:org.mitre.oval:def:1601oval:org.mitre.oval:def:1749oval:org.mitre.oval:def:2638oval:org.mitre.oval:def:4345oval:org.mitre.oval:def:5307Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.Microsoft Outlook Express Malformed Email Header Denial Of Service VulnerabilityMicrosoft Outlook Express malformed email header denial of serviceCumulative Security Update for Outlook Express (823353)Multiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Outlook Express fails to properly validate malformed e-mail headersMS04-018OVAL1950OVAL2137OVAL2657OVAL3376oval:org.mitre.oval:def:1950oval:org.mitre.oval:def:2137oval:org.mitre.oval:def:2657oval:org.mitre.oval:def:3376Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.Microsoft Internet Explorer Install Engine Control Buffer OverflowCumulative Security Update for Internet Explorer (834707)Multiple Vulnerabilities in Microsoft Internet Explorerwww.kb.cert.orgMicrosoft Internet Explorer InstallEngineCtl SetCifFile buffer overflowhttp://www.ngssoftware.com/advisories/msinsengfull.txtOVAL5316OVAL5329OVAL6100OVAL6600OVAL7717OVAL7865ie-ms04038-patch(17651)20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a)20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a)oval:org.mitre.oval:def:5316oval:org.mitre.oval:def:5329oval:org.mitre.oval:def:6100oval:org.mitre.oval:def:6600oval:org.mitre.oval:def:7717oval:org.mitre.oval:def:7865The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log.Possible race condition in Symantec AntiVirus Scan Engine for RedSymantec Antivirus Scan Engine race conditionbid 9662isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP zero-length payload denial of servicehttp://www.rapid7.com/advisories/R7-0018.htmlVU#34911311156100281009468isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite.OpenBSD ISAKMP zero-length payload denial of serviceOpenBSD ISAKMP IPSEC SA payload denial of serviceR7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitieshttp://www.rapid7.com/advisories/R7-0018.html20040317 015: RELIABILITY FIX: March 17, 2004VU#78594599071009468isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via a an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP Cert Request payload integer underflowhttp://www.rapid7.com/advisories/R7-0018.htmlVU#22327399071009468isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP delete payload denial of servicehttp://www.rapid7.com/advisories/R7-0018.htmlVU#52449799071009468Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via certain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP memory leakhttp://www.rapid7.com/advisories/R7-0018.htmlVU#996177100281009468Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range."Courier Mail Serverbid 9845Courier Japanese Codeset Conversion Buffer Overflow Vulnerabilitiescourier-codeset-converter-bo(15434)Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code.Updated mc packages resolve several vulnerabilitiesMidnight Commander allows local elevation of privilegesMidnight Commander Multiple Unspecified VulnerabilitiesDSA-497MDKSA-2004:039SuSE-SA:2004:012GLSA-200405-21MDKSA-2004:039Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allow a remote attacker to execute arbitrary code via a long query string.zoneminder-zms-bo(16136)bugtraq 10340Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges.Linux Kernel: Multiple vulnerabilities[SECURITY] Updated kernel packages fix security issues.MDKSA-2004:050SuSE-SA:2004:0101142911464114861149111683linux-cpufreq-info-disclosure(15951)CLA-2004:852FEDORA-2004-111MDKSA-2004:050The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact.Linux kernel Framebuffer Code Unspecified VulnerabilityLinux kernel framebuffer undisclosed issueLinux Kernel: Multiple vulnerabilitiesMDKSA-2004:037SuSE-SA:2004:010CLA-2004:852MDKSA-2004:037TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.Multiple Vendor TCP Sequence Number Approximation VulnerabilityTCP spoofed reset denial of serviceVulnerabilities in TCP20040403-01-A20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Productshttp://www.juniper.net/support/alert.htmlNetBSD-SA2004-006MS05-019SCOSA-2005.3SCOSA-2005.9SCOSA-2005.14VU#415294http://www.uniras.gov.uk/vuls/2004/236929/index.htm20040425 Perl code exploting TCP not checking RST ACK.40301144011458OVAL4791OVAL2689OVAL3508SSRT4696MS06-064ADV-2006-398322341HPSBST02161oval:org.mitre.oval:def:4791oval:org.mitre.oval:def:2689oval:org.mitre.oval:def:3508oval:org.mitre.oval:def:270Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, with unknown impact, related to "Insecure temporary file and directory creations." Gentoo Linux Security AdvisoryMidnight Commander creates insecure filesDSA-497-1 mc -- several vulnerabilitiesMidnight Commander Multiple Unspecified VulnerabilitiesMDKSA-2004:039SuSE-SA:2004:012RHSA-2004:172MDKSA-2004:039Multiple format string vulnerabilities in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code.Midnight Commander Multiple Unspecified VulnerabilitiesMidnight Commander format stringUpdated mc packages fix vulnerabilitiesDSA-497SuSE-SA:2004:012RHSA-2004:172GLSA-200405-21MDKSA-2004:039Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.UTempter Multiple Local VulnerabilitiesUtempter symlink attackUpdated utempter package fixes vulnerabilityMDKSA-2004:031RHSA-2004:175GLSA-200405-05OVAL979SSA:2004-110oval:org.mitre.oval:def:979MDKSA-2004:031Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.Multiple LHA Buffer Overflow/Directory Traversal VulnerabilitiesLHA multiple buffer overflows[Ulf Harnhammar]: LHA Advisory + Patch20040501 LHa buffer overflows and directory traversal problems20040502 Lha local stack overflow Proof Of Concept CodeDSA-515FLSA:1833RHSA-2004:178RHSA-2004:179GLSA-200405-02FEDORA-2004-119OVAL977CLA-2004:84020060403 Barracuda LHA archiver security bug leads to remote compromiseADV-2006-122057535754101586619514oval:org.mitre.oval:def:977Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").Multiple LHA Buffer Overflow/Directory Traversal VulnerabilitiesLHA directory traversal[Ulf Harnhammar]: LHA Advisory + Patch20040501 LHa buffer overflows and directory traversal problemsDSA-515FLSA:1833RHSA-2004:178RHSA-2004:179GLSA-200405-02FEDORA-2004-119OVAL978CLA-2004:840oval:org.mitre.oval:def:978SQL injection vulnerability in login.asp in thePHOTOtool allows remote attackers to gain unauthorized access via the password field.SteelID thePhotoTool Login.ASP SQL Injection VulnerabilitythePHOTOtool login.asp script SQL injectionthePHOTOtool SQL Injection VulnerabilityDirectory traversal vulnerability in index.php in Aprox PHP Portal allows remote attackers to read arbitrary files via a full pathname in the show parameter.Aprox Portal File Disclosure VulnerabilityAprox Portal File Disclosure Vulnerability Directory Traversal in Aprox PHP Portal.108591008915Multiple buffer overflows in Overkill (0verkill) 0.15pre3 might allow local users to execute arbitrary code in the client via a long HOME environment variable in the (1) load_cfg and (2) save_cfg functions; possibly allow remote attackers to execute arbitrary code via long strings to (3) the send_message function; and, in the server, via (4) the parse_command_line function.0verkill Game Client Multiple Local Buffer Overflow VulnerabilitiesOverkill client has multiple buffer overflows0verkill - little simple vulnerability.20040202 0verkill - little simple vulnerability.http://www.securiteam.com/securitynews/5AP010KC0C.htmloverkill-server-parsecommandline-bo(15000)SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable.All Enthusiast Photopost PHP Pro SQL Injection VulnerabilityPhotoPost PHP Pro SQL injectionhttp://www.securiteam.com/securitynews/5KP010UC0W.html20040202 ZH2004-03SA (security advisory): Photopost PHP Pro 4.6 SqlDirectory traversal vulnerability in X-Cart 3.4.3 allows remote attackers to view arbitrary files via a .. (dot dot) in the shop_closed_file argument to auth.php.X-Cart "dot dot" directory traversal X-Cart vulnerabilityX-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php.Qualiteam X-Cart Remote Command Execution VulnerabilityX-Cart perl_binary variable command execution X-Cart vulnerabilityX-Cart 3.4.3 allows remote attackers to gain sensitive information via a mode parameter with (1) phpinfo command or (2) perlinfo command.Qualiteam X-Cart Multiple Remote Information Disclosure VulnerabilitiesX-Cart general.php information disclosureX-Cart vulnerabilityAIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. Re: sqwebmail web login20040206 AIX password enumeration possibleaix-password-enumeration(15172)Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet.Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service VulnerabilityCisco 6000, 6500, and 7600 series systems frame containing a packet denial of serviceCisco Security Advisory: Cisco 6000/6500/7600 Crafted Layer 2 Frame VulnerabilityVU#81006210780Web Crossing 4.x and 5.x allows remote attackers to cause a denial of service (crash) by sending a HTTP POST request with a large or negative Content-Length, which causes an integer divide-by-zero.Web Crossing Web Server Component Remote Denial Of Service VulnerabilityWeb Crossing 4.x/5.x Denial of Service Vulnerability9576webcrossing-contentlength-post-dos(15022)Multiple PHP remote file inclusion vulnerabilities in (1) fonctions.lib.php, (2) derniers_commentaires.php, and (3) admin.php in Les Commentaires 2.0 allow remote attackers to execute arbitrary PHP code via the rep parameter.Laurent Adda Les Commentaires PHP Script Multiple Module File Include VulnerabilityLes Commentaires multiple PHP file include Les Commentaires (PHP) Include file10768The client and server of Chaser 1.50 and earlier allow remote attackers to cause a denial of service (crash via exception) via a UDP packet with a length field that is greater than the actual data length, which causes Chaser to read unexpected memory.Cauldron Chaser Remote Denial Of Service VulnerabilityChaser memory denial of serviceRemote crash of Chaser game <= 1.50Cross-site scripting vulnerability (XSS) in PHPX 3.2.3 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into (1) keywords argument of main.inc.php, (2) body argument of help.inc.php, or (3) the subject field in Personal Messages and Forum.This vulnerability is addressed in the following product release: PHPX, PHPX, 3.2.4PHPX Multiple VulnerabilitiesPHPX subject HTML injectionPHPX main.inc.php and help.inc.php cross-site scriptingMultiple Vulnerabilities in PHPX10797PHPX 2.0 through 3.2.4 allows remote attackers to gain access to other accounts by modifying the cookie's PXL variable to reference another userID.PHPX Multiple VulnerabilitiesPHPX could allow an attacker to modify cookie to hijack another user's account Multiple Vulnerabilities in PHPX20040316 PHPX 2.x - 3.2.410797phpx-session-hijack(15512)SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php.All Enthusiast Photopost PHP Pro SQL Injection VulnerabilityPhotoPost PHP Pro SQL injectionZH2004-04SA (security advisory): Multiple Sql Injectionhttp://www.zone-h.org/en/advisories/read/id=3864/Cross-site scripting (XSS) vulnerability in rxgoogle.cgi allows remote attackers to execute arbitrary script as other users via the query parameter.RXGoogle.CGI Cross Site Scripting VulnerabilityRxGoogle query cross-site scripting rxgoogle.cgi XSS Vulnerability.TYPSoft FTP Server 1.10 allows remote attackers to cause a denial of service (CPU consumption) via an empty USER name.TYPSoft FTP Server Remote Denial Of Service VulnerabilityTYPSoft FTP Server empty username denial of service TYPSoft FTP Server 1.10 may be crashed1008943IBM Cloudscape 5.1 running jdk 1.4.2_03 allows remote attackers to execute arbitrary programs or cause a denial of service via certain SQL code, possibly due to a SQL injection vulnerability.IBM Cloudscape Database Remote Command Execution VulnerabilityIBM Cloudscape SQL injectionIBM cloudscape SQL Database (DB2J) vulnerable to remote commandCross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x allows remote attackers to execute arbitrary script as other users via an img tag.Crossday Discuz! Cross Site Scripting VulnerabilityDiscuz! Board image tag cross-site scriptingPossible Cross Site Scripting in Discuz! BoardXlight 1.52, with log to screen enabled, allows remote attackers to cause a denial of service by requesting a long directory consisting of . (dot) and / (slash) characters, which causes the server to crash when the administrator views the log file, possibly triggering a buffer overflow.XLight FTP Server Long Directory Request Remote Denial Of Service VulnerabilityXlight ftp server long string denial of serviceRemote crash Xlight ftp server 1.52GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.GNU LibTool Local Insecure Temporary Directory Creation VulnerabilityGNU Libtool creates insecure temporary directory20040130 Symlink Vulnerability in GNU libtool <1.5.2CLA-2004:811379510777OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a denial of service (crash) by sending an IPv6 packet with a small MTU to a listening port and then issuing a TCP connect to that port.http://www.guninski.com/obsdmtu.htmlhttp://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.cBSD ICMPV6 Handling Routines Remote Denial Of Service VulnerabilityOpenBSD IPv6 packet denial of serviceOpenBSD IPv6 remote kernel crash20040204 Remote openbsd crash with ip6, yet still openbsd much better than windowsNetBSD-SA2004-0023825Multiple buffer overflows in RealOne Player, RealOne Player 2.0, RealOne Enterprise Desktop, and RealPlayer Enterprise allow remote attackers to execute arbitrary code via malformed (1) .RP, (2) .RT, (3) .RAM, (4) .RPM or (5) .SMIL files.Multiple RealPlayer/RealOne Player Supported File Type Buffer Overrun VulnerabilitiesRealOne Player multiple file buffer overflows Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayerMultiple Real media players vulnerable to buffer overflow when parsing crafted media files20040204 [VulnWatch] Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer20040204 Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayerhttp://www.nextgenss.com/advisories/realone.txthttp://www.service.real.com/help/faq/security/040123_player/EN/O-075The check_referer() function in Formmail.php 5.0 and earlier allows remote attackers to bypass access restrictions via an empty or spoofed HTTP Referer, as demonstrated using an application on the same web server that contains a cross-site scripting (XSS) issue.Joe Lumbroso Jack&#39;s Formmail.php Unauthorized Remote File Upload VulnerabilityJack's FormMail.php PHP file uploadformmail (PHP) Upload file using CSSThe AddToMailingList function in CactuSoft CactuShop 5.0 Lite contains a backdoor that allows remote attackers to delete arbitrary files via an email address that starts with |||.Cactusoft CactuShop Lite Remote Arbitrary File Deletion Backdoor VulnerabilityCactuShop Lite contains a backdoor CactuSoft CactuShop 5.0 Lite shopping cart software backdoor20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdooroj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to bypass authentication and access the control panel via a 0 in the uid parameter.http://www.grohol.com/downloads/oj/latest/changelog.txtOpenJournal Authentication Bypassing VulnerabilityOpenJournal uid could allow an attacker administrative accessOpen Journal Blog Authenticaion Bypassing Vulnerability3872Stack-based buffer overflow in The Palace 3.5 and earlier client allows remote attackers to execute arbitrary code via a link to a palace:// url followed by a long server address string.The Palace Graphical Chat Client Remote Buffer Overflow VulnerabilityPalace long server address buffer overflowThe Palace 3.x (Client) Stack Overflow Vulnerabilityhttp://www.elitehaven.net/thepalace.txt20040207 The Palace 3.x (Client) Stack Overflow VulnerabilityPHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information.Apache mod_php Global Variables Information Disclosure WeaknessPHP virtual host information disclosurePHP setting leaks from .htaccess files on virtual hostsGLSA-200402-013878palmhttpd for PalmOS allows remote attackers to cause a denial of service (crash) by establishing two simultaneous HTTP connections, which exceeds the PalmOS accept queue.Shaun2k2 Palmhttpd Server Remote Denial of Service Vulnerabilitypalmhttpd accept function buffer overflowPalmOS httpd accept() queue overflow DoS vulnerability.Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules.PHP-Nuke 'News' Module Cross-Site Scripting VulnerabilityPHP-Nuke News and Reviews modules cross-site scripting[waraxe-2004-SA#002] - Cross-Site Scripting (XSS) in Php-Nuke 7.1.0PHP-Nuke 'Reviews' Module Cross-Site Scripting VulnerabilitySQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers obtain the administrator password via the c_mid parameter.PHP-Nuke Public Message SQL Injection VulnerabilityPHP-Nuke public message feature SQL injection[waraxe-2004-SA#003] - SQL injection in Php-Nuke 7.1.0The (1) inoregupdate, (2) uniftest, or (3) unimove scripts in eTrust InoculateIT for Linux 6.0 allow local users to overwrite arbitrary files via a symlink attack on files in /tmp.Computer Associates eTrust InoculateIT For Linux VulnerabilitieseTrust InoculateIT for Linux symlink attack[local problems] eTrust Virus Protection 6.0 InoculateIT for linuxhttp://www.excluded.org/advisories/advisory10.txt47354855485610833Multiple buffer overflows in EvolutionX 3921 and 3935 allow remote attackers to cause a denial of service (hang) via (1) a long cd command to the FTP server, or (2) a long dir command to the telnet server.EvolutionX Multiple Remote Buffer Overflow VulnerabilitiesEvolutionX command line denial of service20040210 XBOX EvolutionX ftp cd command and telnet dir buffer overflow20040210 XBOX EvolutionX ftp 'cd' command and telnet 'dir' buffer overflowSQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module.PHPNuke Category Parameter SQL Injection VulnerabilityPHP-Nuke Search and Web_links modules SQL injection [SCAN Associates Sdn Bhd Security Advisory] PHPNuke 6.9 > and below SQL Injection in multiple modulehttp://www.scan-associates.net/papers/phpnuke69.txtlibclamav in Clam AntiVirus 0.65 allows remote attackers to cause a denial of service (crash) via a uuencoded e-mail message with an invalid line length (e.g., a lowercase character), which causes an assert error in clamd that terminates the calling program.http://www.freebsd.org/cgi/query-pr.cgi?pr=62586ClamAV Daemon Malformed UUEncoded Message Denial Of Service VulnerabilityClam AntiVirus uuencoded message denial of serviceClam Antivirus DoS vulnerability clamav 0.65 remote DOS exploit3894Multiple cross-site scripting vulnerabilities (XSS) in MaxWebPortal allow remote attackers to execute arbitrary web script as other users via (1) the sub_name parameter of dl_showall.asp, (2) the SendTo parameter in Personal Messages, (3) the HTTP_REFERER for down.asp, or (4) the image name of an Avatar in the register form.This vulnerability is addressed in the following product release: MaxWebPortal, MaxWebPortal, 1.32MaxWebPortal Multiple Input Validation VulnerabilitiesMaxWebPortal register form cross-site scripting XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortalmaxwebportal-multiple-xss(15120)SQL injection vulnerability in MaxWebPortal allows remote attackers to inject arbitrary SQL code and gain sensitive information via the SendTo parameter in Personal Messages.MaxWebPortal Multiple Input Validation VulnerabilitiesMaxWebPortal Personal Messages SQL injection XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortalDirectory traversal vulnerability in RealOne Player, RealOne Player 2.0, and RealOne Enterprise Desktop allows remote attackers to upload arbitrary files via an RMP file that contains .. (dot dot) sequences in a .rjs skin file.Directory traversal in RealPlayer allows code executionRealPlayer/RealOne Player RMP Skin File Handler Directory Traversal VulnerabilityRealNetworks, Inc. Releases Update to Address Security Vulnerabilities.VU#514734realoneplayer-rmp-directory-traversal(15123)Share.mod in Eggheads Eggdrop IRC bot 1.6.10 through 1.6.15 can mistakenly assign STAT_OFFERED status to a bot that is not a sharebot, which allows remote attackers to use STAT_OFFERED to promote a bot to a sharebot and conduct unauthorized activities.http://mogan.nonsoloirc.com/egg_advisory.txtEggdrop Share Module Arbitrary Share Bot Add VulnerabilityEggdrop share.mod module allows unauthorized access Eggrop bugRe: Eggrop bug3928SQL injection vulnerability in calendar_download.php in BosDates 3.2 and earlier allows remote attackers to obtain sensitive information and gain access via the calendar parameter.BosDev BosDates SQL Injection VulnerabilityBosDates calendar SQL injectionZH2004-05SA (security advisory): Sql Injection Vulnerability inhttp://www.zone-h.org/en/advisories/read/id=3925/The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field.http://monkeyd.sourceforge.net/Monkey HTTP Daemon Missing Host Field Denial Of Service VulnerabilityMonkey httpd get_real_string denial of serviceDenial of Service in Monkey httpd <= 0.8.13921Format string vulnerability in Dream FTP 1.02 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the username.BolinTech Dream FTP Server User Name Format String VulnerabilityDream FTP Server username format string20040207 DreamFTP Server 1.02 Buffer Overflowhttp://www.security-protocols.com/modules.php?name=News&file=article&sid=172220040211 Re: [Full-Disclosure] DreamFTP Server 1.02 Buffer OverflowRatbag game engine, as used in products such as Dirt Track Racing, Leadfoot, and World of Outlaws Spring Cars, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet that specifies the length of data to read and then sends a second TCP packet that contains less data than specified, which causes Ratbag to repeatedly check the socket for more data.Ratbag Game Engine Denial of Service VulnerabilityRatbag data length denial of serviceDenial of Service in Ratbag's game engineAIM Sniff (aimSniff.pl) 0.9b allows local users to overwrite arbitrary files via a symlink attack on /tmp/AS.log.AIM Sniff Temporary File Symlink Attack VulnerabilityAIM Sniff symlink attackaimSniff.pl file "deletion" (local)Caucho Technology Resin 2.1.12 allows remote attackers to view JSP source via an HTTP request to a .jsp file that ends in a "%20" (encoded space character), e.g. index.jsp%20.Caucho Technology Resin Source Code Disclosure VulnerabilityResin index.jsp information disclosure Apache Http Server Reveals Script Source Code to Remote Users AndCaucho Technology Resin 2.1.12 allows remote attackers to gain sensitive information and view the contents of the /WEB-INF/ directory via an HTTP request for "WEB-INF..", which is equivalent to "WEB-INF" in Windows.Caucho Technology Resin Directory Listings Disclosure VulnerabilityResin "dot dot" directory traversal Apache Http Server Reveals Script Source Code to Remote Users AndCrob FTP daemon 3.5.2 allows remote attackers to cause a denial of service (crash) by repeatedly connecting to and disconnecting from the server.Crob FTP Server Remote Denial Of Service VulnerabilityCrob FTP Server multiple connections denial of service crob ftpd Denial of Service662110882Mailmgr 1.2.3 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/mailmgr.unsort, (2) /tmp/mailmgr.tmp, or (3) /tmp/mailmgr.sort.Mailmgr Insecure Temporary File Creation VulnerabilitiesMailmgr insecure temporary directorySymlink vulnerabilities in mailmgrMicrosoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow remote attackers to cause a denial of service (CPU consumption), if "Do not save encrypted pages to disk" is disabled, via a web site or HTML e-mail that contains two null characters (%00) after the host name.Microsoft Internet Explorer Double-Null URI Denial Of Service VulnerabilityMicrosoft Internet Explorer and Outlook null character in host name denial of serviceASPR #2004-01-20-1: Internet Explorer/Outlook double null character DoSPHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter.Voice Of Web AllMyPHP Remote File Include VulnerabilitiesAllMyLinks PHP file includeAllMyLinks PHP Code Injection vulnerabilityAllMyGuests PHP file includeallmyvisitors-file-include(15228)20040214 AllMyVisitors PHP Code Injection vulnerability20040214 AllMyGuests PHP Code Injection vulnerability6721Buffer overflow in RobotFTP 1.0 and 2.0 beta 1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long username.RobotFTP Server Username Buffer Overflow VulnerabilityRobot FTP Server username buffer overflowbuffer overflow in Robot FTP ServerXlight FTP server 1.52 allows remote authenticated users to cause a denial of service (crash) via a RETR command with a long argument containing a large number of / (slash) characters, possibly triggering a buffer overflow.XLight FTP Server Remote Denial Of Service VulnerabilityXlight ftp RETR denial of serviceXlight ftp server 1.52 RETR bug9668Buffer overflow in the UdmDocToTextBuf function in mnoGoSearch 3.2.13 through 3.2.15 could allow remote attackers to execute arbitrary code by indexing a large document.mnoGoSearch UdmDocToTextBuf Buffer Overflow VulnerabilitymnoGoSearch UdmDocToTextBuf function buffer overflowBuffer overflow in mnoGoSearchBuffer overflow in sdbscan in SignatureDB 0.1.1 allows local users to cause a denial of service (segmentation fault) via a database file that contains a large key parameter.Paul Daniels SignatureDB sdbscan Local Buffer Overflow VulnerabilitySignatureDB sdbscan buffer overflowproblems with database files in 'SignatureDB'Buffer overflow in Purge Jihad 2.0.1 and earlier allows remote game servers to execute arbitrary code via an information packet that contains large (1) battle type and (2) map name fields.Freeform Interactive Purge/Purge Jihad Game Client Remote Buffer Overflow VulnerabilityPurge and Purge Jihad battle type and map name buffer overflowBroadcast client buffer-overflow in Purge Jihad <= 2.0.1http://purge.worthplaying.com/phpbb/viewtopic.php?t=1167SQL injection vulnerability in post.php for YaBB SE 1.5.4 and 1.5.5 allows remote attackers to obtain hashed passwords via the quote parameter.YABB SE Quote Parameter SQL Injection VulnerabilityYaBB SE post.php SQL injection20040216 Another YabbSE SQL InjectionBuffer overflow in KarjaSoft Sami HTTP Server 1.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request.KarjaSoft Sami HTTP Server GET Request Buffer Overflow VulnerabilitySami HTTP Server HTTP GET request buffer overflowKarjaSoft Sami HTTP Server 1.0.4 Buffer OverflowDirectory traversal vulnerability in ShopCartCGI 2.3 allows remote attackers to retrieve arbitrary files via a .. (dot dot) in a HTTP request to (1) gotopage.cgi or (2) genindexpage.cgi.ShopCartCGI Remote File Disclosure VulnerabilityShopCartCGI "dot dot" directory traversalZH2004-06SA (security advisory): ShopCartCGI v2.3 Remotehttp://www.zone-h.org/en/advisories/read/id=3962/YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack.YaBB Information Leakage WeaknessYABB invalid messages allow attacker to obtain username and password20040217 YABB information leakage on failed loginTsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a denial of service (CPU consumption) via an open idle connection.TransSoft Broker FTP Server Denial of Service VulnerabilitiesBroker FTP Server TsFtpSrv.exe denial of serviceBroker FTP DoS (Message Server)=?iso-8859-1?q?=0A?=http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.htmlTsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a TsFtpSrv.exe to exit with an exception by opening and immediately closing a connection.TransSoft Broker FTP Server 6.1 .0.0Broker FTP Server denial of serviceBroker FTP DoS (Message Server)=?iso-8859-1?q?=0A?=http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.htmlBuffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length.http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.htmlIpswitch IMail Server Remote LDAP Daemon Buffer Overflow VulnerabilityIpswitch IMail LDAP daemon large tag buffer overflowIMail Server LDAP daemon buffer overflow iDEFENSE Security Advisory 02.17.04: Ipswitch IMail LDAP Daemon Remote Buffer Overflow20040217 Ipswitch IMail LDAP Daemon Remote Buffer Overflow3984CesarFTP 0.99e allows remote attackers to cause a denial of service (CPU consumption) via a long RETR parameter.ACLogic CesarFTP Remote Resource Exhaustion VulnerabilityCesarFTP user:pass command denial of serviceCesarFTP 0.99 : 100% employment of computer resourcesBuffer overflow in smallftpd 0.99 allows local users to cause a denial of service (crash) via an FTP request with a large number of "/" (slash) characters.SmallFTPD Remote Denial Of Service VulnerabilitySmall ftpd forward slash in request denial of serviceSmallftpd 1.0.3 DoSSQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_brand.php, or (4) the id parameter in listing.php.Ecommerce Corporation Online Store Kit More.PHP Multiple VulnerabilitiesEcommerce Corporation Online Store Kit Multiple SQL Injection VulnerabilitiesOnline Store Kit more.php SQL injectionZH2004-07SA (security advisory): Multiple Sql injectionhttp://www.zone-h.org/en/advisories/read/id=3972/http://www.systemsecure.org/advisories/ssadvisory16022004.php1090239731009092Cross-site scripting (XSS) vulnerability in more.php for Online Store Kit 3.0 allows remote attackers to inject arbitrary HTML via the id parameter.Ecommerce Corporation Online Store Kit More.PHP Multiple VulnerabilitiesOnline Store Kit more.php cross-site scriptinghttp://www.systemsecure.org/advisories/ssadvisory16022004.php1009079Directory traversal vulnerability in OWLS 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the (1) file parameter in index.php, (2) editfile in glossary.php, or (3) editfile in newmultiplechoice.php.Owl&#39;s Workshop Multiple Remote File Disclosure VulnerabilitiesOWLS file retrievalZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary fileshttp://www.zone-h.org/en/advisories/read/id=3973/OWLS 1.0 allows remote attackers to retrieve arbitrary files via absolute pathnames in (1) the file parameter in /glossaries/index.php, (2) the filename parameter in /readings/index.php, or (3) the filename parameter in /multiplechoice/resultsignore.php, as demonstrated using /etc/passwd.Owl&#39;s Workshop Multiple Remote File Disclosure VulnerabilitiesOWLS file retrieval ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary fileshttp://www.zone-h.org/en/advisories/read/id=3973/SQL injection vulnerability in browse_items.asp in WebCortex WebStores 2000 6.0 allows remote attackers to gain unauthorized access and execute arbitrary commands via the Search_Text parameter.WebCortex WebStores2000 SQL Injection VulnerabilityWebStores 2000 browse_items.asp SQL injectionWebCortex Webstores2000 version 6.0 multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040218.txtCross-site scripting (XSS) vulnerability in error.asp in WebCortex WebStores 2000 6.0 allows remote attackers to execute arbitrary script as other users and steal session IDs via the Message_id parameter.WebCortex WebStores2000 Error.ASP Cross-Site Scripting VulnerabilityWebStores 2000 error.asp cross-site scriptingWebCortex Webstores2000 version 6.0 multiple security vulnerabilitiesCisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service on UDP port 69 by default, which allows remote attackers to GET or PUT ONS system files on the current active TCC in the /flash0 or /flash1 directories.Cisco ONS Platform VulnerabilitiesCisco ONS multiple devices could allow file upload and retrievalCisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 VulnerabilitiesCisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SD before 4.1(3) allows remote attackers to cause a denial of service (reset) by not sending the ACK portion of the TCP three-way handshake and sending an invalid response instead.Cisco ONS Platform VulnerabilitiesCisco ONS multiple devices ACK denial of serviceCisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities4009Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS15600 before 1.3(0) allows a superuser whose account is locked out, disabled, or suspended to gain unauthorized access via a Telnet connection to the VxWorks shell.Cisco ONS Platform VulnerabilitiesCisco ONS multiple devices allow unauthorized accessCisco Security Advisory: Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities4010Stack-based buffer overflow in the SMTP service support in vsmon.exe in Zone Labs ZoneAlarm before 4.5.538.001, ZoneLabs Integrity client 4.0 before 4.0.146.046, and 4.5 before 4.5.085, allows remote attackers to execute arbitrary code via a long RCPT TO argument.http://download.zonelabs.com/bin/free/securityAlert/8.htmlZone Labs ZoneAlarm SMTP Remote Buffer Overflow VulnerabilityZone Labs desktop security products fail to properly validate RCPT TO command argumentEEYE: ZoneLabs SMTP Processing Buffer OverflowZoneAlarm multiple products buffer overflowO-0843991Cross-site scripting (XSS) vulnerability in LiveJournal 1.0 and 1.1 allows remote attackers to execute Javascript as other users via the stylesheet, which does not strip the semicolon or parentheses, as demonstrated using a background:url.LiveJournal HTML Injection VulnerabilityLiveJournal URL cross-site scripting LiveJournal XSSAmerican Power Conversion (APC) Web/SNMP Management SmartSlot Card 3.0 through 3.0.3 and 3.21 are shipped with a default password of TENmanUFactOryPOWER, which allows remote attackers to gain unauthorized access.APC SmartSlot Web/SNMP Management Card Default Password VulnerabilityAPC's Web/SNMP Management SmartSlot Card default passwordhttp://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=3131&p_created=107713912920040216 APC 9606 SmartSlot Web/SNMP management card "backdoor"20040219 Re: Fw: APC 9606 SmartSlot Web/SNMP management card "backdoor"Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP read only community string to gain access to read/write communtiy strings via a query for OID 1.3.6.1.4.1.3955.2.1.13.1.2.Linksys WAP55AG SNMP Community String Insecure Configuration VulnerabilityLinksys WAP55AG SNMP strings disclosureSNMP community string disclosure in Linksys WAP55AGRe: SNMP community string disclosure in Linksys WAP55AGBuffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name.PSOProxy Remote Buffer Overflow VulnerabilityPSOProxy long HTTP GET request buffer overflowRemote Buffer Overflow in PSOProxy 0.91Cross-site scripting (XSS) vulnerability in done.jsp in WebzEdit 1.9 and earlier allows remote attackers to execute arbitrary script as other users via the message parameter.WebzEdit done.jsp cross-site scripting20040221 Cross Site Scripting in WebzEditBuffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080.Avirt Voice HTTP GET Remote Buffer Overrun VulnerabilityRemote Buffer Overflow in Avirt Voice 4.0avirt-voice-get-bo(15288)Buffer overflow in Avirt Soho 4.3 allows remote attackers to cause a denial of service (crash) via (1) a large GET request to port 1080 or (2) a large GET request of % characters to port 8080.Avirt Soho Server HTTP GET Buffer Overrun VulnerabilityAvirt Soho Web Service HTTP GET Buffer Overrun VulnerabilityAvirt SOHO multiple buffer overflowsMultiple Remote Buffer Overflow in Avirt Soho 4.3Buffer overflow in eauth in Load Sharing Facility 4.x, 5.x, and 6.x allows local users or remote attackers within the LSF cluster to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long LSF_From_PC parameter.Platform Load Sharing Facility EAuth Component Buffer Overflow VulnerabilityLoad Sharing Facility eauth component allows code execution Lam3rZ Security Advisory #1/2004: LSF eauth vulnerability leads toLoad Sharing Facility (LSF) 4.x, 5.x, and 6.x uses the LSF_EAUTH_UID environment variable, if it exists, instead of the real UID of the user, which could allow remote attackers within the local cluster to gain privileges.Platform Load Sharing Facility EAuth Privilege Escalation VulnerabilityLoad Sharing Facility eauth component could allow attacker to hijack other user's process Lam3rZ Security Advisory #2/2004: LSF eauth vulnerability leads toCross-site scripting (XSS) vulnerability in the font tag in ezBoard 7.3u allows remote attackers to execute arbitrary script as other users, as demonstrated using the background:url in a (1) font color or (2) font face argument.EZBoard Font Tag HTML Injection Vulnerabilityezboard font tag cross-site scriptingezBoard Cross Site Scripting VulnerabilityUnknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands.nCipher Hardware Security Module Firmware Secrets Disclosure VulnerabilitynCipher HSM information disclosurenCipher Advisory #9: Host-side attackers can access secret data4055Team Factor 1.25 and earlier allows remote attackers to cause a denial of service (crash) via a packet that uses a negative number to specify the size of the data block that follows, which causes Team Factor to read unallocated memory.Singularity Software Team Factor Integer Handling Memory Corruption VulnerabilityTeam Factor packet denial of serviceRemote server crash in Team Factor <= 1.25http://www.zone-h.org/advisories/read/id=4006Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to execute arbitrary script as other users via the (1) member parameter in member.php, (2) uid parameter in u2uadmin.php, (3) user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) img tag where bbcode is allowed.20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2xmb-multiple-scripts-xss(15292)972620040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2http://www.xmbforum.com/community/boards/viewthread.php?tid=746859xmb-bbcode-execute-code(15294)Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to inject arbitrary SQL and gain privileges via the (1) ppp parameter in viewthread.php, (2) desc parameter in misc.php, (3) tpp parameter in forumdisplay.php, (4) ascdesc parameter in forumdisplay.php, or (5) the addon parameter in stats.php. NOTE: it has also been shown that item (3) is also in XMB 1.9 beta.20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8xmb-multiple-sql-injection(15295)972620040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2http://www.xmbforum.com/community/boards/viewthread.php?tid=74685920040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta]Confirm 0.62 and earlier could allow remote attackers to execute arbitrary code via an e-mail header that contains shell metacharacters such as ", `, |, ;, or $.20040223 Lam3rZ Security Advisory #3/2004: A bug in Confirm leads to remote command executionconfirm-header-gain-access(15290)9728TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (CPU consumption) via "//../" arguments to (1) mkd, (2) xmkd, (3) dele, (4) size, (5) retr, (6) stor, (7) appe, (8) rnfr, (9) rnto, (10) rmd, or (11) xrmd, as demonstrated using "//../qwerty".20040223 TYPSoft FTP Server 1.10 multiple vulnerabilities9702typsoft-ftp-command-dos(15306)Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request.Proxy-Pro Professional GateKeeper Web Proxy Buffer Overrun VulnerabilityProxy-Pro GateKeeper Pro long HTTP GET buffer overflowGateKeeper Pro 4.7 buffer overflowGateKeeper Pro 4.7 buffer overflow20040222 GateKeeper Pro 4.7 buffer overflowDirectory traversal vulnerability in functions.php in PhpNewsManager 1.46 allows remote attackers to retrieve arbitrary files via .. (dot dot) sequences in the clang parameter.phpNewsManager Functions Script File Disclosure VulnerabilityPhpNewsManager "dot dot" directory traversalZH2004-09SA (security advisory): PhpNewsManager Remote arbitraryhttp://www.zone-h.org/advisories/read/id=4024Gigabyte Gn-B46B 2.4Ghz wireless broadband router firmware 1.003.00 allows local users on the same local network as the router to bypass authentication by using a copy of the router's html menu on a separate system.Gigabyte Gn-B46B Wireless Router Authentication Bypass VulnerabilityGigabyte Technology GN-B46B router allows authentication to be bypassedGigabyte Broadband Router - Multiple VulnerabilitiesFreeChat 1.1.1a allows remote attackers to cause a denial of service (crash) via certain unexpected strings, as demonstrated using "aaaaa".FreeChat Remote Denial Of Service VulnerabilityFreeChat string denial of serviceDenial Of Service in FreeChat 1.1.1aBuffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command.RhinoSoft Serv-U FTP Server MDTM Command Time Argument Buffer Overflow VulnerabilityServ-U MDTM buffer overflow [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerabilityhttp://www.cnhonker.com/advisory/serv-u.mdtm.txtHeap-based buffer overflow in Dell OpenManage Web Server 3.4.0 allows remote attackers to cause a denial of service (crash) via a HTTP POST with a long application variable.Dell OpenManage Web Server POST Request Heap Overflow VulnerabilityDell OpenManage Web Server OCSGetOEMINIPathFile function buffer overflowDell OpenManage Web Server Heap Overflow (Pre-Auth)http://sh0dan.org/files/domadv.txtExtremail 1.5.9 does not check passwords correctly when they are all digits or begin with a digit, which allows remote attackers to gain privileges.eXtremail Authentication Bypass VulnerabilityeXtremail all digit password allows unauthorized access Extremail Security ProblemBuffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters.This was fixed in WinZip 8.1 SR-2 in March of 2004. You can find more information on the subject on the following pages of the winzip site: http://www.winzip.com/wz81sr2.htm http://www.winzip.com/fmwz90.htmUUDeview MIME Archive Buffer Overrun VulnerabilityWinZip UUDeview package MIME buffer overflowWinZip vulnerable to buffer overflow in handling of MIME archive parametersiDEFENSE Security Advisory 02.27.04a: WinZip MIME Parsing Bufferhttp://www.winzip.com/fmwz90.htmO-092http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html41191099511019uudeview-multiple-bo(15490)20040227 WinZip MIME Parsing Buffer Overflow VulnerabilityInnoMedia VideoPhone allows remote attackers to bypass Basic Authorization via an HTTP request to (1) videophone_admindetail.asp, (2) videophone_syscfg.asp, (3) videophone_upgrade.asp, or (4) videophone_sysctrl.asp that contains a trailing / (slash). NOTE: the original report mentioned AXIS 2100 Network Camera, but this was likely a cut-and-paste error.Axis Network Camera HTTP Authentication Bypass Vulnerability20040227 InnoMedia VideoPhone Authorization Bypass48091009522InnoMedia-videophone-bypass-authentication(15636)LAN SUITE Web Mail 602Pro, when configured to use the "Directory browsing" feature, allows remote attackers to obtain a directory listing via an HTTP request to (1) index.html, (2) cgi-bin/, or (3) users/.602Pro LAN SUITE could disclose directory listing20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities978020040228 LAN SUITE Web Mail 602Pro Multiple VulnerabilitiesLAN SUITE Web Mail 602Pro allows remote attackers to gain sensitive information via the mail login form, which contains the path to the mail directory.Software602 602Pro LAN Suite Web Mail Installation Path Disclosure Vulnerability602Pro LAN SUITE path disclosure LAN SUITE Web Mail 602Pro Multiple Vulnerabilities20040310 Re: LAN SUITE Web Mail 602Pro Multiple VulnerabilitiesCross-site scripting (XSS) vulnerability in LAN SUITE Web Mail 602Pro allows remote attackers to execute arbitrary script or HTML as other users via a URL to index.html, followed by a / (slash) and the desired script. NOTE: the vendor states that this bug could not be reproduced, so this issue may be REJECTed in the future.Software602 602Pro LAN Suite Web Mail Cross-Site Scripting Vulnerability602Pro LAN SUITE index.html cross-site scripting20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities20040228 LAN SUITE Web Mail 602Pro Multiple VulnerabilitiesSQL injection vulnerability in search.php for Invision Board Forum allows remote attackers to execute arbitrary SQL queries via the st parameter.Invision Power Board search.php SQL injectionInvision Power Board SQL injection!9766Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execute arbitrary script or HTML as other users via the postorder parameter.This vulnerability is addressed in the following product release: phpBB Group, phpBB, 2.0.7phpBB viewtopic.php script allows cross-site scriptingNew phpBB ViewTopic.php Cross Site Scripting Vulnerability9765Stack-based buffer overflow in WFTPD Pro Server 3.21 Release 1, Pro Server 3.20 Release 2, Server 3.21 Release 1, and Server 3.10 allows local users to execute arbitrary code via long (1) LIST, (2) NLST, or (3) STAT commands.Multiple WFTPD VulnerabilitiesWFTPD Pro Server and Server FTP commands buffer overflowCritical WFTPD buffer overflow vulnerability11001WFTPD Pro Server 3.21 Release 1 allocates memory for a command until a 0Ah byte (newline) is sent, which allows local users to cause a denial of service (CPU consumption) by continuing to send a long command that does not contain a newline.Multiple WFTPD VulnerabilitiesWFTPD Pro Server long strings without an 0Ah byte causes denial of service Multiple WFTPD Denial of Service vulnerabilities411511001WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly due to an off-by-one error.Multiple WFTPD VulnerabilitiesWFTPD Pro MKD or XMKD FTP commands can cause denial of service Multiple WFTPD Denial of Service vulnerabilities411611001Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b allow remote attackers to execute arbitrary SQL via (1) the msg parameter in ModifyMessage.php or (2) the postid parameter in ModifyMessage.php.YABB SE Multiple Input Validation VulnerabilitiesYaBB SE multiple modules allow SQL injection20040301 YabbSE (3 on 1)Directory traversal vulnerability in ModifyMessage.php in YaBB SE 1.5.4 through 1.5.5b allows remote attackers to delete arbitrary files via a .. (dot dot) in the attachOld parameter.YABB SE Multiple Input Validation Vulnerabilities20040301 YabbSE (3 on 1)Buffer overflow in Red Faction client 1.20 and earlier allows remote servers to execute arbitrary code via a long server name.Volition Red Faction Game Client Remote Buffer Overflow VulnerabilityRed Faction buffer overflowClients broadcast buffer overflow in Red Faction <= 1.20Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command.ProFTPD _xlate_ascii_write() Buffer Overrun VulnerabilityProFTPD off-by-one _xlate_ascii_write function buffer overflow20040302 The Cult of a Cardinal NumberCross-site scripting (XSS) vulnerability in delhomepage.cgi in NetScreen-SA 5000 Series running firmware 3.3 Patch 1 (build 4797) allows remote authenticated users to execute arbitrary script as other users via the row parameter.NetScreen SA 5000 Series delhomepage.cgi Cross-Site Scripting Vulnerability 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN applianceNetScreen Advisory 58412: XSS Bug in NetScreen-SA SSL VPN20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN applianceVU#114070netscreen-delhomepagecgi-xss(15368)SQL injection vulnerability in viewCart.asp in SpiderSales shopping cart software allows remote attackers to execute arbitrary SQL via the userId parameter.SpiderSales Shopping Cart Multiple VulnerabilitiesSpider Sales userId SQL injectionSpider Sales shopping cart software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040303.txtDirectory traversal vulnerability in GWeb HTTP Server 0.6 allows remote attackers to view arbitrary files via a .. (dot dot) in the URL.GWeb HTTP Server Directory Traversal VulnerabilityGWeb HTTP Server directory traversaldirectory traversal in GWeb 0.6SpiderSales shopping cart does not enforce a minimum length for the private key, which can make it easier for local users to obtain the private key by factoring.SpiderSales Shopping Cart Multiple VulnerabilitiesSpider Sales weak encryptionSpider Sales shopping cart software multiple security vulnerabilities20040303 Spider Sales shopping cart software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040303.txtSpider Sales shopping cart stores the private key in the same database and table as the public key, which allows local users with access to the database to decrypt data.SpiderSales Shopping Cart Multiple VulnerabilitiesSpider Sales weak encryptionSpider Sales shopping cart software multiple security vulnerabilities20040303 Spider Sales shopping cart software multiple security vulnerabilitiesCisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x) before 05.0(04.07)S, and 6.10(x) before 06.10(02.05)S allow remote attackers to cause a denial of service (device reset) via a malformed packet to UDP port 5002.Cisco Content Service Switch Management Port UDP Denial Of Service VulnerabilityCisco CSS switches UDP packet denial of serviceCisco CSS 11000 Series Content Services Switch vulnerable to DoS via malformed UDP packetsCisco Security Advisory: Cisco CSS 11000 Series Content Services Switches Malformed UDP Packet VulnerabilityMultiple buffer overflows in auth_ident() function in auth.c for GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to gain privileges via a long string.GNU Anubis Multiple Remote Buffer Overflow and Format String VulnerabilitiesAnubis IDENT buffer overflowGNU Anubis 3.6.2 remote root exploitGNU Anubis buffer overflows and format string bugs[bug-anubis] 20040228 Important security updateMultiple format string vulnerabilities in GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to execute arbitrary code via format string specifiers in strings passed to (1) the info function in log.c, (2) the anubis_error function in errs.c, or (3) the ssl_error function in ssl.c.GNU Anubis Multiple Remote Buffer Overflow and Format String VulnerabilitiesAnubis format string errorGNU Anubis buffer overflows and format string bugs[bug-anubis] 20040228 Important security updateInvision Power Board 1.3 Final allows remote attackers to gain sensitive information by selecting a file for "Personal Photo" that is not an image file, which displays the installation path in an error message.Invision Power Board Error Message Path Disclosure VulnerabilityInvision Power Board invalid character could disclose pathInvision Power Board 1.3 Final Path Disclosure VulnerabilityStack-based buffer overflow in Supervisor Report Center in SL Mail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version.http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdfhttp://www.nextgenss.com/advisories/slmailsrc.txtSeattle Lab Software SLMail Pro Remote Buffer Overflow VulnerabilitySLMail Pro Supervisor Report Center stack-based buffer overflowSLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a)Stack-based buffer overflows in SL Mail Pro 2.0.9 allow remote attackers to execute arbitrary code via (1) user.dll, (2) loadpageadmin.dll or (3) loadpageuser.dll.Seattle Lab Software SLWebMail Multiple Buffer Overflow VulnerabilitiesSLMail Pro SLWebmail buffer overflowsSLWebMail Multiple Buffer Overflow Vulnerabilities (#NISR05022004b)http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdfhttp://www.nextgenss.com/advisories/slmailwm.txtCross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php.VirtuaSystems VirtuaNews Multiple Module Cross-Site Scripting VulnerabilitiesVirtuaSystems VirtuaNews Admin.PHP Cross-Site Scripting VulnerabilityVirtuaNews Admin Panel multiple cross-site scriptingVirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting Vulnerabillity20040307 RE: VirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting VulnerabillityCross-site scripting (XSS) vulnerability in index.php for Invision Power Board 1.3 final allows remote attackers to execute arbitrary script as other users via the (1) c, (2) f, (3) showtopic, (4) showuser, or (5) username parameters.Invision Power Board Multiple Cross-Site Scripting VulnerabilitiesInvision Power Board cross-site scriptingInvision Power Board v1.3 Final Cross Site Scripting Vulnerabillity415411053Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors.Sun Solaris Unspecified Passwd Local Root Compromise VulnerabilitySolaris passwd(1) allows elevated privilegesSun Solaris passwd command allows for privilege escalationO-088: Sun passwd(1) Command Vulnerability57454O-088The Javascript engine in Safari 1.2 and earlier allows remote attackers to cause a denial of service (segmentation fault) by creating a new Array object with a large size value, then writing into that array.Apple Safari Large JavaScript Array Handling Denial Of Service VulnerabilitySafari Web browser application large array denial of serviceSafari javascript array overflowhttp://www.insecure.ws/article.php?story=2004021918172533Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm.EEYE: Internet Security Systems PAM ICQ Server Response Processing VulnerabilityVulnerability in ICQ Parsing in ISS ProductsInternet Security Systems Protocol Analysis Module (PAM) does not properly handle ICQ server response messagesbid 9913pam-icq-parsing-bo(15442)AD20040318O-104435511073witty-worm-propagation(15543)Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method.Symantec Norton AntiSpam 2004 LaunchCustomRuleWizard buffer overflowNorton AntiSpam Remote Buffer Overrunbid 9916Norton AntiSpam Remote Buffer Overrun (#NISR19042004a)http://www.sarc.com/avcenter/security/Content/2004.03.19.htmlVU#3447181116920040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004bThe WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Security 2004 is marked safe for scripting, which allows remote attackers to execute arbitrary programs via the LaunchURL method.Norton Internet Security LaunchURL command executionNorton Internet Security Remote Command Executionbid 9915Norton Internet Security Remote Command Execution (#NISR19042004b)http://www.sarc.com/avcenter/security/Content/2004.03.19.htmlVU#5490541116820040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004bThe dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference.[Ethereal-dev] ethereal radius dissector vulnerabilityLNSA-#2004-0007: Multiple security problems in Ethereal[ GLSA 200403-07 ] Multiple remote overflows and vulnerabilities in EtherealMultiple remote overflows and vulnerabilities in EtherealEthereal RADIUS packet denial of servicehttp://www.ethereal.com/appnotes/enpa-sa-00013.htmlMDKSA-2004:024RHSA-2004:136RHSA-2004:137VU#124454OVAL879OVAL89111185CLA-2004:83520040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal)oval:org.mitre.oval:def:879oval:org.mitre.oval:def:891MDKSA-2004:024SQL injection vulnerability in the libpam-pgsql library before 0.5.2 allows attackers to execute arbitrary SQL statements.DSA-469-1 pam-pgsql -- missing input sanitisingpam-pgsql authentication module SQL injection1026611237Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector.LNSA-#2004-0007: Multiple security problems in Ethereal[ GLSA 200403-07 ] Multiple remote overflows and vulnerabilities in EtherealDiversas vulnerabilidades remotasEthereal zero-length presentation protocol selector denial of serviceUpdated Ethereal packages fix security issueshttp://www.ethereal.com/appnotes/enpa-sa-00013.html[Ethereal-dev] 20040416 Possibly incorrect CVE entry CAN-2004-0367GLSA-200403-07MDKSA-2004:024RHSA-2004:136VU#792286OVAL880OVAL90511185oval:org.mitre.oval:def:880oval:org.mitre.oval:def:905MDKSA-2004:024Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet.[VulnWatch] how much fun can you have with UDP?[Dailydave] dtlogin advisoryCommon Desktop Environment dtlogin utility double-freeCommon Desktop Environment (CDE) dtlogin XDMCP parser improperly deallocates memoryhttp://www.immunitysec.com/downloads/dtlogin.sxw.pdf20040801-01-PO-129OVAL14361121011214116141149599589958HPSBUX0103857539101478oval:org.mitre.oval:def:1436Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload.20040826 Entrust LibKmp Library Buffer Overflowhttp://securityresponse.symantec.com/avcenter/security/Content/2004.08.26.htmlESB-2004.0538O-20611039isakmp-spi-size-bo(15669)The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic.FreeBSD KAME Project IPv6 implementation denial of serviceFreeBSD-SA-04:06999211233Heimdal 0.6.x before 0.6.1 and 0.5.x before 0.5.3 does not properly perform certain consistency checks for cross-realm requests, which allows remote attackers with control of a realm to impersonate others in the cross-realm trust path.DSA-476-1 heimdal -- cross-realm[ GLSA 200404-09 ] Cross-realm trust vulnerability in HeimdalHeimdal cross-realm spoofingCross-realm trust vulnerability in Heimdalhttp://www.pdc.kth.se/heimdal/advisory/2004-04-01/FreeBSD-SA-04:0820040530 009: SECURITY FIX: May 30, 2004xine allows local users to overwrite arbitrary files via a symlink attack on a bug report email that is generated by the (1) xine-bugreport or (2) xine-check scripts.xine-check/xine-bugreport symlink vulnerability.xine xine-bugreport and xine-check symlink attackbid 9939DSA-477-1 xine-ui -- insecure temporary file creationGLSA-200404-20Interchange before 5.0.1 allows remote attackers to "expose the content of arbitrary variables" and read or modify sensitive SQL information via an HTTP request ending with the "__SQLUSER__" string.DSA-471-1 interchange -- missing input sanitisingInterchange URL could allow an attacker to obtain informationhttp://ftp.icdevgroup.org/interchange/5.0/WHATSNEW1000511234[interchange-announce] 20040329 Security Problem in InterchangeSYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allow remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero.Symantec Client Firewall Products SYMNDIS.SYS Driver Remote Denial Of Service VulnerabilitySymantec Firewalls TCP attack denial of servicehttp://www.symantec.com/avcenter/security/Content/2004.04.20.htmlhttp://www.eeye.com/html/Research/Upcoming/20040309.html10093791009380norton-firewalls-dos(15433)20040423 EEYE: Symantec Multiple Firewall TCP Options Denial of Serviceoftpd 0.3.6 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command with a large value.[ GLSA 200403-08 ] oftpd DoS vulnerabilityDSA-473-1 oftpd -- denial of serviceOFTPD Port Argument Denial Of Service Vulnerabilityoftpd PORT denial of serviceGLSA-200403-08http://www.time-travellers.org/oftpd/oftpd-dos.html11220Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character.[Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Buffer Overflow VulnerabilityPerl and ActivePerl win32_stat buffer overflowPerl vulnerable to buffer overflow in win32_stat()20040405 iDEFENSE Security Advisory 04.05.04: Perl win32_stat Functionhttp://public.activestate.com/cgi-bin/perlbrowse?patch=2255220040405 [Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat FunctionMultiple cross-site scripting (XSS) vulnerabilities in Microsoft SharePoint Portal Server 2001 allow remote attackers to process arbitrary web content and steal cookies via certain server scripts.Multiple XSS vulnerabilities in Microsoft SharePoint Portal ServerMicrosoft SharePoint Portal Server cross-site scriptingThe MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability."Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658)IE ms-its: and mk:@MSITStore: vulnerabilityCumulative Security Update for Outlook Express (837009)Microsoft Outlook Express MHTML URL allows execution of codehttp://www.k-otik.net/bugtraq/02.18.InternetExplorer.phpVU#3230709658OVAL1010OVAL1028OVAL882OVAL990TA04-104A9105oval:org.mitre.oval:def:1010oval:org.mitre.oval:def:1028oval:org.mitre.oval:def:882oval:org.mitre.oval:def:99010523mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack on the failed-mysql-bugreport temporary file.mysqlbug tmpfile/symlink vulnerability[OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql)mysqlbugMySQL mysqlbug script symlink attack20040324 mysqlbug tmpfile/symlink vulnerability.DSA-483GLSA-200405-20MDKSA-2004:034RHSA-2004:569RHSA-2004:59720040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql)P-018MDKSA-2004:034Unknown vulnerability in the CUPS printing system in Mac OS X 10.3.3 and Mac OS X 10.2.8 with unknown impact, possibly related to a configuration file setting.Mac OS X CUPS undisclosed configuration security issuehttp://lists.apple.com/mhonarc/security-announce/msg00047.htmlhttp://docs.info.apple.com/article.html?artnum=61798Unknown vulnerability in Mail for Mac OS X 10.3.3 and 10.2.8, with unknown impact, related to "the handling of HTML-formatted email."Mac OS X undisclosed Mail security issuehttp://lists.apple.com/mhonarc/security-announce/msg00047.htmlhttp://docs.info.apple.com/article.html?artnum=61798Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener. NOTE: due to the vagueness of the Oracle advisory, it is not clear whether there are additional issues besides this overflow, although the advisory alludes to multiple "vulnerabilities."Heap Overflow in Oracle 9iAS / 10g Application Server Web CacheSecurity Alert 66VU#41300620040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache20040316 new security alert #66 issued in Oracle web cache9868oracle-web-cache-vulnerabilities(15463)42491111820040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web CacheBuffer overflow in the HTTP parser for MPlayer 1.0pre3 and earlier, 0.90, and 0.91 allows remote attackers to execute arbitrary code via a long Location header.MPlayer header buffer overflow20040330 Heap overflow in MPlayer20040330 MPlayer Security Advisory #002 - HTTP parsing vulnerabilityhttp://www.mplayerhq.hu/homepage/design6/news.htmlGLSA-200403-13VU#7239101000811259MDKSA-2004:026Stack-based buffer overflow in the RT3 plugin, as used in RealPlayer 8, RealOne Player, RealOne Player 10 beta, and RealOne Player Enterprise, allows remote attackers to execute arbitrary code via a malformed .R3T file.20040307 REAL One Player R3T File Format Stack OverflowREAL One Player R3T File Format Stack Overflowrealplayer-r3t-bo(15774)20040307 REAL One Player R3T File Format Stack Overflow20040307 REAL One Player R3T File Format Stack Overflow10070497711314The mysqld_multi script in MySQL allows local users to overwrite arbitrary files via a symlink attack.DSA-48320040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql)Insecure Temporary File Creation In MySQLMDKSA-2004:034RHSA-2004:569RHSA-2004:59720040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql)P-018101426421100978411223mysql-mysqldmulti-symlink(15883)MDKSA-2004:034RealNetworks Helix Universal Server 9.0.1 and 9.0.2 allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference, as demonstrated using (1) GET_PARAMETER or (2) DESCRIBE requests.20040415 [Full-Disclosure] iDEFENSE Security Advisory 04.15.04: RealNetworks Helix Universal Server Denial of Service VulnerabilityRealNetworks Helix Universal Server Denial of Service Vulnerability20040415 RealNetworks Helix Universal Server Denial of Service Vulnerability1015711395helix-get-dos(15880)SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style access control when users log in using scologin, which allows remote attackers to gain unauthorized access to an X session via other X login methods.20040510 OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocolSCOSA-2004.5openserver-x-session-insecure(16113)Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting Solution Engine (HSE) 1.7 through 1.7.3 have a hardcoded username and password, which allows remote attackers to add new users, modify existing users, and change configuration.20040407 A Default Username and Password in WLSE and HSE DevicesVU#659228O-111cisco-default-password(15773)10076racoon before 20040407b allows remote attackers to cause a denial of service (infinite loop and dropped connections) via an IKE message with a malformed Generic Payload Header containing invalid (1) "Security Association Next Payload" and (2) "RESERVED" fields.40fcf20f-8891-11d8-90d1-0020ed76ef5aracoon-isakmp-dos(15893)http://orange.kame.net/dev/query-pr.cgi?SCOSA-2005.10Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function.20040624 Rlpr AdvisoryDSA-524Bugtraq id 10578rlpr-msg-format-string(16453)10578A "potential" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic.Linux Kernel panic function buffer overflowSUSE Security Announcement: kernelLinux Kernel: Multiple vulnerabilitiesCorrees para vulnerabilidades do kernelMDKSA-2004:037[fedora-announce] 20040422 Fedora alert FEDORA-2004-111 (kernel)ESA-20040428-00420040504-01-U20040505-01-USuSE-SA:2004:010DSA-1070DSA-1067DSA-106910233201622016320202DSA-108220338MDKSA-2004:037The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call.DSA-509bugtraq id 10437gatos-xatitv-gain-privileges(16273)Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines.VU#19203820040520 [ GLSA 200405-12 ] CVS heap overflow vulnerabilityRHSA-2004:190DSA-50520040519 Advisory 07/2004: CVS remote vulnerabilityhttp://security.e-matters.de/advisories/072004.htmlTA04-147AFreeBSD-SA-04:10NetBSD-SA2004-008SuSE-SA:2004:013MDKSA-2004:048GLSA-200405-12OVAL97020040519 Advisory 07/2004: CVS remote vulnerability20040519 Advisory 07/2004: CVS remote vulnerabilityO-147cvs-entry-line-bo(16193)103841164111647116511165211674630520040520 cvs server buffer overflow vulnerabilityFEDORA-2004-1620SSA:2004-140-0120040519 [OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs)oval:org.mitre.oval:def:970MDKSA-2004:048Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command.bugtraq id 10386subversion-date-parsing-command-execution(16191)20040519 [OpenPKG-SA-2004.023] OpenPKG Security Advisory (subversion)20040519 Advisory 08/2004: Subversion remote vulnerabilityFEDORA-2004-12820040519 Advisory 08/2004: Subversion remote vulnerabilityhttp://security.e-matters.de/advisories/082004.htmlFLSA:1748http://subversion.tigris.org/svn-sscanf-advisory.txtGLSA-200405-1463011164211675Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client.20040520 [ GLSA 200405-15 ] cadaver heap-based buffer overflow20040520 [ GLSA 200405-13 ] neon heap-based buffer overflowMDKSA-2004:049CLA-2004:841RHSA-2004:191DSA-506DSA-507FEDORA-2004-1552GLSA-200405-13GLSA-200405-1520040519 Advisory 06/2004: libneon date parsing vulnerabilityO-14810385neon-library-nerfc1036parse-bo(16192)630211638116501167320040519 Advisory 06/2004: libneon date parsing vulnerability20040519 [OpenPKG-SA-2004.024] OpenPKG Security Advisory (neon)MDKSA-2004:049Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification.20040506 Buffer overflows in exim, yet still exim much better than windowsGeorgi Guninski security advisory #68DSA-501DSA-502exim-requireverify-bo(16079)20040506 Buffer overflows in exim, yet still exim much better than windows11558Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check.20040506 Buffer overflows in exim, yet still exim much better than windowsGeorgi Guninski security advisory #68DSA-501DSA-502exim-headerschecksyntax-bo(16077)20040506 Buffer overflows in exim, yet still exim much better than windowsUnknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions.libtasn1-der-parsing(16157)http://packages.debian.org/changelogs/pool/main/libt/libtasn1-2/libtasn1-2_0.2.13-1/changelog10360151261010159Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other versions, may allow local users to execute arbitrary code.DSA-508XPCD XPCD-SVGA Buffer Overflow Vulnerabilityxpcd xpcd-svga pcd_open buffer overflowMDKSA-2004:053MDKSA-2004:053Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.ccd698df-8e20-11d8-90d1-0020ed76ef5a20040424 [ GLSA 200404-17 ] ipsec-tools and iputils contain a remote DoS vulnerabilityAPPLE-SA-2004-05-03RHSA-2004:165GLSA-200404-17MDKSA-2004:069SCOSA-2005.1020040506-01-UOVAL98410172549110099371141011877racoon-isakmp-dos(15893)oval:org.mitre.oval:def:984logcheck before 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary directory in /var/tmp.DSA-4881016211399logcheck-directory-symlink(15888)MDKSA-2004:155CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180.DSA-486FreeBSD-SA-04:0720040404-01-U [FLSA-2004:1620] Updated cvs resolves security vulnerabilitiesOVAL1060GLSA-200404-13cvs-dotdot-directory-traversal(15891)SSA:2004-108-02oval:org.mitre.oval:def:1060The HTML form upload capability in ColdFusion MX 6.1 does not reclaim disk space if an upload is interrupted, which allows remote attackers to cause a denial of service (disk consumption) by repeatedly uploading files and interrupting the uploads before they finish.20040416 [securityzone@macromedia.com: New Macromedia Security Zone Bulletin Posted]MPSB04-06101585402100982511392coldfusion-upload-file-dos(15882)Buffer overflow in the child_service function in the ident2 ident daemon allows remote attackers to execute arbitrary code.DSA-494-1 ident2 -- buffer overflowMichael Bacarella IDent2 Daemon Child_Service Remote Buffer Overflow Vulnerabilityident2 child_service buffer overflowStack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code.[xchat-announce] 20040405 xchat 2.0.x Socks5 VulnerabilityDSA-493RHSA-2004:17720040419 [ GLSA 200404-15 ] XChat 2.0.x SOCKS5 VulnerabilityRHSA-2004:585GLSA-200404-15FLSA:123013** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.20040513 Opera Telnet URI Handler Vulnerability also applies to other browsers20040519 [ GLSA 200405-11 ] KDE URI Handler VulnerabilitiesRHSA-2004:222SuSE-SA:2003:014GLSA-200405-11DSA-518OVAL954O-14610358610711602kde-url-handler-gain-access(16163)FEDORA-2004-121FEDORA-2004-12220040517 KDE Security Advisory: URI Handler VulnerabilitiesCLA-2004:843SSA:2004-238oval:org.mitre.oval:def:954Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server.Mailman: Member password disclosure vulnerabilityDiversas correes para mailman [FLSA-2004:1734] Updated mailman resolves security vulnerabilityGNU Mailman Unspecified Password Retrieval Vulnerability[Mailman-Announce] 20040515 RELEASED Mailman 2.1.5https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559MDKSA-2004:05111701mailman-obtain-password(16256)libsvn_ra_svn in Subversion 1.0.4 trusts the length field of (1) svn://, (2) svn+ssh://, and (3) other svn protocol URL strings, which allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow.Subversion SVN Protocol Parser Remote Integer Overflow VulnerabilitySubversion svn protocol buffer overflowSubversion: Remote heap overflowhttp://subversion.tigris.org/security/CAN-2004-0413-advisory.txtFEDORA-2004-165FLSA:1748SuSE-SA:2004:01820041012 [FMADV] Subversion <= 1.04 Heap OverflowCVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution.[OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)CVS: additional DoS and arbitrary code execution vulnerabilitiesDSA-517-1 cvs -- buffer overflowCVS Multiple Vulnerabilities20040609 Advisory 09/2004: More CVS remote vulnerabilitieshttp://security.e-matters.de/advisories/092004.htmlRHSA-2004:233MDKSA-2004:05820040605-01-U20040604-01-UOVAL993oval:org.mitre.oval:def:993MDKSA-2004:058Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory.Updated kernel packages fix security issuesLinux kernel offset pointer information disclosureLinux Kernel File 64-Bit Offset Pointer Handling Kernel Memory Disclosure VulnerabilityGLSA-200408-24MDKSA-2004:087RHSA-2004:41320040804-01-UCLA-2004:879Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)DSA-519-1 cvs -- several vulnerabilitiesCVS Multiple Vulnerabilities20040609 Advisory 09/2004: More CVS remote vulnerabilitieshttp://security.e-matters.de/advisories/092004.htmlGLSA-200406-06RHSA-2004:233MDKSA-2004:05820040605-01-U20040604-01-UOVAL994oval:org.mitre.oval:def:994MDKSA-2004:058Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space.[OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)CVS: additional DoS and arbitrary code execution vulnerabilitiesDSA-519-1 cvs -- several vulnerabilitiesCVS Multiple Vulnerabilities20040609 Advisory 09/2004: More CVS remote vulnerabilitieshttp://security.e-matters.de/advisories/092004.htmlRHSA-2004:233MDKSA-2004:05820040605-01-UOVAL1001oval:org.mitre.oval:def:1001MDKSA-2004:058serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data.[OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs)CVS: additional DoS and arbitrary code execution vulnerabilitiesDSA-519-1 cvs -- several vulnerabilitiesCVS Multiple Vulnerabilities20040609 Advisory 09/2004: More CVS remote vulnerabilitieshttp://security.e-matters.de/advisories/092004.htmlRHSA-2004:233MDKSA-2004:05820040604-01-U20040605-01-UOVAL1003oval:org.mitre.oval:def:1003MDKSA-2004:058XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions.XFree86, X.org: XDM ignores requestPort settingXFree86 XDM RequestPort Random Open TCP Socket VulnerabilityMandrakeSoft Security Advisory MDKSA-2004:073 : XFree86http://bugs.xfree86.org/show_bug.cgi?id=1376https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=12490020040526 008: SECURITY FIX: May 26, 2004RHSA-2004:478P-001101030612019xdm-socket-gain-access(16264)The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.20040127 GOOROO CROSSING: File Spoofing Internet Explorer 6bugtraq id 9510Multiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMS04-024VU#106324OVAL2245OVAL2381OVAL2894OVAL3533OVAL3386OVAL360420040127 RE: GOOROO CROSSING: File Spoofing Internet Explorer 610736ie-clsid-file-extension-spoofing(14964)oval:org.mitre.oval:def:2245oval:org.mitre.oval:def:2381oval:org.mitre.oval:def:2894oval:org.mitre.oval:def:3533oval:org.mitre.oval:def:3386oval:org.mitre.oval:def:3604The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message.libpng PNG image denial of serviceLibPNG Broken PNG Out Of Bounds Access Denial Of Service VulnerabilityUpdated libpng packages fix crashAPPLE-SA-2004-09-09DSA-498MDKSA-2004:040RHSA-2004:18120040429 [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png)2004-0025FEDORA-2004-105FEDORA-2004-106OVAL971oval:org.mitre.oval:def:971MDKSA-2006:212MDKSA-2006:2132295722958MDKSA-2004:040MDKSA-2006:212MDKSA-2006:213flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack.DSA-500flim-insecure-temporary-file(16027)RHSA-2004:344The log_event function in ssmtp 2.50.6 and earlier allows local users to overwrite arbitrary files via a symlink attack on the ssmtp.log temporary log file.20040418 ssmtp insecure file creationInteger overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.20040420 Linux kernel setsockopt MCAST_MSFILTER integer overflow20040420 Linux kernel setsockopt MCAST_MSFILTER integer overflowESA-20040428-004bugtraq id 10179linux-ipsetsockopt-integer-bo(15907)RHSA-2004:183MDKSA-2004:03720040504-01-USuSE-SA:2004:010OVAL939CLA-2004:852SSA:2004-119RHSA-2004:183oval:org.mitre.oval:def:939MDKSA-2004:037Heap-based buffer overflow in SiteMinder Affiliate Agent 4.x allows remote attackers to execute arbitrary code via a large SMPROFILE cookie.Netegrity SiteMinder Affiliate Agent Heap Overflow VulnerabilitySiteMinder Affiliate Agent SMPROFILE cookie buffer overflowSiteMinder Affiliate Agent Cookie Overflowrsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.DSA-499MDKSA-2004:04220040521 [OpenPKG-SA-2004.025] OpenPKG Security Advisory (rsync)RHSA-2004:192GLSA-200407-10OVAL967TSL-2004-0024O-134O-21210247115141151511523115371158311669116881199312054rsync-write-files(16014)SSA:2004-124-01oval:org.mitre.oval:def:967MDKSA-2004:042The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.[linux-kernel] 20040408 [PATCH]: 2.4/2.6 do_fork() error path memory leakMDKSA-2004:037ESA-20040428-00420040504-01-U20040505-01-UCLA-2004:846FEDORA-2004-111GLSA-200407-02SuSE-SA:2004:010RHSA-2004:255http://linux.bkbits.net:8080/linux-2.4/cset@407bf20eDeeejm8t36_tpvSE-8EFHAhttp://linux.bkbits.net:8080/linux-2.6/cset@407b1217x4jtqEkpFW2g_-RcF0726AOVAL2819RHSA-2004:260RHSA-2004:327TLSA-2004-14O-1641022111429114641148611541118611189111892linux-dofork-memory-leak(16002)DSA-1070DSA-1067DSA-1069201622016320202DSA-108220338oval:org.mitre.oval:def:2819MDKSA-2004:037Unknown vulnerability in CoreFoundation in Mac OS X 10.3.3 and Mac OS X 10.3.3 Server, related to "the handling of an environment variable," has unknown attack vectors and unknown impact.APPLE-SA-2004-05-03ESB-2004.0314http://securitytracker.com/id?10100451027011539macos-corefoundation-environment(16051)Unknown vulnerability related to "the handling of large requests" in RAdmin for Apple Mac OS X 10.3.3 and Mac OS X 10.2.8 may allow attackers to have unknown impact via unknown attack vectors.20040503 [product-security@apple.com: APPLE-SA-2004-05-03 Security Update 2004-05-03]http://www.securitytracker.com/alerts/2004/May/1010045.htmlAPPLE-SA-2004-05-03ESB-2004.0314115391010045O-138macos-radmin-large-request(16053)Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.A050304-1applefileserver-afp-pathname-bo(16049)APPLE-SA-2004-05-03http://www.securiteam.com/securitynews/5QP0115CUO.htmlVU#648406115391010039Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow.20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflowquicktime-heap-bo(16026)APPLE-SA-2004-04-30VU#782958ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL entries as if they were AllowAll, which could allow FTP clients to bypass intended access restrictions.ProFTPD CIDR Access Control Rule Bypass VulnerabilityProFTPD CIDR entry ACL bypasshttp://bugs.proftpd.org/show_bug.cgi?id=2267MDKSA-2004:0412004-00251152720040430 [OpenPKG-SA-2004.018] OpenPKG Security Advisory (proftpd)MDKSA-2004:041Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) client for (1) MPlayer before 1.0pre4 and (2) xine lib (xine-lib) before 1-rc4, when playing Real RTSP (realrtsp) streams, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (a) long URLs, (b) long Real server responses, or (c) long Real Data Transport (RDT) packets.MPlayer and xine-lib RTSP RDT buffer overflowMPlayer, xine-lib: vulnerabilities in RTSP stream handlingMPlayer/Xine-Lib Multiple RealRTSP Buffer Overrun Vulnerabilitieshttp://www.xinehq.de/index.php/security/XSA-2004-3k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow.20040505 Advisory: Heimdal kadmind version4 remote heap overflow20040506 Advisory: Heimdal kadmind version4 remote heap overflowDSA-50420040527 [ GLSA 200405-23 ] Heimdal: Kerberos 4 buffer overflow in kadminheimdal-kadmind-bo(16071)20040506 Advisory: Heimdal kadmind version4 remote heap overflowFreeBSD-SA-04:09GLSA-200405-23Certain "programming errors" in the msync system call for FreeBSD 5.2.1 and earlier, and 4.10 and earlier, do not properly handle the MS_INVALIDATE operation, which leads to cache consistency problems that allow a local user to prevent certain changes to files from being committed to disk.FreeBSD Msync(2) System Call Buffer Cache Implementation VulnerabilityFreeBSD-SA-04:111041611714freebsd-msync-gain-privileges(16254)Titan FTP Server version 3.01 build 163, and possibly other versions before build 169, allows remote authenticated users to cause a denial of service (crash) by disconnecting from the system during a "LIST -L" command, which causes Titan to access an invalid socket.20040505 Titan FTP Server Aborted LIST DoS20040505 Titan FTP Server Aborted LIST DoStitan-list-command-dos(16057)Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components.20040512 EEYE: Symantec Multiple Firewall NBNS Response Processing Stack Overflow20040512 EEYE: Symantec Multiple Firewall NBNS Response Remote Heap Corruption20040512 EEYE: Symantec Multiple Firewall Remote DNS KERNEL OverflowVU#634414VU#29499820040512 EEYE: Symantec Multiple Firewall NBNS Response Processing Stack Overflow20040512 EEYE: Symantec Multiple Firewall NBNS Response Remote Heap Corruption20040512 EEYE: Symantec Multiple Firewall Remote DNS KERNEL Overflowhttp://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.htmlVU#63731810333103341033511066O-141609961016102101014410101451010146symantec-dns-response-bo(16137)symantec-firewalls-nbns-bo(16135)symantec-nbns-response-bo(16134)The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself.20040512 EEYE: Symantec Multiple Firewall DNS Response Denial-of-ServiceCAN 2004-0445VU#68211020040512 EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service1106610336symantec-firewall-dns-dos(16132)O-1416100101014410101451010146Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact. NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477. This is the proper candidate to use for the Linux local DoS.Linux 2.4.26-ow2Linux Kernel Unspecified Local Denial of Service VulnerabilityRHSA-2004:41320040804-01-UGLSA-200407-16O-193linux-ia64-dos(16661)DSA-1070DSA-1067DSA-1069201622016320202DSA-108220338Format string vulnerability in the log function for jftpgw 0.13.4 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in certain syslog messages.DSA-510bugtraq id 10438jftpgw-log-format-string(16271)Format string vulnerability in the printlog function in log2mail before 0.2.5.2 allows local users or remote attackers to execute arbitrary code via format string specifiers in a logfile monitored by log2mail.DSA-513-1 log2mail -- format stringMichael Krax log2mail Log File Writing Format String Vulnerability67111176811769log2mail-syslog-format-string(16311)Multiple format string vulnerabilities in the (1) logquit, (2) logerr, or (3) loginfo functions in Software Upgrade Protocol (SUP) allows remote attackers to execute arbitrary code via format string specifiers in messages that are logged by syslog.DSA-521bugtraq id 10571sup-format-string(16459)DSA-5211010539Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack.20041223 [USN-44-1] perl information leakDSA-620GLSA-200501-38RHSA-2005:10320050111 [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl)perl-filepathrmtree-insecure-permissions(18650)20060101-01-U120721299118517FLSA-2006:152845RHSA-2005:105Format string vulnerability in the monitor "memory dump" command in VICE 1.6 to 1.14 allows local users to cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string.VICE Monitor Memory Dump Format String VulnerabilityVICE memory dump command format string attackVICE emulator format string vulnerabilityBuffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code.DSA-524bugtraq id 10578rlpr-msg-bo(16454)Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to execute arbitrary code via a web page that is processed by www-sql.DSA-523wwwsql-cgi-command-execution(16455)bugtraq id 10577Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly other versions allows remote web sites to execute arbitrary code via a long HTTP Location header.20040702 pavuk buffer overflowGLSA-200406-22DSA-527pavuk-location-bo(16551)Bugtraq id 1063320040702 pavuk buffer overflowThe mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files.DSA-540-1 mysql -- insecure file creationMySQL mysqlhotcopy insecure temoprary fileRHSA-2004:597P-018mah-jong before 1.6.2 allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference.DSA-503-1 mah-jong -- missing argument checkMah-Jong Server NULL Pointer Dereference Remote Denial Of Service Vulnerabilitymah-jong NULL pointer denial of serviceThe Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data.AA-2004.02VU#10667820040513 802.11b (others) single packet DoS10342160341010152ieee80211-cca-dos(16138)Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file.ISC DHCPD Hostname Options Logging Buffer Overflow VulnerabilityISC DHCP daemon ASCII characters in log lines buffer overflowISC DHCP overflowsMultiple Vulnerabilities in ISC DHCP 3MDKSA-2004:061VU#317350SuSE-SA:2004:01920040622 DHCP Vuln // no code 0day //20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)ADV-2006-4791101733723265MDKSA-2004:061The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code.ISC DHCPD VSPRINTF Buffer Overflow VulnerabilityISC DHCP daemon C include file buffer overflow ISC DHCP overflowsMultiple Vulnerabilities in ISC DHCP 3MDKSA-2004:061VU#654390SuSE-SA:2004:01920040622 DHCP Vuln // no code 0day //20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd)ADV-2006-4791101733723265MDKSA-2004:061The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server.VU#546483network-device-secure-plaintext(17702)Directory traversal vulnerability in jretest.html in WebConnect 6.5 and 6.4.4, and possibly earlier versions, allows remote attackers to read keys within arbitrary INI formatted files via "..//" sequences in the WCP_USER parameter.20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilitieshttp://www.cirt.dk/advisories/cirt-29-advisory.pdfhttp://www.kb.cert.org/vuls/id/JSHA-69HVPKVU#62841114006webconnect-wcpuser-directory-traversal(19394)WebConnect 6.5, 6.4.4, and possibly earlier versions allows remote attackers to cause a denial of service (hang) via a URL containing an MS-DOS device name such as (1) AUX, (2) CON, (3) PRN, (4) COM1, or (5) LPT1.20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilitieshttp://www.cirt.dk/advisories/cirt-29-advisory.pdfhttp://www.kb.cert.org/vuls/id/JSHA-69FVMMVU#55256114006webconnect-device-name-dos(19393)Juniper JUNOS 5.x through JUNOS 7.x allows remote attackers to cause a denial of service (routing disabled) via a large number of MPLS packets, which are not filtered or verified before being sent to the Routing Engine, which reduces the speed at which other packets are processed.http://www.niscc.gov.uk/niscc/docs/al-20050126-00067.html?lang=enVU#409555http://www.kb.cert.org/vuls/id/JSHA-68ZJCQ12379junos-dos(19094)101303914049RHSA-2005:081Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows remote attackers to cause a denial of service (memory exhaustion and device reboot) via certain IPv6 packets.VU#658859juniper-ipv6-dos(16548)Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation.20040504 ISAKMP Vulnerabilityvpn1-isakmp-bo(16060)bugtraq id 10273BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.BEA04-59.00BEA WebLogic Server contains vulnerability in handling of certain tags when editing 103286076101012811593weblogic-application-unauth-access(16123)BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown).103276077101012911594weblogic-server-policy-bypass(16121)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a reservation duplicate of CVE-2004-0434. Notes: All CVE users should reference CVE-2004-0434 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options to the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux.20040525 [ GLSA 200405-19 ] Opera telnet URI handler filehttp://www.opera.com/linux/changelogs/750/index.dmlGLSA-200405-19103411010142opera-telnet-file-overwrite(16139)20040512 Opera Telnet URI Handler File Creation/Truncation VulnerabilityHelp Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL. NOTE: since the initial report of this problem, several researchers have been unable to reproduce this issue.20040207 HelpCtr - allow open any page or run20040211 Re: HelpCtr - allow open any page or run20040210 Re: HelpCtr - allow open any page or runbugtraq id 9621winxp-helpctr-hcp-xss(15101)20040210 Re: HelpCtr - allow open any page or run20040213 Re: HelpCtr - allow open any page or runThe showHelp function in Internet Explorer 6 on Windows XP Pro allows remote attackers to execute arbitrary local .CHM files via a double backward slash ("\\") before the target CHM file, as demonstrated using an "ms-its" URL to ntshared.chm. NOTE: this bug may overlap CVE-2003-1041.20040513 Showhelp() local CHM file executionie-showhelp-chm-execution(16147)bugtraq id 10348Buffer overflow in 3Com OfficeConnect Remote 812 ADSL Router 1.1.9.4 allows remote attackers to cause a denial of service (reboot or packet loss) via a long string containing Telnet escape characters to the Telnet port.3Com OfficeConnect Remote 812 ADSL Router Telnet Buffer Overflow Vulnerability[Full-Disclosure] iDEFENSE Security Advisory 05.26.04: 3Com OfficeConnect Remote 8123Com OfficeConnect Remote 812 ADSL Router Telnet Protocol DoS Vulnerability20040526 OfficeConnect Remote 812 ADSL Router Telnet Protocol DoS Vulnerability117163com-officeconnect-telnet-bo(16257)Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router allows remote attackers to bypass authentication via repeated attempts using any username and password. NOTE: this identifier was inadvertently re-used for another issue due to a typo; that issue was assigned CVE-2004-0447. This candidate is ONLY for the ADSL router bypass.20040527 [Full-Disclosure] iDEFENSE Security Advisory 05.27.04: 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass Vulnerability3com-officeconnect-gain-access(16267)Bugtraq id 1042611716Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using Javascript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U.[Dailydave] 20040514 Mozilla bug might even get fixed!243540mozilla-javascript-dos(16225)Internet Explorer 6 allows remote attackers to cause a denial of service (crash) via Javascript that creates a new popup window and disables the imagetoolbar functionality with a META tag, which triggers a null dereference.20040514 IE Crash - Anyone Seen This Before?20040514 IE Crash - Anyone Seen This Before?20040516 Re: IE Crash - Anyone Seen This Before?20040514 IE Crash - Anyone Seen This Before?Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that uses a UNC network share pathname to provide an alternate notes.ini configuration file to notes.exe.20040627 Lotus Notes URL argument injection vulnerabilitylotus-notes-xss(16496)bugtraq id 10600The logging feature in kcms_configure in the KCMS package on Solaris 8 and 9, and possibly other versions, allows local users to corrupt arbitrary files via a symlink attack on the KCS_ClogFile file.20050223 Sun Solaris kcms_configure Arbitrary File Corruption Vulnerability57706Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs.c, (3) procfs_linux.c, (4) procfs_regs.c, (5) procfs_status.c, and (6) procfs_subr.c in procfs for OpenBSD 3.5 and earlier allow local users to read sensitive kernel memory and possibly perform other unauthorized activities.[openbsd-security-announce] 20040513 procfs vulnerabilityopenbsd-procfs-gain-privileges(16226)20040513 [3.4] 020: SECURITY FIX: May 13, 200420040513 [3.5] 006: SECURITY FIX: May 13, 200461141160520040517 OpenBSD procfsUnknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote attackers to cause a denial of service (infinite loop) via certain RPC requests.20040503-01-P103726201101018511628rpcmountd-rpc-dos(16175)mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attackers to cause a denial of service (crash) via a table containing a form that crosses multiple td elements, and whose "float: left" class is defined in a link to a CSS stylesheet after the end of the table, which may trigger a null dereference.20040518 Unknown IE bug with css-styles10382ie-css-dos(16189)The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume.SA11622Mac OS X runscript code executionAPPLE-SA-2004-05-28VU#210606APPLE-SA-2004-05-21APPLE-SA-2004-05-28HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler.SA11622Mac OS X runscript code executionVU#578798Apple Mac OS X Help Protocol Remote Code Execution VulnerabilityAPPLE-SA-2004-05-2120040516 Vuln. MacOSX/Safari: Remote help-call, execute scripts61841010167A certain ActiveX control in Symantec Norton AntiVirus 2004 allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary programs.Symantec Norton AntiVirus ActiveX Control Remote Code Execution VulnerabilitySymantec Norton AntiVirus 2004 ActiveX control fails to properly validate inputNorton AntiVirus 2004 ActiveX code executionhttp://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/72_e.htmlhttp://www.symantec.com/avcenter/security/Content/2004.05.20.htmlO-14911676630320040521 [SNS Advisory No.72] Symantec Norton AntiVirus 2004 ActiveX Control VulnerabilityStack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.20040517 mod_ssl ssl_util_uuencode_binary potential problembugtraq id 10355Apache mod_ssl ssl_util_uuencode_binary buffer overflow20040517 mod_ssl ssl_util_uuencode_binary potential problemDSA-532FLSA:1888SSRT4777SSRT4788MDKSA-2004:054MDKSA-2004:0552004-003120040601 TSSA-2004-008 - apacheGLSA-200406-05RHSA-2004:245RHSA-2004:342RHSA-2004:40520040605-01-U20040527 [OpenPKG-SA-2004.026] OpenPKG Security Advisory (apache)RHSA-2005:816MDKSA-2004:054MDKSA-2004:055Argument injection vulnerability in the SSH URI handler for Safari on Mac OS 10.3.3 and earlier allows remote attackers to (1) execute arbitrary code via the ProxyCommand option or (2) conduct port forwarding via the -R option.20040524 SSH URI handler remote arbitrary code executionsafari_0x06Mac OS X SSH URL handler code execution20040524 SSH URI handler remote arbitrary code executioncPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529.cPanel Local Privilege Escalation VulnerabilitycPanel mod_phpsuexec allows command executioncPanel Multiple Vulnerabilities Testing Script20040524 cPanel mod_phpsuexec Vulnerabilityhttp://www.a-squad.com/audit/explain10.htmlhttp://bugzilla.cpanel.net/show_bug.cgi?id=283http://bugzilla.cpanel.net/show_bug.cgi?id=664The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit.[linux-kernel] 20040402 Re: disable-cap-mlockOVAL1117RHSA-2005:47213769oval:org.mitre.oval:def:1117 20060402-01-U 19607Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied.Apache HTTP Server mod_proxy Content-Length buffer overflow[OpenPKG-SA-2004.029] OpenPKG Security Advisory (apache)DSA-525-1 apache -- buffer overflowApache Mod_Proxy Remote Negative Content-Length Buffer Overflow VulnerabilityUpdated httpd and mod_ssl packages fix minor Apache security vulnerabilities20040610 Buffer overflow in apache mod_proxy,yet still apache much better than windowshttp://www.guninski.com/modproxy1.htmlFLSA:1737MDKSA-2004:06520040605-01-UOVAL4863VU#5413101184157628OVAL100112101555101841oval:org.mitre.oval:def:4863oval:org.mitre.oval:def:100112MDKSA-2004:065The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters.Apache ap_escape_html Memory Allocation Denial Of Service VulnerabilityApache HTTP Server ap_get_mime_headers_core denial of service20040628 DoS in apache httpd 2.0.49, yet still apache much better than windowshttp://www.guninski.com/httpd1.htmlhttp://www.apacheweek.com/features/security-20GLSA-200407-03SSRT4777MDKSA-2004:064RHSA-2004:3422004-003920040629 TSSA-2004-012 - apacheMDKSA-2004:064Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1 may allow remote attackers to perform certain unauthorized actions via a gnome-vfs URI.GNOME VFS extfs scripts gain accessGnome VFS &#39;extfs&#39; Scripts Undisclosed VulnerabilityGNOME VFS updates address extfs vulnerabilityFLSA:1944Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool.Linux Kernel Multiple Device Driver VulnerabilitiesLinux Kernel multiple drivers allows elevated privilegesLinux Kernel: Multiple vulnerabilitiesUpdated kernel packages fix security vulnerabilitiesCLA-2004:845CLA-2004:846FEDORA-2004-186MDKSA-2004:066RHSA-2004:260SUSE-SA:2004:020OVAL2961oval:org.mitre.oval:def:2961Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool.SUSE-SA:2004:020linux-gain-privileges(16625)SUSE-SA:2004:020Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4.CLA-2004:852MDKSA-2004:066RHSA-2004:354SUSE-SA:2004:020linux-fchown-groupid-modify(16599)RHSA-2004:360SUSE-SA:2004:020The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlier allows remote attackers to cause a denial of service (crash) via crafted H.323 packets.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none.Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call.Gaim: MSN protocol parsing function buffer overflowFEDORA-2004-278FEDORA-2004-279GLSA-200408-27MDKSA-2004:081RHSA-2004:400SUSE-SA:2004:025http://gaim.sourceforge.net/security/?id=010865gaim-msn-bo(16920)Outlook 2003 allows remote attackers to bypass intended access restrictions and cause Outlook to request a URL from a remote site via an HTML e-mail message containing a Vector Markup Language (VML) entity whose src parameter points to the remote site, which could allow remote attackers to know when a message has been read, verify valid e-mail addresses, and possibly leak other information.Microsoft Outlook Mail Client E-mail Address Verification WeaknessMicrosoft Outlook VML information disclosure PING: Outlook 2003 Spam20040604 RE: PING: Outlook 2003 Spam20040604 RE: PING: Outlook 2003 SpamOutlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the "src" of an img tag of the original message, which allows remote attackers to bypass zone restrictions and exploit other issues that rely on predictable locations, as demonstrated using a shell: URI.Microsoft Outlook 2003 Predictable File Location Weakness OUTLOOK 2003: OuchLook RE: PING: Outlook 2003 Spam11572outlook-file-location-predictable(16104)20040604 RE: PING: Outlook 2003 SpamMicrosoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a Rich Text Format (RTF) message containing an OLE object for the Windows Media Player, which bypasses Media Player's setting to disallow scripting and may lead to unprompted installation of an executable when exploited in conjunction with predictable-file-location exposures such as CVE-2004-0502.Microsoft Outlook 2003 Media File Script Execution VulnerabilityMicrosoft Outlook 2003 OLE object bypass restricted security zone ROCKET SCIENCE: Outllook 200320040517 ROCKET SCIENCE: Outllook 2003621711629Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients.Ethereal: Multiple security problemsEthereal Multiple Protocol Dissector VulnerabilitiesUpdated Ethereal packages fix security issueshttp://www.ethereal.com/appnotes/enpa-sa-00014.html[Ethereal-users] 20040503 Re: HotSIP sip-messages crasching etherealCLA-2005:91620040605-01-U20040604-01-UOVAL982O-15061311010158116081177611836ethereal-sip-packet-dos(16148)oval:org.mitre.oval:def:982The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors.Ethereal Multiple Protocol Dissector VulnerabilitiesEthereal: Multiple security problemsUpdated Ethereal packages fix security issueshttp://www.ethereal.com/appnotes/enpa-sa-00014.htmlCLA-2005:91620040604-01-U20040605-01-UOVAL986O-15061321010158116081177611836ethereal-aim-dissector-dos(16150)oval:org.mitre.oval:def:986The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference.Ethereal Multiple Protocol Dissector VulnerabilitiesUpdated Ethereal packages fix security issuesEthereal: Multiple security problemshttp://www.ethereal.com/appnotes/enpa-sa-00014.htmlCLA-2005:91620040605-01-U20040604-01-UOVAL987O-1501010158116081177611836ethereal-spnego-dos(16151)oval:org.mitre.oval:def:987Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.Multiple security problems in Ethereal 0.10.3Ethereal: Multiple security problemsUpdated httpd and mod_ssl packages fix minor Apache security vulnerabilitiesCLA-2005:916RHSA-2004:23420040605-01-U20040604-01-UOVAL988O-1501034761341010158116081177611836ethereal-mmse-bo(16152)oval:org.mitre.oval:def:988Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program.bid 10758SCO OpenServer MMDF buffer overflowhttp://www.deprotect.com/advisories/DEPROTECT-20040206.txtSCOSA-2004.720041027 MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a null dereference.OpenServer 5.0.6 OpenServer 5.0.7 : MMDF Various buffer overflows and other security issuesbid 10758SCO OpenServer MMDF name denial of serviceMultiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a core dump.OpenServer 5.0.6 OpenServer 5.0.7 : MMDF Various buffer overflows and other security issuesbid 10758SCO OpenServer MMDF denial of serviceUnspecified vulnerability in Mac OS X before 10.3.4 has unknown impact and attack vectors related to "logging when tracing system calls."Apple Security UpdatesAPPLE-SA-2004-05-28104321010329macosx-nfs-logging(16291)APPLE-SA-2004-05-28Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of directory services lookups."Apple Mac OS X vulnerable to privilege escalation when using Directory ServicesApple Security UpdatesApple Mac OS X Multiple Unspecified Security VulnerabilitiesAPPLE-SA-2004-05-281010330macosx-loginwindow-gain-privileges(16289)Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of console log files."Apple Security UpdatesApple Mac OS X Multiple Unspecified Security VulnerabilitiesAPPLE-SA-2004-05-281010330macosx-loginwindow-gain-privileges(16289)Unknown vulnerability in Mac OS X 10.3.4, related to "package installation scripts," a different vulnerability than CVE-2004-0517.Apple Security UpdatesApple Mac OS X Multiple Unspecified Security VulnerabilitiesAPPLE-SA-2004-05-281010331macosx-package-installation(16290)Unknown vulnerability in Mac OS X 10.3.4, related to "handling of process IDs during package installation," a different vulnerability than CVE-2004-0516.Apple Security UpdatesApple Mac OS X Multiple Unspecified Security VulnerabilitiesAPPLE-SA-2004-05-281010331macosx-package-installation(16290)Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related to "the use of SSH and reporting errors," has unknown impact and attack vectors.Apple Security UpdatesApple Mac OS X Multiple Unspecified Security VulnerabilitiesAPPLE-SA-2004-05-281010333applefileserver-reporting-error(16288)Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php.SquirrelMail Folder Name Cross-Site Scripting VulnerabilitySquirrelMail compose.php script cross-site scriptingMultiple XSS Vulnerabilities in SquirrelMail20040430 Re: SquirrelMail Cross Scripting Attacks....DSA-535FEDORA-2004-1733RHSA-2004:24020040604-01-UOVAL1006FEDORA-2004-160115311168611870122891024620040429 SquirrelMail Cross Scripting Attacks....CLA-2004:858SUSE-SR:2005:019oval:org.mitre.oval:def:1006Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php.SquirrelMail Email Header HTML Injection VulnerabilityRS-2004-1: SquirrelMail Squirrelmail: Another XSS vulnerabilityhttp://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txtDSA-535FEDORA-2004-1733RHSA-2004:24020040604-01-UOVAL1012FEDORA-2004-1601187012289[squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28CLA-2004:858oval:org.mitre.oval:def:1012SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php.SquirrelMail Unspecified SQL Injection Vulnerability[SM-CVS] CVS: squirrelmail/functions abook_database.php,1.15.2.1,1.15.2.2Multiple XSS Vulnerabilities in SquirrelMailDSA-535FEDORA-2004-1733RHSA-2004:24020040604-01-UOVAL1033O-21211685squirrelmail-sql-injection(16235)APPLE-SA-2004-09-07FEDORA-2004-1606841116861187012289[squirrelmail-devel] 20040511 [SM-DEVEL] SquirrelMail 1.4.3-RC1 ReleaseCLA-2004:858oval:org.mitre.oval:def:1033Gallery 1.4.3 and earlier allows remote attackers to bypass authentication and obtain Gallery administrator privileges.Gallery user bypass authenticationDSA-512-1 gallery -- unauthenticated accessGallery Authentication Bypass VulnerabilityGLSA-200406-1011752Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflowsDSA-520-1 krb5 -- buffer overflowsMIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Name Buffer Overrun VulnerabilitiesCLA-2004:860FEDORA-2004-149GLSA-200406-21MDKSA-2004:056RHSA-2004:2362004-003220040602 TSSA-2004-009 - kerberos520040605-01-U20040604-01-UOVAL991OVAL200210448Kerberos-krb5anametolocalname-bo(16268)20040601 MITKRB5-SA-2004-001: buffer overflows in krb5_aname_to_localname101512oval:org.mitre.oval:def:991oval:org.mitre.oval:def:2002oval:org.mitre.oval:def:724Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gain root privileges via a long user name.SquirrelMail Change_Passwd Plug-in Buffer Overrun VulnerabilitySquirrelMail chpasswd binary buffer overflowSquirrelmail Chpasswod bofRe: Squirrelmail Chpasswod bofhttp://www.squirrelmail.org/plugin_view.php?id=11711415HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 allows remote attackers to cause a denial of service (hang) by accessing iLO using the TCP/IP reserved port zero.HP Integrated Lights Out Remote Denial of Service VulnerabilityHP Integrated Lights-Out port zero denial of serviceSSRT4724Unknown versions of Internet Explorer and Outlook allow remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack.Microsoft Internet Explorer Embedded Image URI Obfuscation WeaknessMicrosoft Internet Explorer and Outlook Express A HREF URL spoofing DEEP SEA PHISHING: Internet Explorer / Outlook Express20040517 Microsoft Internet Explorer ImageMap URL Spoof Vulnerabilityhttp://www.kurczaba.com/securityadvisories/0405132poc.htmKDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack.KDE Konqueror Embedded Image URI Obfuscation Weakness6579ie-ahref-url-spoofing(16102)Netscape Navigator 7.1 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack.Netscape Navigator Embedded Image URI Obfuscation Weakness6580ie-ahref-url-spoofing(16102)The modified suexec program in cPanel, when configured for mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows local users to execute untrusted shared scripts and gain privileges, as demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi, a different vulnerability than CVE-2004-0490.cPanel mod_php suEXEC Taint VulnerabilityClueCentral Apache Suexec Patch Security Weaknesshttp://bugzilla.cpanel.net/show_bug.cgi?id=668101041111798cpanel-suexec-command-execute(16347)The PHP package in Slackware 8.1, 9.0, and 9.1, when linked against a static library, includes /tmp in the search path, which allows local users to execute arbitrary code as the PHP user by inserting shared libraries into the appropriate path.[slackware-security] PHP local security issue (SSA:2004-154-02)Slackware Linux PHP Packages Insecure Linking Configuration Vulnerability1046111760linux-php-gain-privileges(16310)Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces access controls on the client, which allows remote authenticated users to delete arbitrary files on the server via a crafted delete request using the InfoView web client.20040907 Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue20040917 Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue1120812587webintelligence-url-delete-files(17422)Cross-site scripting (XSS) vulnerability in Business Objects InfoView 5.1.4 through 5.1.8 for WebIntelligence 2.7.0 through 2.7.4 allows remote attackers to inject arbitrary web script or HTML via document names when uploading a document.20040907 Corsaire Security Advisory - Business Objects WebIntelligence XSS issue20040917 Corsaire Security Advisory - Business Objects WebIntelligence XSS issue12587webintelligence-input-document-xss(17419)11209The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources.Linux Kernel e1000 Ethernet Card Driver Kernel Memory Disclosure VulnerabilityLinux Kernel e1000 driver buffer overflowLinux Kernel: Multiple vulnerabilitiesUpdated kernel packages fix security vulnerabilitieshttp://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.27.loghttp://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125168CLA-2004:845FEDORA-2004-186MDKSA-2004:062RHSA-2004:41820040804-01-USUSE-SA:2004:020MDKSA-2004:062Format string vulnerability in Tripwire commercial 4.0.1 and earlier, including 2.4, and open source 2.3.1 and earlier, allows local users to gain privileges via format string specifiers in a file name, which is used in the generation of an email report.tripwire: Format string vulnerabilityTripwire Email Reporting Format String Vulnerability10454tripwire-fprintf-format-string(16309)20040602 Format String Vulnerability in Tripwire20040603 Re: Format String Vulnerability in TripwireRHSA-2004:244Opera 7.50 and earlier allows remote web sites to provide a "Shortcut Icon" (favicon) that is wider than expected, which could allow the web sites to spoof a trusted domain and facilitate phishing attacks using a wide icon and extra spaces.Phishing for Opera (GM#007-OP)Opera Browser Favicon Address Bar Spoofing Weakness20040603 Phishing for Opera (GM#007-OP)http://security.greymagic.com/security/advisories/gm007-op/http://www.opera.com/linux/changelogs/751/index.dml659011762opera-favicon-spoofing(16307)LaunchServices in Mac OS X 10.3.4 and 10.2.8 automatically registers and executes new applications, which could allow attackers to execute arbitrary code without warning the user.bid 10486The "Show in Finder" button in the Safari web browser in Mac OS X 10.3.4 and 10.2.8 may execute downloaded applications, which could allow remote attackers to execute arbitrary code.bid 10486VU#773190Microsoft Windows 2000, when running in a domain whose Fully Qualified Domain Name (FQDN) is exactly 8 characters long, does not prevent users with expired passwords from logging on to the domain.Users who have expired passwords can still log on to the domain if the FQDN is exactly eight characters long in Windows 200011746Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable).Squid Web Proxy Cache NTLM buffer overflowSquid: NTLM authentication helper buffer overflowUpdated squid package fixes security vulnerabilityhttp://www.idefense.com/application/poi/display?id=107&type=vulnerabilities2004-003320040604-01-UOVAL980FLSA-2006:15280910500oval:org.mitre.oval:def:980PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function.PHP escapeshellarg and escapeshellcmd execute commandhttp://www.idefense.com/application/poi/display?id=108http://www.php.net/release_4_3_7.phpMultiple SQL injection vulnerabilities in Oracle Applications 11.0 and Oracle E-Business Suite 11.5.1 through 11.5.8 allow remote attackers to execute arbitrary SQL procedures and queries.Oracle E-Business SQL injectionSQL Injection Vulnerabilities in Oracle E-Business SuiteOracle E-Business Suite SQL Injection vulnerabilitiesOracle E-Business Suite Multiple Unspecified SQL Injection Vulnerabilitieshttp://www.integrigy.com/alerts/OraAppsSQLInjection.htmhttp://otn.oracle.com/deploy/security/pdf/2004alert67.pdf20040604 Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business SuiteO-15320040604 Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business SuiteMultiple buffer overflows in LVM for AIX 5.1 and 5.2 allow local users to gain privileges via the (1) putlvcb or (2) getlvcb commands.AIX Getlvcb Command Line Argument Buffer Overflow VulnerabilityIBM AIX getlvcb and putlvcb utilities buffer overflowO-131: AIX Symlink and Buffer Overflow Vulnerabilities in LVM CommandsMSS-OAR-E01-2004.0544IY55681IY5568211158990643924393aix-getlvcb-bo(18317)LVM for AIX 5.1 and 5.2 allows local users to overwrite arbitrary files via a symlink attack.Multiple IBM AIX Unspecified LVM Utilities Symbolic Link VulnerabilitiesIBM AIX LVM commands symlink attackMSS-OAR-E01-2004.0544O-131Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows remote attackers to cause a denial of service (crash).PostgreSQL ODBC driver buffer overflowDSA-516-1 postgresql -- buffer overflowPostgreSQL ODBC Driver Unspecified Remote Buffer Overflow VulnerabilityMDKSA-2004:072Multiple stack-based buffer overflows in the word-list-compress functionality in compress.c for Aspell allow local users to execute arbitrary code via a long entry in the wordlist that is not properly handled when using the (1) "c" compress option or (2) "d" decompress option.Aspell 'word-list-compress' stack overflow vulnerabilityaspell: Buffer overflow in word-list-compressGNU Aspell Stack Buffer Overflow VulnerabilityThe WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object.Cross-Domain Redirect Vulnerability in Internet Explorer20040602 180 Solutions Exploits and Toolbars Hacking Patched Users(I.E Exploits)20040606 Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)20040628 JS.Scob.Trojan Source Code ...http://62.131.86.111/analysis.htmhttp://umbrella.name/originalvuln/msie/InsiderPrototype/MS04-025TA04-212AVU#713878OVAL1133OVAL207OVAL241OVAL519TA04-184Aie-location-restriction-bypass(16348)20040621 IE/0DAY -> Insider Prototypeoval:org.mitre.oval:def:1133oval:org.mitre.oval:def:207oval:org.mitre.oval:def:241oval:org.mitre.oval:def:519Buffer overflow in Real Networks RealPlayer 10 allows remote attackers to execute arbitrary code via a URL with a large number of "." (period) characters.RealPlayer dot file buffer overflowReal Networks RealPlayer URL Parsing Buffer Overflow Vulnerabilityhttp://www.idefense.com/application/poi/display?id=109&type=vulnerabilities&flashstatus=falseCisco CatOS 5.x before 5.5(20) through 8.x before 8.2(2) and 8.3(2)GLX, as used in Catalyst switches, allows remote attackers to cause a denial of service (system crash and reload) by sending invalid packets instead of the final ACK portion of the three-way handshake to the (1) Telnet, (2) HTTP, or (3) SSH services, aka "TCP-ACK DoS attack."Cisco Catalyst CatOS ACK denial of serviceCisco CatOS TCP ACK handling vulnerabilityCisco CatOS TCP-ACK Denial Of Service Vulnerability20040609 Cisco CatOS Telnet, HTTP and SSH VulnerabilitySophos Small Business Suite 1.00 on Windows does not properly handle files whose names contain reserved MS-DOS device names such as (1) LPT1, (2) COM1, (3) AUX, (4) CON, or (5) PRN, which can allow malicious code to bypass detection when it is installed, copied, or executed.Kurt Seifried Security Advisory 005 (KSSA-005)Sophos Small Business Suite bypass security20040922 Sophos Small Business Suite Reserved Device Name Handling VulnerabilityLinux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program.Linux Kernel Multiple Device Driver VulnerabilitiesLinux Kernel fsave and frstor denial of serviceLinux kernel fails to properly handle floating point signals generated by http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15905http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html[linux-kernel] 20040609 timer + fpu stuff locks my console raceCLA-2004:845ESA-20040621-005FEDORA-2004-186GLSA-200407-02MDKSA-2004:062RHSA-2004:255RHSA-2004:260SuSE-SA:2004:0172004-0034OVAL291520040620 TSSA-2004-011 - kernelDSA-1070DSA-1067DSA-1069201622016320202DSA-108220338oval:org.mitre.oval:def:2915MDKSA-2004:06210538Buffer overflow in (1) queue.c and (2) queued.c in queue before 1.30.1 may allow remote attackers to execute arbitrary code.DSA-643http://www.securitytracker.com/alerts/2005/Jan/1012929.htmlqueue-bo(18945)1012929Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields.SoX WAV File Buffer Overflow VulnerabilitySoX .wav file buffer overflowSoX: Multiple buffer overflowsUpdated sox packages fix buffer overflows20040728 SoX buffer overflows when handling .WAV files20040728 SoX buffer overflows when handling .WAV filesDSA-565FEDORA-2004-244FEDORA-2004-235FLSA:1945MDKSA-2004:07612175CLA-2004:855MDKSA-2004:07620040728 SoX buffer overflows when handling .WAV filesThe Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port.Updated CUPS packages fix security vulnerabilityAPPLE-SA-2004-09-30DSA-545FLSA:20722004-0047cups-udp-dos(17389)SCOSA-2004.15CLA-2004:8725764611183The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink attack on the /tmp/.usermin directory.Webmin, Usermin: Multiple vulnerabilities in UserminUsermin Shell Command Injection and Insecure Installation VulnerabilitiesUsermin installation of directory prior to installation of interface causes unspecified issuebid 11153http://www.webmin.com/uchanges-1.089.htmlInteger overflow in gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted content of a certain size that triggers the overflow.DSA-63813855Format string vulnerability in the log routine for gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code.DSA-63813855The tspc.conf configuration file in freenet6 before 0.9.6 and before 1.0 on Debian Linux has world readable permissions, which could allow local users to gain sensitive information, such as a username and password.freenet6 -- wrong file permissionsbid 11280Freenet6 permissions are world-readable101146012705Roaring Penguin pppoe (rp-ppoe), if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this identifier applies *only* to those configurations and installations under which pppoe is run setuid root despite the developer's warnings.rp-pppoe -- missing privilege droppingPPPoE allows attacker to overwrite filesbid 11315 MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerabilityFLSA:15279420041208 Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerabilityFloating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit.124734[owl-users] 20040619 Linux 2.4.26-ow2MDKSA-2004:066linux-ia64-info-disclosure(16644)DSA-1070DSA-1067DSA-1069106872016220163RHSA-2004:50420202DSA-108220338MDKSA-2004:066Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value.BID:966320040215 GAYER THAN AIDS ADVISORY #01: IE 5 remote code executionie-bmp-integer-overflow(15210)Critical Vulnerabilities in Microsoft WindowsMS04-025VU#266926OVAL216OVAL306OVAL322OVAL507OVAL515oval:org.mitre.oval:def:216oval:org.mitre.oval:def:306oval:org.mitre.oval:def:322oval:org.mitre.oval:def:507oval:org.mitre.oval:def:515The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability."MS04-045VU#378160P-054wins-memory-pointer-hijack(18259)1192212370101251713466HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow.Hilgraeve HyperTerminal Session Data Buffer Overflow VulnerabilityVulnerability in HyperTerminal Could Allow Code Execution (873339)HyperTerminal - Buffer Overflow In .ht FileOVAL1603OVAL2545OVAL3138OVAL3973OVAL4508OVAL4741win-hyperterminal-session-bo(18336)oval:org.mitre.oval:def:1603oval:org.mitre.oval:def:2545oval:org.mitre.oval:def:3138oval:org.mitre.oval:def:3973oval:org.mitre.oval:def:4508oval:org.mitre.oval:def:4741The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values.BindView Advisory: Memory Leak and DoS in NT4 RPC serverMicrosoft Security Bulletin MS04-029Microsoft Windows RPC Runtime Library obtain informationMicrosoft Windows MS04-029 patch is not installedOVAL2505OVAL5277oval:org.mitre.oval:def:2505oval:org.mitre.oval:def:5277Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901.Vulnerability in WordPad Could Allow Code Execution (885836)Microsoft Word for Windows 6.0 Converter Table Conversion Buffer Overflow VulnerabilityOVAL1168OVAL1417OVAL1959OVAL1976OVAL3416OVAL3743OVAL4328OVAL685win-converter-table-code-execution(18337)oval:org.mitre.oval:def:1168oval:org.mitre.oval:def:1417oval:org.mitre.oval:def:1959oval:org.mitre.oval:def:1976oval:org.mitre.oval:def:3416oval:org.mitre.oval:def:3743oval:org.mitre.oval:def:4328oval:org.mitre.oval:def:685Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe.Re: [Full-Disclosure] shell:windows command questionVulnerability in Windows Shell Could Allow Remote Code Execution (841356Microsoft Windows Program Group Converter vulnerable to buffer overflowMicrosoft Windows Program Group Converter Filename Local Buffer Overrun VulnerabilityMicrosoft Windows Program Group Converter buffer overflowOVAL1279OVAL1837OVAL1843OVAL2753OVAL3071OVAL3768OVAL3822OVAL4244OVAL4493win-ms04037-patch(17662)oval:org.mitre.oval:def:1279oval:org.mitre.oval:def:1837oval:org.mitre.oval:def:1843oval:org.mitre.oval:def:2753oval:org.mitre.oval:def:3071oval:org.mitre.oval:def:3768oval:org.mitre.oval:def:3822oval:org.mitre.oval:def:4244oval:org.mitre.oval:def:4493Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website.Microsoft Office WordPerfect Converter Buffer Overflow VulnerabilityMicrosoft Security Bulletin MS04-027Microsoft WordPerfect converter long message buffer overflowOVAL2670OVAL3311OVAL3333OVAL4005OVAL5021VU#449438101124910112501011251101125212529oval:org.mitre.oval:def:2670oval:org.mitre.oval:def:3311oval:org.mitre.oval:def:3333oval:org.mitre.oval:def:4005oval:org.mitre.oval:def:5021The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows.Vulnerability in NNTP Could Allow Remote Code Execution (883935)P-012: Microsoft Vulnerability in NNTP Could Allow Remote Code Execution (883935)Microsoft IIS contains vulnerability in NNTP serviceMicrosoft Windows NNTP buffer overflowhttp://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10OVAL246OVAL4392OVAL5070OVAL5926win-ms04036-patch(17661)20041012 CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilitiesoval:org.mitre.oval:def:246oval:org.mitre.oval:def:4392oval:org.mitre.oval:def:5070oval:org.mitre.oval:def:5926oval:org.mitre.oval:def:5021Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation.Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376)P-010: Microsoft Compressed (Zipped) Folders VulnerabilityMicrosoft Windows XP and Windows Server 2003 Compressed Folders buffer overflowMicrosoft Windows MS04-034 patch is not installedhttp://www.eeye.com/html/research/advisories/AD20041012A.htmlOVAL1053OVAL3913OVAL4276OVAL6397VU#649374101163720041013 EEYE: Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow Vulnerabilityoval:org.mitre.oval:def:1053oval:org.mitre.oval:def:3913oval:org.mitre.oval:def:4276oval:org.mitre.oval:def:6397The radius daemon (radiusd) for GNU Radius 1.1, when compiled with the -enable-snmp option, allows remote attackers to cause a denial of service (server crash) via malformed SNMP messages containing an invalid OID.20040621 [Full-Disclosure] iDEFENSE Security Advisory 06.21.04 - GNU Radius SNMP Invalid OID Denial of Service Vulnerabilityradius-snmp-oid-dos(16466)WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files from the root directory via a URL request to the wingate-internal directory.20040701 iDEFENSE Security Advisory 07.01.04: WinGate Information Disclosurewingate-directory-traversal(16589)http://www.idefense.com/application/poi/display?id=113WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request to the wingate-internal directory.20040701 iDEFENSE Security Advisory 07.01.04: WinGate Information Disclosurewingate-directory-traversal(16589)http://www.idefense.com/application/poi/display?id=113Format string vulnerability in super before 3.23 allows local users to execute arbitrary code as root.super format string attackDSA-522-1 super -- format string vulnerabilitySuper Local Format String VulnerabilityDHCP on Linksys BEFSR11, BEFSR41, BEFSR81, and BEFSRU31 Cable/DSL Routers, firmware version 1.45.7, does not properly clear previously used buffer contents in a BOOTP reply packet, which allows remote attackers to obtain sensitive information.Multiple Linksys Devices DHCP Information Disclosure and Denial of Service VulnerabilityLinksys EtherFast routers BOOTP packet denial of serviceLinksys BEFSR41 DHCP vulnerability server leaks network data6325101028811606ksymoops-gznm script in Mandrake Linux 9.1 through 10.0, and Corporate Server 2.1, allows local users to delete arbitrary files via a symlink attack on files in /tmp.KSymoops KSymoops-GZNM Insecure Temporary File Handling Symbolic Link Vulnerabilityksymoops-gznm symlink attackMDKSA-2004:060Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration information for a module.Webmin Configuration Module Information Disclosure VulnerabilityWebmin Multiple Unspecified VulnerabilitiesWebmin allows security restriction bypass[SNS Advisory No.74] Webmin Access Control Rule Bypass Vulnerabilityhttp://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/74_e.htmlhttp://www.webmin.com/changes-1.150.htmlDSA-526GLSA-200406-12MDKSA-2004:074CLA-2004:848The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords.Webmin And Usermin Account Lockout Bypass VulnerabilityWebmin Multiple Unspecified VulnerabilitiesWebmin username or password denial of service[SNS Advisory No.75] Webmin/Usermin Account Lockout Bypass Vulnerabilityhttp://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/75_e.htmlhttp://www.webmin.com/changes-1.150.htmlDSA-526GLSA-200406-12GLSA-200406-15MDKSA-2004:074Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a "security fix," does not properly validate input, which allows remote attackers to execute arbitrary script as other users via script or HTML in an e-mail message, possibly triggering a cross-site scripting (XSS) vulnerability.Horde IMP Email Header HTML Injection VulnerabilityHorde IMP Content-type header cross-site scriptingHorde-IMP: Input validation vulnerabilityhttp://www.horde.org/imp/3.2/11805** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0589. Reason: This candidate is a duplicate of CVE-2004-0589. Notes: All CVE users should reference CVE-2004-0589 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.acpRunner ActiveX 1.2.5.0 allows remote attackers to execute arbitrary code via the (1) DownLoadURL, (2) SaveFilePath, and (3) Download ActiveX methods.IBM acpRunner could allow code executionIBM acpRunner Activex Dangerous Methods VulnerabilityIBM ACPRunner ActiveX Control Dangerous Method Vulnerabilityhttp://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-54588Insecure permissions for the /proc/scsi/qla2300/HbaApiNode file in Linux allows local users to cause a denial of service.Linux Kernel HbaApiNode Improper File Permissions Denial of Service VulnerabilitySuSE HbaApiNode denial of servicehttp://www.securitytracker.com/alerts/2004/May/1010057.htmlFEDORA-2004-186MDKSA-2004:066RHSA-2004:413RHSA-2004:41820040804-01-USuSE-SA:2004:0101010057Cross-site scripting (XSS) vulnerability in the web mail module for Usermin 1.070 allows remote attackers to insert arbitrary HTML and script via e-mail messages.This vulnerability is addressed in the following product update: Usermin, Usermin, 1.080Usermin HTML Email Script Code Execution VulnerabilityUsermin email message cross-site scripting[SNS Advisory No.73] Usermin Cross-site Scripting Vulnerabilityhttp://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/73_e.htmlGLSA-200406-15Cisco IOS 11.1(x) through 11.3(x) and 12.0(x) through 12.2(x), when configured for BGP routing, allows remote attackers to cause a denial of service (device reload) via malformed BGP (1) OPEN or (2) UPDATE messages.Cisco IOS BGP packet denial of serviceBGP implementations do not adequately handle malformed BGP OPEN and UPDATE messages20040616 Cisco IOS Malformed BGP Packet Causes ReloadFreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject.GLSA-200406-20MDKSA-2004:070ipsec-verifyx509cert-auth-bypass(16515)Cross-site scripting (XSS) vulnerability in the print_header_uc function for SqWebMail 4.0.4 and earlier, and possibly 3.x, allows remote attackers to inject arbitrary web script or HRML via (1) e-mail headers or (2) a message with a "message/delivery-status" MIME Content-Type.This vulnerability is addressed in the following product release: Inter7, SqWebMail, 4.0.5SqWebMail Email Header HTML Injection VulnerabilitySqWebMail print_header-uc function cross-site scriptingXSS vulnerability in Sqwebmail 4.0.4DSA-533-1 courier -- cross-site scripting11918GLSA-200408-02The tcp_find_option function of the netfilter subsystem for IPv6 in the SUSE Linux 2.6.5 kernel with USAGI patches, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type, a similar flaw to CVE-2004-0626.SUSE-SA:2004:02020040703 Re: SUSE Security Announcement: kernel (SUSE-SA:2004:020)linux-kernel-tcpfindoption-dos(43137)Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic before authentication, which could allow remote attackers to bypass filtering rules.Sygate Enforcer unauthenticated broadcast issueSygate Enforcer broadcast traffic bypass filterSygate Secure Enterprise Enforcer Unauthenticated Broadcast Request Bypass Vulnerability20040810 Corsaire Security Advisory - Sygate Enforcer unauthenticated broadcast issueThe memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete.BID:10725php-memorylimit-code-execution(16693)20040713 Advisory 11/2004: PHP memory_limit remote vulnerability20040714 Advisory 11/2004: PHP memory_limit remote vulnerabilityDSA-531DSA-669GLSA-200407-13MDKSA-2004:068RHSA-2004:392RHSA-2004:395RHSA-2004:405SUSE-SA:2004:0212004-0039GLSA-200407-1320040714 TSSA-2004-013 - phpCLA-2004:847SSRT477720040722 [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php)RHSA-2005:81610725The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities.BID:1072420040713 Advisory 11/2004: PHP memory_limit remote vulnerabilityDSA-531Multiple Vulnerabilities in Microsoft Windows Components and Outlook Express20040714 Advisory 12/2004: PHP strip_tags() bypass vulnerabilityDSA-669GLSA-200407-13MDKSA-2004:068RHSA-2004:392RHSA-2004:395RHSA-2004:405SUSE-SA:2004:021GLSA-200407-1320040714 TSSA-2004-013 - phpCLA-2004:847SSRT477720040722 [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php)RHSA-2005:816The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference.Linux Kernel Equalizer Load Balancer Device Driver Local Denial Of Service VulnerabilityLinux kernel eql.c driver denial of servicehttp://linux.bkbits.net:8080/linux-2.6/cset@40d4aa72hPLWy-jMLr0eJAXMxHcNZgMultiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking.libpng png_handle_sBIT and png_handle_tRNS buffer overflowMultiple Vulnerabilities in libpngDebian Security AdvisoryLibPNG Graphics Library Multiple Remote Vulnerabilitieshttp://scary.beasts.org/security/CESA-2004-001.txtFLSA:1943GLSA-200408-03GLSA-200408-22MS05-009RHSA-2004:402RHSA-2004:421RHSA-2004:429SuSE-SA:2004:0232004-0040http://www.mozilla.org/projects/security/known-vulnerabilities.htmlhttp://www.adobe.com/support/downloads/detail.jsp?ftpID=2679TA05-039AVU#388984VU#817368OVAL2274OVAL2378OVAL594OVAL4492SCOSA-2005.491549520050209 MSN Messenger PNG Image Buffer Overflow Download Shellcoded ExploitCLA-2004:856FLSA:2089SSRT4778SCOSA-2004.1620040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png)oval:org.mitre.oval:def:2274oval:org.mitre.oval:def:2378oval:org.mitre.oval:def:594oval:org.mitre.oval:def:4492MDKSA-2006:212MDKSA-2006:2132295722958MDKSA-2004:079MDKSA-2006:212MDKSA-2006:213200663The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference.libpng png_handle_iCCP denial of serviceMultiple Vulnerabilities in libpngLibPNG Graphics Library Multiple Remote Vulnerabilitieshttp://scary.beasts.org/security/CESA-2004-001.txtCLA-2004:856DSA-536FLSA:1943GLSA-200408-03GLSA-200408-22SSRT4778RHSA-2004:402RHSA-2004:429SCOSA-2004.16SuSE-SA:2004:0232004-0040http://www.mozilla.org/projects/security/known-vulnerabilities.htmlVU#236656OVAL257220040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png)oval:org.mitre.oval:def:2572MDKSA-2006:212MDKSA-2006:2132295722958MDKSA-2004:079MDKSA-2006:212MDKSA-2006:213200663Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image.CLA-2004:856DSA-536DSA-570DSA-571FLSA:1943FLSA:2089GLSA-200408-03GLSA-200408-22SSRT4778RHSA-2004:402RHSA-2004:421RHSA-2004:429SCOSA-2004.16SuSE-SA:2004:0232004-004020040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png)http://www.mozilla.org/projects/security/known-vulnerabilities.htmlVU#160448VU#286464VU#477512OVAL1479SCOSA-2005.4915495oval:org.mitre.oval:def:1479MDKSA-2006:212MDKSA-2006:2132295722958MDKSA-2004:079MDKSA-2006:212MDKSA-2006:213LibPNG Graphics Library Multiple Remote Vulnerabilitieslibpng integer buffer overflowMultiple Vulnerabilities in libpnghttp://scary.beasts.org/security/CESA-2004-001.txtAPPLE-SA-2004-09-09200663Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication.BID:1078020040722 Samba 3.x swat preauthentication buffer overflowRHSA-2004:259Samba SWAT invalid base64 character causes buffer overflowGLSA-200407-21MDKSA-2004:071SUSE-SA:2004:0222004-003920040722 SWAT PreAuthorization PoC20040722 Security Release - Samba 3.0.5 and 2.2.10CLA-2004:851CLA-2004:85420040722 [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba)20040722 TSSA-2004-014 - sambadistcc before 2.16, when running on 64-bit platforms, does not interpret IP-based access control rules correctly, which could allow remote attackers to bypass intended restrictions.distcc IP-based Access Control Rules Security Bypassbid 11319distcc IP gain privilegesThe binary compatibility mode for FreeBSD 4.x and 5.x does not properly handle certain Linux system calls, which could allow local users to access kernel memory to gain privileges or cause a system panic.FreeBSD-SA-04:13freebsd-binary-information-disclosure(16558)bugtraq id 10643gzexe in gzip 1.3.3 and earlier will execute an argument when the creation of a temp file fails instead of exiting the program, which could allow remote attackers or local users to execute arbitrary commands, a different vulnerability than CVE-1999-1332.GLSA-200406-18bugtraq id 10603gzip-gzexe-tmpfile(16506)The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows remote attackers to cause a denial of service (crash), possibly via an empty search query, which triggers a NULL dereference.GLSA-200406-19gift-fasttrack-daemon-dos(16508)bugtraq id 10604http://gift-fasttrack.berlios.de/11941Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ircd-ratbox 1.5.1 and earlier, or (3) ircd-ratbox 2.0rc6 and earlier do not have a rate-limit imposed, which could allow remote attackers to cause a denial of service by repeatedly making requests, which are slowly dequeued.20040618 ircd-hybrid-7 / ircd-ratbox low-bandwidth DoSbugtraq id 10572ircd-parseclientqueued-dos(16457)Cross-site scripting (XSS) vulnerability in Infoblox DNS One running firmware 2.4.0-8 and earlier allows remote attackers to execute arbitrary scripts as other users via the (1) CLIENTID or (2) HOSTNAME option of a DHCP request.20040619 Script injection in DNSONE appliancebugtraq id 10573dnsone-dhcp-report-xss(16456)The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication.20040614 authentication bug in KAME's racoon20040615 Re: authentication bug in KAME's racoonGLSA-200406-17bugtraq id 10546racoon-eaycheckx509cert-auth-bypass(16414)RHSA-2004:308SCOSA-2005.10711310104951186311877The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory.GLSA-200407-14bugtraq id 10570unreal-secure-query-command-execute(16451)20040618 Code execution in the Unreal Engine through \secure\ packetrssh 2.0 through 2.1.x expands command line arguments before entering a chroot jail, which allows remote authenticated users to determine the existence of files in a directory outside the jail.20040619 Security flaw in rsshbugtraq id 10574rssh-jail-obtain-info(16470)The Web administration interface in Microsoft MN-500 Wireless Router allows remote attackers to cause a denial of service (connection refusal) via a large number of open HTTP connections.20040621 Microsoft MN-500 Wireless Router Web-Based Administration DoSmn500-web-admin-dos(16448)bugtraq id 10585Web-Based Administration in Netgear FVS318 VPN Router allows remote attackers to cause a denial of service (no new connections) via a large number of open HTTP connections.20040621 NETGEAR FVS318 Web-Based Administration DoSnetgear-fvs318-dos(16462)bugtraq id 10585The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering. NOTE: it has been disputed by the vendor that this behavior is required by the SSL specification.20040621 ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability20040625 Zone Labs response to "ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability"zonealarm-mobile-code-bypass(16471)10584osTicket allows remote attackers to view sensitive uploaded files and possibly execute arbitrary code via an HTTP request that uploads a PHP file to the ticket attachments directory.20040621 Multiple osTicket exploits!osticket-php-file-upload(16477)osticket-view-attachments(16478)bugtraq id 10586osticket-php-file-upload(16477)osTicket trusts a hidden form field in the submit form to limit the upload size of a document, which could allow remote attackers to upload a file of any size.20040621 Multiple osTicket exploits!osticket-php-file-upload(16477)Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router running firmware 2.30, and DI-704 SOHO router running firmware 2.60B2, and DI-624, allows remote attackers to inject arbitrary script or HTML via the DHCP HOSTNAME option in a DHCP request.dlink614-dhcp-xss(16468)101056220040701 DLINK 624, script injection vulnerability1058772111191920040621 DLINK 704, script injection vulnerability20040621 DLINK 614+, script injection vulnerabilityThe BT Voyager 2000 Wireless ADSL Router has a default public SNMP community name, which allows remote attackers to obtain sensitive information such as the password, which is stored in plaintext.20040622 Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password)20040622 Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password)bt-voyager-password-plaintext(16472)bugtraq id 10589Cross-site scripting (XSS) vulnerability in ArbitroWeb 0.6 allows remote attackers to inject arbitrary script or HTML via the rawURL parameter.20040622 ArbitroWeb v0.6 Javascript injection vulnerabilitybugtraq id 10592arbitroweb-rawurl-xss(16481)FreeBSD 5.1 for the Alpha processor allows local users to cause a denial of service (crash) via an execve system call with an unaligned memory address as an argument.20040623 Security Advisory : FreeBSD local DoSbugtraq id 10596freebsd-execve-dos(16499)Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a negative add_dsa_buf_bytes variable, which leads to a buffer overflow.20040623 Linux Broadcom 5820 Cryptonet Driver Integer Overflowbugtraq id 10599bcm5820-adddsabufbytes-integer-bo(16459)Updated kernel packages fix security vulnerabilitiesRHSA-2005:283P-04711936Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel.vbulletin-newreply-newthread-xss(16502)bugtraq id 1060220040624 vBulletin HTML Injection Vulnadmin.php in Newsletter ZWS allows remote attackers to gain administrative privileges via a list_user operation with the ulevel parameter set to 1 (administrator level), which lists all users and their passwords.20040624 ZWS Newsletter & Mailing List Managerzws-gain-admin-access(16507)bugtraq id 10605Mac OS X 10.3.4 does not properly clear memory for user login, Keychain, or FileVault passwords, which could allow the root user or an attacker with physical access to obtain sensitive information by reading memory.20040625 Mac OS X stores login/Keychain/FileVault passwords on diskmacos-memory-view-passwords(16557)Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remote attackers to execute arbitrary code via format string specifiers in a string that gets logged by syslog.20040625 format string vulnerability in Gnatsbugtraq id 10609gnats-format-string(16517)PHP remote file inclusion vulnerability in index.php for Artmedic links 5.0 (artmedic_links5) allows remote attackers to execute arbitrary PHP code by modifying the id parameter to reference a URL on a remote web server that contains the code.20040625 artmedic_links5 PHP Script (include path) vulnartmedic-url-file-disclosure(16518)SQL injection vulnerability in Infinity WEB 1.0 allows remote attackers to bypass authentication and gain privileges via the login page.20040627 ZH2004-14SA (security advisory):Sql Injection in Infinity WEB20040627 ZH2004-14SA (security advisory):Sql Injection in Infinity WEBZH2004-14SAbugtraq id 10614infinity-web-sql-injection(16513)The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type.20040630 Remote DoS vulnerability in Linux kernel 2.6.xCLA-2004:852FEDORA-2004-202GLSA-200407-12linux-tcpfindoption-dos(16554)SUSE-SA:2004:020The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string.20040705 MySQL Authentication Bypass20040705 MySQL Authentication BypassVU#18403020040705 MySQL Authentication BypassStack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string.20040705 MySQL Authentication Bypass20040705 MySQL Authentication Bypassmysql-myrnd-bo(16612)VU#64532620040705 MySQL Authentication BypassBuffer overflow in the ActiveX component (pdf.ocx) for Adobe Acrobat 5.0.5 and Acrobat Reader, and possibly other versions, allows remote attackers to execute arbitrary code via a URI for a PDF file with a null terminator (%00) followed by a long string.acroread: UUDecode filename buffer overflowAdobe Acrobat/Acrobat Reader ActiveX Control URI Request Heap Buffer Overflow Vulnerabilityhttp://www.adobe.com/support/techdocs/330527.htmlacrobat-reader-activex-bo(16998)20040813 Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow VulnerabilityThe uudecoding feature in Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via shell metacharacters ("`" or backtick) in the filename of the PDF file that is provided to the uudecode command.Adobe Acrobat Reader allows code executionAdobe Acrobat Reader Shell Metacharacter Remote Arbitrary Code Execution Vulnerabilityacroread: UUDecode filename buffer overflowhttp://www.adobe.com/support/techdocs/322914.htmlRHSA-2004:43220040812 Adobe Acrobat Reader (Unix) Shell Metacharacter Code Execution VulnerabilityBuffer overflow in the uudecoding feature for Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via a long filename for the PDF file that is provided to the uudecode command.Adobe Acrobat Reader For Unix UUDecode Buffer Overflow VulnerabilityAdobe Acrobat Reader uudecode filename buffer overflowacroread: UUDecode filename buffer overflowhttp://www.adobe.com/support/techdocs/322914.htmlRHSA-2004:43220040812 Adobe Acrobat Reader (Unix) 5.0 Uudecode Filename Buffer Overflow VulnerabilityAdobe Reader 6.0 does not properly handle null characters when splitting a filename path into components, which allows remote attackers to execute arbitrary code via a file with a long extension that is not normally handled by Reader, triggering a buffer overflow.BID:10696adobe-acrobat-null-bo(16667)http://www.adobe.com/support/techdocs/330527.htmlhttp://www.adobe.com/support/techdocs/34222.htm20040712 Adobe Reader 6.0 Filename Handler Buffer Overflow VulnerabilityThe iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow.FEDORA-2004-219FEDORA-2004-220GLSA-200407-08MDKSA-2004:067ethereal-isns-dos(16630)http://www.ethereal.com/appnotes/enpa-sa-00015.htmlhttp://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381RHSA-2004:378VU#829422101065512024CLA-2005:916The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows remote attackers to cause a denial of service (process crash) via a handle without a policy name, which causes a null dereference.FEDORA-2004-219FEDORA-2004-220GLSA-200407-08MDKSA-2004:067ethereal-smb-sid-dos(16631)http://www.ethereal.com/appnotes/enpa-sa-00015.htmlhttp://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381RHSA-2004:378VU#518782101065512024CLA-2005:916The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote attackers to cause a denial of service (process crash) via a (1) malformed or (2) missing community string, which causes an out-of-bounds read.FEDORA-2004-219FEDORA-2004-220GLSA-200407-08MDKSA-2004:067http://www.ethereal.com/appnotes/enpa-sa-00015.htmlhttp://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381CLA-2005:916DSA-528RHSA-2004:378ethereal-snmp-community-dos(16632)VU#835846101065512024Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message.AOL Instant Messenger Away Message Remote Buffer Overflow VulnerabilityAOL Instant Messenger aim:goaway URI Handler Buffer Overflow VulnerabilityAOL Instant Messenger "Away" Message Buffer Overflow VulnerabilityVU#735966aim-away-bo(16926)Oracle Database Server 8.1.7.4 through 9.2.0.4 allows local users to execute commands with additional privileges via the ctxsys.driload package, which is publicly accessible.20040902 Oracle Database Server ctxsys.driload Access Validation VulnerabilityVU#316206110991240911099Buffer overflow in the KSDWRTB function in the dbms_system package (dbms_system.ksdwrt) for Oracle 9i Database Server Release 2 9.2.0.3 and 9.2.0.4, 9i Release 1 9.0.1.4 and 9.0.1.5, and 8i Release 1 8.1.7.4, allows remote authorized users to execute arbitrary code via a long second argument.20040902 Oracle Database Server dbms_system.ksdwrt Buffer Overflow Vulnerability20040905 Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i - 9ihttp://www.red-database-security.com/advisory/advisory_20040903_3.htmhttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf11100oracle-dbmssystem-bo(17254)Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable.SquirrelMail From header cross-site scriptingSquirrelMail Email Header HTML Injection VulnerabilityDSA-535-1 squirrelmail -- several vulnerabilitieshttp://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txthttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973CLA-2004:8581045020040530 RS-2004-1: SquirrelMail Format string vulnerability in the SSL_set_verify function in telnetd.c for SSLtelnet daemon (SSLtelnetd) 0.13 allows remote attackers to execute arbitrary code.SSLtelnetd format stringDSA-529-1 netkit-telnet-ssl -- format stringSSLTelnetd Remote Syslog Format String VulnerabilityThomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections.20040805 Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN GenerationESB-2004.05041088112238speedtouch-hijack-connection(16919)Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.MIT krb5: Multiple vulnerabilitiesKerberos KDC double-freehttp://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txtTA04-247AVU#795632CLA-2004:860DSA-543RHSA-2004:3502004-004520040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)11078OVAL4936oval:org.mitre.oval:def:4936Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code.MIT krb5: Multiple vulnerabilitiesTrustix Secure Linux Bugfix Advisory #2004-0045Kerberos krb5_rd_cred double-freehttp://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txtTA04-247AVU#866472DSA-543RHSA-2004:35011078OVAL3322CLA-2004:86020040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)oval:org.mitre.oval:def:3322The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding.MIT krb5: Multiple vulnerabilitiesTrustix Secure Linux Bugfix Advisory #2004-0045Kerberos ASN.1 decoder library denial of servicehttp://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txtTA04-247AVU#550464CLA-2004:860DSA-543RHSA-2004:35020040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)11079OVAL2139oval:org.mitre.oval:def:2139Buffer overflow in the wvHandleDateTimePicture function in wv library (wvWare) 0.7.4 through 0.7.6 and 1.0.0 allows remote attackers to execute arbitrary code via a document with a long DateTime field.wvWare Library Field.c WVHANDLEDATETIMEPICTURE Function Remote Buffer Overflow VulnerabilitywvWare wvHandleDateTimePicture function buffer overflowwvWare Library Buffer Overflow Vulnerabilitywv: Buffer overflow vulnerabilityDSA-579FLSA:1906MDKSA-2004:077http://www.freebsd.org/ports/portaudit/7a5430df-d562-11d8-b479-02e0185c0b53.htmlhttp://cpan.cybercomm.nl/pub/gentoo-portage/app-text/wv/files/wv-1.0.0-fix_overflow.patch7761CLA-2004:863Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields.Macromedia JRun 4 mod_jrun Apache Module Buffer Overflow Vulnerabilitybid 11245Macromedia ColdFusion MX and JRun verbose mode buffer overflow20040929 iDEFENSE Security Advisory 09.29.04 - Macromedia JRun 4 mod_jrun Apache Module Buffer Overflow Vulnerabilityhttp://www.macromedia.com/devnet/security/security_zone/mpsb04-09.htmlVU#99020012647shorewall 1.4.10c and earlier, and 2.0.x before 2.0.3a, allows local users to overwrite arbitrary files via a symlink attack on the chains-$$ temporary file.Shorewall Insecure Temporary File Handling Symbolic Link VulnerabilityShorewall symlink attackShorewall : Insecure temp file handling[Shorewall-announce] 20040628 URGENT: Shorewall Security VulnerabilityMDKSA-2004:080Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird before 0.7.2 allow remote attackers to launch arbitrary programs via a URI referencing the shell: protocol.Mozilla shell: command program executionMozilla Security Advisory 2004-07-08Mozilla fails to restrict access to the "shell:" URI handler20040707 shell:windows command questionhttp://www.mozilla.org/security/shell.htmlhttp://www.mozilla.org/projects/security/known-vulnerabilities.htmlO-17512027Buffer overflow in write_packet in control.c for l2tpd may allow remote attackers to execute arbitrary code.L2TPD Write_Packet Block BSS based Buffer Overflow Vulnerabilityl2tpd write_packet buffer overflow bss-based buffer overflow in l2tpdDSA-530-1 l2tpd -- buffer overflowl2tpd: Buffer overflowUploadServlet in Cisco Collaboration Server (CCS) running ServletExec before 3.0E allows remote attackers to upload and execute arbitrary files via a direct call to the UploadServlet URL.New Atlanta ServletExec Unauthorized Access VulnerabilityCisco Collaboration Server ServletExec allows elevated privilegesCisco Collaboration Server (CCS) ServletExec allows arbitrary file uploading20040630 Cisco Collaboration Server Vulnerability11979Unknown vulnerability in Sun Java Runtime Environment (JRE) 1.4.2 through 1.4.2_03 allows remote attackers to cause a denial of service (virtual machine hang).Sun Java Runtime Environment Unspecified Remote Denial Of Service VulnerabilitySun Java Virtual Machine denial of serviceSun Java Runtime Environment vulnerable to DoS57555SSRT4749HPSBUX01044BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack 4, and 8.1 through 8.1 Service Pack 2, allows attackers to obtain the username and password for booting the server by directly accessing certain internal methods.BEA WebLogic Local Password Disclosure VulnerabilityBEA WebLogic Server and Express allows administrator or operator privilegesBEA WebLogic Server internal methods may disclose sensitive informationhttp://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_55.00.jsp5296100976611359Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files.Sun Solaris configured as Kerberos logs passwords in plain textSun Solaris patches may cause passwords to be logged in clear textO-172: Sun Solaris 9 PatchesSun Solaris Patches 112908-12 And 115168-03 Clear Text Password Logging Vulnerability57587OVAL20651194010606101519oval:org.mitre.oval:def:2065oval:org.mitre.oval:def:255Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic).Sun Solaris vulnerable to DoS when the Basic Security Module (BSM) is configured to perform auditing of specific classesSun Solaris Basic Security Module Auditing Denial Of Service Vulnerability5749710594OVAL242611930oval:org.mitre.oval:def:2426eupdatedb in esearch 0.6.1 and earlier allows local users to create arbitrary files via a symlink attack on the esearchdb.py.tmp temporary file.Esearch eupdatedb Symbolic Link Vulnerabilityesearch eupdatedb symlink attackEsearch: Insecure temp file handlingThe accept_client function in PureFTPd 1.0.18 and earlier allows remote attackers to cause a denial of service by exceeding the maximum number of connections.PureFTPd Accept_Client Remote Denial of Service VulnerabilityPure-FTPd accept_client denial of servicePure-FTPd: Potential DoS when maximum connections is reachedhttp://www.pureftpd.org/Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP server to return the wrong date/time offset when a client requests a date/time that is more than 34 years away from the server's time.NTP integer buffer overflowNTP service vulnerable to internal overflow if date / time offset is greater than 34 yearsSSRT4718Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket.Linux Kernel IEEE 1394 Integer Overflow VulnerabilityLinux kernel IEEE 1394 driver integer overflowlinux kernel IEEE1394(Firewire) driver integer overflowBuffer overflow in TranslateFilename for common.c in MPlayer 1.0pre4 allows remote attackers to execute arbitrary code via a long file name.MPlayer GUI File Name Buffer Overflow VulnerabilityMPlayer common.c buffer overflowMPlayer MeMPlayer.cGLSA-200408-01Cross-site scripting (XSS) vulnerability in (1) show_archives.php, (2) show_news.php, and possibly other php files in CuteNews 1.3.1 allows remote attackers to inject arbitrary script or HTML via the id parameter.CuteNews Multiple Cross-site Scripting VulnerabilitiesCuteNews id variable cross-site scripting20040628 Cross-Site Scripting CuteNewsInteger signedness error in D-Link AirPlus DI-614+ running firmware 2.30 and earlier allows remote attackers to cause a denial of service (IP lease depletion) via a DHCP request with the LEASETIME option set to -1, which makes the DHCP lease valid for thirteen or more years.D-Link AirPlus DI-614+, DI-624, and DI-604 DHCP Server Flooding Denial Of Service VulnerabilityD-Link DHCP REQUEST packet denial of service20040629 Re: DLINK 614+ - SOHO routers, system DOS72941201820040628 DLINK 614+ - SOHO routers, DHCP service DOSPowerPortal 1.x allows remote attackers to gain sensitive information via invalid or missing parameters in HTTP requests to (1) resize.php or (2) modules.php, which reveals the path in an error message.PowerPortal Multiple Input Validation VulnerabilitiesPowerPortal path disclosureMultiple vulnerabilities PowerPortalhttp://www.swp-zone.org/archivos/advisory-07.txtCross-site scripting (XSS) vulnerability in modules.php in PowerPortal 1.x allows remote attackers to inject arbitrary script or HTML via the (1) parameter to the (a) private_messages module; (2) search parameter to the (b) links and (c) content modules; and (3) files parameter to the gallery module.PowerPortal multiple cross-site scriptingMultiple vulnerabilities PowerPortalDirectory traversal vulnerability in modules.php in PowerPortal 1.x allows remote attackers to list arbitrary directories via a .. (dot dot) in the files parameter.PowerPortal Multiple Input Validation VulnerabilitiesPowerPortal "dot dot" directory traversalMultiple vulnerabilities PowerPortalhttp://www.swp-zone.org/archivos/advisory-07.txtcsFAQ.cgi in csFAQ allows remote attackers to gain sensitive information via an invalid database parameter, which reveals the path to the web server in an error message.CGIScript.net CSFAQ Script Path Disclosure VulnerabilitycsFAQ path disclosureFull path disclosure csFAQhttp://www.swp-zone.org/archivos/advisory-08.txtOff-by-one error in the POP3_readmsg function in popclient 3.0b6 allows remote attackers to cause a denial of service (application crash) via an e-mail message with a certain line length, which leads to a buffer overflow.Popclient Email Message Buffer Overflow Vulnerabilitypopclient POP3_readmsg off-by-one buffer overflowDoS in popclient 3.0b620040629 DoS in popclient 3.0b6http://www.grok.org.uk/advisories/popclient.htmlRule Set Based Access Control (RSBAC) 1.2.2 through 1.2.3 allows access to sys_creat, sys_open, and sys_mknod inside jails, which could allow local users to gain elevated privileges.RSBAC Jail SUID And SGID File Creation VulnerabilityRSBAC JAIL module CREATE check gain privileges Announce: RSBAC v1.2.3 releasedrsbac 1.2.3 jail security problemshttp://www.rsbac.org/download/bugfixes/rsbac-jail-gain-privileges(16552)Web Access in Lotus Domino 6.5.1 allows remote attackers to cause a denial of service (server crash) via a large e-mail message, as demonstrated using a large image attachment.IBM Lotus Domino Server Web Access Malicious Email View Remote Denial Of Service VulnerabilityLotus Domino Web Access denial of serviceDoS against Domino 6.5.1Lotus Domino 6.5.0 and 6.5.1, with IMAP enabled, allows remote authenticated users to change their quota by using the IMAP setquota command.IBM Lotus Domino IMAP Quota Changing VulnerabilityLotus Domino allows change of quotaUnprevileged user can change quota on DominoPrestige 650HW-31 running Rompager 4.7 software allows remote attackers to cause a denial of service (device reboot) via a long password.ZyXEL Prestige Router Authentication Password Field Remote Denial Of Service VulnerabilityZyXEL Prestige 650HW-31 long password denial of serviceDSL router Prestige 650HW-3120040630 DSL router Prestige 650HW-31Brightmail Spamfilter 6.0 and earlier beta releases allows remote attackers to read mail from other users by modifying the id parameter in a viewMsgDetails.do request.Symantec Brightmail Anti-Spam 6.0Symantec Brightmail Anti-Spam view mail20040701 Brightmail leaks other user's spam20040714 Ref: http://www.securityfocus.com/archive/1/367866, Jul 1 2004 1:19PM, Subj: BrightmailMultiple cross-site scripting (XSS) vulnerabilities in the primary and management web interfaces in Netegrity IdentityMinder Web Edition 5.6 allows remote attackers to execute script as other users via (1) script that starts with %00 in the numOfExpressions parameter or (2) the mobjtype parameter.Netegrity IdentityMinder Multiple Cross-Site Scripting VulnerabilitiesNetegrity IdentityMinder cross-site scriptingXSS in Netegrity IdentityMinderCross-site scripting (XSS) vulnerability in SCI Photo Chat Server 3.4.9 allows remote attackers to execute arbitrary web script as other users via an invalid request that is echoed in the resulting error message.SCI Photo Chat Server Cross-Site Scripting VulnerabilitySCI Photo Chat Server cross-site scripting XSS in SCI Photo Chat Server 3.4.9Enterasys XSR-1800 series Security Routers, when running firmware 7.0.0.0 and using Policy-Based Routing, allow remote attackers to cause a denial of service (crash) via a packet with the IP record route option set.Enterasys XSR Security Router Record Route Denial Of Service VulnerabilityEnterasys Networks XSR Security RouterEnterasys XSR Security Routers DoShttp://www.enterasys.com/support/security/incidents/2004/07/11036.htmlCross-site scripting (XSS) vulnerability in (1) cart32.exe or (2) c32web.exe in Cart32 shopping cart allows remote attackers to execute arbitrary web script via the cart32 parameter to a GetLatestBuilds command.McMurtrey/Whitaker & Associates Cart32 GetLatestBuilds Script Cross-Site Scripting VulnerabilityCart32 GetLatestBuilds script cross-site scriptingCart32 Input Validation Flaw in 'GetLatestBuilds?cart32=' PermitsDirectory traversal vulnerability in Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier allows remote attackers to create or delete arbitrary files via .. (dot dot) and // (double slash) sequences in the filename parameter.Fastream NetFile FTP/Web Server Directory Traversal VulnerabilityFastream NETFile Server mkdir file uploadFastream NETFile FTP/Web Server Input validation Errorshttp://www.haxorcitos.com/Fastream_advisory.txtFastream NETFile FTP Server 6.7.2.1085 and earlier allows remote attackers to cause a denial of service (temporary hang) via the cd command with an unusual argument, possibly due to multiple leading slashes and/or an access to the floppy drive ("A").Fastream NETFile Server CD command denial of service20040704 Fastream NETFile FTP/Web Server Input validation ErrorsCross-site scripting (XSS) in one2planet.infolet.InfoServlet in 12Planet Chat Server 2.9 allows remote attackers to execute arbirary script as other users via the page parameter.12Planet Chat Server Cross-Site Scripting Vulnerability12Planet Chat Server cross-site scriptingXSS in 12Planet Chat Server 2.9http://www.autistici.org/fdonato/advisory/12PlanetChatServer2.9-adv.txtThe IP cloaking feature (cloak.c) in UnrealIRCd 3.2, and possibly other versions, uses a weak hashing scheme to hide IP addresses, which could allow remote attackers to use brute force methods to gain other user's IP addresses.Unreal IRCD Cloak.C IP Address Disclosure VulnerabilityUnreal IRCd information disclosureunreal ircd ip cloaking subsystem vulnerabilityhttp://www.unrealircd.com/http://www.bandecon.com/advisory/unreal.txt560Zoom X3 ADSL modem has a terminal running on port 254 that can be accessed using the default HTML management password, even if the password has been changed for the HTTP interface, which could allow remote attackers to gain unauthorized access.Zoom Model 5560 X3 ETHERNET ADSL Modem Default Backdoor Account VulnerabilityConexant chipsets may allow attacker to restore factory default settingsbackdoor menu on conexant chipset dsl router (Zoom X3)Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_customerAuthenticateForm.asp, (2) comersus_backoffice_message.asp, (3) comersus_supportError.asp, or (4) comersus_message.asp in Comersus Cart 5.09 allow remote attackers to execute web script as other users via the message parameter.This vulnerability is addressed in the following product update: Comersus Open Technologies, Comersus Cart, 5.098Comersus Open Technologies Comersus Cart Multiple VulnerabilitiesComersus Cart cross-site scriptingComersus Cart Cross-Site Scripting Vulnerabilitycomersus_gatewayPayPal.asp in Comersus Cart 5.09, and possibly other versions before 5.098, allows remote attackers to change the prices of items by directly modifying them in the URL.Comersus Open Technologies Comersus Cart Multiple VulnerabilitiesComersus Cart could allow price modificationComersus Cart Improper Request HandlingSymantec Norton AntiVirus 2002 and 2003 allows remote attackers to cause a denial of service (CPU consumption) via a compressed archive that contains a large number of directories.Symantec Norton Antivirus Denial Of Service VulnerabilityNorton AntiVirus compressed archive file denial of service20040709 Norton AntiVirus Denial Of Service Vulnerability [Part: !!!]WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, with the JunctionRewrite directive enabled, allows remote attackers to cause a denial of service via an HTTP GET request without any parameters.IBM Websphere Edge Server Denial Of Service VulnerabilityIBM Edge Server Caching Proxy component denial of service CYBSEC - Security Advisory: Denial of Service in IBM WebSpherehttp://www.cybsec.com/vuln/IBM-WebSphere-Edge-Server-DOS.pdfCertain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage.Linux kernel USB drivers do not initialize kernel memory properlybid 10892Linux kernel USB allows elevated privilegesLinux Kernel: Multiple information leaksFLSA:23362004-0041http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127921http://www.securityspace.com/smysecure/catid.html?id=14580DSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:50520202DSA-108220338Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the "mangling method = hash" option is enabled in smb.conf, has unknown impact and attack vectors.BID:1078120040722 Security Release - Samba 3.0.5 and 2.2.10RHSA-2004:259Samba mangling method buffer overflowGLSA-200407-21MDKSA-2004:071SUSE-SA:2004:0222004-0039CLA-2004:851CLA-2004:854FLSA:2102SSRT478220040722 [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba)20040722 TSSA-2004-014 - samba10158457664Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file.libXpmUpdated libxpm4 packages fix libXpm overflow vulnerabilitiesXFree86-libs, xsharedbid 11196libXpm xpmParseColors, ParseAndPutPixels, and ParsePixels functions stack-based buffer overflowshttp://scary.beasts.org/security/CESA-2004-003.txthttp://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patchDSA-560GLSA-200409-34GLSA-200502-07RHSA-2004:537RHSA-2005:004SUSE-SA:2004:034VU#882750APPLE-SA-2005-05-03USN-27-1TA05-136AFLSA-2006:152803CLA-2005:92457653HPSBUX02119ADV-2006-191420235MDKSA-2004:098Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file.libXpmUpdated libxpm4 packages fix libXpm overflow vulnerabilitiesXFree86-libs, xsharedbid 11196libXpm XPM file integer overflowhttp://scary.beasts.org/security/CESA-2004-003.txthttp://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patchDSA-560GLSA-200409-34GLSA-200502-07RHSA-2004:537RHSA-2005:004SUSE-SA:2004:034VU#537878APPLE-SA-2005-05-03USN-27-1TA05-136AFLSA-2006:152803CLA-2005:92457653HPSBUX02119ADV-2006-191420235MDKSA-2004:098KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.Temporary Directory VulnerabilityDSA-539-1 kdelibs -- temporary directory vulnerabilityKDE application symlink200408-131227620040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection VulnerabilitiesCLA-2004:864The DCOPServer in KDE 3.2.3 and earlier allows local users to gain unauthorized access via a symlink attack on DCOP files in the /tmp directory.DCOPServer Temporary Filename VulnerabilityDebian Bug report logs - #261386KDE DCOPserver symlink attack200408-13MDKSA-2004:086VU#330638109241227620040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection VulnerabilitiesCLA-2004:864MDKSA-2004:086Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.Qt BMP image buffer overflowUpdated qt packages fix security issues20040818 CESA-2004-004: qtDSA-542SUSE-SA:2004:027GLSA-200408-20MDKSA-2004:085MDKSA-2004:085The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693.MDKSA-2004:085Qt: Image loader overflowsQt XPM file denial of serviceDSA-542FLSA:2314SUSE-SA:2004:027RHSA-2004:414MDKSA-2004:085The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692.Qt GIF file denial of serviceQt: Image loader overflowsMDKSA-2004:085DSA-542SUSE-SA:2004:027RHSA-2004:414MDKSA-2004:085Stack-based buffer overflow in the FTP service for 4D WebSTAR 5.3.2 and earlier allows remote attackers to execute arbitrary code via a long FTP command.4D WebSTAR Server V long FTP command buffer overflowBID:10720A071304-1ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txtThe ShellExample.cgi script in 4D WebSTAR 5.3.2 and earlier allows remote attackers to list arbitrary directories via a URL with the desired path and a "*" (asterisk) character.BID:10721A071304-14dwebstar-view-directory-listing(16687)ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt 10721Unknown vulnerability in 4D WebSTAR 5.3.2 and earlier allows remote attackers to read the php.ini configuration file and possibly obtain sensitive information.A071304-14dwebstar-view-phpini-files(16688)ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt4D WebSTAR 5.3.2 and earlier allows local users to read and modify arbitrary files via a symlink attack.A071304-14dwebstar-symlink(16689)BID:10714ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txtHeap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data.Check Point VPN-1 ASN.1 Decoding Remote CompromiseASN.1 AlertCheck Point VPN-1/FireWall-1 ASN1 decoding buffer overflowVU#435358O-190121771082082901010799Format string vulnerability in the mod_proxy hook functions function in ssl_engine_log.c in mod_ssl before 2.8.19 for Apache before 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS that are handled by the ssl_log function.BID:1073620040716 [OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache)apache-modssl-format-string(16705)mod_ssl contains a format string vulnerability in the ssl_log() functionhttp://packetstormsecurity.org/0407-advisories/modsslFormat.txthttp://virulent.siyahsapka.org/DSA-532FLSA:1888MDKSA-2004:075RHSA-2004:405RHSA-2004:408107367929USN-177-120040716 [OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache)CLA-2004:857Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 does not properly detect a smartcard removal when the card is quickly removed, reinserted, and removed again, which could cause a user session to stay logged in and allow local users to gain unauthorized access.BID:7457sun-ray-session-access(11905)53922VU#100780DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password in an error message when the SQL server is not running, which could allow remote attackers to gain sensitive information.BID:10698bugzilla-database-password-disclosure(16673)20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7Unknown vulnerability in the administrative controls in Bugzilla 2.17.1 through 2.17.7 allows users with "grant membership" privileges to grant memberships to groups that the user does not control.BID:10698bugzilla-editusers-gain-privileges(16672)20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in Bugzilla 2.16.x before 2.16.6, 2.18 before 2.18rc1, when configured to hide products, allows remote attackers to view hidden products.BID:10698bugzilla-product-name-disclosure(16671)20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7Multiple cross-site scripting (XSS) vulnerabilities in (1) editcomponents.cgi, (2) editgroups.cgi, (3) editmilestones.cgi, (4) editproducts.cgi, (5) editusers.cgi, and (6) editversions.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allow remote attackers to execute arbitrary JavaScript as other users via a URL parameter.BID:10698bugzilla-edit-xss(16670)20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7http://bugzilla.mozilla.org/show_bug.cgi?id=235265Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, which could allow local users to view the password in the web server log files.BID:10698bugzilla-chart-view-password(16669)20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7http://bugzilla.mozilla.org/show_bug.cgi?id=235510SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allows remote attackers with privileges to grant membership to any group to execute arbitrary SQL.BID:10698bugzilla-editusers-sql-injection(16668)20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7http://bugzilla.mozilla.org/show_bug.cgi?id=244272MoinMoin 1.2.1 and earlier allows remote attackers to gain privileges by creating a user with the same name as an existing group that has higher privileges.BID:10568moinmoin-gain-admin-access(16465)GLSA-200407-09http://www.osvdb.org/670411807HP OpenView Select Access 5.0 through 6.0 does not correctly decode UTF-8 encoded unicode characters in a URL, which could allow remote attackers to bypass access restrictions.BID:10414VU#205766openview-select-gain-access(16247)SSRT4719IP Security VPN Services Module (VPNSM) in Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Routers running IOS before 12.2(17b)SXA, before 12.2(17d)SXB, or before 12.2(14)SY03 could allow remote attackers to cause a denial of service (device crash and reload) via a malformed Internet Key Exchange (IKE) packet.BID:10083VU#90431020040408 Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerabilitycisco-vpnsm-ike-dos(15797)The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards as if they were the legal "/*" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected.BID:10184VU#184558weblogic-urlpattern-obtain-information(15927)http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jspThe configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges.BID:10188weblogic-admin-password-plaintext(15926)VU#574222http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_58.00.jspThe remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown.BID:10185weblogic-ejb-object-deletion(15928)VU#658878http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jspCisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts to process SNMP solicited operations on improper ports (UDP 162 and a randomly chosen UDP port), which allows remote attackers to cause a denial of service (device reload and memory corruption).BID:10186TA04-111BVU#16245120040420 Vulnerabilities in SNMP Message Processingcisco-ios-snmp-udp-dos(15921)The WebLogic Authentication provider for BEA WebLogic Server and WebLogic Express 8.1 through SP2 and 7.0 through SP4 does not properly clear member relationships when a group is deleted, which can cause a new group with the same name to have the members of the old group, which allows group members to gain privileges.BID:10130weblogic-authentication-gain-privileges(15861)VU#470470http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_52.01.jsp5299100976311356Buffer overflow in the DCE daemon (DCED) for the DCE endpoint mapper (epmap) on HP-UX 11 allows remote attackers to execute arbitrary code via a request with a small fragment length and a large amount of data.Entegrity DCE Security Patch (24-May-2004)A072204-1A072204-1A072204-1A072204-1Opera 7.51 for Windows and 7.50 for Linux does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.BID:10763Multiple Browsers Frame Injection Vulnerability TestMultiple Browsers Frame Injection VulnerabilityWeb browser frame spoofThe (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.Web browser frame spoofMultiple Browsers Frame Injection Vulnerability TestMultiple Browsers Frame Injection VulnerabilityOVAL4756http://bugzilla.mozilla.org/show_bug.cgi?id=246448FLSA:2089MDKSA-2004:082RHSA-2004:421SUSE-SA:2004:036DSA-777DSA-810SCOSA-2005.4915495oval:org.mitre.oval:def:4756MDKSA-2004:082Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, and possibly other versions, does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.BID:106271197811966Multiple Browsers Frame Injection VulnerabilityWeb browser frame spoofSafari 1.2.2 does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.Web browser frame spoofMultiple Browsers Frame Injection Vulnerability TestMultiple Browsers Frame Injection Vulnerability TestKonqueror 3.1.3, 3.2.2, and possibly other versions does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability.Multiple Browsers Frame Injection VulnerabilityMultiple Browsers Frame Injection Vulnerability TestWeb browser frame spoofhttp://www.kde.org/info/security/advisory-20040811-3.txt200408-1320040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection VulnerabilitiesCLA-2004:864Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code.http://bugzilla.mozilla.org/show_bug.cgi?id=236618RHSA-2004:421SUSE-SA:2004:036OVAL4629mozilla-netscape-soapparameter-bo(16862)SCOSA-2005.4915495oval:org.mitre.oval:def:4629Microsoft Java virtual machine (VM) 5.0.0.3810 allows remote attackers to bypass sandbox restrictions to read or write certain data between applets from different domains via the "GET/Key" and "PUT/Key/Value" commands, aka "cross-site Java."20040710 Covert Channels allow Cross-Site-Java in Microsoft VMMicrosoft JVM Cross-Domain Applet Unauthorized Communication Vulnerabilitymsjvm-sandbox-bypass(16666)The Half-Life engine before July 7 2004 allows remote attackers to cause a denial of service (server or client crash) via an empty fragmented packet.BID:1070020040712 Remote crash of Half-Life servers and clients (versions before the 07 July 2004)Half-Life packet denial of serviceCross-site scripting (XSS) vulnerability in help.php in Moodle 1.3.2 and 1.4 dev allows remote attackers to inject arbitrary web script or HTML via the file parameter.BID:10718moodle-help-file-xss(16684)20040713 Moodle XSS Vulnerabilityhttp://cvs.sourceforge.net/viewcvs.py/moodle/moodle/help.phpThe Windows Media Player control in Microsoft Windows 2000 allows remote attackers to execute arbitrary script in the local computer zone via an ASX filename that contains javascript, which is executed in the local context in a preview panel.BID:1069320040711 Media Preview Script Execution VulnerabilityMicrosoft Windows 2000 Media Player control code executionMicrosoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability."20040711 MSIE Similar Method Name Redirection Cross Site/Zone ScriptingMicrosoft Internet Explorer function redirect cross-site scriptinghttp://freehost07.websamba.com/greyhats/similarmethodnameredir.htmMS04-038TA04-293AVU#207264OVAL4702OVAL6829OVAL7084OVAL7496OVAL790612048OVAL7448oval:org.mitre.oval:def:4702oval:org.mitre.oval:def:6829oval:org.mitre.oval:def:7084oval:org.mitre.oval:def:7496oval:org.mitre.oval:def:7906oval:org.mitre.oval:def:7448The Remote Control Client service in Microsoft's Systems Management Server (SMS) 2.50.2726.0 allows remote attackers to cause a denial of service (crash) via a data packet to TCP port 2702 that causes the server to read or write to an invalid memory address.sms-remote-service-dos(16696)20040714 [HV-MED] DoS in Microsoft SMS ClientBID:10726PhpBB 2.0.8 allows remote attackers to gain sensitive information via an invalid (1) category_rows parameter to index.php, (2) faq parameter to faq.php, or (3) ranksrow parameter to profile.php, which reveal the full path in an error message.20040716 [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8]phpBB usercp_viewprofile.php script path disclosurephpbb-indexphp-path-disclosure(16716)phpbb-lang-faq-path-disclosure(16720)Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML via (1) the cat_title parameter in index.php, (2) the faq[0][0] parameter in lang_faq.php as accessible from faq.php, or (3) the faq[0][0] parameter in lang_bbcode.php as accessible from faq.php.20040716 [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8]phpBB lang_faq.php script cross-site scriptingphpbb-indexphp-xss(16724)phpbb-lang-bbcode-xss(16726)10738Cross-site scripting (XSS) vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary script as other users via the input field.20040716 [waraxe-2004-SA#035 - Multiple security holes in PhpNuke - part 2] [ Multiple security holes in PhpNuke - part 2]PHP-Nuke search module cross-site scriptingSQL injection vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to execute arbitrary SQL statements via the instory parameter.Multiple security holes in PhpNuke - part 2[ Multiple security holes in PhpNuke - part 2]PHP-Nuke search module SQL injectionFormat string vulnerability in OllyDbg 1.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are directly provided to the OutputDebugString function call.BID:10742ollydbg-outputdebugstring-format-string(16711)20040717 [FMADV] Format String Bug in OllyDbg 1.1020040717 [FMADV] Format String Bug in OllyDbg 1.10 3757Web_Store.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter.BID:10744extropia-webstore-command-execution(16710)20040717 Web_Store.cgi allows Command ExecutionBuffer overflow in Medal of Honor (1) Allied Assault 1.11v9 and earlier, (2) Breakthrough 2.40b and earlier, and (3) Spearhead 2.15 and earlier, when playing on a Local Area Network (LAN), allows remote attackers to execute arbitrary code via vectors such as (1) the getinfo query, (2) the connect packet, and other unknown vectors.BID:10743Medal of Honor games packet buffer overflow20040717 Medal of Honor remote buffer-overflowThe search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) "**" or (2) "+" search patterns, which reveals the path in an error message.20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3]PHP-Nuke asterisk plus path disclosureMultiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters.20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3]PHP-Nuke search module cross-site scriptingMultiple SQL injection vulnerabilities in the Search module in Php-Nuke allow remote attackers to execute arbitrary SQL via the (1) min or (2) categ parameters.20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3]PHP-Nuke search min SQL injectionBuffer overflow in Whisper FTP Surfer 1.0.7 allows remote FTP servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long filename.20040719 Buffer overflow in Whisper FTP Surfer 1.0.7whisper-long-file-name-bo(16742)BID:1076120040719 Buffer overflow in Whisper FTP Surfer 1.0.7The HTTP server in Lexmark T522 and possibly other models allows remote attackers to cause a denial of service (server crash, reload, or hang) via an HTTP header with a long Host field, possibly triggering a buffer overflow.20040720 Denial of Service vulnerability in several Lexmark HTTP serverslexmark-long-host-bo(16752)BID:10765LionMax Software WWW File Share Pro 2.60 allows remote attackers to cause a denial of service (crash or hang) via a long URL, possibly triggering a buffer overflow.wwwfilesharepro-http-get-dos(16754)20040720 dos_in_file_share_2.6Sun Java System Portal Server 6.2 (formerly Sun ONE) allows remote authenticated users to obtain Calendar Server privileges and modify Calendar data by changing the display options to a non-default view.BID:10788SUNALERT:57586Sun Java System Portal Server allows access to Calendar ServerVU#8812541078812134Safari in Mac OS X before 10.3.5, after sending form data using the POST method, may re-send the data to a GET method URL if that URL is redirected after the POST data and the user uses the forward or backward buttons, which may cause an information leak.Apple Mac OS X 10.3.5 Released - Multiple Vulnerabilities FixedAPPLE-SA-2004-09-09VU#128414safari-web-info-disclosure(16944)The TCP/IP Networking component in Mac OS X before 10.3.5 allows remote attackers to cause a denial of service (memory and resource consumption) via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet.Apple Mac OS X 10.3.5 Released - Multiple Vulnerabilities Fixed20040331 IPv4 fragmentation --> The Rose Attack20040427 Source Code To Test IPv4 fragmentation --> The Rose Attackhttp://digital.net/~gandalf/Rose_Frag_Attack_Explained.txtAPPLE-SA-2004-09-09macos-tcp-ip-dos(16946)LHA 1.14 and earlier allows attackers to execute arbitrary commands via a directory with shell metacharacters in its name.An updated lha package fixes security vulnerabilityLHa: Multiple vulnerabilitiesLHA metacharacter command executionFLSA:1833Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk and .firm.in, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session.KDE Security Advisory: Konqueror Cross-Domain Cookie InjectionKDE Konqueror allows attacker to set cookies in top-level domainsbid 10991http://www.kde.org/info/security/advisory-20040823-1.txtMDKSA-2004:08612341CLA-2004:864Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables.Updated httpd packages fix security issuesbid 11182GLSA-200409-21MDKSA-2004:096SUSE-SA:2004:0322004-0047apache-env-configuration-bo(17384)VU#481998101130312540mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop.SUSE Security Announcement: apache2Updated httpd packages fix mod_ssl security flawApache HTTP Server mod_ssl denial of servicebid 11094https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130750GLSA-200409-21MDKSA-2004:096SUSE-SA:2004:0302004-0047The mod_authz_svn module in Subversion 1.0.7 and earlier does not properly restrict access to all metadata on unreadable paths, which could allow remote attackers to gain sensitive information via (1) svn log -v, (2) svn propget, or (3) svn blame, and other commands that follow renames.Subversion: Metadata information leakmod_authz_svn fails to protect metadatabid 11243Subversion mod_authz_svn information disclosureFEDORA-2004-318Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares are exported to multiple hosts, can produce incorrect permissions and prevent the all_squash option from being applied.Updated redhat-config-nfs package resolves several security issuesred-hat-permission-gain-privileges(17478)11240FLSA:152787The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault).Updated httpd packages fix security issuesSUSE Security Announcement: apache2Apache HTTP Server speculative mode denial of servicehttp://issues.apache.org/bugzilla/show_bug.cgi?id=3013420040911 Remote buffer overflow in Apache mod_ssl when reverse proxying SSLGLSA-200409-21MDKSA-2004:096SUSE-SA:2004:0302004-0047OpenOffice (OOo) 1.1.2 creates predictable directory names with insecure permissions during startup, which may allow local users to read or list files of other users.OpenOffice World-Readable Temporary Files Disclose Files to Local UsersUpdated openoffice.org packages resolve security issue1115198041230212546126681291412932openofficeorg-tmpfile-insecure-permissions(17312)20040910 OpenOffice World-Readable Temporary Files Disclose Files to Local UsersThe BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file.Updated gdk-pixbuf packages fix security flawsUpdated gtk2 packages fix security flaws and bugsDSA-546FLSA:2005MDKSA-2004:095VU#825374gtk-bmp-dos(17383)FLSA-2005:155510MDKSA-2005:2141765711195CLA-2004:875MDKSA-2005:214Integer overflow in Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the size variable in Groupware server messages.Groupware message receive integer overflowgaim-0.82-0.FC1gaim-0.82-0.FC2Gaim: New vulnerabilitiesRHSA-2004:4001105692601011083123831248013101gaim-groupware-integer-overflow(17140)The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions.ruby -- insecure file permissionsRuby: CGI::Session creates files insecurelyRuby FileStore and PStore insecure permissionMDKSA-2004:12812290MDKSA-2004:128Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code.bug fixhttp://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7FLSA:2089RHSA-2004:421SUSE-SA:2004:036OVAL3250mozilla-senduidl-pop3-bo(16869)VU#56102210856SCOSA-2005.4915495oval:org.mitre.oval:def:3250Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid.Importing false CA certificate leading to error -8182 (perm DoS), especially exploitable by emailhttp://www.mozilla.org/projects/security/known-vulnerabilities.htmlhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127186GLSA-200408-22VU#784278RHSA-2004:421SUSE-SA:2004:036OVAL3134mozilla-certificate-dos(16706)SCOSA-2005.4915495FLSA:2089oval:org.mitre.oval:def:3134Mozilla before 1.7 allows remote web servers to read arbitrary files via Javascript that sets the value of an <input type="file"> tag.Mozilla can upload files without user confirmationhttp://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7RHSA-2004:421SUSE-SA:2004:036mozilla-warning-file-upload(16870)SCOSA-2005.4915495FLSA:2089Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI.null (%00) in filename fakes extension (ftp, file)RHSA-2004:421SUSE-SA:2004:036OVAL1227mozilla-modify-mime-type(16691)SCOSA-2005.4915495FLSA:2089oval:org.mitre.oval:def:1227Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted.SSL Certificate Spoof -- Allows malicious page to present SSL certificate from another sitehttp://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7FLSA:2089RHSA-2004:421SUSE-SA:2004:036OVAL3603mozilla-redirect-ssl-spoof(16871)SCOSA-2005.4915495oval:org.mitre.oval:def:3603Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box.pop up XPInstall/security dialog when user is about to clickOVAL440311999http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7FLSA:2089RHSA-2004:421SUSE-SA:2004:036mozilla-dialog-code-execution(16623)SCOSA-2005.491549520040407 Race conditions in security dialogsoval:org.mitre.oval:def:4403Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method. Mozilla Firefox Certificate SpoofingMozilla / Mozilla Firefox "onunload" SSL Certificate Spoofinglock icon and certificates spoofable with onunload document.write20040725 Mozilla Firefox Certificate Spoofinghttp://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisoryhttp://www.mozilla.org/projects/security/known-vulnerabilities.htmlGLSA-200408-22RHSA-2004:421SUSE-SA:2004:036OVAL3989mozilla-ssl-certificate-spoofing(16796)SCOSA-2005.4915495FLSA:2089oval:org.mitre.oval:def:3989Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files.Untrusted web content can display content using Mozilla / Mozilla Firefox http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7FLSA:2089RHSA-2004:421SUSE-SA:2004:036OVAL2418mozilla-user-interface-spoofing(16837)VU#2623501083212188SCOSA-2005.4915495oval:org.mitre.oval:def:2418The cert_TestHostName function in Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates.Certificate name matching for non-FQDNs is insecurehttp://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7RHSA-2004:421SUSE-SA:2004:036mozilla-certtesthostname-certificate-spoof(16868)FLSA:2089NGSEC StackDefender 2.0 allows attackers to cause a denial of service (system crash) via an invalid address for the BaseAddress parameter to the hooks for the (1) ZwAllocateVirtualMemory or (2) ZwProtectVirtualMemory functions.NGSEC StackDefender 2.0 Invalid Pointer Dereference Vulnerabilitystackdefender-baseaddress-dos(16892)NGSEC StackDefender 1.10 allows attackers to cause a denial of service (system crash) via an invalid address for the ObjectAttribues parameter to the hooks for the (1) ZwCreateFile or (2) ZwOpenFile functions.NGSEC StackDefender 1.10 Invalid Pointer Dereference Vulnerabilitystackdefender-objectattributes-dos(16879)libpng 1.2.5 and earlier does not properly calculate certain buffer offsets, which could allow remote attackers to execute arbitrary code via a buffer overflow attack.libpng -- several vulnerabilitieslibpng offset miscalculation buffer overflowFLSA:1943Buffer overflow in LHA allows remote attackers to execute arbitrary code via long pathnames in LHarc format 2 headers for a .LHZ archive, as originally demonstrated using the "x" option but also exploitable through "l" and "v", and fixed in header.c, a different issue than CVE-2004-0771.Bugzilla Bug 51285 app-arch/lha : buffer overflow againhttp://lw.ftw.zamosc.pl/lha-exploit.txtFLSA:1833GLSA-200409-13RHSA-2004:440lha-long-pathname-bo(16917)20040616 Re: [SECURITY] [DSA 515-1] New lha packages fix several vulnerabilities; Re:romload.c in DGen Emulator 1.23 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files during decompression of (1) gzip or (2) bzip ROM files.DGen Emulator Symbolic Link VulnerabilityDGen ROM decompression symlink attack12214Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries.LHA Multiple extract_one Buffer Overflow VulnerabilitiesLHA extract_one buffer overflows20040515 lha buffer overflow(s) again51285FLSA:1833GLSA-200409-13RHSA-2004:44020040606 Re: [SECURITY] [DSA 515-1] New lha packages fix severalDouble free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.double-free vulnerabilities in KDC and librariesVulnerabilities in MIT Kerberos 5Kerberos krb524d double-freeVU#350792DSA-543GLSA-200409-09MDKSA-2004:0882004-004511078OVAL4661CLA-2004:86020040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos)oval:org.mitre.oval:def:4661MDKSA-2004:088RealNetworks Helix Universal Server 9.0.2 for Linux and 9.0.3 for Windows allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1.RealNetworks Helix Universal Server POST denial of service20041007 RealNetworks Helix Server Content-Length Denial of Service VulnerabilityBuffer overflow in WIDCOMM Bluetooth Connectivity Software, as used in products such as BTStackServer 1.3.2.7 and 1.4.2.10, Windows XP and Windows 98 with MSI Bluetooth Dongles, and HP IPAQ 5450 running WinCE 3.0, allows remote attackers to execute arbitrary code via certain service requests.WIDCOMM Bluetooth Connectivity Software Buffer OverflowsBluetooth BTW and BTW-CE/PPC service request buffer overflow20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows20051204 have you ever been BluePIMped?20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer OverflowsFormat string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 to 2.2.1, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code.Courier-IMAP Remote Format String VulnerabilityCourier-IMAP auth_debug format string attackGLSA-200408-192004-004310976CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned.CVS Undocumented Flag Information Disclosure VulnerabilityCVS "history" command may disclose sensitive informationbid 10955CVS history information disclosureMDKSA-2004:108The (1) Mozilla 1.6, (2) Firebird 0.7 and (3) Firefox 0.8 web browsers do not properly verify that cached passwords for SSL encrypted sites are only sent via SSL encrypted sessions to the site, which allows a remote attacker to cause a cached password to be sent in cleartext to a spoofed site.Updated mozilla packages fix multiple vulnerabilitieshttp://bugzilla.mozilla.org/show_bug.cgi?id=226278http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7mozilla-plaintext-password(17018)MDKSA-2004:082Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument.20060110 Sun Solaris uustat Buffer Overflow Vulnerability10193316193ADV-2006-0113183711015455solaris-uustat-bo(24045)19087Cross-site scripting (XSS) vulnerability in list.cgi in the Icecast internal web server (icecast-server) 1.3.12 and earlier allows remote attackers to inject arbitrary web script via the UserAgent parameter.icecast-server -- missing escapebid 11021Icecast list.cgi UserAgent cross-site scriptingInteger overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).gtk+ XPM decoderUpdated gdk-pixbuf packages fix security flawsUpdated gtk2 packages fix security flaws and bugshttp://scary.beasts.org/security/CESA-2004-005.txtDSA-546FLSA:2005MDKSA-2004:095VU#729894gtk-xpm-pixbufcreatefromxpm-bo(17386)FLSA-2005:155510MDKSA-2005:2141765710177611195CLA-2004:875oval:org.mitre.oval:def:1617MDKSA-2005:214Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688).gtk+ XPM decoderUpdated gdk-pixbuf packages fix security flawsUpdated gtk2 packages fix security flaws and bugshttp://scary.beasts.org/security/CESA-2004-005.txtFLSA:2005MDKSA-2004:095MDKSA-2004:096VU#369358gtk-xpm-xpmextractcolor-bo(17385)FLSA-2005:155510MDKSA-2005:2141765710177611195CLA-2004:875oval:org.mitre.oval:def:1786MDKSA-2005:214The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector.Smiley theme installation lack of escapinggaim-0.82-0.FC1gaim-0.82-0.FC2Gaim: New vulnerabilitiesGaim smiley theme filename command executionRHSA-2004:400Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder.URL decode buffer overflowgaim-0.82-0.FC1gaim-0.82-0.FC2Gaim: New vulnerabilitieshttp://gaim.sourceforge.net/security/?id=4http://gaim.sourceforge.net/security/?id=5RHSA-2004:40011056926192629263101108312383124801292913101gaim-hostname-bo(17142)gaim-rtf-bo(17141)gaim-url-bo(17143)The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool.Updated httpd packages fix security issuesbid 11187GLSA-200409-21MDKSA-2004:096SUSE-SA:2004:032RHSA-2004:4632004-0047apache-ipv6-aprutil-dos(17382)12540Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, allows remote attackers to inject arbitrary web script or HTML via the form input fields.Cross Site Scripting vulnerabilityOpenCA Web front end allows cross-site scriptingbid 1111320040906 OpenCA Security Advisory: Cross Site Scripting vulnerabilityInteger overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file.Updated gdk-pixbuf packages fix security flawsUpdated gtk2 packages fix security flaws and bugsDSA-546FLSA:2005MDKSA-2004:095VU#577654gtk-ico-integer-bo(17387)FLSA-2005:155510MDKSA-2005:2141765711195CLA-2004:875MDKSA-2005:214Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet.11642101215713145dns-localhost-dos(17997)Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txthttp://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=enhttp://www.gont.com.ar/drafts/icmp-attacks-against-tcp.htmlMS05-01957746OVAL3458OVAL1910OVAL4804HPSBUX01164SCOSA-2006.418317HPSBTU01210101658MS06-06413124ADV-2006-398322341HPSBST02161oval:org.mitre.oval:def:3458oval:org.mitre.oval:def:1910oval:org.mitre.oval:def:4804oval:org.mitre.oval:def:1177oval:org.mitre.oval:def:176oval:org.mitre.oval:def:211oval:org.mitre.oval:def:412oval:org.mitre.oval:def:514oval:org.mitre.oval:def:53oval:org.mitre.oval:def:6221957Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txthttp://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=enhttp://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html57746HPSBUX01164SCOSA-2006.418317RHSA-2005:016FLSA:157459-1FLSA:157459-2RHSA-2005:017RHSA-2005:043HPSBTU0121010165813124oval:org.mitre.oval:def:1112oval:org.mitre.oval:def:184oval:org.mitre.oval:def:464oval:org.mitre.oval:def:596oval:org.mitre.oval:def:688oval:org.mitre.oval:def:7261957Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files.rsync -- unsanitised input processingrsync: Potential information leakageUpdated rsync packages fix remotely-exploitable vulnerabilityhttp://samba.org/rsync/#security_aug04SUSE-SA:2004:0262004-004220040816 TSSA-2004-020-ES - rsync20040817 LNSA-#2004-0017: rsync (Aug, 17 2004)MDKSA-2004:083The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop root privileges when executed with the -a flag, which allows attackers to execute arbitrary commands via a calendar event file.Possible root compromose with bsdmainutils 6.0.x < 6.0.15bid 11077bsdmainutils calendar allows attacker to gain root accessMultiple signal handler race conditions in lukemftpd (aka tnftpd before 20040810) allow remote authenticated attackers to cause a denial of service or execute arbitrary code.ftpd root escalationMultiple remote vulnerabilities in lukemftpd aka. tnftpdtnftpd -- remotely exploitable vulnerability20040817 Multiple remote vulnerabilities in lukemftpd aka. tnftpdDSA-551tnftpd-gain-access(17020)DB2 8.1 remote command server (DB2RCMD.EXE) executes the db2rcmdc.exe program as the db2admin administrator, which allows local users to gain privileges via the DB2REMOTECMD named pipe. IBM DB2 Remote Command Execution Privilege UpgradeNAMED PIPE AUTHENTICATION INSTEAD OF USING AUTHENTICATION OF THEUSER IT IS LOGGED IN ASIBM DB2 Remote Command Server allows elevated privilegesbid 9821http://www.nextgenss.com/advisories/db2rmtcmd.txtSpamAssassin 2.5x, and 2.6x before 2.64, allows remote attackers to cause a denial of service via certain malformed messages.SpamAssassin 2.64 is released!Updated spamassassin packages fixes possible malformed message vulnerabilitybid 10957FLSA:2268GLSA-200408-06http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337spamassassin-dos(16938)MDKSA-2004:084The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash).OpenPKG Security Advisory (zlib)zlibhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253FLSA:2043MDKSA-2004:090SCOSA-2004.17SUSE-SA:2004:029VU#238678GLSA-200408-269360936111129101108511051zlib-inflate-inflateback-dos(17119)SCOSA-2006.61837717054CLA-2004:865CLA-2004:878SSA:2004-278MDKSA-2004:090Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter.WhatsUp Gold _maincfgret.cgi buffer overflow20040825 Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerabilityhttp://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html11043The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm".Ipswitch WhatsUp Gold Remote Denial of Service VulnerabilityWhatsUp Gold Patches & Upgradeswhatsup-get-prn-dos(17418)Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value.20040824 CDE Mailer argv[0] Format String VulnerabilityVU#928598OVAL4030oval:org.mitre.oval:def:4030O-20211027dtmail-argv-format-string(17095)Unknown vulnerability in foomatic-rip in Foomatic before 3.0.2 allows local users or remote attackers with access to CUPS to execute arbitrary commands.CLA-2004:880SCOSA-2005.12SUSE-SA:2004:0312004-004712557foomatic-command-execution(17388)SUSE-SA:2006:0261118420312Buffer overflow in the BMP loader in imlib2 before 1.1.2 allows remote attackers to execute arbitrary code via a specially-crafted BMP image, a different vulnerability than CVE-2004-0817.CLA-2004:870GLSA-200409-12http://www.vuxml.org/freebsd/ba005226-fb5b-11d8-9837-000c41e2cdad.htmlhttp://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/libs/imlib2/ChangeLog?rev=1.20&view=markup11084imlib2-bmp-bo(17183)Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files.Updated libtiff packageslibtiffLibTIFF library tiff library image decoding routines buffer overflowLibTIFF contains multiple heap-based buffer overflowsDSA-567-1 tiff -- heap overflowshttp://scary.beasts.org/security/CESA-2004-006.txthttp://www.kde.org/info/security/advisory-20041209-2.txtGLSA-200410-11MDKSA-2004:109MDKSA-2005:052RHSA-2005:354SUSE-SA:2004:0381140612818OVAL100114RHSA-2005:02120041013 CESA-2004-006: libtiffCLA-2004:888101677oval:org.mitre.oval:def:100114MDKSA-2004:109MDKSA-2005:052Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452.DSA-567-1 tiff -- heap overflowsMDKSA-2004:109Updated libtiff packages[suse-security-announce] SuSE Security Announcement: libtiff (SUSE-SA:2004:038)LibTIFF tif_dirread.c denial of servicehttp://bugzilla.remotesensing.org/show_bug.cgi?id=111http://www.kde.org/info/security/advisory-20041209-2.txtCLA-2004:888MDKSA-2005:052RHSA-2005:354SUSE-SA:2004:038VU#555304OVAL100115RHSA-2005:021101677oval:org.mitre.oval:def:100115MDKSA-2004:109MDKSA-2005:052Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file.mpg123 -- missing user input sanitisingbid 11121mpg123 layer2.c buffer overflow20040916 mpg123 buffer overflow vulnerability20040907 mpg123 buffer overflow vulnerabilityhttp://www.alighieri.org/advisories/advisory-mpg123.txtGLSA-200409-20MDKSA-2004:10011121cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges.20040909 Bugtraq: cdrecord local root exploit20040910 CAU-EX-2004-0002: cdrecord-suidshell.shFLSA:2058MDKSA-2004:0911107512481cdrecord-rsh-gain-privileges(17303)VU#700326101109120060401-01-U19532MDKSA-2004:091Samba 3.0.6 and earlier allows remote attackers to cause a denial of service (infinite loop and memory exhaustion) via certain malformed requests that cause new processes to be spawned and enter an infinite loop.20040913 Samba 3.x SMBD Remote Denial of Service Vulnerability20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808)CLA-2004:873GLSA-200409-16RHSA-2004:4672004-004620040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba)The process_logon_packet function in the nmbd server for Samba 3.0.6 and earlier, when domain logons are enabled, allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided.20040913 Samba nmbd Invalid Length Denial of Service Vulnerability20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808)CLA-2004:873GLSA-200409-16RHSA-2004:4672004-004620040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba)The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access.GLSA-200409-21DSA-558RHSA-2004:4632004-0047apache-moddav-lock-dos(17366)Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407.Netopia Timbuktu remote buffer overflow issuebid 11714Timbuktu multiple connections denial of servicehttp://www.corsaire.com/advisories/c040720-001.txthttp://www.uniras.gov.uk/vuls/2004/190204/index.htm13250Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration.http://www.apacheweek.com/features/security-20http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patchapache-satisfy-gain-access(17473)FEDORA-2004-313GLSA-200409-332004-004911239Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with "setting up TSS limits," allows local users to cause a denial of service (crash) and possibly execute arbitrary code.Updated kernel packages fix security vulnerabilitiesRed Hat Updated Kernel Packagesbid 11794http://linux.bkbits.net:8080/linux-2.6/cset@3fad673ber4GuU7iWppydzNIyLntEQ13359linux-tss-gain-privilege(18346)Unknown vulnerability in the SG_IO functionality in ide-cd allows local users to bypass read-only access and perform unauthorized write and erase operations.http://lkml.org/lkml/2004/7/30/147linux-sgio-gain-privileges(17505)1249820070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware PlayerGLSA-200711-23RHSA-2007:046520070602-01-P25749ADV-2007-322925631258942690927706Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch.bid 11491bid 11492Linux kernel TIOCSETD race condition[USN-38-1] Linux kernel vulnerabilities20041020 CAN-2004-0814: Linux terminal layer raceshttp://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131672http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133110FLSA:2336MDKSA-2005:022RHSA-2005:293MDKSA-2005:022The unix_clean_name function in Samba 2.2.x through 2.2.11, and 3.0.x before 3.0.2a, trims certain directory names down to absolute paths, which could allow remote attackers to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames.Samba Arbitrary File Access Vulnerability Samba Security Announcement -- Potential Arbitrary File AccessCorrees para vulnerabilidades do sambaDSA-600-1 samba -- arbitrary file accessSamba Remote Arbitrary File Access Vulnerabilityhttp://us4.samba.org/samba/news/#security_2.2.12FLSA:2102MDKSA-2004:104SUSE-SA:2004:0352004-0051samba-file-access(17556)20041005 ERRATA: Potential Arbitrary File Access (CAN-2004-0815)RHSA-2004:49810158457664Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet.kernelLinux, kernel, IP packet denial of serviceMDKSA-2005:022SUSE-SA:2004:0371148811202MDKSA-2005:022Multiple heap-based buffer overflows in the imlib BMP image handler allow remote attackers to execute arbitrary code via a crafted BMP file.CLA-2004:870DSA-548GLSA-200409-12MDKSA-2004:089RHSA-2004:46511084imlib-bmp-bo(17182)MDKSA-2004:089The bridge functionality in OpenBSD 3.4 and 3.5, when running a gateway configured as a bridging firewall with the link2 option for IPSec enabled, allows remote attackers to cause a denial of service (crash) via an ICMP echo (ping) packet.20040825 Vulnerability: OpenBSD 3.5 Kernel Panic.20040826 028: RELIABILITY FIX: August 26, 200420040826 028: RELIABILITY FIX: August 26, 2004Winamp before 5.0.4 allows remote attackers to execute arbitrary script in the Local computer zone via script in HTML files that are referenced from XML files contained in a .wsz skin file.http://www.frsirt.com/exploits/08252004.skinhead.php12381ESB-2004.0537winamp-wsz-execute-code(17124)The CFPlugIn in Core Foundation framework in Mac OS X allows user supplied libraries to be loaded, which could allow local users to gain privileges.APPLE-SA-0024-09-07O-212VU#7041101249111135macos-corefoundation-gain-privileges(17291)Buffer overflow in The Core Foundation framework (CoreFoundation.framework) in Mac OS X 10.2.8, 10.3.4, and 10.3.5 allows local users to execute arbitrary code via a certain environment variable.APPLE-SA-2004-09-07VU#545446O-2121249111136macos-corefoundation-bo(17295)OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them.APPLE-SA-2004-09-07ESB-2004.05591113712491openldap-crypt-gain-access(17300)RHSA-2005:7511723321520PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files.APPLE-SA-2004-09-07ESB-2004.0559O-212111391011175macosx-pppdialer-symlink(17298)QuickTime Streaming Server in Mac OS X Server 10.2.8, 10.3.4, and 10.3.5 allows remote attackers to cause a denial of service (application deadlock) via a certain sequence of operations.APPLE-SA-2004-09-0720040908 Re: Apple, Apple Remote Desktop client [Multiple vulnerabilities]O-212quicktime-dos(17294)11138VU#914870101117612491Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message.20040823 Netscape NSS Library Remote CompromiseSSRT477911015sslv2-client-hello-overflow(16314)Multiple buffer overflows in the ImageMagick graphics library 5.x before 5.4.4, and 6.x before 6.0.6.2, allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via malformed (1) AVI, (2) BMP, or (3) DIB files.DSA-547RHSA-2004:480RHSA-2004:494imagemagick-bmp-Bo(17173)231321ADV-2008-041228800The ctstrtcasd program in RSCT 2.3.0.0 and earlier on IBM AIX 5.2 and 5.3 does not properly drop privileges before executing the -f option, which allows local users to modify or create arbitrary files.IBM ctstrtcasd file overwrite11264126641011429smbd in Samba before 2.2.11 allows remote attackers to cause a denial of service (daemon crash) by sending a FindNextPrintChangeNotify request without a previous FindFirstPrintChangeNotify, as demonstrated by the SMB client in Windows XP SP2.20040831 Samba FindNextPrintChangeNotify() Error Lets Remote Authenticated Users Crash smbdhttp://samba.org/samba/history/samba-2.2.11.htmlGLSA-200409-142004-0043samba-findnextprintchangenotify-dos(17138)The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier, and F-Secure Internet Gatekeeper 6.32 and earlier allow remote attackers to cause a denial of service (service crash due to unhandled exception) via a certain malformed packet.20040909 F-Secure Internet Gatekeeper Content Scanning Server Denial of Service Vulnerability20040910 F-Secure Internet Gatekeeper Content Scanning Server Denial of Service Vulnerabilityhttp://www.f-secure.com/security/fsc-2004-2.shtml11145fsecure-content-scanner-dos(17307)McAfee VirusScan 4.5.1 does not drop SYSTEM privileges before allowing users to browse for files via the "System Scan" properties of the System Tray applet, which could allow local users to gain privileges.20040915 McAfee VirusScan Privilege Escalation Vulnerability [iDEFENSE]20040914 McAfee VirusScan Privilege Escalation Vulnerabilitymcafee-virusscan-gain-privileges(17367)The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy.Squid: Denial of service when using NTLM authenticationMDKSA-2004:093http://www.trustix.org/errata/2004/0047/Squid Web Proxy Cache NTLMSSP packet denial of serviceSquid Proxy NTLM Authentication Denial Of Service Vulnerabilityhttp://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ntlm_fetch_stringhttp://www.squid-cache.org/bugs/show_bug.cgi?id=1045FLSA-2006:152809MDKSA-2004:093Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-bin, uses a Sendmail configuration script with a fixed username and password, which could allow remote attackers to use Sendmail as an open mail relay and send spam messages.sendmail -- pre-set passwordDebian sendmail sasl-bin Mail Relaying Security Issuebid 11262Sendmail sasl-bin mail relay12667Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3.Speedtouch USB driver homepageSpeedTouch format string attackhttp://www.mail-archive.com/speedtouch@ml.free.fr/msg06688.htmlMySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities.DSA-562-1 mysql -- several vulnerabilitiesUpdated mysql packages fix security issues and bugsUpdated mysql-server packageTrustix Secure Linux Security Advisory #2004-0054MySQL ALTER TABLE RENAME bypass restrictionGLSA-200410-22http://bugs.mysql.com/bug.php?id=3270http://lists.mysql.com/internals/1307312783http://www.securitytracker.com/alerts/2004/Oct/1011606.html11357CLA-2004:8921011606P-018101864Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length).DSA-562-1 mysql -- several vulnerabilitiesUpdated mysql packages fix security issues and bugsUpdated mysql-server packageTrustix Secure Linux Security Advisory #2004-0054MySQL mysql_real_connect buffer overflowGLSA-200410-22http://bugs.mysql.com/bug.php?id=4017http://lists.mysql.com/internals/147261098112305P-018CLA-2004:89220041125 [USN-32-1] mysql vulnerabilitiesMySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs.DSA-562-1 mysql -- several vulnerabilitiesUpdated mysql packages fix security issues and bugsTrustix Secure Linux Security Advisory #2004-0054MySQL UNION change denial of serviceGLSA-200410-22http://bugs.mysql.com/2408http://lists.mysql.com/internals/16168http://lists.mysql.com/internals/16173http://lists.mysql.com/internals/16174http://mysql.bkbits.net:8080/mysql-3.23/diffs/myisammrg/myrg_open.c@1.15RHSA-2004:61111357http://www.securitytracker.com/alerts/2004/Oct/1011606.html127831011606P-018CLA-2004:89220041125 [USN-32-1] mysql vulnerabilities101864Lexar Safe Guard for JumpDrive Secure 1.0 stores the password insecurely in memory using XOR encryption, which allows local users to read the password directly from the device and access the password protected part of the drive.A091304-11116212522jumpdrive-safeguard-obtain-password(17342)Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html".20040818 What A Drag II XP SP220040818 What A Drag II XP SP220040824 What A Drag! -revisited-MS04-038TA04-293AVU#52608910973OVAL1563OVAL2073OVAL3773OVAL4152OVAL6272OVAL7721ie-dragdrop-code-execution(17044)oval:org.mitre.oval:def:1563oval:org.mitre.oval:def:2073oval:org.mitre.oval:def:3773oval:org.mitre.oval:def:4152oval:org.mitre.oval:def:6272oval:org.mitre.oval:def:7721The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated.Vulnerability in SMTP Could Allow Remote Code Execution (885881)Microsoft Windows SMTP component vulnerable to remote code executionMicrosoft Windows 2003 SMTP service code executionMicrosoft Windows MS04-035 patch is not installedOVAL2300OVAL3460OVAL550911374oval:org.mitre.oval:def:2300oval:org.mitre.oval:def:3460oval:org.mitre.oval:def:5509Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability."HijackClick 3bid 10690Cumulative Security Update for Internet Explorer (834707)Microsoft, Internet Explorer, popup.show allows attacker to perform actions20040712 Re: HijackClick 320040712 Brand New Hole: Internet Explorer: HijackClick 3TA04-293AVU#413886OVAL2611OVAL4363OVAL5620OVAL6031OVAL6048OVAL80777774101067912048oval:org.mitre.oval:def:2611oval:org.mitre.oval:def:4363oval:org.mitre.oval:def:5620oval:org.mitre.oval:def:6031oval:org.mitre.oval:def:6048oval:org.mitre.oval:def:8077Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability."Crash IE with 11 bytesMemory Corruption Vulnerabilitybid 10816http://www.securiteam.com/exploits/5NP042KF5A.htmlMS04-038TA04-293AVU#291304OVAL2906OVAL3372OVAL4169OVAL5592OVAL6579P-00612806ie-popupshow-perform-actions(16675)20040723 Crash IE with 11 bytes ;)20040728 Re: Crash IE with 11 bytes ;)oval:org.mitre.oval:def:2906oval:org.mitre.oval:def:3372oval:org.mitre.oval:def:4169oval:org.mitre.oval:def:5592oval:org.mitre.oval:def:6579Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability."Cumulative Security Update for Internet Explorer (834707)Multiple Vulnerabilities in Microsoft Internet ExplorerMicrosoft Internet Explorer does not properly handle navigations from plug-insMicrosoft Internet Explorer plug-in navigation allows address bar spoofingMicrosoft Internet Explorer MS04-038 patch is not installedOVAL2487OVAL2537OVAL3949OVAL6313OVAL7095OVAL7194oval:org.mitre.oval:def:2487oval:org.mitre.oval:def:2537oval:org.mitre.oval:def:3949oval:org.mitre.oval:def:6313oval:org.mitre.oval:def:7095oval:org.mitre.oval:def:7194Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability."Cumulative Security Update for Internet Explorer (834707)Multiple Vulnerabilities in Microsoft Internet ExplorerMicrosoft Internet Explorer vulnerable to address bar spoofing on double byte character set systemsMicrosoft Internet Explorer Double Byte Character Set spoof Web site to obtain informationMicrosoft Internet Explorer MS04-038 patch is not installed20041128 Address Bar Spoofing on Double Byte Character Set Locale Vulnerability (CAN-2004-0844) Patched in MS04-03820041128 Address Bar Spoofing on Double Byte Character Set Locale Vulnerability (CAN-2004-0844) Patched in MS04-038OVAL2448OVAL8127oval:org.mitre.oval:def:2448oval:org.mitre.oval:def:8127Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site.ACROS Security: Poisoning Cached HTTPS Documents in Internet ExplorerCumulative Security Update for Internet Explorer (834707)Multiple Vulnerabilities in Microsoft Internet ExplorerMicrosoft Internet Explorer does not properly handle cached HTTPS contentsMicrosoft Internet Explorer cache from SSL Web sites obtain informationhttp://www.acrossecurity.com/aspr/ASPR-2004-10-13-1-PUB.txtOVAL2219OVAL3872OVAL5150OVAL5520OVAL5740OVAL7611ie-ms04038-patch(17651)oval:org.mitre.oval:def:2219oval:org.mitre.oval:def:3872oval:org.mitre.oval:def:5150oval:org.mitre.oval:def:5520oval:org.mitre.oval:def:5740oval:org.mitre.oval:def:7611Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated.Vulnerability in Microsoft Excel Could Allow Remote Code Execution (886836)P-009: Microsoft Excel Vulnerability Could Allow Remote Code ExecutionMicrosoft Excel parameter validation errorMicrosoft Excel allows code executionOVAL2673OVAL422612800excel-ms04033-patch(17683)20041013 Buffer Overflow In Microsoft Exceloval:org.mitre.oval:def:2673oval:org.mitre.oval:def:4226The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability."Security bug in .NET Forms AuthenticationMicrosoft ASP.NET Framework bypass securityMS05-004TA05-039AVU#283646OVAL3556OVAL4987oval:org.mitre.oval:def:3556oval:org.mitre.oval:def:498711342Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames.MS05-005TA05-039AVU#416001OVAL2348OVAL2738OVAL4022ms-url-bo(19107)oval:org.mitre.oval:def:2348oval:org.mitre.oval:def:2738oval:org.mitre.oval:def:4022Integer overflow in the asn_decode_string() function defined in asn1.c in radiusd for GNU Radius 1.1 and 1.2 before 1.2.94, when compiled with the --enable-snmp option, allows remote attackers to cause a denial of service (daemon crash) via certain SNMP requests.GNU Radius SNMP String Length Integer Overflow Denial of Service VulnerabilityGNU Radius 1.2.94.GNU Radius asn_decode_string integer overflowStar before 1.5_alpha46 does not drop the effective user ID (euid) before calling external programs, which could allow local users to gain privileges by modifying the RSH environment variable to reference a malicious program.star fails to set proper permissions on programs specified in RSH environment variableStar ssh gain privilegesbid 11141Star Has Unspecified Flaw That May Let Local Users Gain Root PrivilegesGLSA-200409-111011195The (1) write_list and (2) dump_curr_list functions in Net-Acct before 0.71 allows local users to overwrite arbitrary files via a symlink attack on temporary files.20040908 Insecure Temporary File Creation Vulnerability in Net-Accthttp://exorsus.net/projects/net-acct/net-acct-notempfiles.patchDSA-5591112512476net-acct-tmp-symlink(17283)Buffer overflow in htget 0.93 allows remote attackers to execute arbitrary code via a crafted URL.DSA-61113579htget-bo(18603)Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session.20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities11186web-browser-session-hijack(17415)http://www.securitytracker.com/alerts/2004/Sep/1011332.html1011332Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is also affected.bid 11186Multiple vendor Web browsers allows attacker to hijack a user's sessionFirefox Bug in Setting Cookies in Certain Domains May Let Remote Users Conduct Session Fixation Attackshttps://bugzilla.mozilla.org/show_bug.cgi?id=25234212580101133120040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0866. Reason: This candidate is a duplicate of CVE-2004-0866. Notes: The description for CVE-2004-0866 was inadvertently attached to this issue instead. All CVE users should reference CVE-2004-0866 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Internet Explorer does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection."20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilitieshttp://www.westpoint.ltd.uk/advisories/wp-04-0001.txt1011332web-browser-cookie-session-hijack(17417)KDE Konqueror does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection."20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilitieshttp://www.westpoint.ltd.uk/advisories/wp-04-0001.txt1011330web-browser-cookie-session-hijack(17417)Mozilla does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection."20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilitieshttp://www.westpoint.ltd.uk/advisories/wp-04-0001.txt1011331web-browser-cookie-session-hijack(17417)Opera does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection."20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilitieshttp://www.westpoint.ltd.uk/advisories/wp-04-0001.txt1011329web-browser-cookie-session-hijack(17417)Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program.APPLE-SA-2004-09-16 Security Update 2004-09-16iChat AV link allows application execution** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1123. Reason: This candidate is a reservation duplicate of CVE-2004-1123. Notes: All CVE users should reference CVE-2004-1123 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware (aka webdistro) 0.9.16.002 and earlier allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to the wiki module.phpGroupWare: XSS vulnerability in wiki modulephpGroupWare Wiki module cross-site scriptinghttp://downloads.phpgroupware.org/changeloggetmail 4.x before 4.2.0, when run as root, allows local users to overwrite arbitrary files via a symlink attack on an mbox file.Local root compromise possible with getmailgetmail mbox file race conditionGetmail Local Symbolic Link Vulnerabilityhttp://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOGDSA-553GLSA-200409-32getmail 4.x before 4.2.0, and other versions before 3.2.5, when run as root, allows local users to write files in arbitrary directories via a symlink attack on subdirectories in the maildir.Local root compromise possible with getmailgetmail maildir race conditionGetmail Local Symbolic Link Vulnerabilityhttp://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOGDSA-553GLSA-200409-32Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small "maximum data bytes" value.Trustix Secure Linux Security Advisory #2004-0058Online Security SupportSamba QFILEPATHINFO buffer overflowSamba QFILEPATHINFO Unicode Filename Remote Buffer Overflow Vulnerabilityhttp://security.e-matters.de/advisories/132004.htmlAPPLE-SA-2005-03-21SCOSA-2005.1720041201-01-PSUSE-SA:2004:040P-038VU#4576221178210122351318920041115 Advisory 13/2004: Samba 3.x QFILEPATHINFO unicode filename buffer overflow20041115 [SAMBA] CAN-2004-0882: Possiebl Buffer Overrun in smbdCLA-2004:89920041217 [OpenPKG-SA-2004.054] OpenPKG Security Advisory (samba)Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service (crash) or gain sensitive information from kernel memory via a samba server (1) returning more data than requested to the smb_proc_read function, (2) returning a data offset from outside the samba packet to the smb_proc_readX function, (3) sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, (4) sending a samba packet with a certain header size to the smb_proc_readX_data function, or (5) sending a certain packet based offset for the data in a packet to the smb_receive_trans2 function.Linux Kernel SMBFS Multiple Remote VulnerabilitiesLinux kernel smb_proc_readX_data denial of serviceUpdated openmotif packages fix image vulnerabilityhttp://security.e-matters.de/advisories/142004.html20041118 [USN-30-1] Linux kernel vulnerabilitiesFLSA:2336MDKSA-2005:02213232linux-smb-response-dos(18134)linux-smbreceivetrans2-dos(18136)VU#72619820041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilitiesDSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:50520202DSA-108220338MDKSA-2005:022The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs.DSA-563-3 cyrus-sasl -- unsanitised inputCyrus SASL Multiple Remote And Local VulnerabilitiesCyrus-SASL SASL_PATH environment variableUpdated cyrus-sasl packages fix local vulnerabilityAPPLE-SA-2005-03-21DSA-568FLSA:2137GLSA-200410-05RHSA-2004:5462004-0053http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134657P-00320050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl)MDKSA-2004:106The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration.Apache HTTP Server SSLCipherSuite bypass restrictionsUpdated apache and mod_ssl packages fix security vulnerabilitieshttp://www.apacheweek.com/features/security-20http://issues.apache.org/bugzilla/show_bug.cgi?id=31505HPSBUX01123APPLE-SA-2005-08-15APPLE-SA-2005-08-17USN-177-1102198ADV-2006-07891907220041015 [OpenPKG-SA-2004.044] OpenPKG Security Advisory (modssl)RHSA-2004:562RHSA-2005:81611360APPLE-SA-2005-08-15RHSA-2008:0261Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls.Updated libtiff packagesLibTIFF Multiple Buffer Overflow VulnerabilitiesLibTiff integer overflowUpdated libtiff packages fix multiple vulnerabilitieshttp://www.kde.org/info/security/advisory-20041209-2.txtDSA-567MDKSA-2005:052RHSA-2005:354SUSE-SA:2004:0382004-0054VU#687568P-015http://www.securitytracker.com/alerts/2004/Oct/1011674.html128181011674OVAL100116RHSA-2005:021CLA-2004:888OpenPKG-SA-2004.043101677oval:org.mitre.oval:def:100116MDKSA-2004:109MDKSA-2005:052SUSE Linux Enterprise Server 9 on the S/390 platform does not properly handle a certain privileged instruction, which allows local users to gain root privileges.Online Security SupportLinux kernel instruction allows elevated privilegesLinux IBM S/390 Kernel SACF Instruction Local Privilege Escalation VulnerabilitySUSE-SA:2004:037DSA-101819369Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0889.Updated CUPS packages fix security issuesUpdated xpdf packages fix vulnerabilitiesXpdf PDF integer overflowXpdf PDFTOPS Multiple Integer Overflow VulnerabilitiesDSA-573DSA-581DSA-599FLSA:2353GLSA-200410-20GLSA-200410-30MDKSA-2004:114MDKSA-2004:115MDKSA-2004:116RHSA-2004:592RHSA-2005:066RHSA-2005:354CLA-2004:886FLSA:2352SUSE-SA:2004:039USN-9-1MDKSA-2004:113MDKSA-2004:114MDKSA-2004:115MDKSA-2004:116Multiple integer overflows in xpdf 3.0, and other packages that use xpdf code such as CUPS, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0888.Xpdf, CUPS: Multiple integer overflowsUpdated xpdf packages fix vulnerabilitiesXpdf PDF file integer overflowXpdf PDFTOPS Multiple Integer Overflow VulnerabilitiesGLSA-200410-30SUSE-SA:2004:03911501MDKSA-2004:113** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reasons: This candidate is a reservation duplicate of another candidate. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.Buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer.Updated gaim package fixes security issues and bugsMSN SLP buffer overflowGaim MSN SLP message buffer overflowGaim MSN SLP Remote Buffer Overflow VulnerabilityFLSA:2188GLSA-200410-23gaim-file-transfer-dos(17790)gaim-msn-slp-dos(17787)USN-8-1Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results.Vulnerability in ISA Server 2000 and Proxy Server 2.0 Could Allow Internet Content Spoofing (888258)Microsoft ISA and Proxy Server Web Site Spoofing VulnerabilityMicrosoft ISA Server and Proxy Server allow Web site spoofing caused by cache reverse lookup resultsOVAL4264OVAL4859oval:org.mitre.oval:def:4264oval:org.mitre.oval:def:4859The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability."Microsoft Windows Kernel Unchecked LPC Buffer Privilege Escalation VulnerabilityVulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)OVAL1321OVAL1561OVAL1581OVAL1886OVAL2008OVAL4021OVAL4458OVAL450win-kernel-lpc-gain-privileges(18339)oval:org.mitre.oval:def:1321oval:org.mitre.oval:def:1561oval:org.mitre.oval:def:1581oval:org.mitre.oval:def:1886oval:org.mitre.oval:def:2008oval:org.mitre.oval:def:4021oval:org.mitre.oval:def:4458oval:org.mitre.oval:def:450LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program.Microsoft Windows LSASS Connection Validation Privilege Escalation VulnerabilityVulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)OVAL1888OVAL2062OVAL3312OVAL3325OVAL4368OVAL778win-lsass-gain-privileges(18340)oval:org.mitre.oval:def:1888oval:org.mitre.oval:def:2062oval:org.mitre.oval:def:3312oval:org.mitre.oval:def:3325oval:org.mitre.oval:def:4368oval:org.mitre.oval:def:778The Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack.MS05-003P-095OVAL2128OVAL2447VU#65711812228101283313802oval:org.mitre.oval:def:2128oval:org.mitre.oval:def:2447The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability."Microsoft Windows DHCP Server Logging Remote Denial Of Service VulnerabilityVulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249)OVAL2280OVAL4282winnt-dhcp-machinename-dos(18341)oval:org.mitre.oval:def:2280oval:org.mitre.oval:def:4282The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability."Microsoft Windows DHCP Server Remote Buffer Overflow VulnerabilityVulnerability in DHCP Could Allow Remote Code Execution and Denial of Service (885249)OVAL3577OVAL4846winnt-dhcp-hardwareaddress-code-execution(18342)oval:org.mitre.oval:def:3577oval:org.mitre.oval:def:4846Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571.Microsoft Word for Windows 6.0 Converter Font Conversion Buffer Overflow VulnerabilityVulnerability in WordPad Could Allow Code Execution (885836)P-055OVAL1241OVAL1655OVAL3310OVAL3882OVAL4076OVAL4576OVAL4749OVAL539win-converter-font-code-execution(18338)20041214 Microsoft Word 6.0/95 Document Converter Buffer Overflow Vulnerabilityoval:org.mitre.oval:def:1241oval:org.mitre.oval:def:1655oval:org.mitre.oval:def:3310oval:org.mitre.oval:def:3882oval:org.mitre.oval:def:4076oval:org.mitre.oval:def:4576oval:org.mitre.oval:def:4749oval:org.mitre.oval:def:539Multiple heap-based buffer overflows in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via (1) the "Send page" functionality, (2) certain responses from a malicious POP3 server, or (3) a link containing a non-ASCII hostname.Known Vulnerabilities in MozillaMultiple vulnerabilities in Mozilla productsMozilla, Firefox, and Thunderbird nsPop3Protocol.cpp buffer overflowMozilla Multiple URI Processing Heap Based Buffer Overflow Vulnerabilitieshttp://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3http://bugzilla.mozilla.org/show_bug.cgi?id=258005http://bugzilla.mozilla.org/show_bug.cgi?id=245066http://bugzilla.mozilla.org/show_bug.cgi?id=226669http://bugzilla.mozilla.org/show_bug.cgi?id=256316FLSA:2089GLSA-200409-26SUSE-SA:2004:036SSRT4826mozilla-netscape-nonascii-bo(17378)Stack-based buffer overflow in the writeGroup function in nsVCardObj.cpp for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via malformed VCard attachments that are not properly handled when previewing a message.Mozilla Mail vulnerable to buffer overflow via Mozilla Browser Vcard Handling Remote Buffer Overflow VulnerabilityMozilla, Firefox, Thunderbird, and Netscape nsVCardObj.cpp buffer overflowstack based buffer overflow with vcards when previewing email messagehttp://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3FLSA:2089GLSA-200409-26SSRT4826SUSE-SA:2004:036TA04-261AInteger overflow in the bitmap (BMP) decoder for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to execute arbitrary code via wide bitmap files that trigger heap-based buffer overflows.Mozilla contains integer overflows in bitmap image decoderMozilla Browser BMP Image Decoding Multiple Integer Overflow VulnerabilitiesMozilla BMP buffer overflowBMP integer overflow exploitshttp://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3FLSA:2089GLSA-200409-26SSRT4826SUSE-SA:2004:036TA04-261AFLSA:2089SSRT4826Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to perform cross-domain scripting and possible execute arbitrary code by convincing a user to drag and drop javascript: links to a frame or page in another domain.http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3http://bugzilla.mozilla.org/show_bug.cgi?id=250862FLSA:2089GLSA-200409-26SSRT4826SUSE-SA:2004:036TA04-261AVU#65192811177mozilla-netscape-sameorigin-bypass(17374)The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code.http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3http://bugzilla.mozilla.org/show_bug.cgi?id=235781http://bugzilla.mozilla.org/show_bug.cgi?id=231083GLSA-200409-26RHSA-2005:323SUSE-SA:2004:036VU#65316011192mozilla-insecure-file-permissions(17375)12526The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8, create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code.http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3http://bugzilla.mozilla.org/show_bug.cgi?id=254303GLSA-200409-26mozilla-tar-insecure-permissions(17373)Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via script-generated events such as Ctrl-Ins.http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3http://bugzilla.mozilla.org/show_bug.cgi?id=257523FLSA:2089GLSA-200409-26SSRT4826SUSE-SA:2004:036VU#4605281117912526mozilla-shortcut-clipboard-access(17376)Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege parameter, then modify the meaning of certain security-relevant dialog messages.http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3http://bugzilla.mozilla.org/show_bug.cgi?id=253942GLSA-200409-26SSRT4826SUSE-SA:2004:036VU#11319212526mozilla-enableprivilege-modify-dialog(17377)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0815. Reason: This candidate is a reservation duplicate of CVE-2004-0815. Notes: All CVE users should reference CVE-2004-0815 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.telnetd for netkit 0.17 and earlier, and possibly other versions, on Debian GNU/Linux allows remote attackers to cause a denial of service (free of an invalid pointer), a different vulnerability than CVE-2001-0554.Debian netkit telnetd vulnerabilityDSA-556-2 netkit-telnet -- invalid free(3)Netkit telnetd implementation buffer overflowhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273694Unknown vulnerability in ecartis 0.x before 0.129a+1.0.0-snap20020514-1.3 and 1.x before 1.0.0+cvs.20030911-8 allows attackers in the same domain to gain administrator privileges and modify configuration.DSA-572ESB-2004.06691148712918ecartis-gain-privileges(17809)Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitrary code via a certain XPM image file. NOTE: it is highly likely that this candidate will be SPLIT into other candidates in the future, per CVE's content decisions.LibXPM Multiple Unspecified VulnerabilitieslibXpm denial of serviceDSA-607-1 xfree86 -- several vulnerabilitiesX.Org, XFree86: libXpm vulnerabilitieshttp://www.x.org/pub/X11R6.8.1/patches/README.xorg-681-CAN-2004-0914.patchFEDORA-2004-433GLSA-200502-06GLSA-200502-07MDKSA-2004:137RHSA-2004:537RHSA-2005:00420050216 [USN-83-1] LessTif 2 vulnerabilities13224libxpm-image-bo(18142):libxpm-improper-memory-access(18144):libxpm-command-execution(18145):libxpm-directory-traversal(18146):USN-83-1USN-83-2HPSBTU01228FLSA-2006:152803RHSA-2004:610MDKSA-2004:137Multiple unknown vulnerabilities in viewcvs before 0.9.2, when exporting a repository as a tar archive, does not properly implement the hide_cvsroot and forbidden settings, which could allow remote attackers to gain sensitive information.ViewCVS Multiple Information Disclosure VulnerabilitiesViewCVS repository weak securityDSA-605-1 viewcvs -- settings not honoredDirectory traversal vulnerability in cabextract before 1.1 allows remote attackers to overwrite arbitrary files via a cabinet file containing .. (dot dot) sequences in a filename.DSA-574-1 cabextract -- missing directory sanitisingcabextract Directory Traversal VulnerabilityCabextract Remote Directory Traversal Vulnerabilitycabextract directory traversalhttp://www.kyz.uklinux.net/cabextract.php#changesThe default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag.Vignette Application Portal Unauthenticated DiagnosticsVignette Application Portal Remote Information Disclosure VulnerabilityVignette Application Portal diagnostic utility obtain information1011447The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that trigger a memory allocation error.Updated squid package fixes vulnerabilitySquid Web Proxy Cache SNMP asn_parse_header denial of serviceSquid Proxy SNMP ASN.1 Parser Denial Of Service VulnerabilityCLA-2005:923GLSA-200410-15SCOSA-2005.1620041029 [OpenPKG-SA-2004.048] OpenPKG Security Advisory (squid)FLSA-2006:15280920041011 Squid Web Proxy Cache Remote Denial of Service VulnerabilityFEDORA-2008-6045SUSE-SR:2008:0143091430967The syscons CONS_SCRSHOT ioctl in FreeBSD 5.x allows local users to read arbitrary kernel memory via (1) negative coordinates or (2) large coordinates.FreeBSD-SA-04:15VU#9690781132112722syscons-consscrshot-info-disclosure(17584)Symantec Norton AntiVirus 2004, and earlier versions, allows a virus or other malicious code to avoid detection or cause a denial of service (application crash) using a filename containing an MS-DOS device name.Symantec Norton AntiVirus device name bypass securityhttp://www.seifried.org/security/advisories/kssa-010.html20041005 Symantec Norton AntiVirus Reserved Device Name Handling VulnerabilityAFP Server on Mac OS X 10.3.x to 10.3.5, when a guest has mounted an AFP volume, allows the guest to "terminate authenticated user mounts" via modified SessionDestroy packets.APPLE-SA-2004-09-30 Security Update 2004-09-30Apple Mac OS X Multiple Security VulnerabilitiesAFP Server on Mac OS X 10.3.x to 10.3.5, under certain conditions, does not properly set the guest group ID, which causes AFP to change a write-only AFP Drop Box to be read-write when the Drop Box is on a share that is mounted by a guest, which allows attackers to read the Drop Box.APPLE-SA-2004-09-30 Security Update 2004-09-30Apple Mac OS X Multiple Security VulnerabilitiesCUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords.CUPS stores user account details in plain text in log fileCUPS disclose passwords in log filesCUPS Error_Log Local Password Disclosure VulnerabilityUpdated CUPS packages fix security issuesAPPLE-SA-2004-09-30DSA-566MDKSA-2004:116P-002MDKSA-2004:116NetInfo Manager on Mac OS X 10.3.x through 10.3.5, after an initial root login, reports the root account as being disabled, even when it has not.APPLE-SA-2004-09-30 Security Update 2004-09-30Apple Mac OS X Multiple Security VulnerabilitiesPostfix on Mac OS X 10.3.x through 10.3.5, with SMTPD AUTH enabled, does not properly clear the username between authentication attempts, which allows users with the longest username to prevent other valid users from being able to authenticate.APPLE-SA-2004-09-30 Security Update 2004-09-30Apple Mac OS X Postfix Release SMTPD AUTH Username Denial Of Service VulnerabilityHeap-based buffer overflow in Apple QuickTime on Mac OS 10.2.8 through 10.3.5 may allow remote attackers to execute arbitrary code via a certain BMP image.APPLE-SA-2004-09-30 Security Update 2004-09-30Apple Mac OS X Multiple Security VulnerabilitiesAPPLE-SA-2004-10-27ServerAdmin in Mac OS X 10.2.8 through 10.3.5 uses the same example self-signed certificate on each system, which allows remote attackers to decrypt sessions.APPLE-SA-2004-09-30 Security Update 2004-09-30Apple Mac OS X Multiple Security VulnerabilitiesThe Microsoft IIS Connector in JRun 4.0 and Macromedia ColdFusion MX 6.0, 6.1, and 6.1 J2EE allows remote attackers to bypass authentication and view source files, such as .asp, .pl, and .php files, via an HTTP request that ends in ";.cfm".20041005 ColdFusion MX 6.1 on IIS File Contents Disclosure20040923 New Macromedia Security Zone Bulletins Postedhttp://www.macromedia.com/devnet/security/security_zone/mpsb04-08.htmlhttp://www.macromedia.com/devnet/security/security_zone/mpsb04-09.htmlVU#977440112451263812647coldfusion-jrun-restriction-bypass(17484)Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image.Novell SuSe Linux LibTIFF Heap Overflow VulnerabilityOnline Security SupportLibTIFF OJPEGVSetField heap overflowLibTIFF OJPEG Heap Buffer Overflow VulnerabilityVU#129910SUSE-SA:2004:038The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service (CPU consumption) via a SAMBA request that contains multiple * (wildcard) characters.Samba SMBD Remote Denial of Service VulnerabilitySamba Remote Wild Card Denial Of Service VulnerabilitySamba ms_fnmatch denial of serviceAPPLE-SA-2005-03-21GLSA 200411-21MDKSA-2004:131SCOSA-2005.1720041201-01-PSUSE-SA:2004:04020041108 [SECURITY] CAN-2004-0930: Potential Remote Denial of Service VulnerabilityCLA-2004:899USN-22-1OpenPKG-SA-2004.054101783MDKSA-2004:131MySQL MaxDB before 7.5.00.18 allows remote attackers to cause a denial of service (crash) via an HTTP request to webdbm with high ASCII values in the Server field, which triggers an assert error in the IsAscii7 function.20041006 MySQL MaxDB Web Agent WebDBMServer Name Denial of Service Vulnerability113461053212756maxdb-isascii7dos(17633)20041006 MySQL MaxDB Web Agent WebDBMServer Name Denial of Service VulnerabilityMcAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.Multiple Vendor Antivirus Software Zip Files Detection Evasion VulnerabilityMultiple vendor antivirus .zip bypass protection20041018 Multiple Vendor Anti-Virus Software Detection Evasion VulnerabilityComputer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.Multiple Vendor Antivirus Software Zip Files Detection Evasion VulnerabilityMultiple vendor antivirus .zip bypass protectionhttp://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp20041018 Multiple Vendor Anti-Virus Software Detection Evasion VulnerabilityKaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.Multiple Vendor Antivirus Software Zip Files Detection Evasion VulnerabilityMultiple vendor antivirus .zip bypass protectionVU#96881820041018 Multiple Vendor Anti-Virus Software Detection Evasion VulnerabilityEset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.Multiple Vendor Antivirus Software Zip Files Detection Evasion VulnerabilityMultiple vendor antivirus .zip bypass protectionVU#96881820041018 Multiple Vendor Anti-Virus Software Detection Evasion VulnerabilityRAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.Multiple Vendor Antivirus Software Zip Files Detection Evasion VulnerabilityMultiple vendor antivirus .zip bypass protectionVU#96881820041018 Multiple Vendor Anti-Virus Software Detection Evasion VulnerabilitySophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.Multiple Vendor Antivirus Software Zip Files Detection Evasion VulnerabilityMultiple vendor antivirus .zip bypass protectionVU#96881820041018 Multiple Vendor Anti-Virus Software Detection Evasion VulnerabilityFreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet.FreeRADIUS: Multiple Denial of Service vulnerabilitiesfreeRADIUS Server vulnerable to a denial-of-service attackFreeRADIUS Multiple Attribute Decoding Denial Of Service Vulnerabilities10178FreeRADIUS denial of serviceOVAL1347oval:org.mitre.oval:def:1347changepassword.cgi in Neoteris Instant Virtual Extranet (IVE) 3.x and 4.x, with LDAP authentication or NT domain authentication enabled, does not limit the number of times a bad password can be entered, which allows remote attackers to guess passwords via a brute force attack.Juniper Networks NetScreen password brute force [GoSecure Advisory] Neoteris IVE Vulnerabilityhttp://www.gosecure.ca/SecInfo/gosecure-2004-10.txthttp://securitytracker.com/alerts/2004/Oct/1011552.html1011552836512752Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error.Apache mod_include module buffer overflowApache mod_include Local Buffer Overflow Vulnerability [OpenPKG-SA-2004.047] OpenPKG Security Advisory (apache)DSA-594MDKSA-2004:134RHSA-2004:600http://www.apacheweek.com/features/security-13http://securitytracker.com/id?101178312898102197ADV-2006-078919073RHSA-2005:816MDKSA-2004:134Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990.Trustix Secure Linux Security Advisory #2004-0058GD Graphics Library Multiple Unspecified Remote Buffer overflow Vulnerabilities20041115 [USN-25-1] libgd2 vulnerability13179OVAL1195RHSA-2006:019418686MDKSA-2006:113MDKSA-2006:11420824MDKSA-2006:12221050oval:org.mitre.oval:def:1195DSA-601RHSA-2004:638P-071MDKSA-2006:113MDKSA-2006:114MDKSA-2006:122USN-33-1gd-graphics-gdmalloc-bo(18048)Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters.Apache HTTP Server HTTP GET request denial of serviceUpdated apache2 packages fix request DoS20041101 DoS in Apache 2.0.52 ?SSRT4876HPSBUX011232004-0061APPLE-SA-2005-08-15APPLE-SA-2005-08-17102198ADV-2006-078919072RHSA-2004:562APPLE-SA-2005-08-15MDKSA-2004:135** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 generates easily predictable web session IDs, which allows remote attackers to hijack other sessions via the parentsessionid cookie.http://www.corsaire.com/advisories/c040817-002.txthttp://www.mitel.com/DocController?documentId=14223http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=enThe web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 allows remote authenticated users to cause a denial of service (resource exhaustion) via a large number of active sessions, which exceeds ICP's maximum.http://www.corsaire.com/advisories/c040817-003.txthttp://www.mitel.com/DocController?documentId=14223http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=enrquotad in nfs-utils (rquota_server.c) before 1.0.6-r6 on 64-bit architectures does not properly perform an integer conversion, which leads to a stack-based buffer overflow and allows remote attackers to execute arbitrary code via a crafted NFS request.nfs-utils getquotainfo function buffer overflowUpdated nfs-utils package fixes security vulnerabilitiesnfs-utils: Multiple remote vulnerabilitiesLinux NFS 64-Bit Architecture Remote Buffer Overflow VulnerabilityMDKSA-2005:005RHSA-2005:014http://bugs.gentoo.org/show_bug.cgi?id=72113VU#69830213440 FLSA-2006:138098MDKSA-2005:005Buffer overflow in unarj before 2.63a-r2 allows remote attackers to execute arbitrary code via an arj archive that contains long filenames.ARJ Software UNARJ Remote Buffer Overflow Vulnerabilityunarj file name buffer overflowunarj: Long filenames buffer overflow and a path traversal vulnerabilityDSA-652FLSA:2272RHSA-2005:007** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. It was a duplicate assignment before public disclosure. Notes: none.The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times.Linux Kernel SMBFS Multiple Remote VulnerabilitiesAdvisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilitiesLinux kernel smb_recv_trans2 memory leakUpdated openmotif packages fix image vulnerabilityhttp://security.e-matters.de/advisories/142004.htmlFLSA:2336MDKSA-2005:0222004-006113232USN-30-1DSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:50520202DSA-108220338MDKSA-2005:022NetOp Host before 7.65 build 2004278 allows remote attackers to obtain sensitive hostname, username and local IP address information via (1) a NetOp HELO request, or (2) when responses are disabled, a "custom" HELO request.Danware NetOp Remote Control Information Disclosure VulnerabilityDanware NetOp Host multiple information disclosure issues20041119 Corsaire Security Advisory - Danware NetOp Host multiple information disclosure issuesdanware-helo-obtain-information(18171)The make_recovery command for the TFTP server in HP Ignite-UX before C.6.2.241 makes a copy of the password file in the TFTP directory tree, which allows remote attackers to obtain sensitive information.http://www.corsaire.com/advisories/c041123-001.txt16456hpigniteux-makerecovery-bypass-security(21858)145681014711HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption.20050816 Corsaire Security Advisory: HP Ignite-UX filesystem permissions issueHPSBUX0121916456hpigniteux-addnewclient-gain-access(21857)1014711Buffer overflow in the C2S module in the open source Jabber 2.x server (Jabberd) allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long username.Jabber Server Multiple Remote Buffer Overflow VulnerabilitiesJabberd2 C2S module buffer overflowJabberd2.x remote BuffJabberd2.x remote Buffer Overflowser Overflows20041124 Jabberd2.x remote BuffJabberd2.x remote Buffer Overflowser Overflows** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0597. Reason: This candidate is a reservation duplicate of CVE-2004-0597. Notes: All CVE users should reference CVE-2004-0597 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0599. Reason: This candidate is a reservation duplicate of CVE-2004-0599 (the first item listed in that candidate). Notes: All CVE users should reference CVE-2004-0599 instead of this candidate. All references and descriptions have been removed from this candidate to prevent accidental usage.MySQL before 4.0.20 allows remote attackers to cause a denial of service (application crash) via a MATCH AGAINST query with an opening double quote but no closing double quote.MySQL Remote FULLTEXT Search Denial Of Service VulnerabilityMySQL MATCH ... AGAINST SQL statement denial of serviceMySQL: Multiple vulnerabilitieshttp://bugs.mysql.com/bug.php?id=3870http://lists.mysql.com/packagers/202SUSE-SR:2004:0012004-0054Unknown vulnerability in MySQL 3.23.58 and earlier, when a local user has privileges for a database whose name includes a "_" (underscore), grants privileges to other databases that have similar names, which can allow the user to conduct unauthorized activities.MySQL Database Unauthorized GRANT Privilege VulnerabilityMySQL underscore allows elevated privilegesCLA-2005:947DSA-707MDKSA-2005:070RHSA-2004:597RHSA-2004:61120041125 [USN-32-1] mysql vulnerabilitiesP-018MDKSA-2005:070php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length.PHP phpinfo discloses memory contentsUpdated php packages fix security issues and bugs20040915 [VulnWatch] PHP Vulnerability N. 1FLSA:2344http://www.securitytracker.com/alerts/2004/Sep/1011279.html12560101127920040915 PHP Vulnerability N. 1rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified.http://www.securitytracker.com/alerts/2004/Sep/1011307.html125601011307PHP MIME array execute codeUpdated php packages fix security issues and bugs20040915 Php Vulnerability N. 2FLSA:234420040915 Php Vulnerability N. 2FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (core dump) via malformed USR vendor-specific attributes (VSA) that cause a memcpy operation with a -1 argument.FreeRADIUS Multiple Attribute Decoding Denial Of Service VulnerabilitiesfreeRADIUS Server vulnerable to a denial-of-service attackFreeRADIUS denial of serviceGLSA-200409-29Memory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes.FreeRADIUS Multiple Attribute Decoding Denial Of Service VulnerabilitiesfreeRADIUS Server vulnerable to a denial-of-service attackFreeRADIUS denial of serviceGLSA-200409-29Apple Remote Desktop Client 1.2.4 executes a GUI application as root when it is started by an Apple Remote Desktop Administrator application, which allows remote authenticated users to execute arbitrary code when loginwindow is active via Fast User Switching.Apple Remote Desktop Administrator Privilege Escalation VulnerabilityAPPLE-SA-2004-10-27Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values.Microsoft Word improper file parsing buffer overflow [HV-HIGH] MS Word multiple exceptions, at least one exploitableMS05-023OVAL1795OVAL2105OVAL2216OVAL420oval:org.mitre.oval:def:1795oval:org.mitre.oval:def:2105oval:org.mitre.oval:def:2216oval:org.mitre.oval:def:420Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for Linux, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file.Zinf Malformed Playlist File Remote Buffer Overflow VulnerabilityZinf .pls playlist file buffer overflow Re: Buffer overflow in Zinf 2.2.1 for Win32+exploitDSA-587-1 freeamp -- buffer overflow1265620040924 Buffer overflow in Zinf 2.2.1 for Win32stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified PATH when executing certain commands, which allows local users to execute arbitrary code by modifying the PATH environment variable to point to malicious programs.HP-UX stmkfont allows elevated privilegesHP-UX STMKFONT Local Privilege Escalation Vulnerabilityhttp://www.nsfocus.com/english/homepage/research/0402.htmSSRT480720041021 NSFOCUS SA2004-02 : HP-UX stmkfont Local Privilege Escalation VulnerabilityThe (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files.GNU GetText Unspecified Insecure Temporary File Creation VulnerabilityMultiple scripts temporary file overwriteGLSA-200410-102004-0050http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323FLSA:136323MDKSA-2006:051USN-5-1OpenPKG-SA-2004.055The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in the ESP Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and other operating systems, allow local users to overwrite files via a symlink attack on temporary files.Multiple scripts temporary file overwriteGhostScript Insecure Temporary File Creation Vulnerability2004-0050http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=13632117135RHSA-2005:08116997USN-3-1SCOSA-2006.2320056SCOSA-2006.1919799The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files.GNU GLibC Insecure Temporary File Creation VulnerabilityMultiple scripts temporary file overwrite2004-0050http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318DSA-636GLSA-200410-19RHSA-2004:586RHSA-2005:261USN-4-1The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Multiple scripts temporary file overwriteGNU Troff (Groff) Groffer Script Insecure Temporary File Creation VulnerabilityOpenSSL, Groff: Insecure tempfile handling2004-0050http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313MDKSA-2006:03818764The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as used by other packages such as ncompress, allows local users to overwrite files via a symlink attack on temporary files. NOTE: the znew vulnerability may overlap CVE-2003-0367.Multiple scripts temporary file overwriteGNU GZip Unspecified Insecure Temporary File Creation VulnerabilityDSA-588-1 gzip -- insecure temporary files2004-005013131The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Multiple scripts temporary file overwriteMIT Kerberos 5 SEND-PR.SH Insecure Temporary File Creation VulnerabilityMIT krb5: Insecure temporary file use in send-pr.shRHSA-2005:0122004-0050http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136304The lvmcreate_initrd script in the lvm package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Trustix LVM Utilities Unspecified Insecure Temporary File Creation VulnerabilityMultiple scripts temporary file overwrite Insecure tempfile handlinghttp://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136308RHBA-2004:232** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0457. Reason: This candidate is a reservation duplicate of CVE-2004-0457. Notes: All CVE users should reference CVE-2004-0457 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The netatalk package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files.Multiple scripts temporary file overwriteNetatalk: Insecure tempfile handling in etc2ps.shNetaTalk Unspecified Insecure Temporary File Creation Vulnerability2004-0050The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.OpenSSL DER_CHOP Insecure Temporary File Creation VulnerabilityMultiple scripts temporary file overwriteDSA-603GLSA-200411-152004-0050http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=13630212973OVAL164RHSA-2005:476oval:org.mitre.oval:def:164Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files.Multiple scripts temporary file overwritePerl Unspecified Insecure Temporary File Creation VulnerabilityDSA-620MDKSA-2005:0312004-0050RHSA-2005:88118075FLSA-2006:15284517661OpenPKG-SA-2005.001MDKSA-2005:031The make_oidjoins_check script in PostgreSQL 7.4.5 and earlier allows local users to overwrite files via a symlink attack on temporary files.Multiple scripts temporary file overwritePostgreSQL Insecure Temporary File Creation VulnerabilityDSA-577-1 postgresql -- insecure temporary fileGLSA-200410-16MDKSA-2004:149RHSA-2004:4892004-0050http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136300USN-6-1OpenPKG-SA-2004.046MDKSA-2004:149Heap-based buffer overflow in the Hrtbeat.ocx (Heartbeat) ActiveX control for Internet Explorer 5.01 through 6, when users who visit online gaming sites that are associated with MSN, allows remote attackers to execute arbitrary code via the SetupData parameter.Heartbeat.ocx ActiveX control unknown vulnerabilityMicrosoft MSN "Hrtbeat.ocx" ActiveX control contains unspecified vulnerabilityhttp://www.ngssoftware.com/advisories/heartbeatfull.txtMS04-0381136720050119 MSN Heartbeat Control Buffer OverflowInternet Explorer on Windows XP does not properly modify the "Drag and Drop or copy and paste files" setting when the user sets it to "Disable" or "Prompt," which may enable security-sensitive operations that are inconsistent with the user's intended configuration.Microsoft Internet Explorer bypass Drag and Drop or copy and paste files security settingMicrosoft Internet Explorer fails to honor Microsoft Internet Explorer Drag and Drop VulnerabilityMS04-038TA04-293AFormat string vulnerability in ez-ipupdate.c for ez-ipupdate 3.0.10 through 3.0.11b8, when running in daemon mode with certain service types in use, allows remote servers to execute arbitrary code.EZ-IPupdate Remote Format String Vulnerabilityez-ipupdate show_message format stringez-ipupdate: Format string vulnerability20041111 ez-ipupdate format string bugDSA-592MDKSA-2004:12913167MDKSA-2004:129Buffer overflow in the EXIF parsing routine in ImageMagick before 6.1.0 allows remote attackers to execute arbitrary code via a certain image file.ImageMagick Remote EXIF Parsing Buffer Overflow VulnerabilityImageMagick EXIF image file buffer overflow [USN-7-1] imagemagick vulnerabilityhttp://www.imagemagick.org/www/Changelog.htmlGLSA-200411-111299511548Buffer overflow in the getauthfromURL function in httpget.c in mpg123 pre0.59s and mpg123 0.59r could allow remote attackers or local users to execute arbitrary code via an mp3 file that contains a long string before the @ (at sign) in a URL.MPG123 Remote URL Open Buffer Overflow Vulnerabilitympg123 getauthfromurl buffer overflowDSA-578-1 mpg123 -- buffer overflowGLSA-200410-271102310118321290820041019 mpg123 "getauthfromurl" buffer overflowThe CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request.Yukihiro Matsumoto Ruby CGI Module Unspecified Denial Of Service VulnerabilityRuby CGI module denial of serviceDSA-586MDKSA-2004:128RHSA-2004:635http://www.ubuntulinux.org/support/documentation/usn/usn-20-1MDKSA-2004:128Unknown vulnerability in the dotlock implementation in mailutils before 1:0.5-4 on Debian GNU/Linux allows attackers to gain privileges.http://packages.debian.org/changelogs/pool/main/m/mailutils/mailutils_0.6-2/changelogmailutils (1:0.5-4) unstable; urgency=HIGHInternet Explorer 6.x on Windows XP SP2 allows remote attackers to execute arbitrary code, as demonstrated using a document with a draggable file type such as .xml, .doc, .py, .cdf, .css, .pdf, or .ppt, and using ADODB.Connection and ADODB.recordset to write to a .hta file that is interpreted in the Local Zone by HTML Help.Microsoft Internet Explorer AnchorClick command execution How to Break Windows XP SP2 + Internet Explorer 6 SP220041020 How to Break Windows XP SP2 + Internet Explorer 6 SP220041020 How to Break Windows XP SP2 + Internet Explorer 6 SP220041020 Re: How to Break Windows XP SP2 + Internet Explorer 6 SP2Iptables before 1.2.11, under certain conditions, does not properly load the required modules at system startup, which causes the firewall rules to fail to load and protect the system from remote attackers.iptables module initialization denial of serviceLinux Kernel IPTables Initialization Failure VulnerabilityDSA-580FLSA:2252MDKSA-2004:125P-026USN-81-1MDKSA-2004:125Buffer overflow in the process_menu function in yardradius 1.0.20 allows remote attackers to execute arbitrary code.Yard Radius Remote Buffer Overflow VulnerabilityYardRadius process_menu function buffer overflowDSA-598-1 yardradius -- buffer overflow278384: yardradius: security vulnerability still present in stableInteger overflow on Apple QuickTime before 6.5.2, when running on Windows systems, allows remote attackers to cause a denial of service (memory consumption) via certain inputs that cause a large memory operation.Apple QuickTime Remote Integer Overflow VulnerabilityAPPLE-SA-2004-10-27Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost.Libxml2 Multiple Remote Stack Buffer Overflow VulnerabilitiesLibxml2 xmlNanoFTPScanURL function of the nanoftp.c file buffer overflowLibxml2 xmlNanoFTPScanProxy function buffer overflowAPPLE-SA-2005-01-25DSA-582OVAL117320041026 libxml2 remote buffer overflows (not in xml parsing code though)CLA-2004:890USN-89-1RHSA-2004:615RHSA-2004:650oval:org.mitre.oval:def:1173 SUSE-SR:2005:001GLSA-200411-05P-029111791118011324101194113000libxml2-nanoftp-file-bo(17872)libxml2-nanohttp-file-bo(17876)Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941.21050oval:org.mitre.oval:def:1260RHSA-2004:638P-07123783MDKSA-2004:132MDKSA-2006:113MDKSA-2006:114MDKSA-2006:122GD Graphics Library PNG image integer overflowGD Graphics Library Remote Integer Overflow Vulnerability libgd integer overflowDSA-589DSA-591DSA-601DSA-602MDKSA-2004:1322004-005811190OVAL1260USN-11-1USN-25-1SUSE-SR:2006:00318717MDKSA-2006:11320866MDKSA-2006:11420824MDKSA-2006:122Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to execute arbitrary code via frame headers in MP2 or MP3 files.GLSA-200501-14MDKSA-2005:00913779122181378813899MDKSA-2005:009Format string vulnerability in the -a option (daemon mode) in Proxytunnel before 1.2.3 allows remote attackers to execute arbitrary code via format string specifiers in an invalid proxy answer.Proxytunnel Remote Format String Vulnerabilityproxytunnel message function in the message.c file format stringProxytunnel: Format string vulnerabilityhttp://proxytunnel.sourceforge.net/news.htmlBuffer overflow in hpsockd before 0.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code.HP HPSOCKD Unspecified Remote Buffer Overflow Vulnerabilityhpsockd buffer overflowDSA-604-1 hpsockd -- missing input sanitising13371Multiple integer overflows in xzgv 0.8 and earlier allow remote attackers to execute arbitrary code via images with large width and height values, which trigger a heap-based buffer overflow, as demonstrated in the read_prf_file function in readprf.c. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct. iDEFENSE Security Advisory 12.13.04 - Multiple Vendor xzgv PRF Parsing Integer OverflowZGV And XZGV Image Viewer Multiple Remote Integer Overflow Vulnerabilitieshttp://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diffDSA-614xzgv-readprffile-bo(18454)main.c in cscope 15-4 and 15-5 creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack.Cscope Insecure Temporary File Creation VulnerabilitiesCscope temporary file race conditionDSA-610-1 cscope -- insecure temporary file20041117 RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch.GLSA-200412-1120041124 STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerabilityAPPLE-SA-2007-07-3125159ADV-2007-273226235Unspecified vulnerability in the ptrace MIPS assembly code in Linux kernel 2.4 before 2.4.17 allows local users to gain privileges via unknown vectors.This vulnerability is addressed in the following product release: Linux, Linux kernel, 2.4.17DSA-1070DSA-1067DSA-1069201622016320202DSA-10821817620338Format string vulnerability in telnetd-ssl 0.17 and earlier allows remote attackers to execute arbitrary code.DSA-616VU#99503813663netkit-telnetssl-format-string(18654)zgv 5.5.3 allows remote attackers to cause a denial of service (application crash via segmentation fault) via crafted multiple-image (animated) GIF images.DSA-60811915zgv-multiple-image-dos(18480)11915lintian 1.23 and earlier removes the working directory even if it was not created by lintian, which may allow local users to delete arbitrary files or directories via a symlink attack.lintian-symlink(18808)13771Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled.shadow pwdcheck.c allows account modificationCLA-2004:894DSA-58513028Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location.ppp Callback Control Protocol header fields denial of service20041026 pppd out of bounds memory access, possible DOS[ubuntu-security-announce] 20041029 [USN-12-1] ppp Denial of ServiceTrend ScanMail allows remote attackers to obtain potentially sensitive information or disable the anti-virus capability via the smency.nsf file.ScanMail allows access to sensitive filesTrend Micro ScanMail for Domino Remote File Disclosure Vulnerabilityhttp://cgi.nessus.org/plugins/dump.php3?id=14312Multiple format string vulnerabilities in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact.mc security updateDebian update for mcMidnight Commander format string attackbid 12263DSA-639GLSA-200502-24Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact.mc security updateDebian update for mcbid 12263DSA-639GLSA-200502-24midnight-commander-bo(18898)Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702.ICS DHCP log function format string attackISC DHCPD Remote Format String VulnerabilityDSA-584-1 dhcp -- format string vulnerability Re: debian dhcpd, old format string bug20041025 debian dhcpd, old format string bug20041102 Re: debian dhcpd, old format string bugVU#448384RHSA-2005:212The quoted-printable decoder in bogofilter 0.17.4 to 0.92.7 allows remote attackers to cause a denial of service (application crash) via mail headers that cause a line feed (LF) to be replaced by a null byte that is written to an incorrect memory address.Bogofilter EMail Filter Remote Quoted Printable Decoder Denial Of Service Vulnerabilitybogofilter quoted-printable decoder denial of servicehttp://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01Integer signedness error in the ssh2_rdpkt function in PuTTY before 0.56 allows remote attackers to execute arbitrary code via a SSH2_MSG_DEBUG packet with a modified stringlen parameter, which leads to a buffer overflow.PuTTY Remote SSH2_MSG_DEBUG Buffer Overflow VulnerabilityPuTTY SSH2_MSG_DEBUG buffer overflowAnatole Shaw <anatole () nationalsky ! com>PuTTY: Pre-authentication buffer overflowhttp://www.chiark.greenend.org.uk/~sgtatham/putty/13012129871721420041027 PuTTY SSH2_MSG_DEBUG Buffer Overflow Vulnerability Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors.mc -- several vulnerabilitiesDebian update for mcbid 12263midnight-commander-dos(18903)RHSA-2005:512Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname.Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow Vulnerability20041103 [HV-MED] Zip/Linux long path buffer overflowhttp://www.hexview.com/docs/20041103-1.txtDSA-624FLSA:2255MDKSA-2004:141GLSA-200411-16RHSA-2004:634TLSA-2005-18USN-18-1P-072infozip-compressed-folder-bo(17956)20041103 [HV-MED] Zip/Linux long path buffer overflowMDKSA-2004:141Stack-based buffer overflow in Cyrus IMAP Server 2.2.4 through 2.2.8, with the imapmagicplus option enabled, allows remote attackers to execute arbitrary code via a long (1) PROXY or (2) LOGIN command, a different vulnerability than CVE-2004-1015.Cyrus IMAP username buffer overflowCyrus IMAPD Multiple Remote VulnerabilitiesAdvisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilitieshttp://security.e-matters.de/advisories/152004.htmlhttp://asg.web.cmu.edu/cyrus/download/imapd/changes.htmlGLSA-200411-34MDKSA-2004:13913274[cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 ReleasedMDKSA-2004:139The argument parser of the PARTIAL command in Cyrus IMAP Server 2.2.6 and earlier allows remote authenticated users to execute arbitrary code via a certain command ("body[p") that is treated as a different command ("body.peek") and causes an index increment error that leads to an out-of-bounds memory corruption.Cyrus IMAPD Multiple Remote VulnerabilitiesAdvisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilitiesCyrus IMAP PARTIAL and FETCH commands execute codehttp://security.e-matters.de/advisories/152004.htmlhttp://asg.web.cmu.edu/cyrus/download/imapd/changes.htmlDSA-597GLSA-200411-34MDKSA-2004:13913274[cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 ReleasedUSN-31-1MDKSA-2004:139The argument parser of the FETCH command in Cyrus IMAP Server 2.2.x through 2.2.8 allows remote authenticated users to execute arbitrary code via certain commands such as (1) "body[p", (2) "binary[p", or (3) "binary[p") that cause an index increment error that leads to an out-of-bounds memory corruption.Cyrus IMAPD Multiple Remote VulnerabilitiesAdvisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilitiesDSA-597-1 cyrus-imapd -- buffer overflowhttp://security.e-matters.de/advisories/152004.htmlhttp://asg.web.cmu.edu/cyrus/download/imapd/changes.htmlGLSA-200411-34MDKSA-2004:13913274[cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 ReleasedUSN-31-1MDKSA-2004:139statd in nfs-utils 1.257 and earlier does not ignore the SIGPIPE signal, which allows remote attackers to cause a denial of service (server process crash) via a TCP connection that is prematurely terminated.Linux NFS RPC.STATD Remote Denial Of Service Vulnerability [USN-36-1] NFS statd vulnerabilitynfs-utils statd denial of serviceDSA-606RHSA-2004:583RHSA-2005:0142004-0065 FLSA-2006:138098Buffer overflow in proxyd for Cyrus IMAP Server 2.2.9 and earlier, with the imapmagicplus option enabled, may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2004-1011.Cyrus IMAPD Multiple Remote Unspecified VulnerabilitiesCyrus IMAP Server 'imap magic plus' support code buffer overflowCyrus IMAP Server: Multiple remote vulnerabilitieshttp://asg.web.cmu.edu/cyrus/download/imapd/changes.htmlMDKSA-2004:139[cyrus-announce] 20041123 Cyrus IMAPd 2.2.10 ReleasedMDKSA-2004:139The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system hang) via crafted auxiliary messages that are passed to the sendmsg function, which causes a deadlock condition.Linux Kernel SCM_SEND Local Denial of Service Vulnerabilityhttp://isec.pl/vulnerabilities/isec-0019-scm.txtFLSA:2336MDKSA-2005:022RHSA-2004:689linux-scmsend-dos(18483)RHSA-2005:016USN-38-1DSA-1070DSA-1067DSA-1069RHSA-2005:017201622016320202DSA-108220338SUSE-SA:2004:044MDKSA-2005:022Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x have unknown impact and unknown attack vectors.FLSA:2336RHSA-2004:689linux-ioedgeport-bo(18433)RHSA-2005:016DSA-101719374RHSA-2005:01712102DSA-1070DSA-1067DSA-1069201622016320202DSA-108220338Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.20041219 PHP shmop.c module permits write of arbitrary memory.http://www.hardened-php.net/advisories/012004.txthttp://www.php.net/release_4_3_10.phpFLSA:2344MDKSA-2004:151MDKSA-2005:072RHSA-2005:03212045php-shmopwrite-outofbounds-memory(18515)HPSBMA0121220041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5USN-99-1RHSA-2005:816MDKSA-2004:151MDKSA-2005:07212411The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results.PHP Multiple Local And Remote VulnerabilitiesUpdated php packages fix security issues and bugshttp://www.hardened-php.net/advisories/012004.txthttp://www.php.net/release_4_3_10.php20041216 [OpenPKG-SA-2004.053] OpenPKG Security Advisory (php)FLSA:2344MDKSA-2004:151RHSA-2005:032SUSE-SA:2005:002php-unserialize-code-execution(18514)HPSBMA0121220041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5RHSA-2005:816MDKSA-2004:151The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.20041216 PHP Input Validation Vulnerabilitieshttp://www.php.net/release_4_3_10.phpCLA-2005:915GLSA-200412-14MDKSA-2004:15111981php-addslashes-view-files(18516)HPSBMA01212MDKSA-2004:151iCal before 1.5.4 on Mac OS X 10.2.3, and other later versions, does not alert the user when handling calendars that use alarms, which allows attackers to execute programs and send e-mail via alarms.Apple iCal Calendar Import Alarm Notification Failure VulnerabilityAPPLE-SA-2004-11-22ical-calendar-authorization-bypass(18209)Kerio Winroute Firewall before 6.0.7, ServerFirewall before 1.0.1, and MailServer before 6.0.5 use symmetric encryption for user passwords, which allows attackers to decrypt the user database and obtain the passwords by extracting the secret key from within the software.Multiple Kerio Products Universal Secret Key Storage Vulnerability [CAN-2004-1022] Insecure Credential Storage on Kerio Softwarekerio-weak-encryption(18470)Kerio Winroute Firewall before 6.0.9, ServerFirewall before 1.0.1, and MailServer before 6.0.5, when installed on Windows based systems, do not modify the ACLs for critical files, which allows local users with Power Users privileges to modify programs, install malicious DLLs in the plug-ins folder, and modify XML files related to configuration.kerio-insecure-permissions(18471)20041214 [CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio SoftwareMultiple heap-based buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to cause a denial of service (application crash) and execute arbitrary code via certain image files.IMLib Multiple XPM Image Decoding Buffer Overflow VulnerabilitiesUpdated imlib packages fix security vulnerabilitiesMDKSA-2005:007MDKSA-2005:007Multiple integer overflows in the image handler for imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to cause a denial of service (application crash) and execute arbitrary code via certain image files.IMLib Multiple XPM Image Decoding Buffer Overflow VulnerabilitiesUpdated imlib packages fix security vulnerabilitiesDSA-628GLSA-200412-03MDKSA-2005:007MDKSA-2005:007Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames that contain .. (dot dot) sequences.ARJ Software UNARJ Remote Directory Traversal Vulnerabilityunarj file extraction directory traversal20041010 unarj dir-transversal bug (../../../..)DSA-628DSA-652FLSA:2272GLSA-200411-29RHSA-2005:007Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod.IBM AIX CHCOD Local Privilege Escalation VulnerabilityIBM AIX chcod Local Privilege Escalation Vulnerabilityaix-chcod-gain-privileges(18625)IY64355IY64354IY64356The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code by using the reflection API to access private Java packages.Sun Java Runtime Environment Java Plug-in JavaScript Security Restriction Bypass VulnerabilityAPPLE-SA-2005-02-2257591sdk-jre-applet-restriction-bypass(18188)VU#7603441327120041122 Sun Java Plugin Arbitrary Package Access Vulnerability20041122 Sun Java Plugin Arbitrary Package Access Vulnerability1015236112317ADV-2008-059929035fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to gain sensitive information by calling fcronsighup with an arbitrary file, which reveals the contents of the file that can not be parsed in an error message.Fcron FCronTab/FCronSighUp Multiple Local VulnerabilitiesFcron FCronTab/FCronSighUp Multiple Local VulnerabilitiesGLSA-200411-2720041115 Multiple Security Vulnerabilities in Fcronfcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to bypass access restrictions and load an arbitrary configuration file by starting an suid process and pointing the fcronsighup configuration file to a /proc entry that is owned by root but modifiable by the user, such as /proc/self/cmdline or /proc/self/environ.Fcron FCronTab/FCronSighUp Multiple Local VulnerabilitiesFcron fcronsighup bypass restrictionsGLSA-200411-2720041115 Multiple Security Vulnerabilities in Fcronfcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters such that fcronsighup does not properly append the intended fcrontab.sig to the resulting string.Fcron: Multiple vulnerabilitiesfcron-fcronsighup-create-files(18077)20041115 Multiple Security Vulnerabilities in FcronFcron 2.0.1, 2.9.4, and possibly earlier versions leak file descriptors of open files, which allows local users to bypass access restrictions and read fcron.allow and fcron.deny via the EDITOR environment variable.Fcron FCronTab/FCronSighUp Multiple Local VulnerabilitiesFcron fcrontab allows attacker to obtain informationGLSA-200411-2720041115 Multiple Security Vulnerabilities in FcronBuffer overflow in the http_open function in Kaffeine before 0.5, whose code is also used in gxine before 0.3.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long Content-Type header for a Real Audio Media (.ram) playlist file.Kaffeine RAM playlist file buffer overflowKaffeine Remote Buffer Overflow Vulnerability20041025 Kaffeine Media Player Conteny Type overflowGLSA-200411-14http://sourceforge.net/tracker/index.php?func=detail&aid=1060299&group_id=9655&atid=10965513117Multiple integer signedness errors in (1) imapcommon.c, (2) main.c, (3) request.c, and (4) select.c for up-imapproxy IMAP proxy 1.2.2 allow remote attackers to cause a denial of service (server crash) and possibly leak sensitive information via certain literal values that are not properly handled when using the IMAP_Line_Read function.up-imapproxy denial of service20041107 up-imapproxy DoS vulnerabilitiesCross-site scripting (XSS) vulnerability in the decoding of encoded text in certain headers in mime.php for SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23rd October 2004, allows remote attackers to execute arbitrary web script or HTML.SquirrelMail mime.php cross-site scriptingSquirrelMail decodeHeader HTML Injection VulnerabilitySquirrelMail: Encoded text XSS vulnerabilityhttp://www.squirrelmail.org/http://voxel.dl.sourceforge.net/sourceforge/squirrelmail/sm143a-xss.diffAPPLE-SA-2005-01-25APPLE-SA-2005-03-2120041110 [SquirrelMail Security Advisory] Cross Site Scripting in encoded textCLA-2004:905The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string.TWiki search function command executionTWiki Search Shell Metacharacter Remote Arbitrary Command Execution Vulnerability20041116 Re: [Full-Disclosure] TWiki search function allows arbitrary shell command executionhttp://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearchGLSA-200411-33P-03920041112 TWiki search function allows arbitrary shell command executionCLA-2005:918A design error in the IEEE1394 specification allows attackers with physical access to a device to read and write to sensitive memory using a modified FireWire/IEEE 1394 client, thus bypassing intended restrictions that would normally require greater degrees of physical access to exploit. NOTE: this was reported in 2008 to affect Windows Vista, but some Linux-based operating systems have protection mechanisms against this attack.http://pacsec.jp/advisories.htmlfirewire-ieee1394-interface-installed(18041)20041026 pacsec.jp advisory: Firewire/IEEE 1394 Considered Harmful to Physical Security20080305 Firewire Attack on Windows Vista20080305 RE: Firewire Attack on Windows Vista20080305 Re: Firewire Attack on Windows Vista20080309 Re: [Full-disclosure] Firewire Attack on Windows Vista20080309 Re: Firewire Attack on Windows Vista20080310 RE: [Full-disclosure] Firewire Attack on Windows Vista20080310 Re: [Full-disclosure] Firewire Attack on Windows Vista20080306 RE: Firewire Attack on Windows Vista20080306 Re: Firewire Attack on Windows Vista20080307 Re: Firewire Attack on Windows Vista20080308 RE: [Full-disclosure] Firewire Attack on Windows Vista20080308 Re: [Full-disclosure] Firewire Attack on Windows VistaThe NFS mountd service on SCO UnixWare 7.1.1, 7.1.3, 7.1.4, and 7.0.1, and possibly other versions, when run from inetd, allows remote attackers to cause a denial of service (memory exhaustion) via a series of requests, which causes inetd to launch a separate process for each request.20050111 [NILESA-20050101]: Denial of Service vulnerability due to the mountd bugSCOSA-2005.11222513805Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability."20041225 Microsoft Internet Explorer SP2 Fully Automated Remote CompromiseMS05-001TA05-012BVU#972415OVAL1349OVAL1963OVAL2830OVAL3496ie-helpactivexcontrol-save-file(18311)oval:org.mitre.oval:def:1349oval:org.mitre.oval:def:1963oval:org.mitre.oval:def:2830oval:org.mitre.oval:def:3496Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."20041223 Microsoft Windows LoadImage API Integer Buffer overflow http://www.xfocus.net/flashsky/icoExp/index.htmlMS05-002TA05-012AVU#625856OVAL2956OVAL3097OVAL3220OVAL3355OVAL4671oval:org.mitre.oval:def:2956oval:org.mitre.oval:def:3097oval:org.mitre.oval:def:3220oval:org.mitre.oval:def:3355oval:org.mitre.oval:def:4671P-0941209512623101268413645win-loadimage-bo(18668)Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability."Microsoft Internet Explorer Malformed IFRAME Remote Buffer Overflow VulnerabilityMicrosoft Internet Explorer IFRAME SRC NAME buffer overflowMicrosoft Internet Explorer vulnerable to buffer overflow via FRAME and IFRAME elements20041023 python does mangleme (with IE bugs!)20041025 python does mangleme (with IE bugs!)20041024 python does mangleme (with IE bugs!)20041102 MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoCMS04-040TA04-315ATA04-336AOVAL12941295920041102 MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoCoval:org.mitre.oval:def:1294sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname.GratiSoft Sudo Restricted Command Execution Bypass VulnerabilitySudo bash command executionhttp://www.sudo.ws/sudo/alerts/bash_functions.htmlDSA-596MDKSA-2004:1332004-0061APPLE-SA-2005-05-0320041112 Sudo version 1.6.8p2 now available (fwd)OpenPKG-SA-2005.002USN-28-1MDKSA-2004:133Buffer overflow in the getnickuserhost function in BNC 2.8.9, and possibly other versions, allows remote IRC servers to execute arbitrary code via an IRC server response that contains many (1) ! (exclamation) or (2) @ (at sign) characters.BNC getnickuserhost IRC Server Response Buffer Overflow VulnerabilityBNC IRC getnickuserhost function buffer overflowDSA-5951314920041110 BNC 2.8.9 remote buffer overflowInteger overflow in fetch on FreeBSD 4.1 through 5.3 allows remote malicious servers to execute arbitrary code via certain HTTP headers in an HTTP response, which lead to a buffer overflow.FreeBSD Fetch Remote Buffer Overflow Vulnerabilityfetch HTTP header buffer overflowFreeBSD-SA-04:16Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout.IBM AIX LSVPD Local Privilege Escalation VulnerabilityIBM AIX invscout Local Command Execution Vulnerabilityaix-invscout-gain-privileges(18619)IY64852IY64976IY64820Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.6.0-pl2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PmaAbsoluteUri parameter, (2) the zero_rows parameter in read_dump.php, (3) the confirm form, or (4) an error message generated by the internal phpMyAdmin parser.PHPMyAdmin Multiple Remote Cross-Site Scripting Vulnerabilitieshttp://www.netvigilance.com/html/advisory0005.htmhttp://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3phpmyadmin-multiple-xss(18158)Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) and possibly modify the video output.Linux Kernel Local DRM Denial Of Service Vulnerability [USN-38-1] Linux kernel vulnerabilitiesFLSA:2336RHSA-2005:092linux-i810-dma-dos(15972)RHSA-2005:529RHSA-2005:551RHSA-2005:66317002ADV-2005-1878Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark memory with the VM_IO flag, which causes incorrect reference counts and may lead to a denial of service (kernel panic) when accessing freed kernel pages.http://www.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.23aa3/00_VM_IO-4RHSA-2005:016https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137821linux-kernel-vmio-dos(19275)RHSA-2006:01401233818562RHSA-2005:017Race condition in Linux kernel 2.6 allows local users to read the environment variables of another process that is still spawning via /proc/.../cmdline.Linux Kernel PROC Filesystem Local Information Disclosure Vulnerability [USN-38-1] Linux kernel vulnerabilitiesGLSA-200408-24MDKSA-2005:022linux-spawning-race-condition(17151)FLSA:152532USN-38-1RHSA-2006:0190RHSA-2006:019118684SUSE-SA:2006:01219038RHSA-2005:293DSA-1018193691105211937 20060402-01-U 19607 21476MDKSA-2005:022Multiple cross-site scripting (XSS) vulnerabilities in mnoGoSearch 3.2.26 and earlier allow remote attackers to inject arbitrary HTML and web script via the (1) next and (2) prev result search pages, and the (3) extended and (4) simple search forms.20041223 Cross-Site Scripting - an industry-wide problemhttp://www.mikx.de/index.php?p=6http://www.mnogosearch.org/history.html11895mnogosearch-search-xss(18434)Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=enhttp://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html20050412 Crafted ICMP Messages Can Cause Denial of ServiceMS05-019OVAL2188OVAL3826OVAL780HPSBUX01164SCOSA-2006.418317HPSBTU0121013124oval:org.mitre.oval:def:2188oval:org.mitre.oval:def:3826oval:org.mitre.oval:def:780oval:org.mitre.oval:def:181oval:org.mitre.oval:def:196oval:org.mitre.oval:def:405oval:org.mitre.oval:def:651oval:org.mitre.oval:def:8991957Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, including 2.16.x before 2.16.11, allows remote attackers to inject arbitrary HTML and web script via forced error messages, as demonstrated using the action parameter.20041223 Cross-Site Scripting - an industry-wide problemhttp://www.mikx.de/index.php?p=6bugzilla-xss(18728)12154CLSA-2005:1040Multiple cross-site scripting (XSS) vulnerabilities in ViewCVS 0.9.2 allow remote attackers to inject arbitrary HTML and web script via certain error messages.20041223 Cross-Site Scripting - an industry-wide problemhttp://www.mikx.de/index.php?p=6GLSA-200412-26viewcvs-xss(18718) SUSE-SR:2005:001PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5http://www.hardened-php.net/advisories/012004.txthttp://www.php.net/release_4_3_10.phpGLSA-200412-14MDKSA-2004:151MDKSA-2005:07211964php-safemodeexecdir-restriction-bypass(18511)HPSBMA01212CLA-2005:915USN-99-1MDKSA-2004:151MDKSA-2005:07212412The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion.20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5http://www.hardened-php.net/advisories/012004.txthttp://www.php.net/release_4_3_10.phpCLA-2005:915GLSA-200412-14MDKSA-2004:151MDKSA-2005:07220050318 [USN-99-1] PHP4 vulnerabilities20050324 [USN-99-2] Fixed php4 packages for USN-99-111964php-realpath-safemode-bypass(18512)HPSBMA01212MDKSA-2004:151MDKSA-2005:072Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file.PHP JPEG Image Buffer Overflow VulnerabilityUpdated php packages fix security issues and bugshttp://www.php.net/release_4_3_10.php20041216 [OpenPKG-SA-2004.053] OpenPKG Security Advisory (php)FLSA:2344MDKSA-2004:151RHSA-2005:032SUSE-SA:2005:002php-exifreaddata-bo(18517)HPSBMA01212MDKSA-2004:151The cmdline pseudofiles in (1) procfs on FreeBSD 4.8 through 5.3, and (2) linprocfs on FreeBSD 5.x through 5.3, do not properly validate a process argument vector, which allows local users to cause a denial of service (panic) or read portions of kernel memory. NOTE: this candidate might be SPLIT into 2 separate items in the future.FreeBSD procfs linprocfs information disclosureFreeBSD Linux ProcFS Local Kernel Denial Of Service And Information Disclosure VulnerabilityFreeBSD-SA-04:17Off-by-one error in the mysasl_canon_user function in Cyrus IMAP Server 2.2.9 and earlier leads to a buffer overflow, which may allow remote attackers to execute arbitrary code via the username.Cyrus IMAP Server mysasl_canon_user off-by-one buffer overflowCyrus IMAPD Multiple Remote Unspecified Vulnerabilitieshttp://asg.web.cmu.edu/cyrus/download/imapd/changes.htmlUSN-37-1A "missing serialization" error in the unix_dgram_recvmsg function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain privileges via a race condition.Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification VulnerabilityLinux kernel AF_UNIX race condition20041119 Addendum, recent Linux <= 2.4.27 vulnerabilitiesFLSA:2336MDKSA-2005:022RHSA-2004:53720041214 [USN-38-1] Linux kernel vulnerabilitiesDSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:50520202DSA-108220338SUSE-SA:2004:044 20060402-01-U 19607MDKSA-2005:022Race condition in SELinux 2.6.x through 2.6.9 allows local users to cause a denial of service (kernel crash) via SOCK_SEQPACKET unix domain sockets, which are not properly handled in the sock_dgram_sendmsg function.Linux Kernel sock_dgram_sendmsg race condition [PATCH] linux 2.9.10-rc1: Fix oops in unix_dgram_sendmsg when using [USN-38-1] Linux kernel vulnerabilitiesMDKSA-2005:022MDKSA-2005:022The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly check return values from calls to the kernel_read function, which may allow local users to modify sensitive memory in a setuid program and execute arbitrary code.Linux Kernel BINFMT_ELF Loader Local Privilege Escalation VulnerabilitiesLinux Kernel ELF setuid allows elevated privilegesUpdated openmotif packages fix image vulnerabilityhttp://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txtFLSA:2336MDKSA-2005:022RHSA-2004:549DSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:5051164620202DSA-108220338 20060402-01-U 19607MDKSA-2005:022The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code.Linux Kernel BINFMT_ELF Loader Local Privilege Escalation VulnerabilitiesLinux Kernel ELF setuid allows elevated privilegesUpdated openmotif packages fix image vulnerabilityhttp://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txtFLSA:2336MDKSA-2005:022DSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:5051164620202DSA-108220338 20060402-01-U 19607MDKSA-2005:022The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL terminated, which could cause strings longer than PATH_MAX to be used, leading to buffer overflows that allow local users to cause a denial of service (hang) and possibly execute arbitrary code.Linux Kernel BINFMT_ELF Loader Local Privilege Escalation VulnerabilitiesLinux Kernel ELF setuid allows elevated privilegesUpdated openmotif packages fix image vulnerabilityhttp://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txtFLSA:2336MDKSA-2005:022RHSA-2005:275DSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:5051164620202DSA-108220338 20060402-01-U 19607MDKSA-2005:022The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality.Linux Kernel BINFMT_ELF Loader Local Privilege Escalation VulnerabilitiesLinux Kernel ELF setuid allows elevated privilegesUpdated kernel packages fix security vulnerabilitieshttp://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txtFLSA:2336MDKSA-2005:022RHSA-2006:0190RHSA-2006:019118684RHSA-2005:293DSA-1070DSA-1067DSA-10692016220163RHSA-2004:504RHSA-2004:5051164620202DSA-108220338MDKSA-2005:022The binfmt functionality in the Linux kernel, when "memory overcommit" is enabled, allows local users to cause a denial of service (kernel oops) via a malformed a.out binary.Linux Kernel Local Denial Of Service And Memory Disclosure VulnerabilitiesLinux kernel a.out binary denial of serviceCLA-2005:930FLSA:2336MDKSA-2005:0222005-000120041216 [USN-39-1] Linux amd64 kernel vulnerability[linux-kernel] 20041111 a.out issueDSA-1070DSA-1067DSA-1069201622016320202DSA-108220338MDKSA-2005:022Cross-site scripting (XSS) vulnerability in standard_error_message.dtml for Zwiki after 0.10.0rc1 to 0.36.2 allows remote attackers to inject arbitrary HTML and web script via a malformed URL, which is not properly cleansed when generating an error message.Zwiki link cross-site scriptingZwiki Cross-Site Scripting Vulnerability STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerabilityhttp://zwiki.org/925ZwikiXSSVulnerabilityGLSA-200412-2320041126 Re: STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerabilityMultiple buffer overflows in the RtConfigLoad function in rt-config.c for Atari800 before 1.3.4 allow local users to execute arbitrary code via large values in the configuration file.Atari800 Emulator Multiple Local Buffer Overflow Vulnerabilities Re: Atari800 - local root. (fwd) Atari800 - local root.DSA-6091261013670Citrix Program Neighborhood Agent for Win32 8.00.24737 and earlier and MetaFrame Presentation Server client for WinCE before 8.33 allows remote servers to create arbitrary shortcuts on the client via a full UNC path in the AppInStartmenu directive.20050426 Citrix Program Neighborhood Agent Arbitrary Shortcut Creation Vulnerabilityhttp://support.citrix.com/kb/entry.jspa?externalID=CTX10565015108Stack-based buffer overflow in the client for Citrix Program Neighborhood Agent for Win32 8.00.24737 and earlier and Citrix MetaFrame Presentation Server client for WinCE before 8.33 allows remote attackers to execute arbitrary code via a long cached icon filename in the InName XML element.20050426 Citrix Program Neighborhood Agent Buffer Overflowhttp://support.citrix.com/kb/entry.jspa?externalID=CTX10565015108Buffer overflow in (1) ncplogin and (2) ncpmap in nwclient.c for ncpfs 2.2.4, and possibly other versions, may allow local users to gain privileges via a long -T option.NCPFS Local Buffer Overflow Vulnerabilityncpfs nwclient.c buffer overflow20041129 ncpfs buffer overflowGLSA-200412-09MDKSA-2005:02820041129 ncpfs buffer overflowFLSA:152904MDKSA-2005:028The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability."Microsoft Windows WINS Association Context Data Remote Memory Corruption VulnerabilityWINS memory pointer hijackMicrosoft Windows Internet Naming Service (WINS) replication protocol contains a heap-based buffer overflow Immunity, Inc Advisor20041126 Immunity, Inc Advisorhttp://www.immunitysec.com/downloads/instantanea.pdf20041129 Microsoft WINS Server Vulnerability890710MS04-045P-054OVAL1549OVAL2541OVAL2734OVAL3677OVAL4372OVAL483113328123781012516oval:org.mitre.oval:def:1549oval:org.mitre.oval:def:2541oval:org.mitre.oval:def:2734oval:org.mitre.oval:def:3677oval:org.mitre.oval:def:4372oval:org.mitre.oval:def:4831The Application Framework (AppKit) for Apple Mac OS X 10.2.8 and 10.3.6 does not properly restrict access to a secure text input field, which allows local users to read keyboard input from other applications within the same window session.APPLE-SA-2004-12-02P-0491180213362macos-appkit-obtain-info(18350)mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials.APPLE-SA-2004-12-02P-04995711012414macos-moddigest-response-replay(18347)Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate capitalization.APPLE-SA-2004-12-02P-04913362apache-hfs-file-disclosure(18348)APPLE-SA-2005-08-15APPLE-SA-2005-08-1711802APPLE-SA-2005-08-15Apache for Apple Mac OS X 10.2.8 and 10.3.6 allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+, which bypass Apache file handles.APPLE-SA-2004-12-02P-04913362apache-hfs-obtain-info(18349)APPLE-SA-2005-08-15APPLE-SA-2005-08-1711802APPLE-SA-2005-08-15Human Interface Toolbox (HIToolBox) for Apple Mac 0S X 10.3.6 allows local users to exit applications via the force-quit key combination, even when the system is running in kiosk mode.APPLE-SA-2004-12-02P-04913362macos-hitoolbox-kiosk-dos(18352)11802Buffer overflow in PSNormalizer for Apple Mac OS X 10.3.6 allows remote attackers to execute arbitrary code via a crafted PostScript input file.APPLE-SA-2004-12-02P-04913362macos-psnormalizer-bo(18354)11802Terminal for Apple Mac OS X 10.3.6 may indicate that "Secure Keyboard Entry" is enabled even when it is not, which could result in a false sense of security for the user.APPLE-SA-2004-12-02P-0491180213362macos-terminal-secure-improper(18355)11802Postfix server for Apple Mac OS X 10.3.6, when using CRAM-MD5, allows remote attackers to send mail without authentication by replaying authentication information.APPLE-SA-2004-12-02P-04913362postfix-crammd5-auth-replay(18353)11802Unknown vulnerability in Apple Mac OS X 10.3.6 server, when using Kerberos authentication and Cyrus IMAP allows local users to access mailboxes of other users.APPLE-SA-2004-12-02P-04913362cyrus-kerberos-gain-access(18351)11802Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "a corrupt section header."mc -- several vulnerabilitiesDebian update for mcbid 12263midnight-commander-section-dos(18907)RHSA-2005:512Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by triggering a null dereference.mc -- several vulnerabilitiesDebian update for mcbid 12263midnight-commander-find-dos(18908)RHSA-2005:512Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by causing mc to free unallocated memory.mc -- several vulnerabilitiesDebian update for mcbid 12263GLSA-200502-24midnight-commander-memory-allocation(18904)Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "use of already freed memory."mc -- several vulnerabilitiesDebian update for mcbid 12263midnight-commander-key-dos(18905)RHSA-2005:512Buffer overflow in InnerMedia DynaZip DUNZIP32.dll file version 5.00.03 and earlier allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, as demonstrated using (1) a .rjs (skin) file in RealPlayer 10 through RealPlayer 10.5 (6.0.12.1053), RealOne Player 1 and 2, (2) the Restore Backup function in CheckMark Software Payroll 2004/2005 3.9.6 and earlier, (3) CheckMark MultiLedger before 7.0.2, (4) dtSearch 6.x and 7.x, (5) mcupdmgr.exe and mghtml.exe in McAfee VirusScan 10 Build 10.0.21 and earlier, (6) IBM Lotus Notes before 6.5.5, and other products. NOTE: it is unclear whether this is the same vulnerability as CVE-2004-0575, although the data manipulations are the same.RealPlayer and RealOne Player DUNZIP32.DLL buffer overflowRealNetworks RealOne Player/RealPlayer Skin File Remote Stack Based Buffer Overflow Vulnerability High Risk Vulnerability in RealPlayer20041027 High Risk Vulnerability in RealPlayerhttp://service.real.com/help/faq/security/041026_player/EN/20041027 EEYE: RealPlayer Zipped Skin File Buffer OverflowVU#582498ADV-2005-205719906101194410122971709617394payroll-dunzip32-bo(22737)20041027 High Risk Vulnerability in RealPlayer20051223 dtSearch DUNZIP32.dll Buffer Overflow Vulnerability1819420060330 McAfee VirusScan DUNZIP32.dll Buffer Overflow VulnerabilityADV-2006-11761945120060906 IBM Lotus Notes DUNZIP32.dll Buffer Overflow Vulnerability1016817296653Multiple integer overflows in (1) readbmp.c, (2) readgif.c, (3) readgif.c, (4) readmrf.c, (5) readpcx.c, (6) readpng.c,(7) readpnm.c, (8) readprf.c, (9) readtiff.c, (10) readxbm.c, (11) readxpm.c in zgv 5.8 allow remote attackers to execute arbitrary code via certain image headers that cause calculations to be overflowed and small buffers to be allocated, leading to buffer overflows. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct.ZGV And XZGV Image Viewer Multiple Remote Integer Overflow Vulnerabilitieszgv image headers heap overflow zgv image viewing heap overflows Re: zgv image viewing heap overflowsGLSA-200411-12http://www.svgalib.org/rus/zgv/http://www.svgalib.org/rus/zgv/zgv-5.8-integer-overflow-fix.diffArchive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system.Multiple vendor antivirus .zip bypass protectionMultiple Vendor Antivirus Software Zip Files Detection Evasion VulnerabilityArchive::Zip: Virus detection evasionMultiple Vendor Anti-Virus Software Detection Evasion VulnerabilityMDKSA-2004:11820041018 Multiple Vendor Anti-Virus Software Detection Evasion VulnerabilityVU#49254513038MDKSA-2004:118Format string vulnerability in the cherokee_logger_ncsa_write_string function in Cherokee 0.4.17 and earlier, when authenticating via auth_pam, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in the URL.Cherokee HTTPD Auth_Pam Authentication Remote Format String VulnerabilityCherokee Web Server format stringCherokee: Format string vulnerabilityhttp://bugs.gentoo.org/show_bug.cgi?id=67667MIMEDefang in MIME-tools 5.414 allows remote attackers to bypass virus scanning capabilities via an e-mail attachment with a virus that contains an empty boundary string in the Content-Type header.MIME-tools boundary bypass virus protectionRoaring Penguin Software MIMEDefang Multiple Unspecified VulnerabilitiesMIME-tools: Virus detection evasion20041026 [Mimedefang] SECURITY: Patch for MIME-toolsMDKSA-2004:123MDKSA-2004:123Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) 3.3.1, when the EAP-TLS protocol is enabled, does not properly handle expired or untrusted certificates, which allows remote attackers to bypass authentication and gain unauthorized access via a "cryptographically correct" certificate with valid fields such as the username.Cisco Secure Access Control Server Remote Authentication Bypass VulnerabilityCisco Secure ACS for Windows and Solution Engine EAP-TLS bypass authenticationP-028: Cisco Secure Access Control Server (ACS) EAP-TLS Authentication VulnerabilityCisco Security Advisory: Vulnerability in Cisco Secure Access Control Server EAP-TLS AuthenticationCross-site scripting (XSS) vulnerability in mailpost.exe in MailPost 5.1.1sv, and possibly earlier versions, when debug mode is enabled, allows remote attackers to execute arbitrary web script or HTML via the append parameter.Successful exploitation requires that debug mode is enabled.TIPS MailPost APPEND Variable Cross-Site Scripting VulnerabilityMailPost append cross-site scriptingMailPost vulnerable to cross-site scripting in the 'append' variable passed to the file as part of an HTTP GET requesthttp://www.procheckup.com/security_info/vuln_pr0410.htmlmailpost.exe in MailPost 5.1.1sv, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash), leak sensitive pathname information in the resulting error message, and execute a cross-site scripting (XSS) attack via an HTTP request that contains a / (backslash) and arbitrary webscript before the requested file, which leaks the pathname and does not quote the script in the resulting Visual Basic error message.TIPS MailPost Error Message Cross-Site Scripting VulnerabilityMailPost slash cross-site scriptingMailPost vulnerable to cross-site scripting via an executable requested with a trailing slash appended to the filenamehttp://www.procheckup.com/security_info/vuln_pr0411.htmlMailPost 5.1.1sv, and possibly earlier versions, displays a different error message depending on whether the requested file exists or not, which allows remote attackers to gain sensitive information.TIPS MailPost Remote File Enumeration VulnerabilityMailPost HTTP GET information disclosureMailPost vulnerable file system information disclosure via HTTP GET requesthttp://www.procheckup.com/security_info/vuln_pr0408.htmlMailPost 5.1.1sv, and possibly earlier versions, when debug mode is enabled, allows remote attackers to gain sensitive information via the debug parameter, which reveals information such as the path to the web root and the web server version.TIPS MailPost Remote Debug Mode Information Disclosure VulnerabilityMailPost debug mode information disclosureMailPost discloses sensitive system information when operating in debug modehttp://www.procheckup.com/security_info/vuln_pr0409.htmlMicrosoft Internet Explorer 6.0 SP2 allows remote attackers to spoof a legitimate URL in the status bar and conduct a phishing attack via a web page that contains a BASE element that points to the legitimate site, followed by an anchor (a) element with an empty "href" attribute, and a FORM whose action points to a malicious URL, and an INPUT submit element that is modified to look like a legitimate URL.Microsoft Internet Explorer HTML Form Base A Tag Status Bar Spoofing WeaknessMicrosoft Internet Explorer A HREF status bar spoofingMultiple web browsers do not properly interpret BASE and FORM elements when displaying URLs in the status bar20041030 Re: New URL spoofing bug in Microsoft Internet Explorer20060218 Re: Internet Explorer Phishing mouseover issue20060223 Re: Internet Explorer Phishing mouseover issue11273Nortel Networks Contivity VPN Client displays a different error message depending on whether the username is valid or invalid, which could allow remote attackers to gain sensitive information.Nortel Contivity VPN Client information disclosureNortel Contivity VPN Client Username Enumeration VulnerabilityNortel Networks Contivity VPN Client information leakage vulnerabilityFull-Disclosure] Nortel Networks Contivity VPN Client information leakage vulnerabilityhttp://www.nii.co.in/vuln/contivity.htmlhttp://www.kb.cert.org/vuls/id/CRDY-626N7FCross-site scripting (XSS) vulnerability in Gallery 1.4.4-pl3 and earlier allows remote attackers to execute arbitrary web script or HTML via "specially formed URLs," possibly via the include parameter in index.php.Gallery Unspecified Remote HTML Injection VulnerabilityGallery script cross-site scriptingGallery: Cross-site scripting vulnerabilityDSA-642http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=142&mode=thread&order=0&thold=0http://g3cko.info/gallery2-4.patchdispatch-conf in Portage 2.0.51-r2 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files.Gentoo Portage Dispatch-Conf Insecure Temporary File Creation VulnerabilityGentoo Portage dispatch-conf script symlink attackPortage, Gentoolkit: Temporary file vulnerabilitieshttp://bugs.gentoo.org/show_bug.cgi?id=6914713108qpkg in Gentoolkit 0.2.0_pre10 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary directory.Gentoo Gentoolkit QPKG Insecure Temporary File Creation VulnerabilityGentoolkit qpkg utility symlink attackPortage, Gentoolkit: Temporary file vulnerabilitiesGentoo Portage/Gentoolkit Insecure Temporary File Creationhttp://bugs.gentoo.org/show_bug.cgi?id=68846The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field.Kerio Personal Firewall IP Options Denial Of Service VulnerabilityKerio Personal Firewall (KPF) packet processing denial of serviceSecurity AdvisoriesAD20041109The mtink status monitor before 1.0.5 for Epson printers allows local users to overwrite arbitrary files via a symlink attack on the epson temporary file.MTink Insecure Temporary File Creation Vulnerabilitymtink temporary file symlink attackmtink: Insecure tempfile handlinghttp://bugs.gentoo.org/show_bug.cgi?id=70310Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size.Cisco IOS DHCP denial of serviceCisco IOS fails to properly handle malformed DHCP packetsCisco IOS DHCP Input Queue Blocking Denial Of Service Vulnerability20041110 Cisco Security Advisory: Cisco IOS DHCP Blocked Interface Denial-of-ServiceP-034TA04-316AThe buffer overflow trigger in Cisco Security Agent (CSA) before 4.0.3 build 728 waits five minutes for a user response before terminating the process, which could allow remote attackers to bypass the buffer overflow protection by sending additional buffer overflow attacks within the five minute timeout period.Cisco Security Agent Buffer Overflow Protection Bypass VulnerabilityCisco Security Agent (CSA) bypass buffer overflow protectionCisco Security Advisory: Crafted Timed Attack Evades Cisco Security Agent ProtectionsP-036: Crafted Timed Attack Evades Cisco Security Agent ProtectionsSQL injection vulnerability in SQLgrey Postfix greylisting service before 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) sender or (2) recipient e-mail addresses.SQLgrey Postfix Greylisting Service SQL Injection VulnerabilitySQLgrey Postfix greylisting service SQL injectionTrustix Secure Linux Security Advisory #2004-0058http://sourceforge.net/project/shownotes.php?release_id=28125613135Buffer overflow in the handling of command line arguments in Skype 1.0.x.94 through 1.0.x.98 allows remote attackers to execute arbitrary code via a callto:// URL with a long non-existent username, a different vulnerability than CVE-2004-1777.Skype Technologies Skype CallTo URI Buffer Overrun VulnerabilitySkype callto: URI handler buffer overflowSkype callto:// BoF technical details20041116 Skype callto:// BoF technical detailshttp://www.skype.com/products/skype/windows/changelog.htmlhttp://www.skype.com/security/ssa-2004-02.html117861319120041115 Re: Skype callto:// BoF technical detailsThe init scripts in Search for Extraterrestrial Intelligence (SETI) project 3.08-r3 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs.SETI@home, GIMPS, ChessBrain allows elevated privilegesGIMPS, SETI@home, ChessBrain: Insecure installationThe init scripts in Great Internet Mersenne Prime Search (GIMPS) 23.9 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs.SETI@home, GIMPS, ChessBrain allows elevated privilegesGIMPS, SETI@home, ChessBrain: Insecure installationThe init scripts in ChessBrain 20407 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs.Gentoo ChessBrain EBuild Insecure Default Permissions VulnerabilitySETI@home, GIMPS, ChessBrain allows elevated privilegesGIMPS, SETI@home, ChessBrain: Insecure installationBuffer overflow in the WodFtpDLX.ocx (WeOnlyDo!) ActiveX component before 2.3.2.97, as used by CoffeeCup Direct FTP 6.2.0.62 and CoffeeCup Free FTP 3.0.0.10, and possibly other applications, allows remote attackers to execute arbitrary code via a long filename.wodFtpDLX long filename buffer overflowWeOnlyDo! wodFtpDLX ActiveX Component Remote Buffer Overflow VulnerabilityWeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability20041122 WeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability20041122 CoffeeCup FTP Clients Buffer Overflow VulnerabilityStack-based buffer overflow in IN_CDDA.dll in Winamp 5.05, and possibly other versions including 5.06, allows remote attackers to execute arbitrary code via a certain .m3u playlist file.Nullsoft Winamp IN_CDDA.dll Remote Buffer Overflow VulnerabilityWinamp IN_CDDA.dll file buffer overflowWinamp - Buffer Overflow In IN_CDDA.dll20041126 Re: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatchedhttp://www.security-assessment.com/Papers/Winamp_IN_CDDA_Buffer_Overflow.pdfVU#9865041326920041123 Winamp - Buffer Overflow In IN_CDDA.dll20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched]Mulitple buffer overflows in (1) http.c, (2) http-retr.c, (3) main.c and other code that handles network protocols in ProZilla 1.3.6-r2 and earlier allow remote servers to execute arbitrary code via a long Location header.ProZilla Multiple Remote Buffer Overflow VulnerabilitiesProZilla buffer overflowProZilla: Multiple vulnerabilitieshttp://bugs.gentoo.org/show_bug.cgi?id=7009020041124 Prozilla Remote ExploitDSA-663Apple Safari 1.0 through 1.2.3 allows remote attackers to spoof the URL displayed in the status bar via TABLE tags.APPLE-SA-2004-12-02VU#9254301157313047ie-table-status-spoofing(17909)Safari 1.x to 1.2.4, and possibly other versions, allows inactive windows to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows, aka the "Dialog Box Spoofing Vulnerability," a different vulnerability than CVE-2004-1314.Apple Safari Cross-Domain Dialog Box Spoofing VulnerabilityMultiple Browsers Dialog Box Spoofing Testhttp://secunia.com/secunia_research/2004-10/12892APPLE-SA-2004-12-02Darwin Streaming Server 5.0.1, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) via a DESCRIBE request with a location that contains a null byte.Apple Mac OS X Multiple Remote And Local VulnerabilitiesApple Darwin Streaming Server DESCRIBE Null Byte Denial of Service Vulnerabilitydarwin-describe-dos(18357)Unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot jail and conduct unauthorized activities.SCOSA-2005.2chroot-jail-security-bypass(18970)SCOSA-2005.22123001391515339Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PDF file that causes the boundaries of a maskColors array to be exceeded.XPDF DoImage Remote Buffer Overflow Vulnerabilityftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patchhttp://www.kde.org/info/security/advisory-20041223-1.txt20041223 [USN-48-1] xpdf, tetex-bin vulnerabilitiesFLSA:2353FLSA:2352GLSA-200501-13GLSA-200501-17RHSA-2005:013RHSA-2005:018RHSA-2005:034RHSA-2005:053RHSA-2005:057RHSA-2005:066RHSA-2005:354xpdf-gfx-doimage-bo(18641)20041221 Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability20041228 KDE Security Advisory: kpdf Buffer Overflow Vulnerability20041223 [USN-50-1] CUPS vulnerabilitiesCLA-2005:921GLSA-200412-25USN-50-120041221 Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability20041228 KDE Security Advisory: kpdf Buffer Overflow VulnerabilityCLA-2005:921SCOSA-2005.4217277RHSA-2005:02620041221 Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability1012646SUSE-SR:2005:001Buffer overflow in Open Dc Hub 0.7.14 allows remote attackers, with administrator privileges, to execute arbitrary code via a long RedirectAll command.Open DC Hub Remote Buffer Overflow VulnerabilityOpen DC Hub RedirectAll buffer overflow Buffer Overflow in Open Dc Hub 0.7.1420041124 Buffer Overflow in Open Dc Hub 0.7.14GLSA-200411-37Buffer overflow in CMailCOM.dll in CMailServer 5.2 allows remote attackers to execute arbitrary code via an attachement with a long filename.Youngzsoft CMailServer Multiple Remote VulnerabilitiesCMailServer CMailCOM.dll buffer overflowSIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilitieshttp://www.security.org.sg/vuln/cmailserver52.htmlSQL injection vulnerability in (1) fdelmail.asp, (2) addressc.asp, and possibly (3) postmail.asp and (4) fmvmail.asp in CMailServer 5.2 allow remote attackers to inject arbitrary SQL commands and delete mail metadata or e-mail addresses of contacts via the indexOfMail parameter.Youngzsoft CMailServer Multiple Remote VulnerabilitiesCMailServer fdelmail.asp and addressc.asp SQL injection[SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilitieshttp://www.security.org.sg/vuln/cmailserver52.htmlCross-site scripting (XSS) vulnerability in admin.asp in CMailServer 5.2 allows remote attackers to execute arbitrary web script or HTML via personal information fields, such as (1) username, (2) name, or (3) comments.This vulnerability is addressed in the following product release: YoungZSoft, CMailServer, 5.2.1Youngzsoft CMailServer Multiple Remote VulnerabilitiesCMailServer admin.asp cross-site scripting[SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilitieshttp://www.security.org.sg/vuln/cmailserver52.htmlMultiple buffer overflows in the enable command for SCO OpenServer 5.0.6 and 5.0.7 allow local users to execute arbitrary code via long command line arguments.SCOSA-2005.13openserver-enable-bo(19243)SCO OpenServer 12474Multiple cross-site scripting (XSS) vulnerabilities in Microsoft W3Who ISAPI (w3who.dll) allow remote attackers to inject arbitrary HTML and web script via (1) HTTP headers such as "Connection" or (2) invalid parameters whose values are echoed in the resulting error message.Microsoft Windows 2000 Resource Kit W3Who.DLL Multiple Remote VulnerabilitiesW3Who HTTP header and error message cross-site scripting20041206 Multiple vulnerabilities in w3who ISAPI DLLBuffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long query string.Microsoft Windows 2000 Resource Kit W3Who.DLL Multiple Remote VulnerabilitiesW3Who buffer overflowhttp://www.exaprobe.com/labs/advisories/esa-2004-1206.html20041206 Multiple vulnerabilities in w3who ISAPI DLLMultiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3) MKD, and (4) RNFR commands.WS_FTP Server FTP commands buffer overflowMultiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14.20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14.http://www.securiteam.com/exploits/6D00L2KBPG.htmlBuffer overflow in CuteFTP Professional 6.0, and possibly other versions, allows remote FTP servers to cause a denial of service (application crash) via large replies to FTP commands.CuteFTP reply buffer overflowGlobalScape CuteFTP Multiple Command Response Buffer Overflow Vulnerabilities20041129 CuteFTP 6.0 Professional Remote Buffer Overflow VulnerabilityMultiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial of service or execute arbitrary code via (1) the ip_mc_source function, which decrements a counter to -1, or (2) the igmp_marksources function, which does not properly validate IGMP message parameters and performs an out-of-bounds read.Linux Kernel IGMP Multiple Vulnerabilities[USN-38-1] Linux kernel vulnerabilitieshttp://isec.pl/vulnerabilities/isec-0018-igmp.txtFLSA:2336MDKSA-2005:022RHSA-2005:092linux-igmpmarksources-dos(18482)linux-ipmcsource-code-execution(18481)CLA-2005:930SUSE-SA:2004:044MDKSA-2005:022VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu.Vim Modelines Arbitrary Command Execution Variant Vulnerability [OpenPKG-SA-2004.052] OpenPKG Security Advisory (vim)Vim, gVim: Vulnerable options in modelinesFLSA:2343RHSA-2005:010RHSA-2005:036vim-modeline-gain-privileges(18503)Unknown vulnerability in the DICOM dissector in Ethereal 0.10.4 through 0.10.7 allows remote attackers to cause a denial of service (application crash).http://www.ethereal.com/appnotes/enpa-sa-00016.htmlCLA-2005:916GLSA-200412-15MDKSA-2004:152RHSA-2005:037P-0611194313468ethereal-dicom-dos(18484)FLSA-2006:152922MDKSA-2004:152Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denial of service (application hang) and possibly fill available disk space via an invalid RTP timestamp.http://www.ethereal.com/appnotes/enpa-sa-00016.htmlCLA-2005:916GLSA-200412-15MDKSA-2004:152RHSA-2005:037P-0611346811943Ethereal-rtp-dos(18485)FLSA-2006:152922MDKSA-2004:152The HTTP dissector in Ethereal 0.10.1 through 0.10.7 allows remote attackers to cause a denial of service (application crash) via a certain packet that causes the dissector to access previously-freed memory.http://www.ethereal.com/appnotes/enpa-sa-00016.htmlCLA-2005:916GLSA-200412-15MDKSA-2004:152RHSA-2005:037P-06113468ethereal-http-dissector-dos(18487)11943FLSA-2006:152922MDKSA-2004:152Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed SMB packet.http://www.ethereal.com/appnotes/enpa-sa-00016.htmlCLA-2005:916DSA-613GLSA-200412-15MDKSA-2004:152RHSA-2005:037P-0611346811943ethereal-smb-dos(18488)FLSA-2006:152922MDKSA-2004:152The password generation in mailman before 2.1.5 generates only 5 million unique passwords, which makes it easier for remote attackers to guess passwords via a brute force attack.20050110 [USN-59-1] mailman vulnerabilitieshttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=28679613603mailman-weak-encryption(18857)SUSE-SA:2005:007Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 systems allows local users to gain privileges.RHSA-2004:689SUSE-SA:2004:046linux-32bit-emulation-gain-privileges(18686)Multiple vulnerabilities in Konqueror in KDE 3.3.1 and earlier (1) allow access to restricted Java classes via JavaScript and (2) do not properly restrict access to certain Java classes from the Java applet, which allows remote attackers to bypass sandbox restrictions and read or write arbitrary files.http://www.heise.de/security/dienste/browsercheck/tests/java.shtml20041220 KDE Security Advisory: Konqueror Java Vulnerabilityhttp://www.kde.org/info/security/advisory-20041220-1.txtGLSA-200501-16MDKSA-2004:154RHSA-2005:065konqueror-sandbox-restriction-bypass(18596)VU#42022213586MDKSA-2004:154Multiple cross-site scripting (XSS) vulnerabilities in (1) main.c and (2) login.c for CVSTrac before 1.1.5 allow remote attackers to inject arbitrary HTML and web script.20041223 Cross-Site Scripting - an industry-wide problemhttp://www.mikx.de/index.php?p=620041217 [OpenPKG-SA-2004.056] OpenPKG Security Advisory (cvstrac)http://www.cvstrac.org/cvstrac/chngview?cn=321http://www.cvstrac.org/cvstrac/chngview?cn=32012017cvstrac-main-login-xss(18726)phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters.phpMyAdmin Multiple Remote VulnerabilitiesMultiple vulnerabilities in phpMyAdminhttp://www.exaprobe.com/labs/advisories/esa-2004-1213.htmlphpmyadmin-command-execute(18441)phpMyAdmin before 2.6.1, when configured with UploadDir functionality, allows remote attackers to read arbitrary files via the sql_localfile parameter.phpMyAdmin Multiple Remote VulnerabilitiesMultiple vulnerabilities in phpMyAdminhttp://www.exaprobe.com/labs/advisories/esa-2004-1213.htmlphpmyadmin-command-execute(18441)Computer Associates eTrust EZ Antivirus 7.0.0 to 7.0.4, including 7.0.1.4, installs its files with insecure permissions (ACLs), which allows local users to gain privileges by replacing critical programs with malicious ones, as demonstrated using VetMsg.exe.Computer Associates eTrust EZ Antivirus Local Insecure Default Installation Vulnerability20041215 Computer Associates eTrust EZ Antivirus Insecure File Permission Vulnerabilityetrust-antivirus-insecure-permissions(18502)Stack-based buffer overflow in the in_cdda.dll plugin for Winamp 5.0 through 5.08c allows attackers to execute arbitrary code via a cda:// URL with a long (1) device name or (2) sound track number, as demonstrated with a .m3u or .pls playlist file.20050127 NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Namehttp://www.nsfocus.com/english/homepage/research/0501.htmhttp://www.winamp.com/player/version_history.phpwinamp-incdda-bo(18840)1238113781Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges.[USN-38-1] Linux kernel vulnerabilitiesLinux Kernel Sys32_NI_Syscall/Sys32_VM86_Warning Local Buffer Overflow Vulnerability[linux-kernel] 20041130 Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall()http://linux.bkbits.net:8080/linux-2.6/cset@1.2079http://linux.bkbits.net:8080/linux-2.6/gnupatch@41ae6af1cR3mJYlW6D8EHxCKSxuJiQMDKSA-2005:022SUSE-SA:2004:044MDKSA-2005:022Buffer overflow in the mailListIsPdf function in Adobe Acrobat Reader 5.09 for Unix allows remote attackers to execute arbitrary code via an e-mail message with a crafted PDF attachment.Adobe Acrobat Reader Email Message Remote Buffer Overflow VulnerabilityAdobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerabilityhttp://www.adobe.com/support/techdocs/331153.htmladobe-acrobat-maillistlspdf-bo(18477)VU#25302413474 SUSE-SR:2005:001Format string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields.Adobe Reader 6.0 .ETD File Format String Vulnerabilityhttp://www.adobe.com/support/downloads/detail.jsp?ftpID=2679adobe-acrobat-etd-format-string(18478)OVAL2919oval:org.mitre.oval:def:2919Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow.Samba Directory Access Control List Remote Integer Overflow VulnerabilitySamba MS-RPC request heap corruptionSamba vulnerable to integer overflow processing file security descriptorshttp://www.samba.org/samba/security/CAN-2004-1154.htmlAPPLE-SA-2005-03-21DSA-701RHSA-2005:020SCOSA-2005.17SUSE-SA:2004:045134531197320041216 Samba smbd Security Descriptor Integer Overflow Vulnerability10164357730oval:org.mitre.oval:def:1459oval:org.mitre.oval:def:642Internet Explorer 5.01 through 6 allows remote attackers to spoof arbitrary web sites by injecting content from one window into another window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. NOTE: later research shows that Internet Explorer 7 on Windows XP SP2 is also vulnerable.Microsoft Internet Explorer Remote Window Hijacking VulnerabilityMultiple Browsers Window Injection Vulnerability Testhttp://secunia.com/secunia_research/2004-13/advisory/132512262820061025 IE7 status: 8 days after release, 3 unfixed issuesMozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.Mozilla Browser and Mozilla Firefox Remote Window Hijacking Vulnerabilityhttp://secunia.com/secunia_research/2004-13/advisory/http://secunia.com/multiple_browsers_window_injection_vulnerability_test/http://www.mozilla.org/security/announce/mfsa2005-13.htmlGLSA-200503-10GLSA-200503-3013129OVAL100045RHSA-2005:176RHSA-2005:384oval:org.mitre.oval:def:100045Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.Opera Window Injection Vulnerabilityhttp://secunia.com/secunia_research/2004-13/advisory/http://secunia.com/multiple_browsers_window_injection_vulnerability_test/GLSA-200502-17Konqueror 3.x up to 3.2.2-6, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window or tab whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.KDE Konqueror Remote Window Hijacking VulnerabilityKDE Security Advisory: Konqueror Window Injection VulnerabilityMultiple Browsers Window Injection Vulnerability Testhttp://secunia.com/secunia_research/2004-13/advisory/13254http://www.kde.org/info/security/advisory-20041213-1.txtRHSA-2005:00913254135601347713486 SUSE-SR:2005:001** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1122, CVE-2004-1314. Reason: this was an out-of-band assignment duplicate intended for one issue, but the description and references inadvertently combined multiple issues. Notes: All CVE users should consult CVE-2004-1122 and CVE-2004-1314 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage.Netscape 7.x to 7.2, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability.Netscape Remote Window Hijacking VulnerabilityMultiple Browsers Window Injection Vulnerability Testhttp://secunia.com/secunia_research/2004-13/advisory/13402rssh 2.2.2 and earlier does not properly restrict programs that can be run, which could allow remote authenticated users to bypass intended access restrictions and execute arbitrary programs via (1) rdist -P, (2) rsync, or (3) scp -S.RSSH Remote Arbitrary Command Execution Vulnerabilityrssh and scponly arbitrary command executionrssh, scponly: Unrestricted command execution20050115 Re: rssh and scponly arbitrary command executionThe unison command in scponly before 4.0 does not properly restrict programs that can be run, which could allow remote authenticated users to bypass intended access restrictions and execute arbitrary programs via the (1) -rshcmd or (2) -sshcmd flags.SCPOnly Remote Arbitrary Command Execution Vulnerabilityscponly command line command executionGLSA-200412-01http://www.sublimation.org/scponly/#relnotes20041202 rssh and scponly arbitrary command execution20050115 Re: rssh and scponly arbitrary command executionCisco CNS Network Registrar Central Configuration Management (CCM) server 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (CPU consumption) by ending a connection after sending a certain sequence of packets.Cisco CNS Network Registrar CCM denial of service20041202 Cisco Network Registrar Denial of Service VulnerabilityThe lock manager in Cisco CNS Network Registrar 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (process crash) via a certain "unexpected packet sequence."Cisco CNS Network Registrar DNS and DHCP Server Remote Denial of Service VulnerabilitiesCisco CNS Network Registrar lock manager denial of service20041202 Cisco Network Registrar Denial of Service VulnerabilityKonqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.Multiple Web browsers FTP command executionKDE Konqueror FTP URI Arbitrary FTP Server Command Execution VulnerabilityDSA-631GLSA-200501-18MDKSA-2005:045RHSA-2005:009RHSA-2005:06520041205 7a69Adv#16 - Konqueror FTP command injectionMDKSA-2005:045CRLF injection vulnerability in Microsoft Internet Explorer 6.0.2800.1106 and earlier allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command.Microsoft Internet Explorer FTP URI Arbitrary FTP Server Command Execution VulnerabilityMultiple Web browsers FTP command execution20041207 7a69Adv#15 - Internet Explorer FTP command injectionMS06-042ADV-2006-321212299101244413404oval:org.mitre.oval:def:46220080313 Rapid7 Advisory R7-0032: Microsoft Internet Explorer FTP Command Injection Vulnerability28208ADV-2008-087029346mirrorselect before 0.89 creates temporary files in a world-writable location with predictable file names, which allows remote attackers to overwrite arbitrary files via a symlink attack.Gentoo MirrorSelect Local Insecure File Creation Vulnerabilitymirrorselect symlink attackmirrorselect: Insecure temporary file creation13392Stack-based buffer overflow in the WebDav handler in MaxDB WebTools 7.5.00.18 and earlier allows remote attackers to execute arbitrary code via a long Overwrite header.MySQL MaxDB WebDav Handler Overwrite Header Remote Buffer Overflow VulnerabilityMaxDB WebDav buffer overflowMaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Service20041207 MaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of ServiceMaxDB WebTools 7.5.00.18 and earlier allows remote attackers to cause a denial of service (application crash) via an HTTP GET request for a file that does not exist, followed by two carriage returns, which causes a NULL dereference.MySQL MaxDB WAHTTP Server Remote Denial Of Service VulnerabilityMaxDB denial of serviceMaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Service20041207 MaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Servicea2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename.GNU a2ps File Name Command Execution VulnerabilityGNU a2ps allows elevated privileges[Full-Disclosure] a2ps executing shell commands from file nameMDKSA-2004:140SUSE-SA:2004:034http://bugs.debian.org/28313412375http://www.securiteam.com/unixfocus/5MP0N2KDPA.htmlFLSA:15287057649OpenPKG-SA-2005.003MDKSA-2004:140KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials for plaintext in the user's .desktop file, which may be created with world-readable permissions, which could allow local users to obtain usernames and passwords for remote resources such as SMB shares.KDE Plaintext Password Disclosure VulnerabilityShortcuts may insecurely store SMB authentication information Password Disclosure for SMB Shares in KDE's Konquerorhttp://www.sec-consult.com/index.php?id=118 http://www.kde.org/info/security/advisory-20041209-1.txt20041129 Password Disclosure for SMB Shares in KDE's KonquerorGLSA-200412-16MDKSA-2004:150P-051122481012471135601347713486kde-smb-password-plaintext(18267)20041209 KDE Security Advisory: plain text password exposureStack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname.VERITAS Backup Exec Agent Browser Remote Buffer Overflow Vulnerability20041216 Veritas Backup Exec Agent Browser Registration Request Buffer Overflow Vulnerabilityhttp://www.frsirt.com/exploits/20050111.101_BXEC.cpp.phphttp://seer.support.veritas.com/docs/273419.htmhttp://seer.support.veritas.com/docs/273420.htmhttp://seer.support.veritas.com/docs/273422.htmhttp://seer.support.veritas.com/docs/273850.htmVU#90772913495netbackup-agent-browser-bo(18506)Internet Explorer 6 allows remote attackers to bypass the popup blocker via the document object model (DOM) methods in the DHTML Dynamic HTML (DHTML) Editing Component (DEC) and Javascript that calls showModalDialog.HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !20041210 HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !20041210 HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut !ie-popup-blocking-bypass(18444)direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows attackers to cause a denial of service by "manipulating non-existing file handles."mc -- several vulnerabilitiesDebian update for mcMidnight Commander Format String, Buffer Overflow, and Memory Allocation Errors May Let Remote Users Deny Service or Execute Arbitrary Codebid 12263midnight-commander-direntry-dos(18909)1012903RHSA-2005:512fish.c in midnight commander allows remote attackers execute arbitrary programs via "insecure filename quoting," possibly using shell metacharacters.mc -- several vulnerabilitiesDebian update for mcMidnight Commander command executionbid 12263http://securitytracker.com/alerts/2005/Jan/1012903.html1012903RHSA-2005:512Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code.mc -- several vulnerabilitiesDebian update for mcbid 12263GLSA-200502-24RHSA-2005:217midnight-commander-extfs-dos(18911)http://securitytracker.com/alerts/2005/Jan/1012903.html1012903Cross-site scripting (XSS) vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via a URL, which is not properly escaped in the resulting error page.20050110 [USN-59-1] mailman vulnerabilitieshttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=287555DSA-674MDKSA-2005:01513603mailman-script-driver-xss(18854)RHSA-2005:235MDKSA-2005:015SUSE-SA:2005:007The debstd script in debmake 3.6.x before 3.6.10 and 3.7.x before 3.7.7 allows local users to overwrite arbitrary files via a symlink attack on temporary directories.DSA-61520041223 [USN-49-1] debmake vulnerability1363312078debmake-debstd-symlink(18646)Unknown vulnerability in the rwho daemon (rwhod) before 0.17, on little endian architectures, allows remote attackers to cause a denial of service (application crash).DSA-678MDKSA-2005:03914309MDKSA-2005:039htmlheadline before 21.8 allows local users to overwrite arbitrary files via a symlink attack on temporary files.htmlheadline -- insecure temporary filesbid 12147HtmlHeadLine.sh symlink attackHtmlHeadLine.sh Unsafe Temporary Files May Let Local Users Gain Elevated Privileges101275613715hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfaxd file, allows remote attackers to authenticate and bypass intended access restrictions via a crafted (1) username or (2) hostname that satisfies a regular expression that is matched against a hosts.hfaxd entry without a password.20050111 HylaFAX hfaxd unauthorized login vulnerability[hylafax-announce] 20050111 **ANOUNCE** hylafax-4.2.1 releasedGLSA-200501-21MDKSA-2005:00613812MDKSA-2005:006Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file.CLA-2005:920GLSA-200501-06MDKSA-2005:001MDKSA-2005:002MDKSA-2005:052RHSA-2005:019RHSA-2005:035SUSE-SA:2005:00120050106 [USN-54-1] TIFF library tool vulnerability13728libtiff-tiffdump-bo(18782)1217313776MDKSA-2005:001MDKSA-2005:002MDKSA-2005:052The EPSF pipe support in enscript 1.6.3 allows remote attackers or local users to execute arbitrary commands via shell metacharacters.DSA-654GLSA-200502-03MDKSA-2005:033RHSA-2005:04020050124 [USN-68-1] enscript vulnerabilitiesenscript-epsf-command-ececution(19012)FLSA:152892USN-68-1101296520060526 rPSA-2006-0083-1 enscript12329MDKSA-2005:033Enscript 1.6.3 does not sanitize filenames, which allows remote attackers or local users to execute arbitrary commands via crafted filenames.DSA-654GLSA-200502-03MDKSA-2005:033RHSA-2005:04020050124 [USN-68-1] enscript vulnerabilitiesenscript-filename-command-execution(19029)FLSA:152892USN-68-1101296520060526 rPSA-2006-0083-1 enscript12329MDKSA-2005:033Multiple buffer overflows in enscript 1.6.3 allow remote attackers or local users to cause a denial of service (application crash).DSA-654GLSA-200502-03MDKSA-2005:033RHSA-2005:04020050124 [USN-68-1] enscript vulnerabilitiesenscript-multiple-bo(19033)FLSA:152892USN-68-1101296520060526 rPSA-2006-0083-1 enscript12329MDKSA-2005:033Heap-based buffer overflow in the pnm_get_chunk function for xine 0.99.2, and other packages such as MPlayer that use the same code, allows remote attackers to execute arbitrary code via long PNA_TAG values, a different vulnerability than CVE-2004-1188.MPlayer And Xine PNM_Get_Chunk Multiple Remote Client-Side Buffer Overflow VulnerabilitiesMultiple Vendor Xine 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerabilityhttp://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diffMDKSA-2005:011xine-pnatag-bo(18640)MDKSA-2005:011The pnm_get_chunk function in xine 0.99.2 and earlier, and other packages such as MPlayer that use the same code, does not properly verify that the chunk size is less than the PREAMBLE_SIZE, which causes a read operation with a negative length that leads to a buffer overflow via (1) RMF_TAG, (2) DATA_TAG, (3) PROP_TAG, (4) MDPR_TAG, and (5) CONT_TAG values, a different vulnerability than CVE-2004-1187.MPlayer And Xine PNM_Get_Chunk Multiple Remote Client-Side Buffer Overflow VulnerabilitiesMultiple Vendor Xine 0.99.2 PNM Handler Negative Read Length Overflow Vulnerabilityhttp://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diffMDKSA-2005:011xine-pnmgetchunk-bo(18638)MDKSA-2005:011The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow.http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt20041220 MITKRB5-SA-2004-004: heap overflow in libkadm5srvCLA-2005:917MDKSA-2004:156RHSA-2005:012RHSA-2005:0452004-006920050110 [USN-58-1] MIT Kerberos server vulnerabilitykerberos-libkadm5srv-bo(18621)APPLE-SA-2005-08-15APPLE-SA-2005-08-17MDKSA-2004:156SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not properly check commands sent to CD devices that have been opened read-only, which could allow local users to conduct unauthorized write activities to modify the firmware of associated SCSI devices.Online Security SupportSUSE-SA:2004:042suse-scsi-firmware-overwrite(18370)RHSA-2006:01011851011784Race condition in SuSE Linux 8.1 through 9.2, when run on SMP systems that have more than 4GB of memory, could allow local users to read unauthorized memory from "foreign memory pages."Online Security SupportSuSE-SA:2004:042linux-smbrecvtrans2-memory-leak(18137)Format string vulnerability in the lprintf function in Citadel/UX 6.27 and earlier allows remote attackers to execute arbitrary code via format string specifiers sent to the server.Citadel/UX Network Data Logging Remote Format String Vulnerabilityhttp://www.nosystem.com.ar/advisories/advisory-09.txtcitadel-format-string(18429)20041213 Citadel/UX <= v6.27 Remote Format String Vulnerability20041214 Re: Citadel/UX <= v6.27 Remote Format String VulnerabilityPrevx Home 1.0 allows local users with adminstrator privileges to bypass the intrusion prevention features by directly writing to \device\physicalmemory, which restores the running kernel's original SDT ServiceTable.Prevx Home disable protection settings20041124 Re: [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration 20041122 [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restorationhttp://www.securitytracker.com/alerts/2004/Nov/1012294.html1012294Buffer overflow in Star Wars Battlefront 1.11 and earlier allows remote attackers to cause a denial of service (application crash) via a long nickname.LucasArts Star Wars Battlefront Game Server Multiple Remote Denial Of Service VulnerabilitiesStar Wars Battlefront long nickname buffer overflow20041124 Limited buffer-overflow and arbitrary memory access in Star WarsStar Wars Battlefront 1.11 and earlier allows remote attackers to cause a denial of service (application crash) via a join request that contains a memory address that causes the server to read arbitrary memory.LucasArts Star Wars Battlefront Game Server Multiple Remote Denial Of Service VulnerabilitiesStar Wars Battlefront packet denial of service20041124 Limited buffer-overflow and arbitrary memory access in Star Wars Battlefront 1.1Cross-site scripting (XSS) vulnerability in inmail.pl in Insite Inmail allows remote attackers to inject arbitrary web script or HTML via the acao parameter.InShop and InMail Cross-Site Scripting VulnerabilitiesInsite's InMail and inShop cross-site scripting1318820041124 XSS in Brazilian Insite productsCross-site scripting (XSS) vulnerability in inshop.pl in Insite inShop allows remote attackers to inject arbitrary web script or HTML via the screen parameter.InShop and InMail Cross-Site Scripting VulnerabilitiesInsite's InMail and inShop cross-site scriptingInsite InMail / inShop Cross-Site Scripting Vulnerabilities20041124 XSS in Brazilian Insite productsMicrosoft Internet Explorer allows remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.Multiple vendor Web browsers nested array denial of serviceMicrosoft Internet Explorer Infinite Array Sort Denial Of Service Vulnerability[Full-Disclosure] MSIE & FIREFOX flaws: 20041125 MSIE flaws: nested array sort() loop Stack overflow exceptionSafari 1.2.4 on Mac OS X 10.3.6 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.Multiple vendor Web browsers nested array denial of serviceApple Safari Web Browser Infinite Array Sort Denial Of Service Vulnerability20041125 More Browser flaws on MACOSX: nested array sort() loop Stack overflow exceptionFirefox and Mozilla allow remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.Multiple vendor Web browsers nested array denial of serviceMozilla Firefox Infinite Array Sort Denial Of Service Vulnerability20041125 FIREFOX flaws: nested array sort() loop Stack overflow exception20041125 MSIE & FIREFOX flaws: 'detailed' advisory and comments that you probably don't want to read anyway11760Opera 7.54 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays.Opera Web Browser Infinite Array Sort Denial Of Service VulnerabilityMultiple vendor Web browsers nested array denial of serviceRe: [Full-Disclosure] MSIE flaws: nested array sort() loop20041125 Re: Opera flaws: nested array sort() loop Stack overflow exceptionCross-site scripting (XSS) vulnerability in parser.php in phpCMS 1.2.1 and earlier, with non-stealth and debug modes enabled, allows remote attackers to inject arbitrary web script or HTML via the file parameter.Successful exploitation requires that both the non-stealth and the debug modes are enabled.phpCMS parser.php cross-site scriptingPHPCMS Cross-Site Scripting VulnerabilityphpCMS <= 1.2.1 Xss Vulnerability, Information disclosurehttp://www.phpcms.de/download/index.en.html20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosureparser.php in phpCMS 1.2.1 and earlier, with non-stealth and debug modes enabled, allows remote attackers to gain sensitive information via an invalid file parameter, which reveals the web server's installation path.phpCMS <= 1.2.1 Xss Vulnerability, Information disclosurephpcms-parser-path-disclosure(18279)phpcms-parser-xss(18272)20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosureFluxBox 0.9.10 and earlier versions allows local users to cause a denial of service (application crash) by calling Xman with a long -title value, possibly triggering a buffer overflow.FluxBox XMAN denial of serviceFluxBox crash vulnerability20041126 FluxBox crash vulnerabilitycodebrowserpntm.php in PnTresMailer 6.03 allows remote attackers to gain sensitive information via an invalid filetohighlight parameter, which reveals the full path in an error message.PnTresMailer information disclosurePnTresMailer code browser 6.03 VulnerabilitiesDirectory traversal vulnerability in codebrowserpntm.php in pnTresMailer 6.0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the filetodownload parameter.PNTresMailer Directory Traversal VulnerabilityPnTresMailer code browser 6.03 Vulnerabilitiespntresmailer-information-disclosure(18263)The Serious engine, as used in (1) Alpha Black Zero Intrepid Protocol 1.04 and earlier, (2) Nitro family, and (3) Serious Sam Second Encounter 1.07 allows remote attackers to cause a denial of service (server crash) via a large number of UDP join requests that exceeds the maximum player limit, as originally reported for Alpha Black Zero.20040929 Crash in Alpha Black Zero 1.041127912687alphablackzero-udp-packet-dos(17545)101145420041128 Players overflow in Serious engine UDP (was Alpha Black Zero, 29 Sep 2004)Buffer overflow in Orbz 2.10 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long password field in a join request.21-6 Productions Orbz Remote Buffer Overflow VulnerabilityOrbz join packet password buffer overflow Buffer-overflow in Orbz 2.10Verisign Payflow Link, when running with empty Accepted URL fields, does not properly verify the data in the hidden AMOUNT field, which allows remote attackers to modify the price of the items that they purchase.Payflow Link hidden field modification[SHK-001]Payflow Link Default Config may lead to Hidden Field ModificationCross-site scripting (XSS) vulnerability in proxylog.dat in IPCop 1.4.1 and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the (1) url or (2) part variables.IPCop Web Administration Interface Proxy Log HTML Injection VulnerabilityIPCop proxylog.dat page cross-site scripting20041201 [KA Advisory 0411291] IPCop Cross Site Scripting Vulnerability in proxylog.datMultiple buffer overflows in the IMAP service in Mercury/32 4.01a allow remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via long arguments to the (1) EXAMINE, (2) SUBSCRIBE, (3) STATUS, (4) APPEND, (5) CHECK, (6) CLOSE, (7) EXPUNGE, (8) FETCH, (9) RENAME, (10) DELETE, (11) LIST, (12) SEARCH, (13) CREATE, or (14) UNSUBSCRIBE commands.Mercury Mail Multiple Remote IMAP Stack Buffer Overflow VulnerabilitiesMercury Mail Transport System command buffer overflowMultiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003.20041201 Multiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003.1250813348Directory traversal vulnerability in btdownload.php in Blog Torrent preview 0.8 allows remote attackers to download arbitrary files via a .. (dot dot) in the file argument.Blog Torrent Remote Directory Traversal VulnerabilityBlog Torrent btdownload.php directory traversalBlog Torrent preview 0.8 - arbitary file downloadCross-site scripting (XSS) vulnerability in index.php in Advanced Guestbook 2.3.1, 2.2, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the entry parameter.Advanced Guestbook Cross-Site Scripting VulnerabilityAdvanced Guestbook index.php cross-site scripting Advanced Guestbook20041204 Re: Advanced GuestbookFormat string vulnerability in Kreed 1.05 and earlier allows remote attackers to execute arbitrary code via format specifiers in (1) a nickname or (2) message text.Burut Kreed Game Server Multiple Remote VulnerabilitiesKreed message and nickname format stringMultiple vulnerabilities in Kreed 1.05Kreed 1.05 and earlier allows remote attackers to cause a denial of service (server disconnect) via a long UDP packet, which causes a "message too long" socket error.Burut Kreed Game Server Multiple Remote VulnerabilitiesKreed UDP packet denial of serviceMultiple vulnerabilities in Kreed 1.05The scripts that handle players in Kreed 1.05 and earlier allow remote attackers to cause a denial of service (server freeze) via a long (1) nickname or (2) model type, which generates dialog boxes on the server that must be manually handled before the server continues the game.Burut Kreed Game Server Multiple Remote VulnerabilitiesKreed nickname or model type denial of serverMultiple vulnerabilities in Kreed 1.05Hosting Controller 6.1 Hotfix 1.4, and possibly other versions, allows remote attackers to view arbitrary directories by specifying the target pathname in the FilePath parameter to (1) Statsbrowse.asp or (2) Generalbrowse.asp.Hosting Controller FilePath Parameter File Disclosure VulnerabilityHosting Controller view filesHosting ControllerRemote Execute 2.30 allows remote attackers to cause a denial of service (application crash) by making 7 simultaneous connections.Ibex Software Remote Execute Remote Denial of Service VulnerabilityRemote Execute denial of serviceRemote Execute vulnerable to denial-of-serviceDoS leading to crash of client in Remote Execute 2.30paFileDB 3.1, when using sessions authentication and while the administrator logs on, allows remote attackers to read the administrator's password hash and conduct brute force password guessing attacks by listing the contents of the sessions directory and reading the associated file for the administrator session.PAFileDB Password Hash Disclosure VulnerabilitypaFileDB 'sessions' method information disclosureMultiple Vulnerabilities in paFileDB 3.1http://echo.or.id/adv/adv09-y3dips-2004.txtBattlefield 1942 1.6.19 and earlier, and Battlefield Vietnam 1.2 and earlier, allows a remote master server to cause a denial of service (client crash) via a server reply that contains a large numplayers value, which triggers a null dereference.Digital Illusions Multiple Games Remote Denial of Service VulnerabilityBroadcast client crash in Battlefield 1942 1.6.19 and Vietnam 1.2Battlefield Vietnam numplayers denial of servicebattlefield-numplayers-dos(18400)Directory traversal vulnerability in weblibs.pl in WebLibs 1.0 allows remote attackers to read arbitrary files via .. sequences in the TextFile parameter.Darryl Burgdorf WebLibs Directory Traversal VulnerabilityWebLibs weblibs.pl directory traversalRemote Web Server Text File Viewing Vulnerability in WebLibs 1.013400weblibs.pl in WebLibs 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the TextFile parameter.Darryl Burgdorf WebLibs Directory Traversal VulnerabilityWebLibs weblibs.pl directory traversalRemote Web Server Text File Viewing Vulnerability in WebLibs 1.0The Management Agent in F-Secure Policy Manager 5.11.2810 allows remote attackers to gain sensitive information, such as the absolute path for the web server, via an HTTP request to fsmsh.dll without any parameters.F-Secure URL obtain informationF-Secure Policy Manager FSMSH.DLL CGI Application Installation Path Disclosure Vulnerability=?iso-8859-1?Q?F-Secure_Policy_Manager_-__physical_path_disclosure?=http://www.oliverkarow.de/research/f-secure.txtOff-by-one error in the mtr_curses_keyaction function for mtr 0.55 through 0.65 allows local users to hijack raw sockets, as demonstrated using the "s" keybinding, which leaves a buffer without a NULL terminator.MTR MTR_Curses_KeyAction Local Off-By-One Buffer Overflow VulnerabilityLocal off-by-one in mtr versions 0.55 to 0.65mtr-mtrcurseskeyaction-offbyone-bo(18428)SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality.SugarCRM Multiple Input Validation VulnerabilitiesSugarCRM record SQL injectionSugarSales Multiple VulnerabilitiesSugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter. SugarSales Multiple Vulnerabilitiessugar-sales-path-disclosure(18447)Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to read arbitrary files and possibly execute arbitrary PHP code via .. (dot dot) sequences in the (1) module, (2) action, or (3) theme parameters to index.php, (4) the theme parameter to Login.php, and possibly other parameters or scripts.SugarCRM Multiple Input Validation VulnerabilitiesSugarCRM directory traversalSugarSales Multiple VulnerabilitiesThe install scripts in SugarCRM Sugar Sales 2.0.1c and earlier are not removed after installation, which allows attackers to obtain the MySQL administrative password in cleartext from an installation form, or to cause a denial of service by changing database settings to the default.SugarSales Multiple Vulnerabilitiessugar-sales-password-plaintext(18449)Cross-site scripting vulnerability in the parser for Gadu-Gadu allows remote attackers to inject arbitrary web script or HTML via (1) http:// or (2) news:// URLs, a different vulnerability than CVE-2004-1410.http://www.man.poznan.pl/~security/gg-adv.txtgadu-gadu-xss(18582)11899125171345020041213 Gadu-Gadu several vulnerabilitiesGadu-Gadu allows remote attackers to gain sensitive information and read files from the _cache directory of other users via a DCC connection and a CTCP packet that contains a 1 as the type and a 4 as the subtype.http://www.man.poznan.pl/~security/gg-adv.txtgadu-gadu-dcc-ctcp-obtain-files(18461)20041213 Gadu-Gadu several vulnerabilitiesDirectory traversal vulnerability in Gadu-Gadu allows remote attackers to read arbitrary files via .. (dot dot) sequences in a DCC connection with a CTCP packet that contains a 1 as the type and a 4 as the subtype.http://www.man.poznan.pl/~security/gg-adv.txtgadu-gadu-dcc-ctcp-obtain-files(18461)20041213 Gadu-Gadu several vulnerabilitiesStack-based buffer overflow in the code that sends images in Gadu-Gadu allows remote attackers to execute arbitrary code via a large image filename.http://www.man.poznan.pl/~security/gg-adv.txtgadu-gadu-image-filename-bo(18462)20041213 Gadu-Gadu several vulnerabilitiesInteger overflow in Gadu-Gadu allows remote attackers to cause a denial of service (disk consumption) via a user packet to the DCC file transfer capability with an invalid file length.http://www.man.poznan.pl/~security/gg-adv.txtgadu-gadu-dcc-bo(18465)20041213 Gadu-Gadu several vulnerabilitiesload_elf_binary in Linux before 2.4.26 allows local users to cause a denial of service (system crash) via an ELF binary in which the interpreter is NULL.FLSA:2336RHSA-2004:689http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQhttp://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=14296512101linux-loadelfbinary-dos(18687)RHSA-2005:016DSA-1070DSA-1067DSA-1069RHSA-2005:017201622016320202DSA-108220338Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor.Updated kernel packages fix security vulnerabilitiesbid 12190http://isec.pl/vulnerabilities/isec-0021-uselib.txtCLA-2005:930FEDORA-2005-013FEDORA-2005-014FLSA:2336MDKSA-2005:022RHSA-2005:0922005-0001http://www.securityfocus.com/advisories/7804linux-uselib-gain-privileges(18800)RHSA-2005:01620050107 Linux kernel sys_uselib local root vulnerabilityDSA-1070DSA-1067DSA-1069RHSA-2005:017201622016320202DSA-108220338 SUSE-SR:2005:001MDKSA-2005:022Buffer overflow in the LDAP component for Netscape Directory Server (NDS) 3.6 on HP-UX and other operating systems allows remote attackers to execute arbitrary code.SSRT486757754VU#258905P-0831209914960Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors.Updated kernel packages fix security vulnerabilitiesbid 12309** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none.Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability."MS05-009VU#259890TA05-039AOVAL1306OVAL1568OVAL2379win-ms05kb890261-update(19096)oval:org.mitre.oval:def:1306oval:org.mitre.oval:def:1568oval:org.mitre.oval:def:2379WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, possibly causing an integer overflow that leads to a buffer overflow.WinRAR <= 3.41 Compressed File Deletion Buffer Overflow ExploitRARLAB WinRAR File Name Remote Client-Side Buffer Overflow Vulnerabilityhttp://www.frsirt.com/exploits/20041217.Winrar.c.phpwinrar-zip-file-bo(18569)Buffer overflow in the expandtabs function in 2fax 3.04 allows remote attackers to execute arbitrary code via a text file that is converted to TIFF.2Fax Tab Expansion Buffer Overflow Vulnerability2fax 3.04 expandtabs overflows s buffer2fax-bpcx-bo(10901)Multiple buffer overflows in the (1) event_text and (2) event_specific functions in abc2midi 2004.12.04 allow remote attackers to execute arbitrary code via crafted ABC files.ABC2MIDI Multiple Stack Buffer Overflow Vulnerabilitiesabc2midi 2004.12.04 event_text overflows msg buffer; event_specific overflows msg bufferabc2midi-eventspecific-bo(18574)abc2midi-eventtext-bo(18573)Buffer overflow in the process_abc function in abc.c for abc2mtex 1.6.1 allows remote attackers to execute arbitrary code via crafted ABC files.ABC2MTEX Process ABC Key Field Buffer Overflow Vulnerabilityabc2mtex 1.6.1 process_abc overflows key bufferabc2mtex-processabc-bo(18578)Buffer overflow in the put_words function in subs.c for abcm2ps 3.7.20 allows remote attackers to execute arbitrary code via crafted ABC files.abcm2ps 3.7.20 put_words overflows str bufferJef Moine abcm2ps ABC File Remote Buffer Overflow Vulnerabilityabcm2ps-putwords-bo(18579)Multiple buffer overflows in the handle_directive function in abcpp.c for abcpp 1.3.0 allow remote attackers to execute arbitrary code via crafted ABC files.process_directive overflows token bufferABCPP Directive Handler Buffer Overflow Vulnerabilityabcpp-handledirective-bo(18581)Multiple buffer overflows in the (1) write_heading function in subs.cpp or (2) trim_title function in parse.cpp for abctab2ps 1.6.3 allow remote attackers to execute arbitrary code via crafted ABC files.abctab2ps 1.6.3 write_heading overflows t; _ trim_title overflows restabctab2ps Write_Heading Function ABC File Remote Buffer Overflow Vulnerabilityabctab2ps Trim_Title Function ABC File Remote Buffer Overflow Vulnerabilityabctab2ps-trimtitle-bo(18584)abctab2ps-writeheading-bo(18583)Multiple buffer overflows in the preparse function in asp2php 0.76.23 allow remote attackers to execute arbitrary code via crafted ASP scripts.preparse() overflows token buffer; preparse() overflows temp bufferasp2php-preparse-bo(18585)Buffer overflow in the bsb_open_header function in libbsb for bsb2ppm 0.0.6 allows remote attackers to execute arbitrary code via crafted BSB pictures. bsb2ppm 0.0.6 overflows line bufferbsb2ppm-bsbopenheader-bo(18586)changepassword.cgi in ChangePassword 0.8, when installed setuid, allows local users to execute arbitrary code by modifying the PATH environment variable to point to a malicious "make" program.ChangePassword Local Privilege Escalation Vulnerabilityhttp://tigger.uic.edu/~jlongs2/holes/changepassword.txtchangepassword-gain-privileges(18593)Buffer overflow in the simplify_path function in config.c for ChBg 1.5 allows remote attackers to execute arbitrary code via a crafted chbg scenario file.ChBg Scenario File Overflow Vulnerabilitychbg 1.5 simplify_path overflows res bufferDSA-644MDKSA-2005:027chbg-simplifypath-bo(18595)MDKSA-2005:027Buffer overflow in the readObjectChunk function in 3dsimp.cpp for the convex-tool program in Convex 3D 0.8pre1 allows remote attackers to execute arbitrary code via a crafted 3DS file.Convex 3D Buffer Overflow VulnerabilityConvex 3D 0.8pre1 readObjectChunk overflows objectname bufferconvex-3d-readobjectchunk-bo(18601)Buffer overflow in the get_field_headers function in csv2xml.cpp for csv2xml 0.5.1 allows remote attackers to execute arbitrary code via a crafted CSV file.CSV2XML Buffer Overflow Vulnerabilitycsv2xml 0.5.1 get_field_headers overflows tokencsv2xml-getfieldheaders-bo(18602)Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file.CUPS 1.1.22 hpgltops ParseCommand overflows bufCUPS HPGL File Processor Buffer Overflow VulnerabilityMDKSA-2005:008RHSA-2005:013RHSA-2005:053cups-parsecommand-hpgl-bo(18604)GLSA-200412-25USN-50-1MDKSA-2005:008lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS passwd file, which allows local users to corrupt the file by filling the associated file system and triggering the write errors.lppasswd ignores write errors, etc.MDKSA-2005:008RHSA-2005:013RHSA-2005:053cups-lppasswd-passwd-truncate(18606)GLSA-200412-25USN-50-1MDKSA-2005:008lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail.CUPS 1.1.22 lppasswd ignores write errors, etc.MDKSA-2005:008RHSA-2005:013RHSA-2005:053cups-lppasswd-dos(18608)GLSA-200412-25USN-50-1MDKSA-2005:008lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message.CUPS 1.1.22 lppasswd ignores write errors, etc.MDKSA-2005:008RHSA-2005:013RHSA-2005:053cups-lppasswd-passwd-modify(18609)GLSA-200412-25USN-50-1MDKSA-2005:008Buffer overflow in the dxfin function in d.c for dxfscope 0.2 allows remote attackers to execute arbitrary code via a crafted DXF file. dxfscope 0.2 overflows ent_name bufferDXFScope Remote Client-Side Buffer Overflow Vulnerabilitydxfscope-dxfin-bo(18558)Buffer overflow in the save_embedded_address function in filter.c for elm/bolthole filter 2.6.1 allows remote attackers to execute arbitrary code via a crafted email message.elm/bolthole filter 2.6.1 save_embedded_address overflows address bufferBolthole Filter Address Parsing Buffer Overflow Vulnerabilityelm-bolthole-bo(18607)Buffer overflow in the DownloadLoop function in main.c for greed 0.81p allows remote attackers to execute arbitrary code via a GRX file containing a long filename.DownloadLoop overflows COMMAND; DownloadLoop does not check for nasty charactersgreed-downloadloop-bo(18633)The DownloadLoop function in main.c for greed 0.81p allows remote attackers to execute arbitrary code via a GRX file containing a filename with shell metacharacters.DownloadLoop overflows COMMAND; DownloadLoop does not check for nasty charactersgreed-downloadloop-command-execution(18634)Buffer overflow in the remove_quote function in convert.c for html2hdml 1.0.3 allows remote attackers to execute arbitrary code via a crafted HTML file.html2hdml 1.0.3 remove_quote overflows print_buf bufferhtml2hdml-removequote-bo(18556)IglooFTP 0.6.1, when recursively uploading a directory, allows local users to overwrite the files that are being uploaded by creating temporary files with names generated by the tmpnam function, before the files are opened by IglooFTP.IglooFTP 0.6.1 uses fopen in /tmpiglooftp-file-overwrites(18632)The download_selection_recursive() function in ftplist.c for IglooFTP 0.6.1 allows remote malicious FTP servers to overwrite arbitrary files via filenames that contain / (slash) characters.IglooFTP 0.6.1 does not check for directory escapesiglooftp-file-overwrite(18561)Buffer overflow in the switch_voice function in parse.c for jcabc2ps 20040902 allows remote attackers to execute arbitrary code via a crafted ABC file.jcabc2ps switch_voice() overflows t1 bufferABC2PS/JCABC2PS Voice Field Buffer Overflow Vulnerabilityjcabc2ps-switchvoice-bo(18563)Buffer overflow in the get_file_list_stdin function in jpegtoavi 1.5 allows remote attackers to execute arbitrary code via a crafted set of JPEG files and filenames.JPegToAvi File List Buffer Overflow Vulnerabilityhttp://tigger.uic.edu/~jlongs2/holes/jpegtoavi.txtjpegtoavi-getfileliststdin-bo(18565)The gui_popup_view_fly function in gui_tview_popup.c for junkie 0.3.1 allows remote malicious FTP servers to execute arbitrary commands via shell metacharacters in a filename.junkie 0.3.1 gui_popup_view_fly does not check for nasty characters; ftp_retr does not check for directory escapesjunkie-command-execution(18567)The ftp_retr function in junkie 0.3.1 allows remote malicious FTP servers to overwrite arbitrary files via .. (dot dot) sequences in a filename.junkie 0.3.1 gui_popup_view_fly does not check for nasty characters; ftp_retr does not check for directory escapesjunkie-ftpretr-command-execution(18568)Buffer overflow in the strexpand function in string.c for LinPopUp 1.2.0 allows remote attackers to execute arbitrary code via a crafted message that is not properly handled during a Reply operation.LinPopUp 1.2.0 overflows sub_string bufferLinPopUp Remote Buffer Overflow VulnerabilityDSA-632linpopup-strexpand-bo(18627)Buffer overflow in the Mesh::type method in mesh.c for the mview program in Mesh Viewer 0.2.2 allows remote attackers to execute arbitrary code via crafted mesh files.Mesh Viewer Buffer Overflow VulnerabilityMesh Viewer 0.2.2 Mesh::type overflows s1 buffermesh-type-bo(18616)Buffer overflow in the find_next_file function in playlist.c for mpg123 0.59r allows remote attackers to execute arbitrary code via a crafted MP3 playlist.mpg123 0.59r find_next_file overflows linetmp bufferMPG123 Find Next File Remote Client-Side Buffer Overflow Vulnerabilitympg123-findnextfile-bo(18626) SUSE-SR:2005:001Buffer overflow in the get_header function in asf_mmst_streaming.c for MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a crafted ASF video stream.MPlayer MMST Get_Header Remote Client-Side Buffer Overflow VulnerabilityMPlayer 1.0pre5 get_header overflows data buffermplayer-getdata-bo(18631)Buffer overflow in the auto_filter_extern function in auto.c for NapShare 1.2, with the extern filter enabled, allows remote attackers to execute arbitrary code via a crafted gnutella response.NapShare 1.2 auto_filter_extern overflows filename bufferNapShare Remote Buffer Overflow Vulnerabilitynapshare-autofilterextern-bo(18630)Buffer overflow in the error function in preproc.c for NASM 0.98.38 1.2 allows attackers to execute arbitrary code via a crafted asm file, a different vulnerability than CVE-2005-1194.NASM 0.98.38 error() overflows buff[]NASM Error Preprocessor Directive Buffer Overflow Vulnerabilitynasm-preprocc-bo(18540)RHSA-2005:381Buffer overflow in the parse_html function in o3read.c for o3read 0.0.3 allows remote attackers to execute arbitrary code via a crafted SXW file. o3read 0.0.3 parse_html overflows t bufferO3Read HTML Parser Buffer Overflow VulnerabilityGLSA-200501-20o3read-parsehtml-bo(18547)Multiple buffer overflows in (1) the getline function in pcalutil.c and (2) the get_holiday function in readfile.c for pcal 4.7.1 allow remote attackers to execute arbitrary code via a crafted calendar file.pcal 4.7.1 getline overflows tmpbuf; get_holiday overflows tmppcal-getline-pcalutil-bo(18552)Buffer overflow in the process_moves function in pgn2web.c for pgn2web 0.3 allows remote attackers to execute arbitrary code via a crafted PGN file.PGN2WEB Buffer Overflow Vulnerabilitypcal 4.7.1 getline overflows tmpbuf; get_holiday overflows tmphttp://tigger.uic.edu/~jlongs2/holes/pgn2web.txtpgn2web-pgn2webc-bo(18554)Buffer overflow in qwik-smtpd allows remote attackers to use the server as an SMTP spam relay via a long HELO command, which overwrites the adjacent localIP data buffer. qwik-smtpd overflows clientHelo bufferqwilmail-smtp-helo-open-relay(18555)Buffer overflow in the parse_emelody function in parse_emelody.c for ringtonetools 2.22 allows remote attackers to execute arbitrary code via a crafted eMelody file.ringtonetools 2.22 parse_emelody overflows song bufferGLSA-200503-18ringtonetools-parseemelody-bo(18557)Buffer overflow in the ReadFontTbl function in reader.c for rtf2latex2e 1.0fc2 allows remote attackers to execute arbitrary code via a crafted RTF file.rtf2latex2e 1.0fc2 ReadFontTbl overflows bufferRTF2LATEX2E Stack Buffer Overflow Vulnerabilityrtf2latex2e-reader-bo(18559)The mget function in cmds.c for tnftp 20030825 allows remote FTP servers to overwrite arbitrary files via FTP responses containing file names with / (slash) characters.tnftp 20030825 does not check for directory escapesTNFTP FTP Client Directory Traversal Vulnerabilitytnftp-mget-cmds-file-overwrite(18560)The slip_down function in slip.c for the uml_net program in uml-utilities 20030903, when uml_net is installed setuid root, does not verify whether the calling user has sufficient permission to disable an interface, which allows local users to cause a denial of service (network service disabled).uml-utilities 20030903 uml_net slip_down() fails to check permissionsumlutilities-umtnet-slipdown-dos(18562)The (1) eqn2graph and (2) pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files.20041220 [USN-43-1] groff utility vulnerabilitieshttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286371http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286372groff-eqn2graph-pic2graph-symlink(18660)MDKSA-2006:038Buffer overflow in the process_font_table function in convert.c for unrtf 0.19.3 allows remote attackers to execute arbitrary code via a crafted RTF file.unrtf 0.19.3 process_font_table overflows name bufferunrtf-processfonttable-convert-bo(18566)Buffer overflow in the parse function in vb2c.c for vb2c 0.02 allows remote attackers to execute arbitrary code via a crafted FRM file.vb2c 0.02 parse_sub overflows token bufferMichael Kohn VB2C FRM File Remote Buffer Overflow Vulnerabilityvb2c-gettoken-bo(18605)Buffer overflow in the get_attr function in html.c for vilistextum 2.6.6 allows remote attackers to execute arbitrary code via a crafted web page.Vilistextum HTML Attribute Parsing Buffer Overflow Vulnerabilityvilistextum 2.6.6 get_attr overflows temp buffervilistextum-getattr-bo(18610)Buffer overflow in the open_aiff_file function in demux_aiff.c for xine-lib (libxine) 1-rc7 allows remote attackers to execute arbitrary code via a crafted AIFF file.xine-lib open_aiff_file overflows bufferMDKSA-2005:011xine-openaifffile-bo(18611)MDKSA-2005:011Buffer overflow in the book_format_sql function in format.c for xlreader 0.9.0 allows remote attackers to execute arbitrary code via a crafted Excel (XLS) file.xlreader 0.9.0 overflows insert_start bufferXLReader Remote Client-Side Buffer Overflow Vulnerabilityxlreader-bookformatsql-bo(18612)The id3tag_sort function in id3tag.c for YAMT 0.5 allows remote attackers to execute arbitrary commands via an MP3 file with double quotes in the Artist tag.YAMT 0.5 id3tag_sort does not check for nasty charactersYAMT ID3 Tag Sort Command Execution Vulnerabilityyamt-id3tagsort-bo(18614)http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html11999101258313554Buffer overflow in the get function in get.c for Yanf 0.4 allows remote malicious web servers to execute arbitrary code via crafted HTTP responses.Yanf 0.4 get() overflows bufYanf HTTP Response Buffer Overflow Vulnerabilityyanf-get-bo(18615)Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file.File ELF Header Unspecified Buffer Overflow VulnerabilityFile ELF Header buffer overflowGLSA-200412-072004-0063http://www.securitytracker.com/alerts/2004/Dec/1012433.html1012433The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang.20041223 Microsoft Windows Kernel ANI File Parsing Crash and DOS Vulnerabilityhttp://www.xfocus.net/flashsky/icoExp/MS05-002TA05-012AVU#177584VU#697136OVAL1304OVAL2580OVAL3216OVAL3957OVAL712win-ani-ratenumber-dos(18667)oval:org.mitre.oval:def:1304oval:org.mitre.oval:def:2580oval:org.mitre.oval:def:3216oval:org.mitre.oval:def:3957oval:org.mitre.oval:def:712Heap-based buffer overflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a crafted .hlp file.20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerabilityhttp://www.xfocus.net/flashsky/icoExp/12092win-winhlp32-bo(18678)Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow.20041221 libtiff STRIPOFFSETS Integer Overflow VulnerabilityAPPLE-SA-2005-05-03VU#539110TA05-136A101677Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow.libtiff Directory Entry Count Integer Overflow VulnerabilitylibTIFF Heap Corruption Integer Overflow VulnerabilitiesDSA-617MDKSA-2005:052RHSA-2005:019RHSA-2005:035SUSE-SA:2005:001VU#125598libtiff-tiff-tdircount-bo(18637)APPLE-SA-2005-05-03TA05-136AOVAL10011713776CLA-2005:920101677oval:org.mitre.oval:def:100117MDKSA-2005:052Heap-based buffer overflow in the demux_open_bmp function in demux_bmp.c for Unix MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a bitmap (BMP) file containing a large biClrUsed field.Research Reportshttp://www1.mplayerhq.hu/MPlayer/releases/ChangeLogMDKSA-2004:157mplayer-bitmap-bo(18527)MDKSA-2004:157Stack-based buffer overflow in the asf_mmst_streaming.c functionality for MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a large MMST stream packet.iDEFENSE intelligencehttp://www1.mplayerhq.hu/MPlayer/releases/ChangeLoghttp://www1.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diffMDKSA-2004:157mplayer-mmst-bo(18526)MDKSA-2004:157Integer overflow in the real_setup_and_get_header function in real.c for Unix MPlayer 1.0pre5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a Real RTSP streaming media file with a -1 content-length field, which leads to a heap-based buffer overflow.iDEFENSE intelligencehttp://www1.mplayerhq.hu/MPlayer/releases/ChangeLoghttp://www1.mplayerhq.hu/MPlayer/patches/rtsp_fix_20041215.diffMDKSA-2004:157mplayer-rtsp-bo(18525)MDKSA-2004:157A bug in the HTML parser in a certain Microsoft HTML library, as used in various third party products, may allow remote attackers to cause a denial of service via certain strings, as reported in GFI MailEssentials for Exchange 9 and 10, and GFI MailSecurity for Exchange 8, which causes emails to remain in IIS or Exchange mail queues.http://www.csis.dk/default.asp?m=1&a=194http://kbase.gfi.com/showarticle.asp?id=KBID0022491214813708The Smc.exe process in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before invoking help, which allows local users to gain privileges.Secunia Research: My Firewall Plus Privilege Escalation VulnerabilityWebroot Software My Firewall Plus Local Privilege Escalation Vulnerabilitymy-firewall-plus-gain-privileges(18622)Safari 1.x allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability, a different vulnerability than CVE-2004-1122.http://secunia.com/secunia_research/2004-13/advisory/http://secunia.com/multiple_browsers_window_injection_vulnerability_test/APPLE-SA-2005-01-25web-browser-popup-spoofing(18397)13252viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm.20041112 phpBB Code EXEC (v2.0.10)20041118 EXEC exploit in phpBB - fix20041220 phpBB Wormhttp://www.phpbb.com/phpBB/viewtopic.php?t=240513GLSA-200411-32TA04-356AVU#49740013239phpbb-view-sql-injection(18052)Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated.20041229 Heap overflow in Mozilla Browser <= 1.7.3 NNTP code.http://isec.pl/vulnerabilities/isec-0020-mozilla.txthttp://www.mozilla.org/security/announce/mfsa2005-06.htmlHPSBTU01114RHSA-2005:038mozilla-nntp-bo(18711)OVAL10005212131SUSE-SA:2006:02219823oval:org.mitre.oval:def:100052Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command.20041227 [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc includedhttp://www.hat-squad.com/en/000142.html20041228 Re: [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc included20041228 Netcat v1.11 For Windows , New fixed versionnetcat-doexec-bo(18681)Cross-site scripting (XSS) vulnerability in namazu.cgi for Namazu 2.0.13 and earlier allows remote attackers to inject arbitrary HTML and web script via a query that starts with a tab ("%09") character, which prevents the rest of the query from being properly sanitized.http://jvn.jp/jp/JVN%23904429FE.htmlhttp://www.namazu.org/security.html.en#xss-tabDSA-627HPSBMA01212FEDORA-2004-55712053125161012802101280513600namazu-tab-query-xss(18623) SUSE-SR:2005:001The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180.20041215 MSIE DHTML Edit Control Cross Site Scripting VulnerabilityMS05-013TA05-039AVU#356600OVAL1114OVAL1701OVAL3464OVAL3851OVAL47581348211950ie-dhtml-xss(18504)oval:org.mitre.oval:def:1114oval:org.mitre.oval:def:1701oval:org.mitre.oval:def:3464oval:org.mitre.oval:def:3851oval:org.mitre.oval:def:4758Asante FM2008 running firmware 1.06 is shipped with a default username and password, which could allow remote attackers to gain unauthorized access.20041215 Asante FM2008 10/100 Ethernet switch backdoor login11947asante-fm2008-default-account(18521)The configuration backup in Asante FM2008 running firmware 1.06 stores the username and password in cleartext, which could allow remote attackers to gain unauthorized access.20041215 Asante FM2008 10/100 Ethernet switch backdoor loginCisco Unity 2.x, 3.x, and 4.x, when integrated with Microsoft Exchange, has several hard coded usernames and passwords, which allows remote attackers to gain unauthorized access and change configuration settings or read outgoing or incoming e-mail messages.20041215 Cisco Unity Integrated with Exchange Has Default PasswordsP-06011954cisco-unity-exchange-default-accounts(18489)Multiple syscalls in the compat subsystem for NetBSD before 2.0 allow local users to cause a denial of service (kernel crash) via a large signal number to (1) xxx_sys_kill, (2) xxx_sys_sigaction, and possibly other translation functions.http://gleg.net/advisory_netbsd2.shtml13501netbsd-compat-gain-privileges(18564)The Microsoft Windows Media Player 9.0 ActiveX control may allow remote attackers to execute arbitrary web script in the Local computer zone via the (1) artist or (2) song fields of a music file, if the file is processed using Internet Explorer.20041218 MS Windows Media Player 9 Vulns (2)12031mediaplayer-mp3-code-execution(18576)The getItemInfoByAtom function in the ActiveX control for Microsoft Windows Media Player 9.0 returns a 0 if the file does not exist and the size of the file if the file exists, which allows remote attackers to determine the existence of files on the local system.20041218 MS Windows Media Player 9 Vulns (2)12032mediaplayer-activex-information-disclosure(18587)Buffer overflow in dxterm in Ultrix 4.5 allows local users to execute arbitrary code via a long -setup parameter.20041219 Exploit for Ultrix 4.5 dxtermhttp://www.frsirt.com/exploits/20041220.ultrix_dxterm_4.5_exploit.c.php12049ultrix-dxterm-bo(18613)Buffer overflow in Crystal FTP Client 2.8 allows remote malicious servers to execute arbitrary code via a response to a LIST command that contains a file name with a long extension.20041220 Crystal FTP Pro Client Buffer Overflow1358312038crystal-ftp-list-bo(18594)Unknown vulnerability in newgrp in HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain elevated privileges.SSRT46871356512029hp-newgrp-gain-privileges(18577)Untrusted execution path vulnerability in the diag commands (1) lsmcode, (2) diag_exec, (3) invscout, and (4) invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program.20041220 AIX 5.1/5.2/5.3 local root exploitsIY64389IY6427712041aix-diagnostics-gain-privileges(18620) 20070330 AIX 4.3 lsmcode local root command execution 20070402 Re: AIX 4.3 lsmcode local root command execution 701Buffer overflow in paginit in AIX 5.1 through 5.3 allows local users to execute arbitrary code via a long username.20041220 AIX 5.1/5.2/5.3 local root exploitsIY64358IY64522IY64312http://www.frsirt.com/exploits/20041220.paginit.c.php12043aix-paginit-username-bo(18618)The execCommand method in Microsoft Internet Explorer 6.0 SP2 allows remote attackers to bypass the "File Download - Security Warning" dialog and save arbitrary files with arbitrary extensions via the SaveAs command.20041119 Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity...http://www.frsirt.com/exploits/20041119.IESP2Unpatched.phpVU#7439741320311686ie-execommand-warning-bypass(18181)3220Stack-based buffer overflow in the FTP daemon in HP-UX 11.11i, with the -v (debug) option enabled, allows remote attackers to execute arbitrary code via a long command request.20041221 Hewlett Packard HP-UX ftpd Remote Buffer Overflow VulnerabilitySSRT4883http://securitytracker.com/id?1012650VU#6474381207713608hp-ftpd-bo(18636)Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6 before 2.6.10 allows local users to cause a denial of service (kernel crash) via a short new screen value, which leads to a buffer overflow.http://www.guninski.com/where_do_you_want_billg_to_go_today_2.htmlSUSE-SA:2005:01820041215 [USN-47-1] Linux kernel vulnerabilities11956linux-vcresize-dos(18523)FLSA:152532USN-47-1MDKSA-2005:218MDKSA-2005:21917826DSA-1070DSA-1067DSA-1069201622016320202DSA-108220338MDKSA-2005:218MDKSA-2005:219Integer overflow in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (kernel crash) via a cmsg_len that contains a -1, which leads to a buffer overflow.20041215 fun with linux kernel20041215 [USN-47-1] Linux kernel vulnerabilitieshttp://www.guninski.com/where_do_you_want_billg_to_go_today_2.html11956linux-ipoptionsget-dos(18522)Memory leak in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (memory consumption) by repeatedly calling the ip_cmsg_send function.20041215 fun with linux kernelhttp://www.guninski.com/where_do_you_want_billg_to_go_today_2.html20041215 [USN-47-1] Linux kernel vulnerabilities11956linux-ipoptionsget-memory-leak(18524)RHSA-2005:016DSA-1070DSA-1067DSA-1069RHSA-2005:0172016320202DSA-108220338The xdvizilla script in tetex-bin 2.0.2 creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack.20041223 [USN-51-1] teTeX auxiliary script vulnerabilityhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=28637012100xdvizilla-symlink(18708)The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 does not properly handle the credentials of a process that is launched before the module is loaded, which allows local users to gain privileges.20041223 Linux 2.6 Kernel Capability LSM Module Local Privilege ElevationCLA-2005:93012093linux-security-module-gain-privileges(18673)The triggers in Oracle 9i and 10g allow local users to gain privileges by using a sequence of partially privileged actions: using CCBKAPPLROWTRIG or EXEC_CBK_FN_DML to add arbitrary functions to the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE, then performing a DELETE on the SDO_TXN_IDX_INSERTS table, which causes the SDO_CMT_CBK_TRIG trigger to execute the user-supplied functions.20041223 Oracle Trigger Abuse (#NISR2122004I)http://www.ngssoftware.com/advisories/oracle23122004I.txtoracle-triggers-gain-privileges(18655)SQL injection vulnerability in the (1) MDSYS.SDO_GEOM_TRIG_INS1 and (2) MDSYS.SDO_LRS_TRIG_INS default triggers in Oracle 9i and 10g allows remote attackers to execute arbitrary SQL commands via the new.table_name or new.column_name parameters.20041223 Oracle Trigger Abuse (#NISR2122004I)http://www.ngssoftware.com/advisories/oracle23122004I.txtoracle-triggers-gain-privileges(18655)Debian GNU/Linux 3.0 installs the libpam-radius-auth package with the pam_radius_auth.conf set to be world-readable, which allows local users to obtain sensitive information.DSA-659libpamradiusauth-insecure-permission(19087)101303014046Cross-site scripting (XSS) vulnerability in info2www before 1.2.2.9 allows remote attackers to inject arbitrary web script or HTML via the arguments to info2www.DSA-711info2www-url-xss(20179)CVS 1.12 and earlier on Debian GNU/Linux, when using the repouid patch, allows remote attackers to bypass authentication via the pserver access method.DSA-715CVS 1.12 and earlier on Debian GNU/Linux does not properly handle when a mapping for the current repository does not exist in the cvs-repouids file, which allows remote attackers to cause a denial of service (server crash).DSA-715Unknown vulnerability in Sun StorEdge Enterprise Storage Manager (ESM) 2.1 for Solaris 8 and Solaris 9 allows local users with the "ESMUser" role to gain root access.57581VU#976470O-1661193510580esm-esmuser-gain-privileges(16463)The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM.57598VU#390742ESB-2004.04631210410747solaris-svm-dos(16729)OVAL3465oval:org.mitre.oval:def:3465X Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request.57619VU#1395041225710911xdm-xdmcp-dos(16940)101549OVAL100113oval:org.mitre.oval:def:100113Unknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash).57614ESB-2004.0565OVAL39601247011118solaris-innamed-dynamic-dos(17269)oval:org.mitre.oval:def:3960gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files.57600VU#635998OVAL165412744solaris-gzip-modify-privileges(17577)11318oval:org.mitre.oval:def:1654Multiple buffer overflows in Sun Java System Web Proxy Server (formerly Sun ONE Proxy Server) 3.6 through 3.6 SP4 allow remote attackers to execute arbitrary code via unknown vectors, possibly CONNECT requests.http://www.pentest.co.uk/documents/ptl-2004-06.html57606VU#964401P-027ESB-2004.0691http://securitytracker.com/alerts/2004/Oct/1012005.html13036sun-web-proxy-bo(17920)11566113041012005Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code.57659ESB-2004.0759P-050OVAL592solaris-inrwhod-command-execution(18385)11840oval:org.mitre.oval:def:592Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code.ESB-2004.0749P-045http://securitytracker.com/alerts/2004/Dec/1012368.htmlOVAL340013340solaris-ping-bo(18310)117821216810123681178257675oval:org.mitre.oval:def:3400Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges.57657ESB-2004.0661P-017http://securitytracker.com/alerts/2004/Oct/1011789.htmlOVAL483412873solaris-ldap-rbac-gain-priv(17757)1145910939101178911459oval:org.mitre.oval:def:4834The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack.57559ESB-2004.0347http://spoofed.org/files/text/solaris-smc-advisory.txtOVAL14821161610349smc-dotdot-directory-traversal(16146)611910349[focus-sun] 20031022 Information disclosure with SMC webserver on Solaris 98873oval:org.mitre.oval:def:1482Unknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.57545ESB-2004.0308OVAL29721148310216solaris-tcp-ip-dos(15955)566510216oval:org.mitre.oval:def:2972Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors.57470ESB-2004.0307OVAL168411457102025619solaris-sendfilev-dos(15946)oval:org.mitre.oval:def:1684The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities.57538VU#737548ESB-2004.0263OVAL35051131610080solaris-sshd-log-bypass(15784)10080oval:org.mitre.oval:def:3505The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged.57478O-099ESB-2004.00699852OVAL3567solaris-patches-disable-bsm(14918)9852oval:org.mitre.oval:def:3567Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user.57508ESB-2004.02019837OVAL1127solaris-uucp-multiple-bo(15425)9837oval:org.mitre.oval:def:1127Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files.57509VU#412566ESB-2004.0169O-089OVAL17321099197594071solaris-covfix-gain-privileges(15331)9759oval:org.mitre.oval:def:1732Integer underflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a malformed .hlp file, which leads to a heap-based buffer overflow.20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerabilityhttp://www.xfocus.net/flashsky/icoExp/12091win-winhlp32-bo(18678)The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters.20041223 Oracle Character Conversion Bugs (#NISR2122004G)http://www.ngssoftware.com/advisories/oracle23122004G.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245A10871oracle-character-conversion-gain-privileges(18657)VU#435974101782Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed.20041223 Oracle extproc buffer overflow (#NISR23122004A)http://www.ngssoftware.com/advisories/oracle23122004.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245A10871oracle-extproc-library-bo(18659)VU#316206101782Directory traversal vulnerability in extproc in Oracle 9i and 10g allows remote attackers to access arbitrary libraries outside of the $ORACLE_HOME\bin directory.20041223 Oracle extproc directory traversal (#NISR23122004B)http://www.ngssoftware.com/advisories/oracle23122004B.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245A10871oracle-extproc-directory-traversal(18658)VU#31620610178220061219 Oracle <= 9i / 10g (extproc) Local/Remote Command Execution ExploitExtproc in Oracle 9i and 10g does not require authentication to load a library or execute a function, which allows local users to execute arbitrary commands as the Oracle user.20041223 Oracle extproc local command execution (#NISR23122004C)http://www.ngssoftware.com/advisories/oracle23122004C.txtTA04-245A10871oracle-extproc-command-execution(18662)VU#316206101782Oracle 10g Database Server stores the password for the SYSMAN account in cleartext in the world-readable emoms.properties file, which could allow local users to gain DBA privileges.20041223 Oracle clear text passwords (#NISR2122004D)http://www.ngssoftware.com/advisories/oracle23122004D.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245A10871oracle-sysman-password-plaintext(18661)VU#316206101782Oracle 10g Database Server, when installed with a password that contains an exclamation point ("!") for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password.20041223 Oracle clear text passwords (#NISR2122004D)http://www.ngssoftware.com/advisories/oracle23122004D.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245AVU#316206101782ISQL*Plus in Oracle 10g Application Server allows remote attackers to execute arbitrary files via an absolute pathname in the file parameter to the load.uix script.20041223 Oracle ISQLPlus file access vulnerability (#NISR2122004E)http://www.ngssoftware.com/advisories/oracle23122004E.txtTA04-245A10871oracle-isqlplus-file-access(18656)VU#435974101782The TNS Listener in Oracle 10g allows remote attackers to cause a denial of service (listener crash) via a malformed service_register_NSGR request containing a value that is used as an invalid offset for a pointer that references incorrect memory.20041223 Oracle TNS Listener DoS (#NISR2122004F)http://www.ngssoftware.com/advisories/oracle23122004F.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245A10871oracle-tnslsnr-nsgr-dos(18664)VU#316206101782Multiple SQL injection vulnerabilities in PL/SQL procedures that run with definer rights in Oracle 9i and 10g allow remote attackers to execute arbitrary SQL commands and gain privileges via (1) DBMS_EXPORT_EXTENSION, (2) WK_ACL.GET_ACL, (3) WK_ACL.STORE_ACL, (4) WK_ADM.COMPLETE_ACL_SNAPSHOT, (5) WK_ACL.DELETE_ACLS_WITH_STATEMENT, or (6) DRILOAD.VALIDATE_STMT.20041223 Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H)http://www.ngssoftware.com/advisories/oracle23122004H.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245A10871oracle-procedure-sql-injection(18665)VU#316206101782Stack-based buffer overflow in Oracle 9i and 10g allows remote attackers to execute arbitrary code via a long token in the text of a wrapped procedure.20041223 Oracle wrapped procedure overflow (#NISR2122004J)http://www.ngssoftware.com/advisories/oracle23122004J.txthttp://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfTA04-245A10871oracle-wrapped-procedure-bo(18666)VU#316206101782Multiple stack-based buffer overflows in IBM DB2 7.x and 8.1 allow local users to execute arbitrary code via (1) a long third argument to the rec2xml function or (2) a long filename argument to the generate_distfile procedure.20041223 IBM DB2 rec2xml buffer overflow vulnerability (#NISR2122004J)http://www.ngssoftware.com/advisories/db223122004K.txt20041223 IBM DB2 generate_distfile buffer overflow vulnerability (#NISR2122004L)http://www.ngssoftware.com/advisories/db223122004L.txt11089db2-rec2xml-bo(18682)db2-generatedistfile-bo(18663)Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file.20041223 SHOUTcast remote format string vulnerability20050219 exwormshoucast part of PTjob project: SHOUTcast v1.9.4 remoteGLSA-200501-04http://securitytracker.com/id?101267512096shoutcast-format-string(18669)Multiple buffer overflows in NetBSD kernel may allow local users to execute arbitrary code and gain privileges.http://gleg.net/advisory_netbsd2.shtmlUnknown vulnerability in System Administration Manager (SAM) in HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 allows local users to gain privileges.SSRT4699P-08512098hp-sam-gain-privileges(18674)Directory traversal vulnerability in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote malicious FTP servers to overwrite arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.20041230 7a69Adv#17 - Internet Explorer FTP download path disclosurehttp://www.7a69ezine.org/node/view/17613704The (1) fixps (aka fixps.in) and (2) psmandup (aka psmandup.in) scripts in a2ps before 4.13 allow local users to overwrite arbitrary files via a symlink attack on temporary files.GLSA-200501-02http://www.vuxml.org/freebsd/9168253c-5a6d-11d9-a9e7-0001020eed82.html136411210812109gnu-a2ps-fixpsin-symlink(18671)gnu-a2ps-psmanupin-symlink(18672)The expat XML parser code, as used in the open source Jabber (jabberd) 1.4.3 and earlier, jadc2s 0.9.0 and earlier, and possibly other packages, allows remote attackers to cause a denial of service (application crash) via a malformed packet to a socket that accepts XML connections.20040920 Possible DoS attack against jabberd 1.4.3 and jadc2s 0.9.020040919 [jabberd] Jabberd 1.4 critical bughttp://devel.amessage.info/jabberd14/http://www.vuxml.org/freebsd/2e25d38b-54d1-11d9-b612-000c6e8f12ef.htmlGLSA-200409-3111231jabberd-xml-dos(17466)102571011383101138412636jadc2s-xml-dos(17467)Heap-based buffer overflow in the DVD subpicture decoder in xine xine-lib 1-rc5 and earlier allows remote attackers to execute arbitrary code via a (1) DVD or (2) MPEG subpicture header where the second field reuses RLE data from the end of the first field.20040906 XSA-2004-5: heap overflow in DVD subpicture decoderhttp://xinehq.de/index.php/security/XSA-2004-5DSA-657GLSA-200409-30SSA:2004-266http://www.vuxml.org/freebsd/131bd7c4-64a3-11d9-829a-000a95bc6fae.html11205xine-dvd-subpicture-bo(17423)Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability."12712http://secunia.com/multiple_browsers_dialog_box_spoofing_test/http://secunia.com/multiple_browsers_form_field_focus_test/http://www.mozilla.org/security/announce/mfsa2005-05.htmlRHSA-2005:323RHSA-2005:335web-browser-modal-spoofing(18864)OVAL100050oval:org.mitre.oval:def:100050Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks.12712http://secunia.com/multiple_browsers_dialog_box_spoofing_test/http://secunia.com/multiple_browsers_form_field_focus_test/http://www.mozilla.org/security/announce/mfsa2005-05.htmlweb-browser-inactive-info-disclosure(17789)OVAL100053oval:org.mitre.oval:def:100053The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968.DSA-636MDKSA-2004:159RHSA-2005:26120041028 [USN-4-1] Standard C library script vulnerabilitiesMDKSA-2004:159Multiple SQL injection vulnerabilities in phpGroupWare 0.9.16.003 and earlier allow remote attackers to execute arbitrary SQL statements via the (1) order, (2) project_id, (3) pro_main, or (4) hours_id parameters to index.php or (5) ticket_id to viewticket_details.php.20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ]http://www.gulftech.org/?node=research&article_id=00054-12142004GLSA-200501-0811952phpgroupware-projectid-sql-injection(18498)Multiple cross-site scripting (XSS) vulnerabilities in phpGroupWare 0.9.16.003 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) kp3, (2) type, (3) msg, (4) forum_id, (5) pos, (6) cats_app, (7) cat_id, (8) msgball[msgnum], (9) fldball[acctnum] parameters to index.php or (10) ticket_id to viewticket_details.php.20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ]http://www.gulftech.org/?node=research&article_id=00054-12142004GLSA-200501-0811952phpgroupware-index-preferences-xss(18496)phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive information via (1) unexpected characters in the session ID such as shell metacharacters, (2) an invalid appname parameter to preferences.php or (3) an invalid menuaction parameter to index.php, which reveals the web server path in an error message.20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ]http://www.gulftech.org/?node=research&article_id=00054-12142004GLSA-200501-08phpgroupware-path-disclosure(18497)TikiWiki before 1.8.4.1 does not properly verify uploaded images, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2005-0200.http://tikiwiki.org/tiki-read_article.php?articleId=97GLSA-200501-12P-08412110tikiwiki-image-command-execution(18691)126281012700The check_forensic script in apache-utils package 1.3.31 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.20050119 [USN-65-1] Apache utility script vulnerability13925apache-checkforensic-symlink(18993)[debian-apache] 20050119 Bug#290974: marked as done (apache: Temporary usage bugs that can be used in symlink attacks)USN-65-1Format string vulnerability in the gpsd_report function for BerliOS GPD daemon (gpsd, formerly pygps) 1.9.0 through 2.7 allows remote attackers to execute arbitrary code via certain GPS requests containing format string specifiers that are not properly handled in syslog calls.20050126 DMA[2005-0125a] - 'berlios gpsd format string vulnerability'http://www.digitalmunition.com/DMA%5B2005-0125a%5D.txt[Gpsd-announce] 20050127 Announcing release 2.8 of gpsdhttp://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg02103.htmlgpsd-format-string(19079)Unknown vulnerability in the Veritas NetBackup Administrative Assistant interface for NetBackup BusinesServer 3.4, 3.4.1, and 4.5, DataCenter 3.4, 3.4.1, and 4.5, Enterprise Server 5.1, and NetBackup Server 5.0 and 5.1, allows attackers to execute arbitrary commands via the bpjava-susvc process, possibly related to the call-back feature.http://seer.support.veritas.com/docs/271727.htmVU#685456P-0201149412901nebackup-bpjavasusvc-gain-privileges(17811)Multiple buffer overflows in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allow remote attackers to execute arbitrary code via a long argument to the (1) -F, (2) name, (3) en, (4) upscript, (5) downscript, (6) retries, (7) timeout, (8) scriptdetach, (9) noscript, (10) nodetach, (11) remote_mac, or (12) local_mac flags.20040903 [RLSA_01-2004] QNX PPPoEd local root vulnerabilitiesVU#96168611104Qnx-rtp-pppoed-flags-bo(17280)Untrusted execution path vulnerability in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious mount program.20040903 [RLSA_01-2004] QNX PPPoEd local root vulnerabilitiesVU#577566111059661qnx-rtp-mount-command-execute(17284)PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function.20041027 PHP4 cURL functions bypass open_basedirFLSA:2344RHSA-2005:40520050120 [USN-66-1] PHP vulnerabilities115571011984php-openbasedir-restriction-bypass(17900)RHSA-2005:406Unknown vulnerability in the tcsetattr function for Sun Solaris for SPARC 2.6, 7, and 8 allows local users to cause a denial of service (system hang).57474ESB-2004.0085VU#379390378610730solaris-tcsetattr-dos(14998)9548The pfexec function for Sun Solaris 8 and 9 does not properly handle when a custom profile contains an invalid entry in the exec_attr database, which may allow local users with custom rights profiles to execute profile commands with additional privileges.57453ESB-2004.0079107553764solaris-pfexec-gain-privileges(14988)953495341008893The Lithtech engine, as used in (1) Contract Jack 1.1 and earlier, (2) No one lives forever 2 1.3 and earlier, (3) Tron 2.0 1.042 and earlier, (4) F.E.A.R. (First Encounter Assault and Recon), and possibly other games, allows remote attackers to cause a denial of service (connection refused) via a UDP packet that causes recvfrom to generate a return code that causes the listening loop to exit, as demonstrated using zero byte packets or packets between 8193 and 12280 bytes, which result in conditions that are not "Operation would block."20041213 Socket unreacheable in the Lithtech engine (new protocol)1190213446lithtech-engine-communication-dos(18456)20051021 F.E.A.R. 1.01 likes lithsock1731720041213 Socket unreacheable in the Lithtech engine (new protocol)Winamp 5.07 and possibly other versions, allows remote attackers to cause a denial of service (application crash or CPU consumption) via (1) an mp4 or m4a playlist file that contains invalid tag data or (2) an invalid .nsv or .nsa file.20041213 Winamp 5.07 (latest version) Remote Crash + other stupid shizlehttp://forums.winamp.com/showthread.php?s=&threadid=202007VU#37296811909winamp-mp4-m4a-dos(18466)1012525winamp-nsa-nsv-dos(18467)20041213 Winamp 5.07 (latest version) Remote Crash + otherCross-site scripting (XSS) vulnerability in UseModWiki 1.0 allows remote attackers to inject arbitrary web script or HTML via an argument to wiki.pl.20041214 STG Security Advisory: [SSA-20041209-13] UseModWiki XSS vulnerability1192413441usemodwiki-wiki-xss(18458)Format string vulnerability in prelink.c in kextload in Apple OS X, as used by TDIXSupport in Roxio Toast Titanium and possibly other products, allows local users to execute arbitrary code via format string specifiers in the extension argument.20041214 Possible local root vulnerability in Roxio Toast on Mac OS X11926roxio-toast-tdixsupport-format-string(18472)20060913 [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANUM 7 HELPER APP - LOCAL ROOT COMROMISE]20031Directory traversal vulnerability in the Attachment module 2.3.10 and earlier for phpBB allows remote attackers to read arbitrary files via a .. (dot dot) in the filename.20041214 phpBB Attachment Mod Directory Traversal HTTP POST Injection1189313421attachment-mod-directory-traversal(18437)The control panel in ASP Calendar does not require authentication to access, which allows remote attackers to gain unauthorized access via a direct request to main.asp.20041214 ASP Calendar Vulnerability <www.ashiyane.com>11931asp-calendar-gain-access(18474)SQL injection vulnerability in verify.asp in Asp-rider allows remote attackers to execute arbitrary SQL statements and bypass authentication via the username parameter.20041214 ASP-rider is vulnerable to sql injection attack1193313470asp-rider-verify-sql-injection(18479)SQL injection vulnerability in iWebNegar allows remote attackers to execute arbitrary SQL commands via (1) the string parameter for index.php, (2) comments.php, or (3) the administrator login page.20041215 iwebnegar is vulnerable to all kind of sql injections11946iwebnegar-sql-injection(18505)PHP remote file inclusion vulnerability in index.php in GNUBoard 3.39 and earlier allows remote attackers to execute arbitrary PHP code by modifying the doc parameter to reference a URL on a remote web server that contains the code.20041215 STG Security Advisory: [SSA-20041214-14] GNUBoard PHP injection vulnerabilityhttp://sir.co.kr/?doc=bbs/gnuboard.php&bo_table=pds&page=1&wr_id=18711194813479gnuboard-doc-index-file-include(18494)Attachment Mod 2.3.10 module for phpBB, when used with Apache mod_mime, does not properly handle files with multiple file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.20041216 STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files with multiple extensions in phpBB Attachment Modhttp://www.opentools.de/board/viewtopic.php?t=35901189313421attachment-mod-file-upload(18438)MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code.20041216 STG Security Advisory: [SSA-20041215-19] Vulnerability of uploading files with multiple extensions in MediaWiki1198513478http://wikipedia.sourceforge.net/SQL injection vulnerability in ikonboard.cgi in Ikonboard 3.1.0 through 3.1.3 allows remote attackers to inject arbitrary SQL commands via the (1) st or (2) keywords parameter.20041216 [MaxPatrol] SQL-injection in Ikonboard 3.1.x1198213513ikonboard-ikonboard-sql-injection(18533)Multiple directory traversal vulnerabilities in singapore Image Gallery Web Application 0.9.10 allow remote attackers to (1) read arbitrary files via the showThumb method for thumb.php, or (2) delete arbitrary files via admin.class.php.20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilitieshttp://www.security.org.sg/vuln/singapore0910.html11990singapore-thumb-directory-traversal(18528)singapore-adminclass-directory-traversal(18532)The addImage method for admin.class.php in Image Gallery Web Application 0.9.10 does not properly check filenames, which allows remote attackers to upload and execute arbitrary files.20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities11990singapore-adminclass-file-upload(18531)Multiple cross-site scripting vulnerabilities in Image Gallery Web Application 0.9.10 allow remote attackers to inject arbitrary web script or HTML.20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities11990Cross-site scripting (XSS) vulnerability in Gadu-Gadu build 155 and earlier allows remote attackers to inject arbitrary web script via a URL, which is echoed in a popup window that displays a parsing error message, a different vulnerability than CVE-2004-1229.20041217 Gadu-Gadu, another two bugs119981252413450Gadu-Gadu build 155 and earlier allows remote attackers to cause a denial of service (infinite loop) via a message that contains an image whose filename does not start with restricted characters.20041217 Gadu-Gadu, another two bugs11998gadu-gadu-image-dos(18580)Cross-site scripting (XSS) vulnerability in index.php in Kayako eSupport 2.x allows remote attackers to inject arbitrary web script or HTML via the searchm parameter.20041218 Multiple Vulnerabilities In Kayako eSupport v2.xhttp://www.gulftech.org/?node=research&article_id=00056-1218200412037kayako-index-xss(18571)Multiple SQL injection vulnerabilities in Kayako eSupport 2.x allow remote attackers to execute arbitrary SQL commands via the (1) subcat, (2) rate, (3) questiondetails, (4) ticketkey22, (5) email22 parameters to index.php, or (6) the e-mail field of the Forgot Key feature.20041218 Multiple Vulnerabilities In Kayako eSupport v2.xhttp://www.gulftech.org/?node=research&article_id=00056-1218200412037kayako-sql-injection(18572)Gadu-Gadu 6.1 build 156 allows remote attackers to cause a denial of service (application hang) via a message that contains many special strings that are converted to images.20041220 Gadu-Gadu Remote DoS (all versions)http://www.soltysiak.com/gg-dos.txtSQL injection vulnerability in (1) disp_album.php and possibly (2) disp_img.php in 2Bgal 2.4 and 2.5.1 allows remote attackers to execute arbitrary SQL commands via the id_album parameter.20041222 2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability12083136202bgal-dispalbum-sql-injection(18645)pnxr3260.dll in the RealOne 2.0 build 6.0.11.868 browser plugin, as used in Internet Explorer, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embed tag.20041222 Realone2.0 1266020041222 Realone2.0 'pnxr3260.dll' Lets Remote Users IE Browser CrashCross-site scripting (XSS) vulnerability in login.php in PsychoStats 2.2.4 Beta and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter.20041223 Cross Site Scripting In PsychoStats 2.2.4 Beta && Earlierhttp://www.gulftech.org/?node=research&article_id=00057-1222200413619http://www.psychostats.com/forums/viewtopic.php?t=1102212089psychostats-login-xss(18651)Cross-site scripting (XSS) vulnerability in WPKontakt 3.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via an e-mail address, which is not quoted when a parsing error is generated.20041223 WPkontakt message parsing error12097wpkontakt-email-command-execution(18685)PHP remote file inclusion vulnerability in ZeroBoard 4.1pl4 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) _zb_path parameter to outlogin.php or (2) dir parameter to write.php to reference a URL on a remote web server that contains the code.20041224 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard20041223 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard12103zeroboard-write-file-include(18679)zeroboard-outlogin-file-include(18677)1258012581101267713649Multiple cross-site scripting (XSS) vulnerabilities in header.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) site_title or (2) http_images parameter.20041228 Multiple WHM Autopilot Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00059-1227200420041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ]http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html1211913673whm-autopilot-header-xss(18700)Multiple PHP remote file inclusion vulnerabilities (1) step_one.php, (2) step_one_tables.php, (3) step_two_tables.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the server_inc parameter to reference a URL on a remote web server that contains the code.20041228 Multiple WHM Autopilot Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00059-1227200420041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ]http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html1211913673whm-autopilot-php-file-include(18699) 12695 1012707WHM AutoPilot 2.4.6.5 and earlier allows remote attackers to gain sensitive information via phpinfo, which reveals php settings.20041228 Multiple WHM Autopilot Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00059-1227200420041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ]http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html1211913673whm-autopilot-information-disclosure(18701)Multiple PHP remote file inclusion vulnerabilities in Sean Proctor PHP-Calendar before 0.10.1, as used in Commonwealth of Massachusetts Virtual Law Office (VLO) and other products, allow remote attackers to execute arbitrary PHP code via a URL in the phpc_root_path parameter to (1) includes/calendar.php or (2) includes/setup.php.20041229 php-Calendar File Include Vulnerability [ Command Exec ]http://www.gulftech.org/?node=research&article_id=00060-1229200412127php-calendar-file-include(18710)20061021 Virtual Law Office (phpc_root_path) Remote File Include Vulnerability20657ADV-2006-4145225161017107vlo-phpcrootpath-file-include(29710)Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter.20041227 Multiple Vulnerabilities in Moodle20041230 Re: Multiple Vulnerabilities in Moodle1212013694moodle-view-search-xss(18702)Directory traversal vulnerability in file.php in Moodle 1.4.2 and earlier allows remote attackers to read arbitrary session files for known session IDs via a .. (dot dot) in the file parameter.20041227 Multiple Vulnerabilities in Moodle20041230 Re: Multiple Vulnerabilities in Moodle12120moodle-directory-traversal(18550)Directory traversal vulnerability in index.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to read arbitrary files and execute arbitrary PHP files via .. (dot dot) sequences in the lng parameter.20041230 KorWeblog php injection Vulnerability12132PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2-cvs and earlier allows remote attackers to execute arbitrary PHP code by modifying the G_PATH parameter to reference a URL on a remote web server that contains the code, as demonstrated in index.php when using .. (dot dot) sequences in the lng parameter to cause main.inc to be loaded.20041230 KorWeblog php injection Vulnerability1213213700korweblog-install-file-include(18717)ArGoSoft FTP before 1.4.2.1 generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames.20041231 ArGoSoft FTP Server reveals valid usernames and allows for brutehttp://www.lovebug.org/argosoft_advisory.txt12139argosoft-information-disclosure(18721)11335101274413063ArGoSoft FTP 1.4.2.4 and earlier does not limit the number of times that a bad password can be entered, which makes it easier for remote attackers to guess passwords via a brute force attack.20041231 ArGoSoft FTP Server reveals valid usernames and allows for bruteargosoft-bruteforce(18722)SQL injection vulnerability in the show_stats module in Arcade.php in IbProArcade allows remote attackers to execute arbitrary SQL code via the gameid parameter.20041231 SQL Injection Vulnerability In IBProArcade1213813260ibproarcade-gameid-sql-injection(18720)FormMail.php 5.0, and possibly other versions, allows remote attackers to read arbitrary files via a full pathname in the ar_file (auto-reply) parameter.20041231 Jacks FormMail.php remote file access vulnerability1214510815jack-formmail-arfile-view-files(18724)Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via malformed (1) IP or (2) ICMP packets.20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet VulnerabilitiesVU#918920VU#9693441076812117cisco-ons-ip-dos(16760)cisco-ons-icmp-dos(16761)Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, and ONS 15600 1.x(x), allows remote attackers to cause a denial of service (control card reset) via malformed (1) TCP and (2) UDP packets.20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet VulnerabilitiesVU#486224VU#8003841076812117cisco-ons-tcp-dos(16762)cisco-ons-udp-dos(16764)Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.1(0) to 4.1(2), 4.5(x), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via malformed SNMP packets.20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet VulnerabilitiesVU#5489681076812117cisco-ons-snmp-dos(16765)Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via a large number of TCP connections with an invalid response instead of the final ACK (TCP-ACK).20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet VulnerabilitiesVU#2770481076812117cisco-ons-tcp-ack-dos(16763)The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4.6(0) and 4.6(1) and 15454 and 15454 SDH 4.6(0) and 4.6(1), when a user account is configured with a blank password, allows remote attackers to gain unauthorized access by logging in with a password larger than 10 characters.20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet VulnerabilitiesVU#7604321076812117cisco-ons-tl1-auth-bypass(16766)Multiple buffer overflows in the digest authentication functionality in Pavuk 0.9.28-r2 and earlier allow remote attackers to execute arbitrary code.GLSA-200407-1910797pavuk-digest-auth-bo(16807)The mod_authz_svn Apache module for Subversion 1.0.4-r1 and earlier allows remote authenticated users, with write access to the repository, to read unauthorized parts of the repository via the svn copy command.GLSA-200407-20http://svn.collab.net/repos/svn/tags/1.0.6/CHANGEShttp://www.securitytracker.com/alerts/2004/Jul/1010779.html10800subversion-modauthzsvn-restriction-bypass(16803)101077960Buffer overflow in BlackJumboDog 3.x allows remote attackers to execute arbitrary code via long FTP commands such as (1) USER, (2) PASS, (3) RETR,(4) CWD, (5) XMKD, and (6) XRMD.http://www.security.org.sg/vuln/bjd361.html20040910 BlackJumboDog FTP Server version 3.6.1 Buffer Overflow [Exploit included]VU#7145841083412203blackjumbodog-long-string-bo(16842)Multiple heap-based buffer overflows in the modpow function in PuTTY before 0.55 allow (1) remote attackers to execute arbitrary code via an SSH2 packet with a base argument that is larger than the mod argument, which causes the modpow function to write memory before the beginning of its buffer, and (2) remote malicious servers to cause a denial of service (client crash) and possibly execute arbitrary code via a large bignum during authentication.20040804 CORE-2004-0705: Vulnerabilities in PuTTY and PSCPhttp://www.chiark.greenend.org.uk/~sgtatham/putty/changes.htmlhttp://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modpow.htmlGLSA-200408-04 1085012212putty-code-execution(16885)Cross-site scripting (XSS) vulnerability in icq.cgi in Board Power 2.04PF allows remote attackers to inject arbitrary web script or HTML via the action parameter.20040715 XSS in Board Power forumVU#74459010734boardpower-icq-xss(16698)Cross-site scripting (XSS) vulnerability in db2www CGI interpreter in IBM Net.Data 7 and 7.2 allows remote attackers to inject arbitrary web script or HTML via a macro filename, which is not properly handled by error emssages such as "DTWP001E."VU#197318http://www.kb.cert.org/vuls/id/DMOA-5VNPEL948810709ibm-netdata-db2wwwcomponent-xss(14925)20040126 Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability37121008845Cross-site scripting (XSS) vulnerability in the inline MIME viewer in Horde-IMP (Internet Messaging Program) 3.2.4 and earlier, when used with Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via an e-mail message.GLSA-200408-071084512202imp-html-viewer-xss(16866)Directory traversal vulnerability in Roundup 0.6.4 and earlier allows remote attackers to view arbitrary files via .. (dot dot) sequences in an @@ command in an HTTP GET request.http://packetstormsecurity.nl/0406-exploits/roundUP.txtGLSA-200408-0911801http://www.securitytracker.com/alerts/2004/Jun/1010415.html10459roundup-get-view-file(16350)1010415A race condition in nessus-adduser in Nessus 2.0.11 and possibly earlier versions, if the TMPDIR environment variable is not set, allows local users to gain privileges.GLSA-200408-111212710784nessus-adduser-race-condition(16768)Unknown vulnerability in ScreenOS in Juniper Networks NetScreen firewall 3.x through 5.x allows remote attackers to cause a denial of service (device reboot or hang) via a crafted SSH v1 packet.http://www.juniper.net/support/security/alerts/screenos-sshv1-2.txtVU#7498701220810854netscreen-screenos-sshv1-dos(16876)Jetbox One 2.0.8 and possibly other versions stores passwords in the database in plaintext, which could allow attackers to gain sensitive information.20040804 vulnerabilities in JetboxOne CMShttp://echo.or.id/adv/adv03-y3dips-2004.txtVU#5867201085812230jetbox-one-plaintext-password(16898)8325Jetbox One 2.0.8 and possibly other versions allow remote attackers with Author privileges in the IMAGES module to upload PHP files and execute arbitrary code.20040804 vulnerabilities in JetboxOne CMShttp://echo.or.id/adv/adv03-y3dips-2004.txtVU#4174081223010859jetbox-one-file-upload(16900)Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 allows remote attackers to determine the location of files on a user's hard drive by obscuring a file upload control and tricking the user into dragging text into that control.http://bugzilla.mozilla.org/show_bug.cgi?id=206859#c0Unknown vulnerability in LiveConnect in Mozilla 1.7 beta allows remote attackers to read arbitrary files in known locations.http://bugzilla.mozilla.org/show_bug.cgi?id=239122http://www.mozilla.org/projects/security/known-vulnerabilities.htmlMozilla before 1.6 does not display the entire URL in the status bar when a link contains %00, which could allow remote attackers to trick users into clicking on unknown or untrusted sites and facilitate phishing attacks.http://bugzilla.mozilla.org/show_bug.cgi?id=228176http://www.mozilla.org/projects/security/known-vulnerabilities.html10419Tomcat before 5.0.27-r3 in Gentoo Linux sets the default permissions on the init scripts as tomcat:tomcat, but executes the scripts with root privileges, which could allow local users in the tomcat group to execute arbitrary commands as root by modifying the scripts.GLSA-200408-151095112296gentoo-tomcat-gain-privileges(16993)GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program.GLSA-200408-16http://bugs.gentoo.org/show_bug.cgi?id=59526RHSA-2005:2611096312306glibc-suid-info-disclosure(17006)RHSA-2005:256Cisco IOS 12.0S, 12.2, and 12.3, with Open Shortest Path First (OSPF) enabled, allows remote attackers to cause a denial of service (device reload) via a malformed OSPF packet.20040818 Cisco IOS Malformed OSPF Packet Causes ReloadO-199VU#9894061097112322cisco-ios-ospf-dos(17033)Stack-based buffer overflow in Xine-lib-rc5 in xine-lib 1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via crafted playlists that result in a long vcd:// URL.20040817 Open Security Group Advisory #6GLSA-200408-18 1219410890xine-vcd-identifier-bo(16930)filediff in CVStrac allows remote attackers to execute arbitrary commands via shell metacharacters in rcsinfo.20040805 CVStrac Remote Arbitrary Code Execution exploithttp://www.cvstrac.org/cvstrac/tktview?tn=339http://www.cvstrac.org/cvstrac/chngview?cn=316VU#77081610878837312090cvstrac-command-execute(16929)The Virtual Private Network (VPN) capability in Novell Bordermanager 3.8 allows remote attackers to cause a denial of service (ABEND in IKE.NLM) via a malformed IKE packet, as sent by the Striker ISAKMP Protocol Test Suite.VU#432097http://support.novell.com/cgi-bin/search/searchtid.cgi?/10093576.htm1072712067novell-bordermanger-ikenlm-dos(16697)The CSAdmin web administration interface for Cisco Secure Access Control Server (ACS) 3.2(2) build 15 allows remote attackers to cause a denial of service (hang) via a flood of TCP connections to port 2002.20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server11047ciscosecure-csadmin-http-dos(17115)O-203918212386ciscosecure-csadmin-tcp-dos(17114)Cisco Secure Access Control Server (ACS) 3.2, when configured as a Light Extensible Authentication Protocol (LEAP) RADIUS proxy, allows remote attackers to cause a denial of service (device crash) via certain LEAP authentication requests.20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server11047ciscosecure-leap-radius-dos(17116)Cisco Secure Access Control Server (ACS) 3.2(3) and earlier, when configured with an anonymous bind in Novell Directory Services (NDS) and authenticating NDS users with NDS, allows remote attackers to gain unauthorized access to AAA clients via a blank password.20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server11047ciscosecure-nds-blank-authentication(17117)Cisco Secure Access Control Server (ACS) 3.2(3) and earlier spawns a separate unauthenticated TCP connection on a random port when a user authenticates to the ACS GUI, which allows remote attackers to bypass authentication by connecting to that port from the same IP address.20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server11047ciscosecure-csadmin-auth-bypass(17118)Unknown vulnerability in MoinMoin 1.2.2 and earlier allows remote attackers to gain unauthorized access to administrator functions such as (1) revert and (2) delete.https://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801GLSA-200408-25108058194moinmoin-acl-gain-privileges(16833)Unknown vulnerability in the PageEditor in MoinMoin 1.2.2 and earlier, related to Access Control Lists (ACL), has unknown impact.http://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801GLSA-200408-25108018195moinmoin-pageeditor-gain-privilege(16832)Cisco IOS 12.2(15) and earlier allows remote attackers to cause a denial of service (refused VTY (virtual terminal) connections), via a crafted TCP connection to the Telnet or reverse Telnet port.20040827 Cisco Telnet Denial of Service VulnerabilityVU#38423011060http://www.securitytracker.com/alerts/2004/Aug/1011079.html12395cisco-ios-telnet-dos(17131)1011079Multiple buffer overflows in WinZip 9.0 and earlier may allow attackers to execute arbitrary code via multiple vectors, including the command line.20040901 WinZip Unspecified Buffer Overflows May Let Remote or Local Users Execute Arbitrary Codehttp://www.winzip.com/wz90sr1.htmO-211http://www.securitytracker.com/alerts/2004/Sep/1011132.html11092winzip-code-execution(17192)winzip-command-line-bo(17197)1011132The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute execute arbitrary scripts before they are deleted, if the temporary directory is under the web root.20040817 Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concepthttp://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0GLSA-200409-0510968gallery-savephotos-file-upload(17021)Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.0.00.003 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) date or search text field in the calendar module, (2) Field parameter, Filter parameter, QField parameter, Start parameter or Search field in the address module, (3) Subject field in the message module or (4) Subject field in the Ticket module.20040822 Multiple Cross Site Scripting Vulnerabilities in eGroupWarehttp://sourceforge.net/forum/forum.php?forum_id=401807GLSA-200409-0611013egroupware-mult-modules-xss(17078)The web mail functionality in Usermin 1.x and Webmin 1.x allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail message.http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/77_e.htmlGLSA-200409-15112212488usermin-web-mail-command-execution(17293)Format string vulnerability in the log function in SUS 2.0.2, and other versions before 2.0.6, allows local users to execute arbitrary code via format string specifiers in a command line argument that is passed directly to syslog.20040914 SUS 2.0.2 local root vulnerabilityhttp://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01http://pdg.uow.edu.au/sus/CHANGESGLSA-200409-1711176sus-log-format-string(17361)CRLF injection vulnerability in SnipSnap 0.5.2a, and other versions before 1.0b1, allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server.http://www.snipsnap.org/space/startGLSA-200409-2311180snipsnap-response-splitting(17364)20040914 ADVISORY: http response splitting in snipsnapFormat string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper line.Failed exploit attempts will likely cause a denial of service condition.20040609 Advisory 09/2004: More CVS remote vulnerabilitiesFreeBSD-SA-04:1410499cvs-wrapper-format-string(16365)Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 allow remote attackers to cause a denial of service (device freeze) via a fast UDP port scan on the WAN interface.http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.htmlVU#44107811237symantec-firewallvpn-udp-dos(17469)102041263520040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security ProductsSymantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 allow remote attackers to bypass filtering and determine whether the device is running services such as tftpd, snmpd, or isakmp via a UDP port scan with a source port of UDP 53.20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Productshttp://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.htmlVU#32923011237symantec-udp-obtain-info(17470)1020512635Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 uses a default read/write SNMP community string, which allows remote attackers to alter the firewall's configuration file.20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Productshttp://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.htmlVU#17391011237symantec-udp-obtain-info(17470)1020612635symantec-default-snmp(17471)Multiple stack-based buffer overflows in xine-lib 1-rc2 through 1-rc5 allow attackers to execute arbitrary code via (1) long VideoCD vcd:// MRLs or (2) long subtitle lines.20040907 XSA-2004-4: multiple string overflowshttp://xinehq.de/index.php/security/XSA-2004-4GLSA-200408-18GLSA-200409-3011206xine-videocd-mrl-bo(17430)xine-subtitle-bo(17432)Stack-based buffer overflow in the VideoCD (VCD) code in xine-lib 1-rc2 through 1-rc5, as derived from libcdio, allows attackers to execute arbitrary code via a VideoCD with an unterminated disk label.20040907 XSA-2004-4: multiple string overflowshttp://xinehq.de/index.php/security/XSA-2004-4GLSA-200409-3011206Cross-site scripting (XSS) vulnerability in the Management Console in JRun 4.0 allows remote attackers to execute arbitrary web script or HTML and possibly hijack a user's session.http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.htmlVU#6682061124512638jrun-management-console-xss(17483)20040923 New Macromedia Security Zone Bulletins PostedJRun 4.0 does not properly generate and handle the JSESSIONID, which allows remote attackers to perform a session fixation attack and hijack a user's HTTP session.20040923 New Macromedia Security Zone Bulletins Postedhttp://www.macromedia.com/devnet/security/security_zone/mpsb04-08.htmlVU#5849581124512638jrun-jsessionid-hijack(17481)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0928. Reason: This candidate is a duplicate of CVE-2004-0928. Notes: All CVE users should reference CVE-2004-0928 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Unknown vulnerability in the management station in HP StorageWorks Command View XP 1.8B and earlier allows remote attackers to bypass access restrictions.SSRT4794 http://www.securitytracker.com/alerts/2004/Sep/1011407.html11249hp-storageworks-restriction-bypass(17490)1011407Integer overflow in pnen3260.dll in RealPlayer 8 through 10.5 (6.0.12.1040) and earlier, and RealOne Player 1 or 2 on Windows or Mac OS, allows remote attackers to execute arbitrary code via a SMIL file and a .rm movie file with a large length field for the data chunk, which leads to a heap-based buffer overflow.http://www.service.real.com/help/faq/security/040928_player/EN/1130912672realplayer-rm-code-execution(17549)20041001 EEYE: RealPlayer pnen3260.dll Heap OverflowThe sbuf_getmsg function in BNC incorrectly handles backspace characters, which could allow remote attackers to bypass authentication and gain access to arbitrary scripts.GLSA-200410-13113551059612770bnc-backspace-command-execution(17672)Multiple unknown vulnerabilities in the ActiveX and HTML file browsers in Symantec Clientless VPN Gateway 4400 Series 5.0 have unknown attack vectors and unknown impact.ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txtVU#76025612254109038508symantec-clientless-file-browsers(16933)Format string vulnerability in the _msg function in error.c in socat 1.4.0.3 and earlier, when used as an HTTP proxy client and run with the -ly option, allows remote attackers or local users to execute arbitrary code via format string specifiers in a syslog message.http://www.nosystem.com.ar/advisories/advisory-07.txthttp://www.dest-unreach.org/socat/advisory/socat-adv-1.htmlGLSA-200410-261293611505socat-format-string(17822)Buffer overflow in the TFTP client in InetUtils 1.4.2 allows remote malicious DNS servers to execute arbitrary code via a large DNS response that is handled by the gethostbyname function.11527inetutils-tftp-dns-bo(17878)20041026 inetutils tftp client, DNS resolving bofsUnknown vulnerability in Serviceguard A.11.13 through A.11.16.00 and Cluster Object Manager A.01.03 and B.01.04 through B.03.00.01 on HP-UX, Serviceguard A.11.14.04 and A.11.15.04 and Cluster Object Manager B.02.01.02 and B.02.02.02 on HP Linux, allow remote attackers to gain privileges via unknown attack vectors.SSRT35261150712946hp-cluster-serviceguard-gain-privileges(17867)wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences.wget: Server responses &c written to the tty verbatim (escape sequences, control characters, ...)bid 11871wget to create modify and overwrite files20041209 wget: Arbitrary file overwriting/appending/creating and other vulnerabilities1012472USN-145-1RHSA-2005:771wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code.wget: Server responses &c written to the tty verbatim (escape sequences, control characters, ...)bid 11871wget allows terminal parts to be overwritten20041209 wget: Arbitrary file overwriting/appending/creating and other vulnerabilities1012472USN-145-1RHSA-2005:771SUSE-SR:2006:016 20960Opera 7.54 and earlier does not properly limit an applet's access to internal Java packages from Sun, which allows remote attackers to gain sensitive information, such as user names and the installation directory.20041119 Java Vulnerabilities in Opera 7.54http://www.opera.com/linux/changelogs/754u1/GLSA-200502-17Opera 7.54 and earlier allows remote attackers to spoof file types in the download dialog via dots and non-breaking spaces (ASCII character code 160) in the (1) Content-Disposition or (2) Content-Type headers.http://secunia.com/secunia_research/2004-19/advisory/http://www.opera.com/linux/changelogs/754u1/GLSA-200502-171188312981opera-file-type-spoofing(18423)Opera 7.54 and earlier uses kfmclient exec to handle unknown MIME types, which allows remote attackers to execute arbitrary code via a shortcut or launcher that contains an Exec entry.http://www.opera.com/linux/changelogs/754u2/http://www.zone-h.org/advisories/read/id=6503GLSA-200502-17SUSE-SR:2005:0081190113447pera-kfmclient-command-execution(18457)Master of Orion III 1.2.5 and earlier allows remote attackers to cause a denial of service (game exit) via a data packet that contains a large size specifier, which causes a large memory allocation to fail.1155013008master-of-orion-size-dos(17908)20041027 Crashs in Master of Orion III 1.2.5Master of Orion III 1.2.5 and earlier allows remote attackers to cause a denial of service (server crash) via multiple connections with long nicknames, possibly triggering a buffer overflow.20041027 Crashs in Master of Orion III 1.2.5http://packetstormsecurity.nl/0410-advisories/masterOrionIII.txt1155013008master-of-orion-nickname-dos(17884)Buffer overflow in the Screen Fetch option in XDICT 2002 through 2005 allows remote attackers to cause a denial of service ( CPU consumption or application exit) and possibly execute arbitrary code via a long string.20041101 XDICT Buffer OverRun Vulnerability,funny :-)20041101 XDICT Buffer OverRun Vulnerability,funny :-)http://secway.org/Advisory/Ad20041026EN.txtxdict-screen-fetch-bo(17929)The Repair Archive command in WinRAR 3.40 allows remote attackers to cause a denial of service (application crash) via a corrupt ZIP archive.20041102 Medium Risk Vulnerability in WinRARhttp://www.rarlabs.com/rarnew.htm1158113070winrar-repair-archive(17937)Directory traversal vulnerability in Web Forums Server 1.6 and 2.0 Power Pack allows remote attackers to read arbitrary files via a URL containing (1) "..\" (dot dot backslash), (2) "../" (dot dot slash), (3) "/%2E%2E%5C" (encoded dot dot backslash), or (4) "%2E%2E%2F" (encoded dot dot slash).20041102 Multiple Vulnerabilities in Web Forums ServerWeb Forums Server 1.6 and 2.0 Power Pack stores passwords in plaintext in the Username.ini file, which allows local users to gain privileges.20041102 Multiple Vulnerabilities in Web Forums ServerSQL injection vulnerability in the compose message form in HELM 3.1.19 and earlier allows remote attackers to execute arbitrary SQL commands via the messageToUserAccNum parameter.20041102 [Hat-Squad] SQL injection and XSS Vulnerabilities in HELMhttp://www.hat-squad.com/en/000077.html1158613079Cross-site scripting (XSS) vulnerability in the compose message form in HELM 3.1.19 and earlier allows remote attackers to execute arbitrary web script or HTML via the Subject field.20041102 [Hat-Squad] SQL injection and XSS Vulnerabilities in HELMhttp://www.hat-squad.com/en/000077.html1158613079helm-subject-xss(17943)Format string vulnerability in the Lithtech engine, as used in multiple games, allows remote authenticated users to cause a denial of service (application crash) via format string specifiers in (1) a nickname or (2) a message.20041105 In-game format string bug in the Lithtech engine1161013116lithtech-format-string(17972)17317The webmail service in 602 Lan Suite 2004.0.04.0909 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) by sending a POST request with a large Content-Length value, then disconnecting without sending that amount of data.20041106 Resources consumption in 602 Lan Suite 2004.0.04.0909602pro-mail-post-dos(17977)The Telnet proxy in 602 Lan Suite 2004.0.04.0909 and earlier allows remote attackers to cause a denial of service (socket exhaustion) via a Telnet request to an IP address of the proxy's network interface, which causes a loop.20041106 Resources consumption in 602 Lan Suite 2004.0.04.0909602pro-telnet-loopback-dos(17979)Integer overflow in the InitialDirContext in Java Runtime Environment (JRE) 1.4.2, 1.5.0 and possibly other versions allows remote attackers to cause a denial of service (Java exception and failed DNS requests) via a large number of DNS requests, which causes the xid variable to wrap around and become negative.20041108 DOS against Java JNDI/DNS1161913142sun-jre-dns-dos(17990)The displaycontent function in config.php for Just Another Flat file (JAF) CMS 3.0RC allows remote attackers to gain sensitive information via a blank show parameter, which reveals the installation path in an error message, as demonstrated using index.php.20041109 Vulnerabilities in JAF CMShttp://echo.or.id/adv/adv08-y3dips-2004.txtjaf-cms-path-disclosure(18006)Directory traversal vulnerability in index.php in Just Another Flat file (JAF) CMS 3.0RC allows remote attackers to read arbitrary files and possibly execute PHP code via a .. (dot dot) in the show parameter.20041109 Vulnerabilities in JAF CMShttp://echo.or.id/adv/adv08-y3dips-2004.txt1162713104jaf-cms-file-inlcude(17983)Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar allow remote attackers to inject arbitrary web script via (1) view_entry.php, (2) view_d.php, (3) usersel.php, (4) datesel.php, (5) trailer.php, or (6) styles.php, as demonstrated using img srg tags.20041109 Multiple Vulnerabilities in WebCalendar1165113164webcalendar-img-src-xss(18026)CRLF injection vulnerability in login.php in WebCalendar allows remote attackers to inject CRLF sequences via the return_path parameter and perform HTTP Response Splitting attacks to modify expected HTML content from the server.20041109 Multiple Vulnerabilities in WebCalendar1165113164webcalendar-response-splitting(18027)init.php in WebCalendar allows remote attackers to execute arbitrary local PHP scripts via the user_inc parameter.20041109 Multiple Vulnerabilities in WebCalendar1165113164webcalendar-init-file-include(18028)validate.php in WebCalendar allows remote attackers to gain sensitive information via an invalid encoded_login parameter, which reveals the full path in an error message.20041109 Multiple Vulnerabilities in WebCalendar1165113164webcalendar-encodedlogin-path-disclosure(18029)WebCalendar allows remote attackers to gain privileges by modifying critical parameters to (1) view_entry.php or (2) upcoming.php.20041109 Multiple Vulnerabilities in WebCalendar1165113164webcalendar-scripts-gain-access(18030)Hotfoon 4.0 does not notify users before opening links in web browsers, which could allow remote attackers to execute arbitrary code via a certian link sent in a chat window.20041110 Hotfoon Ver 4.0 Highv Risk13173hotfoon-url-command-execution(18038)Cross-site scripting (XSS) vulnerability in Response_default.html in 04WebServer 1.42 allows remote attackers to execute arbitrary web script or HTML via script code in the URL, which is not quoted in the resulting default error page.20041110 04WebServer Three Vulnerabilities20041115 Re: 04WebServer Three Vulnerabilitieshttp://www.security.org.sg/vuln/04webserver142.html116521315904webserver-error-xss(18033)04WebServer 1.42 does not adequately filter data that is written to log files, which could allow remote attackers to inject carriage return characters into the log file and spoof log entries.20041110 04WebServer Three Vulnerabilities20041115 Re: 04WebServer Three Vulnerabilitieshttp://www.security.org.sg/vuln/04webserver142.html116521315904webserver-web-log-spoofing(18034)04WebServer 1.42 allows remote attackers to cause a denial of service (fail to restart properly) via an HTTP request for an MS-DOS device name such as COM2.20041110 04WebServer Three Vulnerabilities20041115 Re: 04WebServer Three Vulnerabilitieshttp://www.security.org.sg/vuln/04webserver142.html116521315904webserver-dos-devices-dos(18036)SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL statements via the fsel parameter, as demonstrated using last.php.20041111 SQL injection in vBulletin forums (last10.php)CRLF injection vulnerability in index.php in phpWebSite 0.9.3-4 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the block_username parameter in the user module.20041111 security hole (http response splitting) in phpwebsitehttp://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=863&ANN_user_op=viewGLSA-200411-351167313172phpwebsite-response-splitting(18046)Zone Labs IMsecure and IMsecure Pro before 1.5 allow remote attackers to bypass Active Link Filtering via an instant message containing a URL with hex encoded file extenstions.20041111 Zone Labs IMsecure Active Link Filter Bypasshttp://download.zonelabs.com/bin/free/securityAlert/16.html1166213169imsecure-active-link-bypass(18042)SQL injection vulnerability in follow.php in Phorum 5.0.12 and earlier allows remote authenticated users to execute arbitrary SQL command via the forum_id parameter.20041111 [waraxe-2004-SA#037 - Sql injection bug in Phorum 5.0.12 and older versions]20041111 [waraxe-2004-SA#037 - Sql injection bug in Phorum 5.0.12 and older versions]1166013174phorum-followphp-sql-injection(18045)SQL injection vulnerability in bug.php in phpBugTracker 0.9.1 allows remote attackers to execute arbitrary SQL commands via (1) the bug_id parameter in a viewvotes operation or (2) the project parameter in an add operation.phpbugtracker-bug-sql-injection(18053)11718phpbugtracker-project-sql-injection(18079)20041112 SQL Injection in phpBT (bug.php - Add)20041112 SQL Injection in phpBT (bug.php)20041112 SQL Injection in phpBT (bug.php) add projectStack-based buffer overflow in IPSwitch IMail 8.13 allows remote authenticated users to execute arbitrary code via a long IMAP DELETE command.20041112 IPSwitch-IMail-8.13 Stack Overflow in the DELETE Command1167513200ipswitch-delete-bo(18058)Eudora 6.2.0.14 does not issue a warning when a user forwards an e-mail message that contains base64 or quoted-printable encoded attachments, which makes it easier for remote attackers to read arbitrary files via spoofed "Converted" headers.20041113 Eudora 6.2 attachment spoof20041113 Eudora 6.2 attachment spoofhttp://packetstormsecurity.nl/0411-exploits/eudora62014.txteudora-base64-attach-spoof-variant(18064)Format string vulnerability in Army Men RTS 1.0 allows remote attackers to cause a denial of service (application crash) via a nickname that contains format strings.20041114 Format string bug in Army Men RTS20041114 Format string bug in Army Men RTS1167913186army-men-rts-format-string(18065)Format string vulnerability in the game console in Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (application crash) via format string specifiers in a message.20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine)1168313207hired-team-format-string(18083)Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (game interruption) via a malformed UDP packet sent to a game port, such as port 29200.1168313207hired-team-udp-dos(18085)20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine)Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (application crash) via the status command.1168313207hired-team-status-dos(18086)20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine)Hired Team: Trial 2.0 and earlier and 2.200 does not limit how game players can kick other players off the server, including the administrator.1320720041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine)Microsoft Internet Explorer 6.0 SP1 does not properly handle certain character strings in the Path attribute, which can cause it to modify cookies in other domains when the attacker's domain name is within the target's domain name or when wildcard DNS is being used, which allows remote attackers to hijack web sessions.http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/79_e.html1168013208ie-path-cookie-overwrite(18073)20041115 [SNS Advisory No.79] A Possibility of Cookie Overwrite in Microsoft Internet ExplorerThe Event Calendar module 2.13 for PHP-Nuke allows remote attackers to gain sensitive information via an HTTP request to (1) config.php, (2) index.php, or (3) submit.php, which reveal the full path in an error message.1169313213event-calendar-path-disclosure(18105)20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke]Cross-site scripting (XSS) vulnerability in the Event Calendar module 2.13 for PHP-Nuke allows remote attackers to execute arbitrary web script via the (1) type, (2) day, (3) month, or (4) year parameters in a Preview operation, or (5) event comments.1169313213event-calendar-comment-xss(18107)event-calendar-xss(18106)20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke]SQL injection vulnerability in the Event Calendar module 2.13 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the (1) eid or (2) cid parameters.1169313213event-calendar-sql-injection(18104)20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke]SQL injection vulnerability in post.php in Invision Power Board (IPB) 2.0.0 through 2.0.2 allows remote attackers to execute arbitrary SQL commands via the qpid parameter.http://forums.invisionpower.com/index.php?showtopic=1549161170313245invisionpowerboard-sql-injection(18164)20041118 [MaxPatrol] SQL-injection in Invision Power Board 2.x20050425 SQL-injections in Invision Power Board v2.0.120050427 Re: SQL-injections in Invision Power Board v2.0.1AppServ 2.5.x and earlier installs a default username and password, which allows remote attackers to gain access.11704appserv-default-account(18163)20041118 AppServ 2.5.x and Prior ExploitBuffer overflow in pop3svr.exe for DMS POP3 1.5.3.27 and earlier allows remote attackers to cause a denial of service (service crash) via a long (1) username or (2) password.http://www.digitalmapping.sk.ca/pop3srv/Update.asp1170513248dms-pop3-username-bo(18161)20041118 Buffer overlow in DMS POP3 Server for Windows 2000/XP 1.5.3 buildZoneAlarm and ZoneAlarm Pro before 5.5.062, with ad-blocking enabled, allows remote web sites to cause a denial of service (application instability or system hang) via certain JavaScript.http://download.zonelabs.com/bin/free/securityAlert/18.html1170613244zonealarm-adblock-dos(18159)20041118 Zone Labs Ad-Blocking InstabilityPHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code.phpbb-admincashphp-file-include(18151)20041118 Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)20041118 Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)SQL injection vulnerability in index.php in the ibProArcade module for Invision Power Board (IPB) 1.x and 2.x allows remote attackers to execute arbitrary SQL commands via the cat parameter.11719101229213260ibproarcade-category-sql-injection(18180)20041120 IpbProArace 2.5.x SQL injection.Cross-site scripting (XSS) vulnerability in popup.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary web script via the img parameter.1172513262phpkit-popup-xss(18204)20041122 PHPKIT SQL Injection, XSSSQL injection vulnerability in include.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.1172513262phpkit-include-sql-injection(18205)20041122 PHPKIT SQL Injection, XSSHalo: Combat Evolved 1.05 and earlier allows remote game servers to cause a denial of service (client crash) via a long value in a game server reply, which triggers a NULL dereference.1172413273halo-long-reply-dos(18196)20041122 Broadcast client crash in Halo 1.05ZyXEL Prestige 623, 650, and 652 HW Routers, and possibly other versions, with HTTP Remote Administration enabled, does not require a password to access rpFWUpload.html, which allows remote attackers to reset the router configuration file.11723101229813278zyxel-configuration-reset(18202)20041121 Router ZyXEL Prestige 650 HW http remote admin.20041124 Re: Router ZyXEL Prestige 650 HW http remote admin.12108SecureCRT 4.0, 4.1, and possibly other versions, allows remote attackers to execute arbitrary commands via a telnet:// URL that uses the /F option to specify a configuration file on a samba share.1173113275securecrt-folder-command-execution(18201)20041123 SecureCRT - Remote Command ExecutionBuffer overflow in Soldier of Fortune II 1.03 Gold and earlier allows remote attackers to cause a denial of service (server or client crash) via a long (1) query or (2) reply.1173513289soldier-fortune-bo(18211)20041123 Broadcast memory corruption in Soldier of Fortune II 1.03Directory traversal vulnerability in viewimg.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the path parameter.20041124 STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability1174413286korweblog-viewimg-directory-traversal(18234)20041124 STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerabilityCross-site scripting (XSS) vulnerability in Search.jsp in JSPWiki 2.1.120-cvs and earlier allows remote attackers to execute arbitrary web script as other users via the query parameter.1174613285jspwiki-query-xss(18236)20041124 STG Security Advisory: [SSA-20041122-11] JSPWiki XSS vulnerabilityUploadFile.php in MoniWiki 1.0.9.2 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.hwp, which allows remote attackers to upload and execute arbitrary code.20041215 STG Security Advisory: [SSA-20041215-15] Vulnerability of uploading files with multiple extensions in MoniWiki1195113478moniwiki-file-upload(18493)20041215 STG Security Advisory: [SSA-20041215-15] Vulnerability of uploading files with multiple extensions in MoniWikiMultiple buffer overflows in MDaemon 6.5.1 allow remote attackers to cause a denial of service (application crash) via a long (1) SAML, SOML, SEND, or MAIL command to the SMTP server or (2) LIST command to the IMAP server.20040922 Remote buffer overflow in MDaemon IMAP and SMTP server20040922 Remote buffer overflow in MDaemon IMAP and SMTP server11238http://www.securitylab.ru/48146.html1022310224mdaemon-imap-list-bo(17476)20040922 Remote buffer overflow in MDaemon IMAP and SMTP serverThe file server in ActivePost Standard 3.1 and earlier allows remote authenticated users to cause a denial of service (application crash) via a long filename, possibly triggering a buffer overflow.1124412642activepost-long-filename-dos(17482)http://aluigi.altervista.org/adv/actp-adv.txt10114061264220040923 Multiple vulnerabilities in ActivePost Standard 3.1Directory traversal vulnerability in the file server in ActivePost Standard 3.1 allows remote authenticated users to upload arbitrary files via a .. (dot dot) in the filename.1124412642activepost-dotdot-directory-traversal(17488)http://aluigi.altervista.org/adv/actp-adv.txt101140620040923 Multiple vulnerabilities in ActivePost Standard 3.1The conference menu in ActivePost Standard 3.1 sends passwords of password-protected rooms in cleartext, which could allow remote attackers to gain sensitive information by sniffing the network connection.1124412642activepost-plaintext-password(17486)http://aluigi.altervista.org/adv/actp-adv.txt101140620040923 Multiple vulnerabilities in ActivePost Standard 3.1Motorola Wireless Router WR850G running firmware 4.03 allows remote attackers to bypass authentication, log on as an administrator, and obtain sensitive information by repeatedly making an HTTP request for ver.asp until an administrator logs on.20040924 Motorola Wireless Router WR850G Authentication Circumvention20040923 Motorola Wireless Router WR850G Authentication Circumvention11241motorola-wr850g-gain-access(17474)Cross-site scripting (XSS) vulnerability in the (1) email or (2) file modules in paFileDB 3.1 Final allows remote attackers to execute arbitrary web script or HTML via the id parameter.20040925 New XSS vulnerabilities in paFileDB 3.1 finalpafiledb-pafiledb-xss(17504)SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp.20040923 aspWebCalendar /aspWebAlbum: SQL injection1124612651aspwebcalendar-sql-injection(17506) 3546 23098 ADV-2007-1093 24622 aspwebcalendar-calendar-sql-injection(33157)SQL injection vulnerability in aspWebAlbum allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the cat parameter to album.asp.20040923 aspWebCalendar /aspWebAlbum: SQL injection11246aspwebalbum-sql-injection(17507)PHP remote file inclusion vulnerability in livre_include.php in @lex Guestbook allows remote attackers to execute arbitrary PHP code by modifying the chem_absolu parameter to reference a URL on a remote web server that contains the code.20040926 @lex Guestbook (PHP) Include filehttp://packetstormsecurity.nl/0410-exploits/alexPHP.txt11260@lex-guestbook-file-include(17516)1011432Multiple SQL injection vulnerabilities in BroadBoard Instant ASP Message Board allow remote attackers to run arbitrary SQL commands via the (1) keywords parameter to search.asp, (2) handle parameter to profile.asp, (3) txtUserHandle parameter to reg2.asp or (4) txtUserEmail parameter to forgot.asp.20040926 SQL injection in BroadBoard Instant ASP Message Board1125012658broadboard-forgotasp-sql-injection(17502)broadboard-profileasp-sql-injection(17500)broadboard-reg2asp-sql-injection(17501)broadboard-searchasp-sql-injection(17498)1011419MyWebServer 1.0.3 allows remote attackers to cause a denial of service (application crash) via a large number of connections within a short time.20040927 MyWebServer 1.0.31125412689mywebserver-mult-connections-dos(17519)1011461MyWebServer 1.0.3 allows remote attackers to bypass authentication, modify configuration, and read arbitrary files via a direct HTTP request to (1) /admin or (2) ServerProperties.html.20040927 MyWebServer 1.0.311254mywebserver-admin-access(17520)1011461Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request.20040927 [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPShttp://www.hat-squad.com/en/000075.html11256ypops-pop3-bo(17515)ypops-smtp-bo(17518)1011426[VIM] 20061020 vendor ACK for old YPOPs! issue103661036712660Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle, popupurl, content, or post_title parameters to bookmarklet.php, (4) cat_ID parameter to categories.php, (5) s parameter to edit.php, or (6) s or mode parameter to edit-comments.php.20040927 Multiple XSS Vulnerabilities in Wordpress 1.21126812683wordpress-multiple-scripts-xss(17532)1011440Microsoft SQL Server 7.0 allows remote attackers to cause a denial of service (mssqlserver service halt) via a long request to TCP port 1433, possibly triggering a buffer overflow.20040928 MSSQL 7.0 DoShttp://packetstormsecurity.nl/0410-exploits/mssql.7.0.dos.c11265101143412680mssql-data-buffer-dos(17542)Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers.ICECast Remote Code Execution1127112666icecast-http-bo(17538)20041002 Re:2. Code execution in Icecast 2.0.1(exploit with shellcode)20040928 Code execution in Icecast 2.0.1 10446 1011439SQL injection vulnerability in redir_url.php in w-Agora 4.1.6a allows remote attackers to execute arbitrary SQL commands via the key parameter.20040930 Multiple vulnerabilities in w-agora forum20040930 Multiple vulnerabilities in w-agora forum1128312695wagora-redirurl-sql-injection(17557)1011463Multiple cross-site scripting (XSS) vulnerabilities in w-Agora 4.1.6a allow remote attackers to execute arbitrary web script or HTML via the (1) thread parameter to download_thread.php, (2) loginuser parameter to login.php, or (3) userid parameter to forgot_password.php.20040930 Multiple vulnerabilities in w-agora forum20040930 Multiple vulnerabilities in w-agora forum1128312695wagora-get-post-xss(17553)1011463CRLF injection vulnerability in subscribe_thread.php in w-Agora 4.1.6a allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the thread parameter.20040930 Multiple vulnerabilities in w-agora forum20040930 Multiple vulnerabilities in w-agora forum1128312695wagora-response-splitting(17558)1011463list.php in w-Agora 4.1.6a allows remote attackers to reveal the full path via a crafted HTTP request, possibly involving a malformed id parameter.20040930 Multiple vulnerabilities in w-agora forum20040930 Multiple vulnerabilities in w-agora forum11283126951011463Cross-site scripting (XSS) vulnerability in index.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers to execute arbitrary web script or HTML via the module parameter.20040930 Multiple Vulnerabilities in Silent Storm Portal1128412704silent-storm-xss(17554)1011470profile.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers to gain privileges by setting the mail parameter to 1, which is the value for an administrator.20040930 Multiple Vulnerabilities in Silent Storm Portal1128412704silent-storm-gain-admin(17555)1011470Directory traversal vulnerability in ParaChat Server 5.5 allows remote attackers to read arbitrary files via a ..%5C (hex-encoded dot dot) in the URL.20040929 directory traversal in ParaChat Server 5.520040930 Re: directory traversal in ParaChat Server 5.51127212678parachat-directory-traversal(17541)20040928 directory traversal in ParaChat Server 5.520040929 Re: directory traversal in ParaChat Server 5.5104361011438Buffer overflow in (1) MusicConverter.exe, (2) playlist.exe, and (3) amp.exe in dBpowerAMP Audio Player 2.0 and dbPowerAmp Music Converter 10.0 allows remote attackers to cause a denial of service or execute arbitrary code via a .pls or .m3u playlist that contains long File1 (filename) fields.20040930 dbPowerAmp Buffer Overflow And Dos Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00052-092720041126612684dbpoweramp-player-filename-bo(17535)dbpoweramp-converter-filename-bo(17539)SQL injection vulnerability in bBlog 0.7.2 and 0.7.3 allows remote attackers to execute arbitrary SQL commands via the p parameter.20041001 SQL Injection vulnerability in bBlog 0.7.3http://www.servers.co.nz/security/SCN200409-1.php1130312691bblog-array-sql-injection(17552)AJ-Fork 167 allows remote attackers to gain sensitive information via a direct request to (1) auto-acronyms.php, (2) auto-archive.php, (3) ount-article-views.php, (4) kses.php, (5) custom-quick-tags.php, (6) disable-all-comments.php, (7) easy-date-format.php, (8) enable-disable-comments.php, (9) filter-by-author.php, (10) format-switcher.php, (11) long-to-short.php, (12) prospective-posting.php, or (13) sort-by-xfield.php, which displays the full path in an error message.20041001 Multiple Vulnerabilities in AJ-Forkhttp://echo.or.id/adv/adv07-y3dips-2004.txtaj-fork-path-disclosure(17568)AJ-Fork 167 does not restrict access to directories such as (1) data, (2) inc, (3) plugins, (4) skins, or (5) tools, which allows remote attackers to list files in those directories via a direct HTTP request.20041001 Multiple Vulnerabilities in AJ-Forkhttp://echo.or.id/adv/adv07-y3dips-2004.txt11301af-fork-directory-disclosure(17569)1011484The documentation for AJ-Fork 167 implies that users should set permissions for users.db.php to 777, which allows local users to execute arbitrary PHP code and gain privileges as the administrator.20041001 Multiple Vulnerabilities in AJ-Forkhttp://echo.or.id/adv/adv07-y3dips-2004.txt11301aj-fork-usersdbphp-write-access(17571)1011484Buffer overflow in Vypress Messenger 3.5.1 and earlier allows remote attackers to execute arbitrary code via a message with a long first field.1131012605vypress-visual-bo(17572)10451101148920041001 Broadcast buffer-overflow in Vypress Messenger 3.5.1The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a denial of service (CPU consumption) via XML attributes in a crafted XML document.20041002 Security advisory - Xerces-C++ 2.5.0: Attribute blowup1131212715xercescplusplus-xml-parser-dos(17575)Format string vulnerability in Judge Dredd: Dredd vs. Death 1.01 and earlier allows remote attackers to cause a denial of service (application crash) via format string specifiers in a chat message.20041002 In-game format string in Judge Dredd vs. Death 1.0112710judge-dredd-death-format-string(17579)index.php in PHP Links allows remote attackers to gain sensitive information via an invalid show parameter, which reveals the full path in an error message.20041003 Full path disclosure in PHP Linksphplinks-path-disclosure(17588)Cross-site scripting (XSS) vulnerability in index.php in Invision Power Board 2.0.0 allows remote attackers to execute arbitrary web script or HTML via the Referer field in the HTTP header.20041005 [MAXPATROL Security Advisories] Cross site scripting in Invision Power Board1133212740invision-referer-header-xss(17604)index.php in CubeCart 2.0.1 allows remote attackers to gain sensitive information via an HTTP request with an invalid cat_id parameter, which reveals the full path in a PHP error message.20041006 Full path disclosure and sql injection on CubeCart 2.0.1cubecart-catid-path-disclosure(17630)SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter.20041006 Full path disclosure and sql injection on CubeCart 2.0.11133712764cubecart-catid-sql-injection(17632)BlackBoard 1.5.1 allows remote attackers to gains sensitive information via a direct request to (1) checkdb.inc.php, (2) admin.inc.php or (3) cp.inc.php, which reveals the path in a PHP error message.20041006 Multiple vulnerabilities in BlackBoardblackboard-directory-traversal(17636)PHP remote file inclusion vulnerability in BlackBoard 1.5.1 allows remote attackers to execute arbitrary PHP code by modifying the libpath parameter (incorrectly called "libpach") to reference a URL on a remote web server that contains _more.php, as demonstrated using checkdb.inc.php.20041006 Multiple vulnerabilities in BlackBoardhttp://blackboard.unclassified.de/70,1#10311133612757blackboard-lang-file-include(17637)Directory traversal vulnerability in the FTP server in TriDComm 1.3 and earlier allows remote attackers read or write arbitrary files via a .. (dot dot) in FTP commands such as (1) DIR, (2) GET, or (3) PUT.20041006 Directory traversal in Tridcomm 1.31134312755tridcomm-dotdot-directory-traversal(17631)CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter.20041006 HTTP Response Splitting Vulnerability in Wordpress 1.2http://wordpress.org/development/2004/10/wp-121/GLSA-200410-121134812773wordpress-response-splitting(17649)Flash Messaging 5.2.0g (rev 1.1.2) and earlier allows remote attackers to cause a denial of service (application crash) via certain wide characters.20041007 Server crash in Flash Messaging 5.2.0g11351101156912759flash-messaging-dos(17647)Flash Messaging clients can ignore disconnecting commands such as "shutdown" from the Flash Messaging Server 5.2.0g (rev 1.1.2), which could allow remote attackers to stay connected.20041007 Server crash in Flash Messaging 5.2.0g101156912759Buffer overflow in Monolith games including (1) Alien versus Predator 2 1.0.9.6 and earlier, (2) Blood 2 2.1 and earlier, (3) No one lives forever 1.004 and earlier and (4) Shogo 2.2 and earlier allows remote attackers to cause a denial of service (application crash) via a long secure Gamespy query.20041007 Limited \secure\ buffer-overflow in some old Monolith games1135412776blood2-long-query-bo(17668)shogo-long-query-bo(17670)106351011603avp2-long-query-bo(17665)nolf-long-query-bo(17669)20041008 Limited \secure\ buffer-overflow in some old Monolith gamesSQL injection vulnerability in GoSmart Message Board allows remote attackers to execute arbitrary SQL code via the (1) QuestionNumber and Category parameters to Forum.asp or (2) Username and Password parameter to Login_Exec.asp.20041011 [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board1136112790gosmart-forum-loginexec-sql-injection(17678)Cross-site scripting (XSS) vulnerability in GoSmart Message Board allows remote attackers to execute inject web script or HTML via the (1) Category parameter to Forum.asp or (2) MainMessageID parameter to ReplyToQuestion.asp.20041011 [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board1136112790gosmart-forum-mainmessageid-xss(17679)Clientexec allows remote attackers to gain sensitive information via an HTTP request to phpinfo.php, which calls the phpinfo function.20041012 Clientexec Billing Software12862clientexec-phpinfo-info-disclosure(17741)The web interface for Micronet Wireless Broadband Router SP916BM running firmware before 1.9 08/04/2004 resets the password to the default password when the router is shut off, which could allow remote attackers to gain access.20041012 Micronet wireless broadband router SP916BM admin password reset when power offmicronet-router-password-reset(17697)PHP remote file inclusion vulnerability in index.php in ocPortal 1.0.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the req_path parameter to reference a URL on a remote web server that contains a malicious funcs.php script.20041012 [hackgen-2004-#002] - Remote file inclusion bug in ocPortal 1.0.3.http://www.hackgen.org/advisories/hackgen-2004-002.txt1136812811ocportal-reqpath-file-include(17699)Cross-site scripting (XSS) vulnerability in render.UserLayoutRootNode.uP in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via the utf parameter.20041013 XXS in SCT email client1139212826sct-campus-userlayoutrootnode-xss(17704)Cross-site scripting (XSS) vulnerability in FuseTalk 4.0 allows remote attackers to execute arbitrary web script via an img src tag.20041013 XXS in fusetalk forum1282312823fusetalk-imgsrc-xss(17701)Buffer overflow in ShixxNote 6.net build 117 allows remote attackers to execute arbitrary code via a long font field.20041013 Buffer-overflow in ShixxNOTE 6.net1140912822shixxnote-font-bo(17705)The 3COM Wireless router 3CRADSL72 running Boot Code 1.3d allows remote attackers to gain sensitive information such as passwords and router settings via a direct HTTP request to app_sta.stm.20041013 3COM Wireless router (3CRADSL72) information disclosure20041015 More details on BID 11408 (3com 3cradsl72 wireless router)20041015 Re: 3COM Wireless router (3CRADSL72) information disclosure114083com-officeconnect-obtain-info(17723)RIM Blackberry 7230 running RIM Blackberry OS 3.7 SP1 allows remote attackers to cause a denial of service (device reboot and possibly data corruption) via a calendar message with a long Location field, which triggers a watchdog while the message is being stored.20041013 [HV-HIGH] RIM Blackberry buffer overflow, DoS, data loss20041014 [HV-MED] UPDATE: RIM Blackberry DoS, data loss20041012 [HV-HIGH] RIM Blackberry buffer overflow, DoS, data losshttp://www.hexview.com/docs/20041012-1.txthttp://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/7925/8142/Known_%20Issues_-_HexView_advisory_on_BlackBerry_buffer_overflow,_DoS,_and_data_loss.html?nodeid=737173&vernum=01138912814blackberry-calendar-bo(17700)Adobe Acrobat and Acrobat Reader 6.0 allow remote attackers to read arbitrary files via a PDF file that contains an embedded Shockwave (swf) file that references files outside of the temporary directory.20041012 Adobe acrobat / Adobe Reader 6 can read local files20041014 Re: Adobe acrobat / Adobe Reader 6 can read local files20041015 Re: Adobe acrobat / Adobe Reader 6 can read local files11386adobe-acrobat-swf-read-files(17694)Cross-site scripting (XSS) vulnerability in index.php in CoolPHP 1.0-stable allows remote attackers to execute arbitrary web script or HTML via the (1) query or (2) nick parameters.20041016 Multiple Vulnerabilities in CoolPHP11437101174812850coolphp-multiple-xss(17742)index.php in CoolPHP 1.0-stable allows remote attackers to gain sensitive information via an invalid op parameter, which reveals the path in an error message.20041016 Multiple Vulnerabilities in CoolPHP101174812850coolphp-path-disclosure(17744)Directory traversal vulnerability in index.php in CoolPHP 1.0-stable allows remote attackers to access arbitrary files and execute local PHP scripts via a .. (dot dot) in the op parameter.20041016 Multiple Vulnerabilities in CoolPHP11437101174812850coolphp-dotdot-directory-traversal(17745)ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response.20041015 ProFTPD 1.2.x remote users enumeration bughttp://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02114301011687proftpd-info-disclosure(17724)cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled.20041018 cPanel hardlink backup issue20041018 cPanel hardlink chown issue114491145512865cpanel-backup-view-file(17779)cpanel-htaccess-modify-ownership(17780)cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled.20041018 cPanel symlink chmod issueSalesLogix 6.1 allows remote attackers to bypass authentication by modifying the slxweb cookie to set user=Admin, teams=ADMIN!, and usertype=Administrator.20041018 Multiple vulnerabilities in Sage Saleslogix1145012883saleslogix-cookie-admin-access(17749)20041018 Multiple vulnerabilities in Sage Saleslogix109421011769slxweb.dll in SalesLogix 6.1 allows remote attackers to cause a denial service (application crash) via an invalid HTTP request, which might also leak sensitive information in the ErrorLogMsg cookie.20041018 Multiple vulnerabilities in Sage Saleslogix1145012883saleslogix-info-disclosure(17750)20041018 Multiple vulnerabilities in Sage Saleslogix109431011769slxweb.dll in SalesLogix 6.1 allows remote attackers to obtain sensitive information via a (1) Library or (2) Attachment request with an invalid file parameter, which reveals the path in an error message.20041018 Multiple vulnerabilities in Sage Saleslogix1145012883saleslogix-filename-path-disclosure(17751)20041018 Multiple vulnerabilities in Sage Saleslogix109441011769SQL injection vulnerability in SalesLogix 6.1 allows remote attackers to execute arbitrary SQL statements via the id parameter in a view operation.20041018 Multiple vulnerabilities in Sage Saleslogix1145012883saleslogix-sql-injection(17752)20041018 Multiple vulnerabilities in Sage Saleslogix109451011769SalesLogix 6.1 includes usernames, passwords, and other sensitive information in the headers of an HTTP response, which could allow remote attackers to gain access.20041018 Multiple vulnerabilities in Sage Saleslogix1145012883saleslogix-obtain-passwords(17753)20041018 Multiple vulnerabilities in Sage Saleslogix109461011769SalesLogix 6.1 uses client-specified pathnames for writing certain files, which might allow remote authenticated users to create arbitrary files and execute code via the (1) vMME.AttachmentPath or (2) vMME.LibraryPath variables.20041018 Multiple vulnerabilities in Sage SaleslogixSalesLogix 6.1 does not verify if a user is authenticated before performing sensitive operations, which could allow remote attackers to (1) execute arbitrary SLX commands on the server or spoof the server via a man-in-the-middle (MITM) attack, or (2) obtain the database password via a GetConnection request to TCP port 1707.20041018 Multiple vulnerabilities in Sage Saleslogix1145012883saleslogix-getconnection-account-disclosure(17754)20041018 Multiple vulnerabilities in Sage Saleslogix10947109481011769Directory traversal vulnerability in SalesLogix 6.1 allows remote attackers to upload arbitrary files via a .. (dot dot) in a ProcessQueueFile request.20041018 Multiple vulnerabilities in Sage Saleslogix1145012883saleslogix-processqueuefile-file-upload(17765)20041018 Multiple vulnerabilities in Sage Saleslogix109491011769Mozilla allows remote attackers to cause a denial of service (application crash from null dereference or infinite loop) via a web page that contains a (1) TEXTAREA, (2) INPUT, (3) FRAMESET or (4) IMG tag followed by a null character and some trailing characters, as demonstrated by mangleme.20041018 Web browsers - a mini-farce20041018 Web browsers - a mini-farcehttp://lcamtuf.coredump.cx/mangleme/gallery/RHSA-2005:323114391011810mozilla-html-tags-dos(17805)Mozilla allows remote attackers to cause a denial of service (application crash from invalid memory access) via an "unusual combination of visual elements," including several large MARQUEE tags with large height parameters, as demonstrated by mangleme.20041018 Web browsers - a mini-farce20041018 Web browsers - a mini-farcehttp://lcamtuf.coredump.cx/mangleme/gallery/http://securitytracker.com/alerts/2004/Oct/1011810.html114401011810Opera allows remote attackers to cause a denial of service (invalid memory reference and application crash) via a web page or HTML email that contains a TBODY tag with a large COL SPAN value, as demonstrated by mangleme.This was fixed in version 7.60.20041018 Web browsers - a mini-farce20041018 Web browsers - a mini-farcehttp://lcamtuf.coredump.cx/mangleme/gallery/11441opera-colspan-tbody-dos(17806)Links allows remote attackers to cause a denial of service (memory consumption) via a web page or HTML email that contains a table with a td element and a large rowspan value,as demonstrated by mangleme.20041018 Web browsers - a mini-farce20041018 Web browsers - a mini-farcehttp://lcamtuf.coredump.cx/mangleme/gallery/http://securitytracker.com/alerts/2004/Oct/1011808.html11442links-large-table-dos(17803)1011808Lynx, lynx-ssl, and lynx-cur before 2.8.6dev.8 allow remote attackers to cause a denial of service (infinite loop) via a web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag with a large COLS value and (2) a large tag name in an element that is not terminated, as demonstrated by mangleme. NOTE: a followup suggests that the relevant trigger for this issue is the large COLS value.20041018 Web browsers - a mini-farce20041018 Web browsers - a mini-farcehttp://lcamtuf.coredump.cx/mangleme/gallery/http://securitytracker.com/alerts/2004/Oct/1011809.html11443lynx-dos(17804)1011809DSA-1077DSA-1076DSA-10852038320060602 Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilitiesVypress Tonecast 1.3 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed mp2 stream.1146212890vypress-tonecast-dos(17775)20041019 Broadcast crash in Vypress Tonecast 1.3Buffer overflow in Privateer's Bounty: Age of Sail II allows remote attackers to execute arbitrary code via a long nickname.20041020 Buffer-overflow in Age of Sail II 1.04.1511147912905age-of-sail-bo(17791)CRLF injection vulnerability in Serendipity before 0.7rc1 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the url parameter in (1) index.php and (2) exit.php, or (3) the HTTP Referer field in comment.php.20041021 HTTP Response Splitting in Serendipity 0.7-beta4http://www.s9y.org/5.html1149712909serendipity-response-splitting(17798)1101311038110391011864** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in IBM Lotus Notes R6 and Domino R6, and possibly earlier versions, allows remote attackers to execute arbitrary web script or HTML via square brackets at the beginning and end of (1) computed for display, (2) computed when composed, or (3) computed text element fields. NOTE: the vendor has disputed this issue, saying that it is not a problem with Notes/Domino itself, but with the applications that do not properly handle this feature.20041018 IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )20041021 Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] )http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833http://securitytracker.com/id?10117791145812891lotus-notes-xss(17758)SQL injection vulnerability in dosearch.php in UBB.threads 3.4.x allows remote attackers to execute arbitrary SQL statements via the Name parameter.20041021 SQL Injection in UBB.threads 3.4.x11502ubbthreads-sql-injection(17821)The WAV file property handler in Windows XP SP1 allows remote attackers to cause a denial of service (infinite loop in Explorer) via a WAV file with an invalid file header whose fmt chunk length is set to 0xFFFFFFFF.20041021 [HV-LOW] Unsafe WAV header handling can cause DoS on Windowshttp://www.hexview.com/docs/20041021-1.txt11503110531011880windowsxp-explorer-wav-dos(17864)Carbon Copy 6.0.5257 does not drop system privileges when opening external programs through the help topic interface, which allows local users to gain privileges via (1) the help topic interface in CCW32.exe, which launches Notepad, or (2) the help button in the Carbon Copy Scheduler (CCSched.exe).20041022 [Fwd: Altiris Carbon Copy Remote Control local SYSTEM exploitation.]1150012962carboncopy-help-gain-privileges(17838)pGina 1.7.6 and possibly older versions, when the Restart or Shutdown options are enabled on the login screen, allows remote attackers to cause a denial of service by connecting via Remote Desktop and clicking restart or shutdown.20041022 Windows DoS in certain pGina configurationshttp://www.lovebug.org/pgina_dos.txtpgina-dos(17836)Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command.20041022 Ability FTP Server 2.34 Buffer Overflow ExploitVU#857846115081103012941abilityftpserver-stor-dos(17823)Buffer overflow in Ability Server 2.25, 2.32, 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long APPE command.[0day] 20041208 Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow - PnK:: DCN3T11508http://securitytracker.com/id?10124641294112347ability-appe-bo(18405)Format string vulnerability in log.c in rssh before 2.2.2 allows remote authenticated users to execute arbitrary code.20041023 rssh: pizzacode security alerthttp://www.pizzashack.org/rssh/GLSA-200410-2812954rssh-format-string(17831)Multiple SQL injection vulnerabilities in Dwc_articles 1.6 and earlier allow remote attackers to execute arbitrary SQL statements.20041023 dwc_articles possible sql injection11509dwc-articles-sql-injection(17830)Cross-site scripting (XSS) vulnerability in the login form in Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to execute arbitrary web script or HTML via the url parameter.20041024 Two Vulnerabilities in OpenWFE Web Client1151412970openwfe-login-form-xss(17853)Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to conduct port scans of remote hosts by specifying the target in an rmi:// Worklist URL, then using the response times to infer the results.20041024 Two Vulnerabilities in OpenWFE Web Client1151412970openwfe-rmi-obtain-information(17852)Cross-site scripting (XSS) vulnerability in wiki.php in MoniWiki 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the arguments to wiki.php.20041025 STG Security Advisory: [SSA-20041022-08] MoniWiki XSS vulnerability1151612975moniwiki-wiki-xss(17835)process_bug.cgi in Bugzilla 2.9 through 2.18rc2 and 2.19 from CVS does not check edit permissions on the keywords field, which allows remote authenticated users to modify the keywords in a bug via the keywordaction parameter.20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2https://bugzilla.mozilla.org/show_bug.cgi?id=252638bugzilla-bug-change(17840)show_bug.cgi in Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, when using the insidergroup feature and exporting a bug to XML, shows comments and attachment summaries which are marked as private, which allows remote attackers to gain sensitive information.20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2https://bugzilla.mozilla.org/show_bug.cgi?id=26378011511bugzilla-xml-information-disclosure(17841)Bugzilla 2.17.1 through 2.18rc2 and 2.19 from cvs, when using the insidergroup feature, does not sufficiently protect private attachments when there are changes to the metadata, such as filename, description, MIME type, or review flags, which allows remote authenticated users to obtain sensitive information when (1) viewing the bug activity log or (2) receiving bug change notification mails.20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2https://bugzilla.mozilla.org/show_bug.cgi?id=250605https://bugzilla.mozilla.org/show_bug.cgi?id=25354411511bugzila-metadata-information-disclosure(17842)Heap-based buffer overflow in the WvTFTPServer::new_connection function in wvtftpserver.cc for WvTftp 0.9 allows remote attackers to execute arbitrary code via a long option string in a TFTP packet.20041026 wvtfpd remote root heap overflow1152512986wvtfpd-wvtftpservercc-bo(17869)The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, which displays a management interface and information on established connections.20041026 Hawking Technologies HAR11A router considered insecure11543har11a-gain-unauth-access(17877)Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command.20041026 MailCarrier 2.51 SMTP server Buffer Overflow [PoC included]1153512999mailcarrier-ehlo-helo-bo(17861)Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913 allows remote attackers to cause a denial of service (application crash or memory consumption) via a large binary file with a .html extension.20041026 Rendering large binary file as HTML makes Mozilla Firefox stop responding20041026 Rendering large binary file as HTML makes Mozilla Firefox stop responding or crashmozilla-html-dos(17839)Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 0.94 and 1.0 allow remote attackers to execute arbitrary web script and HTML via the (1) terme parameter to search.php or (2) letter parameter to letter.php.20040828 Cross Site Scripting in XOOPS Version 2.x Dictionary module1106412424xoops-dictionsary-letter-xss(17154)93939394xoops-dictionary-search-xss(17152)Heap-based buffer overflow in Titan FTP 3.21 and earlier allows remote attackers to cause a denial of service (crash) via a long FTP command such as (1) CWD, (2) STAT, or (3) LIST.20040829 [vulnwatch] Titan FTP Server Long Command Heap Overflow Vulnerability1106912419titan-long-command-bo(17172)WFTPD Pro Server 3.21 allows remote authenticated users to cause a denial of service (crash) via a series of long MLIST commands.20040829 [vulnwatch] WFTPD Pro Server 3.21 MLST Command Denial of Service Vulnerability1106712420wftpd-mlst-command-dos(17169)WS_FTP 5.0.2 allows remote authenticated users to cause a denial of service (CPU consumption) via a CD command that contains an invalid path with a "../" sequence.20040829 [vulnwatch] WS_FTP Server Denial of Service Vulnerability1106512406wsftp-file-parsing-dos(17155)Xedus 1.0 allows remote attackers to cause a denial of service (refuse connections) by connecting multiple times from the same IP address.20040830 Multiple Vulnerabilities In Xedus Webserverhttp://www.gulftech.org/?node=research&article_id=00047-083020041107112418xedus-mult-connection-dos(17165)Cross-site scripting (XSS) vulnerability in Xedus 1.0 allows remote attackers to execute arbitrary web script or HTML via the (1) username parameter to test.x, (2) username parameter to TestServer.x, or (3) param parameter to testgetrequest.x.20040830 Multiple Vulnerabilities In Xedus Webserverhttp://www.gulftech.org/?node=research&article_id=00047-083020041107112418xedus-test-xss(17166)Directory traversal vulnerability in Xedus 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.20040830 Multiple Vulnerabilities In Xedus Webserverhttp://www.gulftech.org/?node=research&article_id=00047-083020041107112418xedus-dotdot-directory-traversal(17167)SQL injection vulnerability in Password Protect allows remote attackers to execute arbitrary SQL statements and bypass authentication via (1) admin or Pass parameter to index_next.asp, (2) LoginId, OPass, or NPass to CPassChangePassword.asp, (3) users_edit.asp, or (4) users_add.asp.20040830 Password Protect XSS and SQL-Injection vulnerabilities.http://www.criolabs.net/advisories/passprotect.txt1107312407password-protect-sql-injection(17188)Cross-site scripting (XSS) vulnerability in (1) index.asp, (2) ChangePassword.asp, (3) users_list.asp, (4) and users_add.asp in Password Protect allows remote attackers to inject arbitrary web script or HTML via the ShowMsg parameter.20040830 Password Protect XSS and SQL-Injection vulnerabilities.http://www.criolabs.net/advisories/passprotect.txt1107312407password-protect-showmsg-xss(17187)Buffer overflow in Microsoft Msinfo32.exe might allow local users to execute arbitrary code via a long filename in the msinfo_file command line parameter. NOTE: this issue might not cross security boundaries, so it may be REJECTED in the future.20040831 MSInfo Buffer Overflow20040830 MSInfo Buffer Overflow20040830 MSInfo Buffer Overflowmsinfo-msinfofile-bo(17153)D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet.20040831 D-Link DCS-900 IP camera remote exploit that change the IPhttp://www.securitytracker.com/alerts/2004/Aug/1011100.html1107212425dlink-dcs900-ip-modification(17171)1011100Multiple cross-site scripting (XSS) vulnerabilities in the registration page in phpScheduleIt 1.0.0 RC1 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Lastname fields during new user registration, or (3) the Schedule Name field.20040831 Multiple Vulnerabilities in phpScheduleIt11080phpscheduleit-xss(17193)20040917 Re: Multiple Vulnerabilities in phpScheduleIt9451phpscheduleit-script-injection(17194)phpScheduleIt 1.0.0 RC1 does not clear administrative privileges if the administrator logs in as a normal user, which allows users with physical access to gain administrative privileges.20040831 Multiple Vulnerabilities in phpScheduleItphpscheduleit-gain-privileges(17195)The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS.20040831 SSHD / AnonCVS Nastynesshttp://www.securitytracker.com/alerts/2004/Sep/1011143.htmlopenssh-port-bounce(17213)20040831 SSHD / AnonCVS Nastyness1011143 9562SQL injection vulnerability in the calendar module in phpWebsite 0.9.3-4 and earlier allows remote attackers to execute arbitrary SQL commands via cal_template.20040901 Multiple Vulnerabilities In phpWebsitehttp://www.gulftech.org/?node=research&article_id=00048-08312004http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=8221108812438phpwebsite-calendar-module-sql-injection(17199)Cross-site scripting (XSS) vulnerability in phpWebsite 0.9.3-4 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) CM_pid parameter in the comments module or (2) the subject or message fields in the notes module.20040901 Multiple Vulnerabilities In phpWebsitehttp://www.gulftech.org/?node=research&article_id=00048-08312004http://www.securitytracker.com/alerts/2004/Aug/1011120.htmlhttp://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=8221108812438phpwebsite-comments-module-xss(17202)1011120phpwebsite-notes-script-injection(17203)CRLF injection vulnerability in Comersus Shopping Cart 5.0991 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the redirecturl parameter.20040901 ADVISORY: http response splitting hole in Comersus shopping cart11083comersus-cart-response-splitting(17201)Cross-site scripting (XSS) vulnerability in the Activity and Events Viewer for Newtelligence DasBlog allows remote attackers to inject arbitrary web script or HTML via the (1) User Agent or (2) Referrer HTTP headers.20040901 Cross-Site Scripting Vulnerability in Newtelligence DasBloghttp://staff.newtelligence.net/clemensv/PermaLink.aspx?guid=69bce168-cb09-4f09-8d53-f0b97f11b1981108612416dasblog-useragent-referer-xss(17174)Kerio Personal Firewall 4.0 (KPF4) allows local users with administrative privileges to bypass the Application Security feature and execute arbitrary processes by directly writing to \device\physicalmemory to restore the running kernel's SDT ServiceTable.20040902 Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restorationhttp://www.security.org.sg/vuln/kerio4016.html1246811096kerio-pf-protection-dos(17270)Cross-site scripting (XSS) vulnerability in index.php in CuteNews 1.3.6 and earlier allows remote attackers with Administrator, Editor, Journalist or Commenter privileges to inject arbitrary web script or HTML via the mod parameter.20040902 [hackgen-2004-#001] - Non-critacal Cross-Site Scripting bug in CuteNews1109712432cutenews-mod-xss(17214)PHP remote file inclusion vulnerability in CuteNews 1.3.6 and earlier allows remote attackers to execute arbitrary PHP code via the cutepath parameter to (1) show_archives.php or (2) show_news.php.20040830 RE: CuteNews News.txt writable to worldhttp://www.7a69ezine.org/node/view/13012432cutenews-file-include(17288)MailWorks Professional allows remote attackers to bypass authentication and gain privileges via a cookie that contains "auth=1" and "uId=1."20040902 MailWorks Professional - Authentication bypass1109512458mailworks-cookie-admin-access(17217)YaBB SE 1.5.1 allows remote attackers to obtain sensitive information via a direct HTTP request to Admin.php, which reveals the full path in a PHP error message.20040904 FUll Path Disclosure in YABBSEhttp://echo.or.id/adv/adv05-y3dips-2004.txtyabb-admin-path-disclosure(17267)Engenio/LSI Logic storage controllers, as used in products such as Storagetek D280, and IBM DS4100 (formerly FastT 100) and Brocade SilkWorm Switches, allow remote attackers to cause a denial of service (freeze and possible data corruption) via crafted TCP packets.20040904 Engenio/LSI Logic controllers denial of service/data corruption1110812464engenio-controller-tcp-dos(17290)Call of Duty 1.4 and earlier allows remote attackers to cause a denial of service (game end) via a large (1) query or (2) reply packet, which is not properly handled by the buffer overflow protection mechanism. NOTE: this issue might overlap CVE-2005-0430.20040905 Broadcast shutdown in Call of Duty 1.411119callofduty-dos(17286)Cross-site scripting (XSS) vulnerability in index.php in PsNews 1.1 allows remote attackers to inject arbitrary web script or HTML via the no parameter.20040905 Bug XSS in PsNews 1.1http://www.securitytracker.com/alerts/2004/Sep/1011191.html11124psnews-xss(17302)1011191Buffer overflow in the MSN module in Trillian 0.74i allows remote MSN servers to execute arbitrary code via a long string that ends in a newline character.20040908 Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploithttp://unsecure.altervista.org/security/trillian.htm1114212487trillian-msn-bo(17292)Off-by-one error in Halo Combat Evolved 1.04 and earlier allows remote attackers to cause a denial of service (server crash) via a long client response.1114712504halo-response-offbyone-bo(17310)20040909 Off-by-one bug in Halo 1.04Multiple SQL injection vulnerabilities in index.php in Subjects 2.0 Postnuke module allow remote attackers to execute arbitrary SQL commands via the (1) pageid, (2) subid, or (3) catid parameters.20040910 SQL-Injection in Subjects 2.0 for Postnuke1114812497subjects-indexphp-sql-injection(17311)Cross-site scripting (XSS) vulnerability in MERAK Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to execute arbitrary web script or HTML via the (1) User name parameter to accountsettings.html or (2) Search string parameter to search.html.20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.71137112789merak-icewarp-xss(17313)Multiple directory traversal vulnerabilities Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7, and possibly other versions, allow remote attackers to (1) create arbitrary directories via a .. (dot dot) in the user parameter to viewaction.html or (2) rename arbitrary files via a ....// (doubled dot dot) in the folderold or folder parameters to folders.html.20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.71137112789merak-icewarp-create-directory(17314)Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to gain sensitive information via a direct request to (1) accountsettings_add.html or (2) topmenu.html.20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.71137112789merak-icewarp-path-disclosure(17315)attachment.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to view other users' attachments by specifying the username and message ID in an HTTP request.20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.71137112789merak-icewarp-view-attachment(17316)accountsettings_add.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allow remote attackers to create text files with arbitrary content via the accountid parameter.20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.71137112789merak-icewarp-create-file(17317)viewaction.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to (1) delete arbitrary files via the originalfolder parameter or (2) move arbitrary files via the messageid parameter.20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.71137112789merak-icewarp-file-deletion(17976)Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX.20040911 Serv-U up to 5.2 Denial of Service1115512507servu-stou-dos(17329)Heap-based buffer overflow in the image sending feature in Gadu-Gadu 6.0 build 149 allows remote attackers to execute arbitrary code via a crafted GG_MSG_IMAGE_REPLY message.20040912 Gadu-Gadu (all versions with image-send feature) Heap Overflow1115812510gadu-gadu-image-bo(17324)pdesk.cgi in PerlDesk allows remote attackers to gain sensitive information via an invalid lang parameter, which includes pathname information in an error message.20040912 Posible Inclusion File in Perl Desk12512perldesk-lang-file-include(17343)Directory traversal vulnerability in pdesk.cgi in PerlDesk allows remote attackers to read portions of arbitrary files and possibly execute arbitrary Perl modules via ".." sequences terminated by a %00 (null) character in the lang parameter, which can leak portions of the requested files if a compilation error message occurs.20040912 Posible Inclusion File in Perl Desk1116012512perldesk-directory-traversal(19712)Directory traversal vulnerability in TwinFTP 1.0.3 R2 allows remote attackers create arbitrary files via a .../ (triple dot) in the (1) CWD, (2) STOR, or (3) RETR commands.20040913 Directory Traversal Vulnerability in TwinFTP Server allows overwriting of files outside FTP directoryhttp://www.security.org.sg/vuln/twinftp103r2.html1115912511twinftp-argument-directory-traversal(17323)application.cgi in the Pingtel Xpressa handset running firmware 2.1.11.24 allows remote authenticated users to cause a denial of service (VxWorks OS crash) via a long HTTP GET request, possibly triggering a buffer overflow.A091304-21116112523xpressa-applicationcgi-dos(17346)Multiple buffer overflows in (1) phrelay-cfg, (2) phlocale, (3) pkg-installer, or (4) input-cfg in QNX Photon microGUI for QNX RTP 6.1 allow local users to gain privileges via a long -s (server) command line parameter.20040913 [RLSA_02-2004] QNX Photon multiple buffer overflowshttp://www.rfdslabs.com.br/qnx-advs-03-2004.txt11164qnx-rtp-photon-bo(17339)Format string vulnerability in QNX 6.1 FTP client allows remote authenticated users to gain group bin privileges via format string specifiers in the QUOTE command.20040913 [RLSA_03-2004] QNX ftp client format string bughttp://www.rfdslabs.com.br/qnx-advs-04-2004.txt12533qnx-ftp-quote-format-string(17347)A race condition in crrtrap for QNX RTP 6.1 allows local users to gain privileges by modifying the PATH environment variable to reference a malicious io-graphics program before is executed by crrtrap.20040913 [RLSA_04-2004] QNX crrtrap possible race condition vulnerability11165qnx-rtp-crttrap-race-condition(17345)Zyxel P681 running ZyNOS Vt020225a contains portions of memory in an ARP request, which allows remote attackers to obtain sensitive information by sniffing the network.20040913 Zyxel Prestige 681 SDSL router information leak11167prestige-information-disclosure(17372)9962SMC routers SMC7004VWBR running firmware 1.00.014 and SMC7008ABR EU running firmware 1.42.003 allow remote attackers to bypass authentication by connecting to it from the same IP address as the administrator who is logged in, then accessing the setup_status.htm or status.HTM pages.20040915 SMC7004VWBR / SMC7008ABR 1119712601smc-router-security-bypass(17443)10088Internet Explorer 6.0 in Windows XP SP2 allows remote attackers to bypass the Information Bar prompt for ActiveX and Javascript via an XHTML page that contains an Internet Explorer formatted comment between the DOCTYPE tag and the HTML tag, as demonstrated using the DesignScience MathPlayer ActiveX plugin.20040915 IE6 + XP SP2 Vulnerability11200ie-information-bar-bypass(20617)CRLF injection vulnerability in down.asp for Snitz Forums 2000 3.4.04 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the location parameter.20040916 ADVISORY: security hole (http response splitting) in snitz forumshttp://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=547911120112590snitz-response-splitting(17421)Pigeon Server 3.02.0143 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a long login name sent to port 3103.20040916 Freeze in Pigeon Server 3.02.014320040916 Freeze in Pigeon Server 3.02.01431120312585pigeon-server-dos(17427)sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with root privileges, which allows local users to read arbitrary files via a symlink attack on the temporary file before quitting sudoedit.20040916 [sudo-announce] Sudo version 1.6.8p1 now available (fwd)http://packetstormsecurity.nl/0409-exploits/sudoedit.txthttp://www.sudo.ws/sudo/alerts/sudoedit.htmlVU#424358O-2191120410023 12596sudo-sudoedit-view-files(17424)Cross-site scripting (XSS) vulnerability in the Web Server in DNS4Me 3.0.0.4 allows remote attackers to execute arbitrary web script or HTML via the URL.20040918 RhinoSoft DNS4ME HTTP Server Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00049-09162004http://securitytracker.com/id?10113341121312595dns4me-xss(17425)The Web Server in DNS4Me 3.0.0.4 allows remote attackers to cause a denial of service (CPU consumption and crash) via a large amount of data.20040918 RhinoSoft DNS4ME HTTP Server Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00049-09162004http://securitytracker.com/id?10113341121312595dns4me-dos(17426)Cross-site scripting (XSS) vulnerability in index.php in Mambo 4.5 (1.0.9) allows remote attackers to inject arbitrary web script or HTML via the (1) Itemid, (2) mosmsg, or (3) limit parameters.20040918 Vulnerabilities in TUTOShttp://mamboforge.net/frs/shownotes.php?release_id=16721122010179mambo-multiple-xss(20616)PHP remote file inclusion vulnerability in Function.php in Mambo 4.5 (1.0.9) allows remote attackers to execute arbitrary PHP code by modifying the mosConfig_absolute_path parameter to reference a URL on a remote web server that contains the code.20040918 Vulnerabilities in TUTOShttp://www.securitytracker.com/alerts/2004/Sep/1011365.html1122010180mambo-cachelibrary-execute-code(17449)1011365Symantec ON Command CCM 5.4.x and iCommand 3.0.x has four default usernames and passwords, one of which is hardcoded, which allows remote attackers to gain unauthorized access.20040920 Default username/password pairs in ON Command CCM 5.x databasehttp://www.sarc.com/avcenter/security/Content/2004.09.29.html1122512604oncommand-multiple-default-accounts(17447)EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to bypass authentication for the remote administration feature via a URL that contains an extra leading / (slash).20040921 Multiple Vulnerabilities In EmuLive Server4http://www.gulftech.org/?node=research&article_id=00051-092020041122612616emuliveserver4-url-gain-access(17450)EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to cause a denial of service (application crash) via a sequence of carriage returns sent to TCP port 66.20040921 Multiple Vulnerabilities In EmuLive Server4http://www.gulftech.org/?node=research&article_id=00051-092020041122612616emulive-tcp-port-dos(17451)The "Forgot your Password" link in Computer Associates (CA) Unicenter Management Portal 2.0 and 3.1 displays different error messages for users that exist and users that do not exist, which could allow remote attackers to guess valid usernames.20040921 CA UniCenter Management Portal Username Enumeration Vulnerability1122912620unicenter-management-username-bruteforce(17464)The Base64 function in PopMessenger 1.60 (before 20 Sep 2004) and earlier allows remote attackers to cause a denial of service (application crash) via invalid characters in a message, which causes several alert dialogs to be displayed and leads to a crash.20040921 Broadcast crash in Popmessenger 1.60 (before 20 Sep 2004)1123012612popmessenger-base64-dos(17465)SettingsBase.php in Pinnacle ShowCenter 1.51 allows remote attackers to cause a denial of service (web interface errors) via an invalid Skin parameter.20040922 Pinnacle ShowCenter 1.51 possible DoS20040921 Pinnacle ShowCenter Skin Denial of Service11232pinnacle-showcenter-dos(17463)Cross-site scripting (XSS) vulnerability in SettingsBase.php in Pinnacle ShowCenter 1.51 build 121 allows remote attackers to inject arbitrary HTML or web script via the Skin parameter, which is echoed in an error message.12613pinnacle-showcenter-xss(17708)11415Heap-based buffer overflow in the AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 allows remote attackers to execute arbitrary code via a long SAUTH command during RSA authentication.20040809 CORE-2004-0714: Cfengine RSA Authentication Heap Corruptionhttp://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=1020050219 cfengine rsa heap remote exploit: part of PTjob projectGLSA-200408-081089912251cfengine-cfservd-command-execution(16935)The AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 does not properly check the return value of the ReceiveTransaction function, which leads to a failed malloc call and triggers to a null dereference, which allows remote attackers to cause a denial of service (crash).20040809 CORE-2004-0714: Cfengine RSA Authentication Heap Corruptionhttp://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10GLSA-200408-081090012251cfengine-cfservd-dos(16937)Fusion News 3.6.1 allows remote attackers to add user accounts, if the administrator is logged in, via a comment that contains an img bbcode tag that calls index.php with the signup action, which is executed when the administrator's browser loads the page with the img tag.20040729 Fusion News Yet Another Unauthorized Account Addition Vulnerability108361010829fusion-news-add-account(16853)WpQuiz 2.60b1 through 2.60b8 allows remote attackers to gain privileges via a direct request to adminrestore.php in the extras directory.20040730 WpQuiz Gain Admin Rightd Exploit foundwpquiz-extra-gain-access(16848)8321Buffer overflow in Citadel/UX 6.23 and earlier allows remote attackers to cause a denial of service via a long username.20040731 Citadel/UX Remote DoS Vulnerability20040731 Re: Citadel/UX Remote DoS Vulnerabilityhttp://www.nosystem.com.ar/advisories/advisory-04.txthttp://securitytracker.com/id?10108091083312197citadel-user-dos(16840)The U.S. Robotics USR808054 wireless access point allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via an HTTP GET request with a long version string.20040802 7a69Adv#13 - USRobotics AP Wireless Denial of Service1084012207usrobotics-wireless-get-bo(16860)The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracle IAS 9.0.2.0.1, on Unix systems, use a default path to find and execute library files while operating at raised privileges, which allows certain Oracle user accounts to gain root privileges via a modified libclntsh.so.9.0.20040802 OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform)1082912205oracle-libraries-gain-privileges(16839)Webbsyte Chat 0.9.0 allows remote attackers to cause a denial of service (crash) via a large number of connections.20040803 DoS in Webbsyte Chat 0.9.010842webbsyte-chat-dos(16852)Datakey Rainbow iKey2032 USB token, when using the CIP client package, does not encrypt communications between the token and the driver, which could allow local users to obtain the PINs of other users.20040804 Clear text password exposure in Datakey's tokens and smartcardsdatakey-plaintext-pin(16887)page.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the url parameter.8936pagecgi-url-command-execution(19713)20040806 Remote Command ExecutionCross-site scripting (XSS) vulnerability in post.php in Moodle before 1.3 allows remote attackers to inject arbitrary web script or HTML via the reply parameter.20040806 xss in moodle (post.php)1088412262moodle-post-xss(16924)Cross-site scripting (XSS) vulnerability in TypePad allows remote attackers inject arbitrary Javascript via the name parameter.20040806 Type xxstypepad-name-xss(19664)Unknown vulnerability in HP Process Resource Manager (PRM) C.02.01[.01] and earlier, as used by HP-UX Workload Manager (WLM), allows local users to corrupt data files.SSRT47851090712245hp-prm-wlm-file-corruption(16928)BlackICE PC Protection and Server Protection installs (1) firewall.ini, (2) blackice.ini, (3) sigs.ini and (4) protect.ini with Everyone Full Control permissions, which allows local users to cause a denial of service (crash) or modify configuration, as demonstrated by modifying firewall.ini to contain a large firewall rule.20040811 BlackICE unprivileged local user attack20040811 ISS BlackIce Server Protect Unprivileged User Attack10915blackice-firewall-dos(16959)Directory traversal vulnerability in MIMEsweeper for Web before 5.0.4 allows remote attackers or local users to read arbitrary files via "..\\", "..\", and similar dot dot sequences in the URL.This was fixed in MIMEsweeper for Web v5.0.4.20040811 Clearswift Mimesweeper Path Traversal Vulnerability20040811 Re: Clearswift Mimesweeper Path Traversal Vulnerabilityhttp://packetstormsecurity.nl/0408-exploits/clearswift.txt1091812273mimesweeper-directory-traversal(16960)Cross-site scripting (XSS) vulnerability in PForum before 1.26 allows remote attackers to inject arbitrary web script or HTML via the (1) IRC Server or (2) AIM ID fields in the user profile.20040814 pscript.de PFORUM XSS VulnerabilityVU#67454210954898512317pforum-irc-aim-xss(17003)Multiple buffer overflows in the psscan function in ps.c for gv (ghostview) allow remote attackers to execute arbitrary code via a Postscript file with a long (1) BoundingBox, (2) comment, (3) Orientation, (4) PageOrder, or (5) Pages value.20040816 gv buffer overflows: here, there, and everywhere10944gv-psscan-header-bo(17019)The ZwOpenSection function in Integrity Protection Driver (IPD) 1.4 and earlier allows local users to cause a denial of service (crash) via an invalid pointer in the "oa" argument.20040817 [NGSEC-2004-6] IPD, local system denial of service.http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt1096512169ipd-oa-pointer-dos(17010)Multiple cross-site scripting (XSS) vulnerabilities in Merak Webmail Server 5.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) category, (2) cserver, (3) ext, (4) global, (5) showgroups, (6) or showlite parameters to address.html, or the (7) spage or (8) autoresponder parameters to settings.html, the (9) folder parameter to readmail.html, or the (10) attachmentpage_text_error parameter to attachment.html, (11) folder, (12) ct, or (13) cv parameters to calendar.html, (14) an <img> tag, or (15) the subject of an e-mail message.20040817 Vulnerabilities in Merak Webmail Serverhttp://packetstormsecurity.nl/0408-exploits/merak527.txthttp://www.securitytracker.com/alerts/2004/Aug/1010969.html1096690379038903990409041904212269merak-xss(17024)1010969The (1) address.html and possibly (2) calendar.html pages in Merak Mail Server 5.2.7 allow remote attackers to gain sensitive information via an invalid HTTP request, which reveals the installation path. NOTE: it is unclear whether the calendar.html is an exposure, since the path is leaked in web logs that may only be available to the administrators, who would have access to the path through legitimate means.20040817 Vulnerabilities in Merak Webmail Serverhttp://packetstormsecurity.nl/0408-exploits/merak527.txthttp://www.securitytracker.com/alerts/2004/Aug/1010969.html10966904312269merak-address-calendar-path-disclosure(17027)1010969The (1) function.php or (2) function.view.php scripts in Merak Mail Server 5.2.7 allow remote attackers to read arbitrary PHP files via a direct HTTP request to port 32000.20040817 Vulnerabilities in Merak Webmail Serverhttp://packetstormsecurity.nl/0408-exploits/merak527.txthttp://www.securitytracker.com/alerts/2004/Aug/1010969.html10966904512269merak-view-php-files(17029)1010969SQL injection vulnerability in calendar.html in Merak Mail Server 5.2.7 allows remote attackers to execute arbitrary SQL statements via the schedule parameter.20040817 Vulnerabilities in Merak Webmail Serverhttp://packetstormsecurity.nl/0408-exploits/merak527.txthttp://www.securitytracker.com/alerts/2004/Aug/1010969.html10966904412269merak-calendarhtml-sql-injection(17022)1010969The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion 4.00 allow remote attackers to obtain sensitive information via a direct HTTP request, which reveals the installation path in an error message.20040818 Multiple vulnerabilities in PHP-FUSIONphpfusion-path-disclosure(17036)The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password.20040818 Multiple vulnerabilities in PHP-FUSION1097412336phpfusion-database-file-access(17037)Stack-based buffer overflow in xvbmp.c in XV allows remote attackers to execute arbitrary code via a crafted image file.20040820 XV multiple buffer overflows, exploit included10985xv-image-bo(17053)Multiple integer overflows in (1) xviris.c, (2) xvpcx.c, and (3) xvpm.c in XV allow remote attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow.20040820 XV multiple buffer overflows, exploit included10985xv-image-bo(17053)BadBlue 2.5 allows remote attackers to cause a denial of service (refuse HTTP connections) via a large number of connections from the same IP address.20040820 BadBlue Webserver v2.5 Denial Of Service Vulnerabilityhttp://www.gulftech.org/?node=research&article_id=00043-082020041098312346badblue-mult-connection-dos(17064)Buffer overflow in British National Corpus SARA (sarad) allows remote attackers to execute arbitrary code by calling the client with a long string.20040820 Buffer overflow in sarad1098412348sara-server-bo(17060)Cross-site scripting (XSS) vulnerability in Nihuo Web Log Analyzer 1.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header.20040820 Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer1098812347nihuo-http-get-xss(17055)Cross-site scripting (XSS) vulnerability in Mantis bugtracker allows remote attackers to inject arbitrary web script or HTML via (1) the return parameter to login_page.php, (2) e-mail field in signup.php, (3) action parameter to login_select_proj_page.php, or (4) hide_status parameter to view_all_set.php.20040820 Multiple Vulnerabilities in Mantis Bugtrackermantis-loginpage-xss(17066)mantis-loginselectprojpage-xss(17070)mantis-signup-xss(17069)mantis-viewallset-xss(17072)1099412338signup_page.php in Mantis bugtracker allows remote attackers to send e-mail bombs by creating multiple users and providing the same e-mail address.20040820 Multiple Vulnerabilities in Mantis Bugtracker10995mantis-improper-account-validation(17093)SQL injection vulnerability in out.ViewFolder.php in MyDMS before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the folderid parameter.This was fixed in version 1.4.2.20040820 Multiple vulnerabilities in MyDMS1099612340mydms-folderld-sql-injection(17054)Directory traversal vulnerability in MyDMS 1.4.2 and other versions allows remote registered users to read arbitrary files via .. (dot dot) sequences in the URL.20040820 Multiple vulnerabilities in MyDMS1099612340mydms-dotdot-file-download(17058)PHP remote file inclusion vulnerability in Mantis 0.19.0a allows remote attackers to execute arbitrary PHP code by modifying the (1) t_core_path parameter to bug_api.php or (2) t_core_dir parameter to relationship_api.php to reference a URL on a remote web server that contains the code.20040820 Mantis Bugtracker Remote PHP Code Execution Vulnerability10993mantis-php-file-include(17065)Cross-site scripting (XSS) vulnerability in the create list option in Sympa 4.1.x and earlier allows remote authenticated users to inject arbitrary web script or HTML via the description field.20040820 Cross Site Scripting Vulnerability in Sympa1099212339sympa-description-xss(17057)Cacti 0.8.5a allows remote attackers to gain sensitive information via an HTTP request to (1) auth.php, (2) auth_login.php, (3) auth_changepassword.php, and possibly other php files, which reveal the installation path in a PHP error message.20040816 SQL Injection in CACTI20040816 SQL Injection in CACTI12308cacti-error-path-disclosure(17014)SQL injection vulnerability in auth_login.php in Cacti 0.8.5a allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username or (2) password parameters.20040816 SQL Injection in CACTI20040816 SQL Injection in CACTIGLSA-200408-211096012308cacti-authlogin-sql-injection(17011)Cross-site scripting (XSS) vulnerability in page.php in JShop allows remote attackers to inject arbitrary web script or HTML via the xPage parameter.20040823 JShop Input Validation Hole in page.php Permits Cross-Sitehttp://indohack.sourceforge.net/drponidi/jshop-vuln.txthttp://securitytracker.com/id?101102012345jshop-page-xpage-xss(17075)Bird Chat 1.61 allows remote attackers to cause a denial of service (crash) via invalid users.This has been fixed in version 1.61 Security Release.20040823 DoS in Bird Chat 1.61http://www.autistici.org/fdonato/advisory/BirdChat1.61-adv.txt1101012365bird-chat-dos(17080)Music daemon (musicd) 0.0.3 and earlier allows remote attackers to read arbitrary files by calling LOAD with a full pathname, then calling SHOWLIST.20040823 MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploithttp://musicdaemon.sourceforge.net/11006musicd-commands-view-files(17067)Music daemon (musicd) 0.0.3 and earlier allows remote attackers to cause a denial of service (crash) by calling LOAD with a binary file as an argument, then calling SHOWLIST.20040823 MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploithttp://www.securitytracker.com/alerts/2004/Aug/1011025.htmlhttp://musicdaemon.sourceforge.net/11006musicd-load-showlist-dos(17068)1011025Directory traversal vulnerability in WebAPP 0.9.9 allows remote attackers to view arbitrary files via a .. (dot dot) in the viewcat parameter.20040824 WebAPP directory traversal and ability to retrieve the DES encrypted password hashhttp://cornerstone.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=updates&id=11102812373webapp-dotdot-directory-traversal(17100)Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to view arbitrary files via an HTTP request for the disk_c virtual folder.20040824 Easy File Sharing Webserver v1.25 Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00045-08242004http://securitytracker.com/id?10110451103412372easyfilesharing-obtain-info(17109)Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to cause a denial of service (CPU consumption or crash) via many large HTTP requests.20040824 Easy File Sharing Webserver v1.25 Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00045-082420041103612372easyfilesharing-http-request-dos(17110)91751011045Buffer overflow in Painkiller 1.3.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password.20040824 Limited buffer overflow in Painkiller 1.311102912367painkiller-long-password-bo(17101)Cross-site scripting (XSS) vulnerability in index.php in PHP Code Snippet Library allows remote attackers to inject arbitrary web script or HTML via the (1) cat_select or (2) show parameters.20040824 PHP Code Snippet Library Multiple Cross-Site Scripting (XSS)1103812370snippet-index-xss(17108)Cross-site scripting (XSS) vulnerability in NetworkEverywhere NR041 running firmware 1.2 Release 03 allows remote attackers to inject arbitrary web script or HTML via the DHCP HOSTNAME option.20040825 bug found11046network-everywhere-dhcp-gain-access(17120)NtRegmon before 6.12 allows local users to cause a denial of service (crash), while NtRegmon is running, via invalid pointers to hook functions such as ZwSetQueryValue.20040825 [NGSEC-2004-7] NtRegmon, local system denial of service.http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt11042ntregmon-registry-dos(17106)Attack Mitigator IPS 5500 3.11.008, and possibly other versions, when configured in a one-armed routing configuration, allows remote attackers to cause a denial of service (CPU consumption) via a large number of HTTP requests.20040825 IRM 010: Top Layer Attack Mitigator IPS 5500 Denial of Service1104912390am-ips5500-http-dos(17125)RealVNC 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900.20040825 RealVNC 4.0 DoS1104813143realvnc-multiple-connections-dos(17123)Ground Control II: Operation Exodus 1.0.0.7 and earlier allows remote servers to cause a denial of service (client or server crash) via a large packet, which generates a "Message too long" socket error that is treated as a critical error.http://securitytracker.com/id?101107511058ground-control-dos(17130)20040826 Broadcast forced exit in Ground Control II 1.0.0.7Stack-based buffer overflow in Gaucho 1.4 Build 145 allows remote attackers to execute arbitrary code via a POP3 email with a long Content-Type header.20040826 Gaucho v1.4 Build 145 Buffer Overflowhttp://www.security.org.sg/vuln/gaucho140.htmlhttp://securitytracker.com/id?10110321102312387gaucho-pop3-bo(17090)The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs.20040826 Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State)20040827 Re: Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State)20040827 Re: Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State)http://bugzilla.mozilla.org/show_bug.cgi?id=1621341105912392netscape-java-tab-spoofing(17137)The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records.20040615 Symantec Enterprise Firewall DNSD cache poisoning Vulnerabilityhttp://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html1055711888The Web Services fat client for BEA WebLogic Server and Express 7.0 SP4 and earlier, when using 2-way SSL and multiple certificates to connect to the same URL, may use the incorrect identity after the first connection, which could allow users to gain privileges.http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_47.00.jspVU#858990950210725weblogic-multiple-connection-gain-access(15826)BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers.http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_54.00.jspVU#566390http://securitytracker.com/id?10097651013211358weblogic-trust-certificate-spoofing(15862)BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges.http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jspVU#350350950110728weblogic-boot-password-disclosure(14957)BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges.http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jspVU#92023810131bea-configxml-plaintext-password(15860)5297100976411357Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allows remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning.20040121 Voice Product Vulnerabilities on IBM ServersVU#721092946910696ciscovoice-ibmservers-dos(14901)O-06636911008814The default installation of Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, does not require authentication, which allows remote attackers to gain administrator privileges by connecting to TCP port 14247.20040121 Voice Product Vulnerabilities on IBM ServersVU#602734946810696ciscovoice-ibmservers-admin-access(14900)O-06636921008814Unknown vulnerability in Ethereal 0.8.13 to 0.10.2 allows attackers to cause a denial of service (segmentation fault) via a malformed color filter file.http://www.ethereal.com/appnotes/enpa-sa-00013.htmlVU#69548611185ethereal-colour-filter-dos(15572)RHSA-2004:136Unknown vulnerability in F-Secure Anti-Virus (FSAV) 4.52 for Linux before Hotfix 3 allows the Sober.D worm to bypass FASV.http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-linux-hotfixes.shtmlVU#41573411089fsecure-antivirus-protection-bypass(15432)Buffer overflow in hsrun.exe for HAHTsite Scenario Server 5.1 Patch 06 (build 91) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long project name.20040402 Buffer Overflow in HAHTsite Scenario Server 5.1VU#7059581003311288hahtsite-long-request-bo(15717)Buffer overflow in CDE libDtSvc on HP-UX B.11.00, B.11.04, B.11.11, and B.11.22 allows local users to gain root privileges via unknown vectors.HPSBUX0401-308VU#406406O-057hp-libdtsvc-bo(14828)Off-by-one buffer overflow in ModSecurity (mod_security) 1.7.4 for Apache 2.x, when SecFilterScanPost is enabled, allows remote attackers to execute arbitrary code via crafted POST requests.20040316 ModSecurity 1.7.4 for Apache 2.x remote off-by-one overflowhttp://www.s-quadra.com/advisories/Adv-20040315.txthttp://www.modsecurity.org/VU#779438988511138mod-security-offbyone-bo(15489)The default installation of NetScreen-Security Manager before Feature Pack 1 does not enable encryption for communication with devices running ScreenOS 5.0, which allows remote attackers to obtain sensitive information via sniffing.http://www.kb.cert.org/vuls/id/CRDY-5VEU8NVU#927630945510675netscreen-information-disclosure(14886)3613The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain privileges by loading arbitrary loadable kernel modules (LKM), possibly involving the modload function.57479VU#7025269477solaris-kernel-module-gain-privilege(14917)oval:org.mitre.oval:def:4532The character converters in the Spamhunter and Language ID modules for Symantec Brightmail AntiSpam 6.0.1 before patch 132 allow remote attackers to cause a denial of service (crash) via messages with the ISO-8859-10 character set, which is not recognized by the converters.ftp://ftp.symantec.com/public/english_us_canada/products/sba/sba_60x/updates/p132_notes.htmVU#6975981245913489symantec-brightmail-spamhunter-dos(18530)The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass.20040311 Cpanel 8.*.* have a problem ?20040311 cPanel Secuirty Advisory CPANEL-2004:01-01VU#831534984811111cpanel-resetpass-execute-commands(15443)The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter.20040312 Cpanel 9.1.0 have a problem ?VU#831534985511124cpanel-login-execute-commands(15486)Scalable OGo (SOGo) 1.0 allows remote authenticated users to bypass intended permissions and view private appointments of other users.http://securitytracker.com/id?1013553http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=106014675ogo-permission-information-disclosure(19820)Stack-based buffer overflow in shar in GNU sharutils 4.2.1 allows local users to execute arbitrary code via a long -o command line argument.20040406 GNU Sharutils buffer overflow vulnerability.FLSA:215520040407 [OpenPKG-SA-2004.011] OpenPKG Security Advisory (sharutils)10066sharutils-shar-bo(15759)RHSA-2005:377Multiple buffer overflows in sharutils 4.2.1 and earlier may allow attackers to execute arbitrary code via (1) long output from wc to shar, or (2) unknown vectors in unshar.GLSA-200410-01FLSA:215511298RHSA-2005:377Buffer overflow in the SDO_CODE_SIZE peocedure of the MD2 package (MDSYS.MD2.SDO_CODE_SIZE) in Oracle 10g before 10.1.0.2 Patch 2 allows local users to execute arbitrary code via a long LAYER parameter.20040902 [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Serverhttp://www.appsecinc.com/resources/alerts/oracle/2004-0001/http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdfhttp://www.securiteam.com/securitynews/5CP010KE0W.htmlhttp://www.frsirt.com/exploits/20050413.OracleExploit.sql.php13145oracle-mdsysmd2sdocodesize-bo(20078)Cisco VACM (View-based Access Control MIB) for Catalyst Operating Software (CatOS) 5.5 and 6.1 and IOS 12.0 and 12.1 allows remote attackers to read and modify device configuration via the read-write community string.20041008 Cisco IOS Software Multiple SNMP Community String VulnerabilitiesVU#6454005030cisco-snmp-vacm(6179)Cisco IOS 12.1(3) and 12.1(3)T allows remote attackers to read and modify device configuration data via the cable-docsis read-write community string used by the Data Over Cable Service Interface Specification (DOCSIS) standard.20041008 Cisco IOS Software Multiple SNMP Community String VulnerabilitiesVU#840665cisco-ios-cable-docsis(6180)A "range check error" in Skype for Windows before 0.98.0.28 allows local and remote attackers to cause a denial of service (application crash) via long command line arguments or a long callto:// URL, a different vulnerability than CVE-2004-1114.http://www.skype.com/security/ssa-2004-01.html20040615 Skype URI callto username overflow118601010490Skype 0.92.0.12 and 1.0.0.1 for Linux, and possibly other versions, creates the /usr/share/skype/lang directory with world-writable permissions, which allows local users to modify language files and possibly conduct social engineering or other attacks.20041222 Permission problem in Skype BETA for linux20050216 Re: Permission problem in Skype BETA for linux12081skype-lang-insecure-permissions(18644)Cross-site scripting (XSS) vulnerability in board.php for ThWboard before beta 2.84 allows remote attackers to inject arbitrary web script or HTML via the lastvisited parameter.http://sourceforge.net/project/shownotes.php?release_id=207893http://cvs.sourceforge.net/viewcvs.py/thwb/thwb/board.php?r1=1.11&r2=1.1293673330100861710546thwboard-board-xss(14143)Info Touch Surfnet kiosk allows local users to deposit extra time into Internet kiosk accounts via repeated authentication attempts.9347Info Touch Surfnet kiosk allows local users to crash Surfnet and access the underlying operating system via the CMD_CREDITCARD_CHARGE command.9348athenareg.php in Athena Web Registration allows remote attackers to execute arbitrary commands via shell metacharacters in the pass parameter.934916861Directory traversal vulnerability in Net2Soft Flash FTP Server 1.0 allows remote attackers to read and create arbitrary files via a /.. (slash dot dot).http://www.securiteam.com/windowsntfocus/5FP051FBPQ.html9350100858810522Buffer overflow in the web server of Webcam Watchdog 3.63 allows remote attackers to execute arbitrary code via a long HTTP GET request.20040103 Webcam Watchdog Stack Overflow Vulnerabilityhttp://www.elitehaven.net/webcamwatchdog.txthttp://www.webcamsoft.com/en/watchdog_h.html9351331210527webcam-watchdog-get-bo(14131)SQL injection vulnerability in calendar.php for Invision Power Board 1.3 allows remote attackers to execute arbitrary SQL commands via the m parameter, which sets the $this->chosen_month variable.20040103 [SCSA-025] Invision Power Board SQL Injection Vulnerability93533319105301008589PortalApp places user credentials under the web root with insufficient access control, which allows remote attackers to gain access to sensitive information via a direct request to 8275.mdb.93541008627portalapp-url-access-database(14169)SQL injection vulnerability in PostCalendar 4.0.0 allows remote attackers to execute arbitrary SQL commands via search queries.http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=253793723336100862110554postcalendar-search-sql-injection(14111)ASP-Nuke 1.3 and earlier places user credentials under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to main.mdb.9355Cross-site scripting (XSS) vulnerability in the web management interface in ZyWALL 10 4.07 allows remote attackers to inject arbitrary web script or HTML via the rpAuth_1 page.20040106 ZyXEL10 OF ZyWALL Series Router Cross Site Scripting Vulnerabillity937334431008644zywall-xss(14163)1057412793Cross-site scripting (XSS) vulnerability in the web management interface in Edimax AR-6004 ADSL Routers allows remote attackers to inject arbitrary web script or HTML via the URL.20040106 EDIMAX AR-6004 Full Rate ADSL Router Cross Site Scripting Vulnerabillity93743435100864310576edimax-ar6004-xss(14165)The web management interface in Edimax AR-6004 ADSL Routers uses a default administrator name and password, which also appear as the default login text for the management interface, which allows remote attackers to gain access.20040106 EDIMAX AR-6004 Full Rate ADSL Router Cross Site Scripting Vulnerabillity35111008643swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a long packet with two CRLF sequences to the service management port (TCP 8000).20040102 Switch Off Multiple Vulnerabilitieshttp://www.elitehaven.net/switchoff.txt9339100858110521switch-off-swnet-dos(14123)Stack-based buffer overflow in swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote authenticated users to execute arbitrary code via a long message parameter in a SendMsg action to action.htm.20040102 Switch Off Multiple Vulnerabilitieshttp://www.elitehaven.net/switchoff.txt93403309100858110521switch-off-swnet-bo(14124)Cross-site scripting (XSS) vulnerability in the VCard4J Toolkit allows remote attackers to inject arbitrary web script or HTML via the NICKNAME tag in a vCard.20040101 Possible XSS vuln in VCard4J93431008582vcard4j-nickname-xss(14120)Info Touch Surfnet kiosk allows local users to access the underlying filesystem via a 'file://' URI.9346PHP remote file inclusion vulnerability in HotNews 0.7.2 and earlier allows remote attackers to execute arbitrary PHP code via the (1) config[header] parameter to hotnews-engine.inc.php3 or (2) config[incdir] parameter to hnmain.inc.php3.20040104 HotNews arbitary file inclusionhttp://sourceforge.net/forum/forum.php?forum_id=3425949357100860810551hotnews-php-file-include(14140)33323405Cross-site scripting (XSS) vulnerability in search.php for FreznoShop 1.3.0 RC1 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter.93593335100860610547freznoshop-searchphp-xss(14147)RealOne player 6.0.11.868 allows remote attackers to execute arbitrary script in the "My Computer" zone via a Synchronized Multimedia Integration Language (SMIL) presentation with a "file:javascript:" URL, which is executed in the security context of the previously loaded URL, a different vulnerability than CVE-2003-0726.20040107 RealNetworks fails to address Cross-Site Scripting in RealOne Player9378382610086479584realoneplayer-smil-xss(14168)PF in certain OpenBSD versions, when stateful filtering is enabled, does not limit packets for a session to the original interface, which allows remote attackers to bypass intended packet filters via spoofed packets to other interfaces.20040105 firewall security bug?936219105Unknown vulnerability in Sysbotz SimpleData 4.0.1 and possibly earlier versions allows remote attackers to gain access via a crafted URL and a certain cookie.9380100869510595simpledata-gain-unauth-access(14206)Directory traversal vulnerability in PWebServer 0.3.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.20040308 directory traversal in PWebServer 0.3.3http://www.autistici.org/fdonato/advisory/PWebServer0.3.3-adv.txt981711057pwebserver-dotdot-directory-traversal(15404)Chat Anywhere 2.72 and earlier allows remote attackers to hide their IP address by using %00 before the nickname, which causes the IP address to be displayed as $IP$ on the administration web page.9823chat-anywhere-admin-bypass(15416)20040309 Ghost users in Chat Anywhere 2.72wMCam server 2.1.348 allows remote attackers to cause a denial of service (no new connections) via multiple malformed HTTP requests without the GET command.20040310 DoS in wMCam server 2.1.3489839wmcam-multiple-connections-dos(15431)Format string vulnerability in games using the Epic Games Unreal Engine 436 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in class names.984011108ut-class-format-string(15430)20040310 Format string bug in EpicGames Unreal engine20040311 Re: Format string bug in EpicGames Unreal engineSQL injection vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to execute SQL commands via the (1) category_id, (2) product_id, or (3) feature_id parameters.20040312 Dogpatch Software CFWebstore 5.0 shopping cart software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040312.txthttp://securitytracker.com/id?10094039854422911112cfwebstore-index-sql-injection(15447)Cross-site scripting (XSS) vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to inject arbitrary web script or HTML via the URL.20040312 Dogpatch Software CFWebstore 5.0 shopping cart software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040312.txthttp://securitytracker.com/id?10094039856423011112cfwebstore-url-xss(15454)Extcompose in metamail does not verify the output file before writing to it, which allows local users to overwrite arbitrary files via a symlink attack.20040312 Metamail extcompose script Symlink Vulnerability9850metamail-extcompose-symlink(15460)Cross-site scripting (XSS) vulnerability in phpBB 2.0.6d and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) postdays parameter to viewtopic.php or (2) topicdays parameter to viewforum.php.20040313 phpBB 2.0.6d && Earlier Security Issueshttp://www.phpbb.com/support/documents.php?mode=changelog#206986598664257425911121phpbb-viewforum-viewtopic-xss(15464)The Javascript engine in Opera 7.23 allows remote attackers to cause a denial of service (crash) by creating a new Array object with a large size value, then writing into that array.20040314 Opera Array Allocation Managment Exploit9869safari-array-dos(15413)The SSL HTTP Server in HP Web-enabled Management Software 5.0 through 5.92, with anonymous access enabled, allows remote attackers to compromise the trusted certificates by uploading their own certificates.20040314 Multiple Immunity Advisorieshttp://www.immunitysec.com/downloads/hp_http.sxw.pdfHPSBMA01003O-1009859SSRT4679hp-http-certificate-upload(15466)20040315 Immunity Advisory: Compaq Web Management vulnerability11126Multiple stack-based buffer overflows in Agent Common Services (1) cam.exe and (2) awservices.exe in Unicenter TNG 2.4 allow remote attackers to execute arbitrary code.20040314 Multiple Immunity Advisories20040315 Immunity Advisory: Computer Associates Unicenter TNGhttp://www.immunitysec.com/downloads/awservices.sxw.pdfftp://ftp.ca.com/CAproducts/unicenter/CCS31/nt/qi52764/QI52764.DB0986311131unicentertng-awservices-cam-bo(15472)VocalTec VGW4/8 Gateway 8.0 allows remote attackers to bypass authentication via an HTTP request to home.asp with a trailing slash (/).20040315 VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypassvgw48-gateway-directory-traversal(15476)9876Directory traversal vulnerability in VocalTec VGW4/8 Gateway 8.0 allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request, as demonstrated using home.asp.20040315 VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass9876vgw48-gateway-directory-traversal(15476)Unknown vulnerability in ColdFusion MX 6.0 and 6.1, and JRun 4.0, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption).20040315 Multiple Vendor SOAP server array DoShttp://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html987711132soap-array-dos(15473)Unknown vulnerability in Sun Java System Application Server 7.0 Update 2 and earlier, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption).20040315 Multiple Vendor SOAP server array DoS57517987711130soap-array-dos(15473)Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7.1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Your Name field, (2) e-mail field, (3) nicname field, (4) fname parameter, (5) ratenum parameter, or (6) search field.20040315 [waraxe-2004-SA#005 - XSS in Php-Nuke 7.1.0 - part 2]987911135phpnuke-multiple-parameters-xss(15491)Cross-site scripting (XSS) vulnerability in nmimage.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary script as other users by injecting arbitrary script into the z parameter.20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke]98814293111344nalbum-nmimagephp-xss(15497)4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to obtain sensitive information via a direct request to displaycategory.php, which reveals the path in an error message.20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke]98814291111344nalbum-error path-disclosure(15493)PHP remote file inclusion vulnerability in displaycategory.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary PHP code by modifying the basepath parameter to reference a URL on a remote web server that contains fileFunctions.php.20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke]98814292111344nalbum-displaycategory-file-include(15496)SQL injection vulnerability in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to gain privileges or perform unauthorized database operations via the gid parameter.20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke]98814294111344nalbum-modulesphp-SQL-injection(15498)Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.1 through 5.0.3 beta allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_REFERER parameter to login.php, (2) HTTP_REFERER parameter to register.php, or (3) target parameter to profile.php.20040315 Phorum 5.0.3 Beta && Earlier XSS Issueshttp://phorum.org/changelog.txt988211157phorum-register-xss(15494)4333433443351009433Multiple cross-site scripting (XSS) vulnerabilities in Jelsoft vBulletin 2.0 beta 3 through 3.0 can4 allows remote attackers to inject arbitrary web script or HTML via the (1) page parameter to showthread.php or (2) order parameter to forumdisplay.php.20040316 JelSoft vBulletin Multiple XSS Vulnerabilities9888988911142vbulletin-showthread-xss(15495)431043111009440Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.0 allows remote attackers to inject arbitrary web script or HTML via the what parameter to memberlist.php.20040316 JelSoft vBulletin Multiple XSS Vulnerabilities988711142vbulletin-showthread-xss(15495)20021121 XSS bug in vBulletin622643121009440vbulletin-memberlist-xss(10679)Cross-site scripting (XSS) vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) return or (2) mos_change_template parameters.20040316 Mambo Open Source Multiple Vulnerabilities98904665430811140mambo-return-moschangetemplate-xss(15499)SQL injection vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.20040316 Mambo Open Source Multiple Vulnerabilities9891430711140mambo-id-sql-injection(15500)Cross-site scripting (XSS) vulnerability in YaBB 1 Gold(SP1.3) and YaBB SE 1.5.1 Final allows remote attackers to inject arbitrary web script via the background:url property in (1) glow or (2) shadow tags.987311128yabb-glow-shadow-xss(15488)http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233100942720040314 YaBB/YaBBse Cross Site Scripting Vulnerability20040316 RE: YaBB/YaBBse Cross Site Scripting VulnerabilityVcard 2.9 and possibly other versions does not require authorization to run uninstall.php, which could allow remote attackers to uninstall Vcard and delete database tables via a direct request to uninstall.php.20040317 Vcard 2.8 uninstall script problem9910vcard-uninstall-delete-table(15522)Multiple cross-site scripting (XSS) vulnerabilities in error.php in Gijza.net Error Manager 2.1 for PHP-Nuke 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) pagetitle or (2) error parameters, or (3) certain parameters in the error log.20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager9911errormanager-error-xss(15529)errormanager-error-command-execution(15530)438411164error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information via an invalid (1) language, (2) newlang, or (3) lang parameter, which leaks the pathname in a PHP error message.20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager9911errormanager-error-path-disclosure(15524)438611164Buffer overflow in Chrome 1.2.0.0 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large length value, which leads to a null dereference or out-of-bounds read.http://aluigi.altervista.org/adv/chrome-boom-adv.txt9898chrome-malloc-memcpy-dos(15535)20040318 Chrome 1.2.0.0 server crashBuffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660.20040318 mac osx- admin service buffer overflow20040319 Re: mac osx- admin service buffer overflowmacos-admin-servicebo(15533)9914The admin.ib file in Borland Interbase 7.1 for Linux has default world writable permissions, which allows local users to gain database administrative privileges.20040319 Borland Interbase admin.ib Administrative Access Vulnerability99294381100950011172interbase-admin-gain-privileges(15546)mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information.20040319 Apache mod_disk_cache stores client authentication credentials on disk99334446100950911176apache-moddiskcache-obtain-info(15547)102198ADV-2006-078919072RHSA-2004:562Multiple SQL injection vulnerabilities in index.php in Invision Gallery 1.0.1 allow remote attackers to execute arbitrary SQL via the (1) img, (2) cat, (3) sort_key, (4) order_key, (5) user, or (6) album parameters.20040322 Invision Gallery SQL Injection Vulnerabilities99444472100951211194invision-gallery-sql-injection(15566)SQL injection vulnerability in index.php in Invision Power Top Site List 1.1 RC 2 and earlier allows remote attackers to execute arbitrary SQL via the id parameter of the comments action.20040322 Invision Power Top Site List SQL Injection Vulnerability9945100951111187invision-id-sql-injection(15568)Cross-site scripting (XSS) vulnerability in Mod_survey 3.0.x before 3.0.16-pre2 and 3.2.x before 3.2.0-pre4 allows remote attackers to inject arbitrary web script or HTML via the certain survey fields or error messages for malformed query strings.20040322 Mod_Survey security advisory: Script injection bug99411009516modsurvey-xss(15582)Directory traversal vulnerability in xweb 1.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the URL.20040322 directory traversal in xweb 1.0http://www.autistici.org/fdonato/advisory/xweb1.0-adv.txt99374460100951411186xweb-dotdot-directory-traversal(15567)MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a direct request to (1) browsers.php, (2) mstrack.php, or (3) title.php, which reveal the full path in a PHP error message.20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke]9946Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php.20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke]9947msanalysis-modules-title-xss(15575)SQL injection vulnerability in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to execute arbitrary SQL via the referer field in an HTTP request.20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke]9948msanalysis-referer-sql-injection(15576)Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php.20040322 [waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0]989511195phpnuke-img-gain-privileges(15596)SQL injection vulnerability in Member Management System 2.1 allows remote attackers to execute arbitrary SQL via the ID parameter to (1) resend.asp or (2) news_view.asp.20040322 Vulnerabilities in Member Management System 2.19931100950811179mms-id-sql-injection(15551)Cross-site scripting (XSS) vulnerability in Member Management System 2.1 allows remote attackers to inject arbitrary web script or HTML via (1) the err parameter to error.asp or (2) register.asp.20040322 Vulnerabilities in Member Management System 2.19932100950811179mms-xss(15552)Multiple cross-site scripting (XSS) vulnerabilities in News Manager Lite 2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to comment_add.asp, (2) search parameter to search.asp, or (3) n parameter to category_news_headline.asp.20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration9935449244934494100950711180news-manager-xss(15548)Multiple SQL injection vulnerabilities in News Manager Lite 2.5 allow remote attackers to execute arbitrary SQL code via the (1) ID parameter to more.asp, (2) ID parameter to category_news.asp, or (3) filter parameter to news_sort.asp.20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration9935449544964497100950711180news-manager-sql-injection(15549)News Manager Lite 2.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN parameter in the NEWS_LOGIN cookie.20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration9935100950711180news-manager-admin-access(15550)Ipswitch WS_FTP Server 4.0.2 allows remote attackers to cause a denial of service (disk consumption) and bypass file size restrictions via a REST command with a large size argument, followed by a STOR of a smaller file.20040323 How to crash a harddisk - the Ipswitch WS_FTP Server way99534542112061009529wsftp-rest-dos(15560)wsftp-rest-stor-dos(41831)Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html.20040323 More Cpanel Vuls (cross site scripting)9965452945301009541cpanel-dodelautores-addhandle-xss(15517)The Rage 1.01 and earlier allows remote attackers to cause a denial of service (infinite loop) via a TCP packet with the port and IP address set to zero.99611009540therage-packet-dos(15584)20040323 Server freeze in The Rage 1.01Dameware Mini Remote Control 4.1.0.0 uses insufficiently random data to create the encryption key, which makes it easier for remote attackers to obtain sensitive information via brute force guessing.20030323 Dameware Passes Weak File Encryption Key in the Clear99574547100955711205dameware-random-generator-weak(15587)DameWare Mini Remote Control 3.x before 3.74 and 4.x before 4.2 transmits the Blowfish encryption key in plaintext, which allows remote attackers to gain sensitive information.20040323 Dameware Passes Weak File Encryption Key in the Clearhttp://www.dameware.com/support/security/bulletin.asp?ID=SB399594547100955711205dameware-encryption-key-plaintext(15586)Buffer overflow in Terminator 3: War of the Machines 1.0 allows remote attackers to cause a denial of service via a long ServerInfo variable.99184447100949811182terminator3-bo(15542)20040323 Broadcast client buffer-overflow in Terminator 3 1.0Buffer overflow in the logging function in Picophone 1.63 and earlier allows remote attackers to execute arbitrary code via a large packet.99694550100955111209picophone-logging-function-bo(15595)20040324 Buffer overflow in PicoPhone 1.63Dark Age of Camelot before 1.68 live patch does not sign the RSA public key, which could allow remote malicious servers to gain sensitive information via a man-in-the-middle attack.20040324 Dark Age of Camelot login client vulnerability to man in the middle20040323 Dark Age of Camelot login client vulnerability to man in the middle attackhttp://capnbry.net/daoc/advisory20040323/9960daoc-login-mitm(15597)devices_update_printer_fw_upload.hts in HP Web JetAdmin 7.5.2546, when no password is set, allows remote attackers to upload arbitrary files to the printer directory.20040324 HP Web JetAdmin vulnerabilities.http://sh0dan.org/files/hpjadmadv.txtSSRT47009971hp-jetadmin-file-upload(15605)Directory traversal vulnerability in setinfo.hts in HP Web Jetadmin 7.5.2546 allows remote authenticated attackers to read arbitrary files via a .. (dot dot) in the setinclude parameter.20040324 HP Web JetAdmin vulnerabilities.SSRT47009972hp-jetadmin-setinfo-directory-traversal(15606)HP Web Jetadmin 7.5.2546 allows remote attackers to cause a denial of service (crash) via a malformed request, possibly due to a stricmp() error from an invalid use of the "$" character.20040324 HP Web JetAdmin vulnerabilities.SSRT4700Directory traversal vulnerability in Trend Micro Interscan Web Viruswall in InterScan VirusWall 3.5x allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.20040324 TrendMacro Interscan Viruswall Directory Traversalhttp://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=1925799664549100955011215interscan-dotdot-directory-traversal(15590)Buffer overflow in Check Point SmartDashboard in Check Point NG AI R54 and R55 allows remote authenticated users to cause a denial of service (server disconnect) and possibly execute arbitrary code via a large filter on a column when using SmartView Tracker.20040325 Check Point SmartDashboard Buffer Overflowhttp://www.securitytracker.com/alerts/2004/Mar/1009490.htmlfw1-smartdashboard-bo(15539)100949098704412Invision NetSupport School Pro uses a weak encryption algorithm to encrypt passwords, which allows local users to obtain passwords.20040326 NetSupport School Pro: Password Encryption Weaknesses9981netsupportschoolpro-weak-encryption(15621)Multiple cross-site scripting (XSS) vulnerabilities in Extreme Messageboard (XMB) 1.8 SP3 and 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) xmbuser parameter to xmb.php, (2) folder parameter to u2u.php, (3) viewmost, replymost, or latest parameter to stats.php, (4) message or icons parameter to post.php, (5) threadlist, pagelinks, forumlist, navigation, or (6) forumdisplay parameter to forumdisplay.php.20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta]9983xmb-forum-multiple-xss(15654)149831498514986149871498811230Multiple cross-site scripting (XSS) vulnerabilities in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allow remote attackers to inject arbitrary web script or HTML via (1) the u2uheader parameter in editprofile.php, the restrict parameter in (2) member.php, (3) misc.php, and (4) today.php, and (5) an arbitrary parameter in phpinfo.php.20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta]9983xmb-forum-multiple-xss(15654)14982149891499116884SQL injection vulnerability in Extreme Messageboard (XMB) 1.9 beta allows remote attackers to execute arbitrary SQL commands via the restrict parameter to (1) member.php, (2) misc.php, or (3) today.php.20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta]http://www.securitytracker.com/alerts/2004/Mar/1009561.html9983xmb-forum-sql-injection(15655)100956116886Cross-site scripting (XSS) vulnerability in the administration panel in bBlog 0.7.2 allows remote authenticated users with superuser privileges to inject arbitrary web script or HTML via a blog name ($blogname). NOTE: if administrators are normally allowed to add HTML by other means, e.g. through Smarty templates, then this issue would not give any additional privileges, and thus would not be considered a vulnerability.20040326 bblog 0.7.2 cross site scripting1009564bblog-name-xss(15635)1339710510nstxd in Nstx 1.1 beta3 and earlier allows remote attackers to cause a denial of service (crash) via a large packet, which triggers a null dereference.20040326 Nstxd vulnerabilityhttp://nstx.dereference.de/nstx/nstx-1.1-beta4.tgz99891009567nstx-null-dos(15638)Cross-site scripting (XSS) vulnerability in guest.cgi in Fresh Guest Book allows remote attackers to inject arbitrary web script or HTML via the Name field.20040328 vuln9995freshguestbook-guest-xss(15649)Stack-based buffer overflow in WinSig.exe in eSignal 7.5 and 7.6 allows remote attackers to execute arbitrary code via a long STREAMQUOTE tag.20040325 eSignal v7 remote buffer overflow (exploit)http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt20040406 Re: eSignal v7 remote buffer overflow997811222esignal-specs-bo(15624)Etherlords I 1.07 and earlier and Etherlords II 1.03 and earlier allows remote attackers to cause a denial of service (crash) by sending a packet that specifies the size for the next packet, then sending a larger packet than specified, which causes Etherlords to read unallocated memory.9979etherlords1-packet-dos(15618)etherlords2-packet-dos(15619)20040325 Remote crash in Etherlords I 1.07 and II 1.03Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php.20040328 PhotoPost PHP Pro Multiple Vulnerabilitieshttp://securitytracker.com/id?1009571999411241photopost-php-sql-injection(15642)Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ppuser, (2) password, (3) stype, (4) perpage, (5) sort, (6) page, (7) si, or (8) cat parameters to showmembers.php, or the (9) photo name, (10) photo description, (11) album name, or (12) album description fields.20040328 PhotoPost PHP Pro Multiple Vulnerabilitieshttp://securitytracker.com/id?1009571999411241photopost-php-xss(15643)Cross-site scripting (XSS) vulnerability in WebCT Campus Edition 4.1.1.5 allows remote attackers to inject arbitrary web script or HTML via the @import URL function in a CSS style tag.20040329 WebCT Campus Edition 4.1 - Cross site scripting using CSS @import999911242webct-import-xss(15652)SQL injection vulnerability in category.asp in A-CART Pro and A-CART 2.0 allows remote attackers to gain privileges via the catcode parameter.20040329 A-CART Pro & A-CART 2.0 Input Validation Holes999711236acart-categoryasp-sql-injection(15661)20061118 A-Cart 2.0 SQL Injection20061114 A-Cart pro[ injection sql (post&get)]20061118 A-Cart PRO SQL Injection20061118 Re: A-Cart PRO SQL InjectionMultiple cross-site scripting (XSS) vulnerabilities in (1) deliver.asp and (2) billing.asp in A-CART Pro and A-CART 2.0 allow remote attackers to inject arbitrary web script or HTML via the user information forms.20040329 A-CART Pro & A-CART 2.0 Input Validation Holes999711236acart-deliverasp-billingasp-xss(15660)Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to ignorelist.html, (5) account parameter to showlog.html, (6) db parameter to repairdb.html, (7) login parameter to doaddftp.html (8) account parameter to editmsg.htm, or (9) ip parameter to del.html. NOTE: the dnslook.html vector was later reported to exist in cPanel 10.20040330 Exensive cPanel Cross Site Scriptinghttp://www.cirt.net/advisories/cpanel_xss.shtml1000242084209421042114212421342144215424311244cpanel-multiple-scripts-xss(15671)21142ADV-2006-465822984The "%f" feature in the VirusEvent directive in Clam AntiVirus daemon (clamd) before 0.70 allows local users to execute arbitrary commands via shell metacharacters in a file name.20040330 clamd - NEVER use GLSA-200405-031000711253clamantivirus-virusevent-gain-privileges(15692)The p_submit_url value in the sample login form in the Oracle 9i Application Server (9iAS) Single Sign-on Administrators Guide, Release 2(9.0.2) for Oracle SSO allows remote attackers to spoof the login page, which could allow users to inadvertently reveal their username and password.20040330 Problem with customized login pages for Oracle SSO10009oracle-sso-login-spoofing(15676)LINBOX LIN:BOX allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash).20040330 Linbit linbox Multiple Vulnerabilitieshttp://www.websec.org/adv/linbit.txt.html1001011264linbox-slashslash-security-bypass(15677)Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows allows remote attackers to inject arbitrary web script or HTML via forum messages.20040330 phpkit suffers (reale stupid) XSS vuln.10013phpkit-forum-message-xss(15681)Memory leak in the back-bdb backend for OpenLDAP 2.1.12 and earlier allows remote attackers to cause a denial of service (memory consumption).CLSA-2003:685920317000SQL injection vulnerability in (1) mailorder.asp or (2) payonline.asp in CactuShop 5.x allows remote attackers to execute arbitrary SQL commands via the strItems parameter.20040331 CactuSoft CactuShop v5.x shopping cart software multiple securityhttp://www.s-quadra.com/advisories/Adv-20040331.txthttp://securitytracker.com/id?1009601100194785478611272cactushop-multiple-sql-injection(15686)Cross-site scripting (XSS) vulnerability in popuplargeimage.asp in CactuShop 5.x allows remote attackers to inject arbitrary web script or HTML via the strImageTag parameter.20040331 CactuSoft CactuShop v5.x shopping cart software multiple security2004031 CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities10020478711272cactushop-popularlargeimageasp-xss(15687)1009601Multiple buffer overflows in Ipswitch WS_FTP Server 4.0.2 (1) allow remote authenticated users to execute arbitrary code by causing a large error string to be generated by the ALLO handler, or (2) may allow remote FTP administrators to execute arbitrary code by causing a long hostname or username to be inserted into a reply to a STAT command while a file is being transferred.20040323 ALLO ALLO WS_FTP Server20040323 Think of the buffers! Wont somebody think of the buffers?!995311206wsftp-allo-bo(15561)Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with a default password, which allows remote attackers to gain access.20040323 Open the WS_FTP Server backdoor to SYSTEM995311206wftp-site-gain-priviliege(15558)Ipswitch WS_FTP Server 4.0.2 allows remote authenticated users to execute arbitrary programs as SYSTEM by using the SITE command to modify certain iFtpSvc options that are handled by iftpmgr.exe.20040323 Open the WS_FTP Server backdoor to SYSTEM995311206wftp-site-gain-priviliege(15558)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1848. Reason: This candidate is a duplicate of CVE-2004-1848. Notes: All CVE users should reference CVE-2004-1848 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Ada Image Server (ImgSvr) 0.4 allows remote attackers to view directories or download files via an HTTP request with a trailing %00 (null).20040401 Index viewing in imgSvr 0.4http://www.autistici.org/fdonato/advisory/imgSvr0.4-adv.txthttp://sourceforge.net/project/shownotes.php?release_id=230023100261002711277imgsvr-obtain-information(15706)display.cgi in Aborior Encore WebForum allows remote to execute arbitrary commands via shell metacharacters in the file variable.20040403 Remote Exploit for Aboriors Encore Web Forum10040encore-display-command-execution(15725)20060620 display.cgi20060621 Re: display.cgi168311009652Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via a link failure with Microsoft Windows.20040401-01-P10037irix-ftpd-link-dos(15722)Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via the PORT mode.20040401-01-P10037irix-ftpd-port-dos(15723)The ftp_syslog function in ftpd in SGI IRIX 6.5.20 "doesn't work with anonymous FTP," which has an unknown impact, possibly preventing the actions of anonymous users from being logged.20040401-01-PStack-based buffer overflow in DecodeBase16 function, as used in the (1) IRC module and (2) web server in eMule 0.42d, allows remote attackers to execute arbitrary code via a long string.20040403 eMule v0.42d Buffer Overflowhttp://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=221003911289emule-decodebase16-bo(15730)Dreamweaver MX, when "Using Driver On Testing Server" or "Using DSN on Testing Server" is selected, uploads the mmhttpdb.asp script to the web site but does not require authentication, which allows remote attackers to obtain sensitive information and possibly execute arbitrary SQL commands via a direct request to mmhttpdb.asp.http://www.nextgenss.com/advisories/dreamweaver.txt20040403 [securityzone@macromedia.com: New Macromedia Security Zone Bulletin Posted]http://www.macromedia.com/devnet/security/security_zone/mpsb04-05.html1003611284dreamweaver-test-script-sql-injection(15721)TEXutil in ConTEXt, when executed with the --silent option, allows local users to overwrite arbitrary files via a symlink attack on texutil.log.20040404 Texutil symlink vulnerability.20040404 Texutil symlink vulnerability.http://securitytracker.com/id?100966110042texutil-symlink-attack(15728)YaST Online Update (YOU) in SuSE 8.2 and 9.0 allows local users to overwrite arbitrary files via a symlink attack on you-$USER/cookies.20040405 SuSEs YaST Online Update - possible symlink attackhttp://securitytracker.com/id?10096681004711300suse-you-symlink(15731)20040406 Re: SuSEs YaST Online Update - possible symlink attack4985Heap-based buffer overflow in in_mod.dll in Nullsoft Winamp 2.91 through 5.02 allows remote attackers to execute arbitrary code via a Fasttracker 2 (.xm) mod media file.20040405 NGSSoftware Insight Security Research Advisoryhttp://www.nextgenss.com/advisories/winampheap.txt1004511285winamp-inmod-bo(15727)49441009660Administration interface in Monit 1.4 through 4.2 allows remote attackers to cause a denial of service (segmentation fault) by sending a Basic Authentication request without a password, which causes Monit to decrement a null pointer and perform an out-of-bounds read.20040405 Advisory: Multiple Vulnerabilities in Monit1005111304monit-basic-auth-dos(15734)Stack-based buffer overflow in the administration interface in Monit 1.4 through 4.2 allows remote attackers to execute arbitrary code via a long username.20040405 Advisory: Multiple Vulnerabilities in Monit1005111304monit-offbyone-bo(15735)4981The administration interface in Monit 1.4 through 4.2 allows remote attackers to cause an off-by-one overflow via a POST that contains 1024 bytes.20040405 Advisory: Multiple Vulnerabilities in Monit1005111304monit-post-offbyone-bo(15736)4979Format string vulnerability in the logging function in IGI 2 Covert Strike server 1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in RCON commands.20040405 Format string bug in IGI 2: Covert Strike 1.31005311299igi2covertstrike-rcon-format-string(15742)49661009667Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles.GLSA-200404-011006011305portage-lockfile-hardlink(15754)The Citrix MetaFrame Password Manager 2.0, when a central credential store is not configured, does not encrypt passwords entered immediately after executing the First Time User Wizards, which allows local users to gain sensitive information.20040406 Foundstone Labs Advisory: Citrix MetaFrame Password Manager 2.0http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=2561004911293metaframe-wizard-info-disclosure(15737)49421009659Buffer overflow in blaxxun 3D 7.0 allows remote attackers to execute arbitrary code via a long URL property inside an object tag.20040406 blaxxun3D(blaxxun Platform) 7 - Remote Buffer Overflow10064blaxxun-applicationxcc3d-bo(15625)Buffer overflow in ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to execute arbitrary code via the Internacional property followed by a long string.20040406 Panda ActiveScan 5.0 - Remote Buffer Overflow and A Crash(D.O.S)http://theinsider.deep-ice.com/texts/advisory53.txt1006511312panda-activescan-ascontrol-bo(15764)ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to cause a denial of service (crash) by calling the SetSitesFile function.20040406 Panda ActiveScan 5.0 - Remote Buffer Overflow and A Crash(D.O.S)http://theinsider.deep-ice.com/texts/advisory53.txt10067panda-activescan-ascontrol-dos(15831)Mcafee FreeScan allows remote attackers to cause a denial of service and possibly arbitrary code via a long string in the ScanParam property of a COM object, which may trigger a buffer overflow.20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosurehttp://theinsider.deep-ice.com/texts/advisory54.txt20040407 Symantec, McAfee and Panda ActiveX controls1007111313freescan-mcfscan-bo(15772)The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.13 allows remote attackers to cause a denial of service (crash) by sending hex-encoded URLs containing "%13%12%13".20040406 Kerio Personal Firewall 4 and IE 6 20040407 Kerio Personal Firewall 4.0.13 - Remote DoS (Crash)http://www.cipher.org.uk/index.php?p=advisories/HEX-Kerio_Personal_Firewall_Remote_DOS_7-04-2004.advisory1007511331kerio-pf-webfilter-dos(15821)McFreeScan.CoMcFreeScan.1 ActiveX object in Mcafee FreeScan allows remote attackers to obtain sensitive information via the GetSpecialFolderLocation function with certain parameters.20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure20040407 Symantec, McAfee and Panda ActiveX controls20040407 McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC]1007711313freescan-mcfscan-info-disclosure(15782)Claim Anti-Virus (ClamAV) 0.68 and earlier allows remote attackers to cause a denial of service (crash) via certain RAR archives, such as those generated by the Beagle/Bagle worm.http://freshmeat.net/projects/clamav/?branch_id=29355&release_id=154462GLSA-200404-07989711177clam-antivirus-rar-dos(15553)rufsi.dll in Symantec Virus Detection allows remote attackers to cause a denial of service (crash) via a long string to the GetPrivateProfileString function. NOTE: this issue was originally reported as a buffer overflow, but that specific claim is disputed by the vendor, although a crash is acknowledged.20040407 Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow20040408 Re: Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow, Apr 720040407 Symantec, McAfee and Panda ActiveX controls10069symantec-sc-rufsi-bo(15778)Cross-site scripting (XSS) vulnerability in AzDGDatingLite 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) l parameter (aka language variable) to index.php or (2) id parameter to view.php.20040408 [waraxe-2004-SA#014 - Cross-Site Scripting aka XSS in AzDGDatingLite]1008411326azdgdating-index-view-xss(15796)50185019The (1) modules.php, (2) block-Calendar.php, (3) block-Calendar1.php, (4) block-Calendar_center.php scripts in NukeCalendar 1.1.a, as used in PHP-Nuke, allow remote attackers to obtain sensitive information via a URL with an invalid argument, which reveals the full path in an error message.20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a]10082nuke-calendar-path-disclosure(15795)Cross-site scripting (XSS) vulnerability in modules.php in NukeCalendar 1.1.a, as used in PHP-Nuke, allows remote attackers to inject arbitrary web script or HTML via the eid parameter.20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a]10082nuke-calendar-modulesphp-xss(15798)SQL injection vulnerability in modules.php in NukeCalendar 1.1.a, as used in PHP-Nuke, allows remote attackers to execute arbitrary SQL commands via the eid parameter.20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a]10082nukecalendar-modulesphp-sql-injection(15799)Buffer overflow in the parse_all_client_messages function in LCDproc 0.4.x up to 0.4.4 allows remote attackers to execute arbitrary code via a large number of arguments.20040408 PSR - #2004-001 Remote - LCDProchttp://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.htmlGLSA-200404-191008511333lcdproc-parseallclientmessages-bo(15803)Multiple buffer overflows in LCDProc 0.4.1, and possibly other 0.4.x versions up to 0.4.4, allows remote attackers to execute arbitrary code via (1) a long invalid command to parse_all_client_messages function, or (2) long argv command to test_func_func function.20040408 PSR - #2004-002 Remote - LCDProchttp://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.htmlGLSA-200404-191008511333lcdproc-testfuncfunc-bo(15814)Format string vulnerability in test_func_func in LCDProc 0.4.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the str variable.20040408 PSR - #2004-002 Remote - LCDProchttp://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.htmlGLSA-200404-191008511333lcdproc-testfuncfunc-format-string(15817)RSniff 1.0 allows remote attackers to cause a denial of service (connection exhaustion) via a large number of connections with a command other than AUTHENTICATE, or without any data, which prevents the socket from being closed properly.1009311339rsniff-connection-dos(15823)20040409 DoS in Rsniff 1.0The hash_strcmp function in hasch.c in Crackalaka 1.0.8 allows remote attackers to cause a denial of service (crash) via large malformed strings.20040409 DoS in Crackalaka 1.0.81009211340crackalaka-hashstrcmp-dos(15824)X-Micro WLAN 11b Broadband Router 1.2.2, 1.2.2.3, 1.2.2.4, and 1.6.0.0 has a hardcoded "super" username and password, which could allow remote attackers to gain access.20040410 Backdoor in X-Micro WLAN 11b Broadband Router1009511342xmicro-router-default-account(15829)X-Micro WLAN 11b Broadband Router 1.6.0.1 has a hardcoded "1502" username and password, which could allow remote attackers to gain access.20040416 NEW backdoor in X-Micro WLAN 11b Broadband Router20040416 Re: Backdoor in X-Micro WLAN 11b Broadband Router1009511342xmicro-router-default-login(15890)Microsoft Internet Explorer 5.5 and 6.0 allocates memory based on the memory size written in the BMP file instead of the actual BMP file size, which allows remote attackers to cause a denial of service (memory consumption) via a small BMP file with has a large memory size.20040411 Microsoft Internet Explorer BMP file memory DoS vulnerabilityTiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to gain sensitive information via a direct request to (1) banner_click.php, (2) categorize.php, (3) tiki-admin_include_directory.php, (4) tiki-directory_search.php, which reveal the web server path in an error message.20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ]http://tikiwiki.org/tiki-read_article.php?articleId=661010011344tikiwiki-path-disclosure(15847)Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php, (3) flag, priority, flagval, sort_mode, or find parameters to messu-read.php, (4) articleId parameter to tiki-read_article.php, (5) parentId parameter to tiki-browse_categories.php, (6) comments_threshold parameter to tiki-index.php (7) articleId parameter to tiki-print_article.php, (8) galleryId parameter to tiki-list_file_gallery.php, (9) galleryId parameter to tiki-upload_file.php, (10) faqId parameter to tiki-view_faq.php, (11) chartId parameter to tiki-view_chart.php, or (12) surveyId parameter to tiki-survey_stats_survey.php.20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ]http://tikiwiki.org/tiki-read_article.php?articleId=661010011344tikiwiki-xss(15846)Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-file_galleries.php, (10) tiki-list_faqs.php, (11) tiki-list_trackers.php, (12) tiki-list_blogs.php, or via the offset parameter in (13) tiki-usermenu.php, (14) tiki-browse_categories.php, (15) tiki-index.php, (16) tiki-user_tasks.php, (17) tiki-list_faqs.php, (18) tiki-list_trackers.php, or (19) tiki-list_blogs.php.20040411 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ]http://tikiwiki.org/tiki-read_article.php?articleId=661010011344tikiwiki-sql-injection(15845)Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a Directory/Add Site operation.20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ]http://tikiwiki.org/tiki-read_article.php?articleId=661010011344Directory traversal vulnerability in the map feature (tiki-map.phtml) in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to determine the existence of arbitrary files via .. (dot dot) sequences in the mapfile parameter.20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ]http://tikiwiki.org/tiki-read_article.php?articleId=661010011344tikiwiki-tikimap-file-disclosure(15848)The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL.20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ]http://tikiwiki.org/tiki-read_article.php?articleId=661010011344tikiwiki-file-upload(15849)SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter.20040412 [waraxe-2004-SA#017 - User-level authentication bypass in phpnuke 6.x-7.2]http://www.waraxe.us/index.php?modname=sa&id=171013511347phpnuke-bypass-authentication(15839)Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitrary web script or HTML via a base64-encoded user parameter or cookie.20040412 [waraxe-2004-SA#016 - Cross-Site Scripting aka XSS in phpnuke 6.x-7.2 part 3]http://www.waraxe.us/index.php?modname=sa&id=161012811347phpnuke-cookiedecode-xss(15842)SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter.20040412 [waraxe-2004-SA#018 - Admin-level authentication bypass in phpnuke 6.x-7.2]http://www.waraxe.us/index.php?modname=sa&id=18phpnuke-admin-bypass-authentication(15835)Citadel/UX 5.00 through 6.14 installs the database directory and files with world-read permissions, which could allow local users to bypass access controls and read unauthorized messages.20040412 Citadel/UX 6.20 fixes local permissions vulnerability10102citadel-database-insecure-permissions(15850)PHP remote file inclusion vulnerability in affich.php in Gemitel 3.50 allows remote attackers to execute arbitrary PHP code via the base parameter.20040415 Include vulnerability in GEMITEL v 3.501015611393gemitel-spturnphpfile-include(15887)53961009824Cross-site scripting (XSS) vulnerability in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via onload, onmouseover, and other Javascript events in an e-mail attachment.20040415 SCT javascript execution vulnerability1015411396sct-campus-attachment-xss(15878)ZoneAlarm Pro 4.5.538.001 and possibly other versions allows remote attackers to bypass e-mail protection via attachments whose names contain certain non-English characters.20040414 ZA Security Hole20040420 Re: ZA Security Hole10148zonealarm-email-bypass-security(15884)Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1.5b allow remote attackers to read or include arbitrary files via .. sequences in (1) the user_langue parameter to index.php or (2) the langue parameter to update.php, or modify arbitrary GLOBAL variables by causing globals.php to be loaded before conf.inc.php via (3) .. sequences in the file parameter with the page parameter set to globals, or (4) ../globals.php in the user_langue parameter, as demonstrated by modifying $nuked[prefix] in the Suggest module.20040417 [SCSA-028] Nuked-Klan Multiple Vulnerabilitieshttp://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt1010411341nuked-klan-file-include(15843)nuked-klan-configurtion-corruption(15844)SQL injection vulnerability in userlogin.php in Phorum 3.4.7 allows remote attackers to execute arbitrary SQL commands via doubly hex-encoded characters such as "%2527", which is translated to "'", as demonstrated using the phorum_uriauth parameter to list.php.20040419 [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7]http://www.waraxe.us/index.php?modname=sa&id=191017311407phorum-userlogin-sql-injection(15894)Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows remote attackers to inject arbitrary web script or HTML via double encoded slashes (%252F) in the key parameter.20040419 Zaep AntiSpam Cross Site Scriptinghttp://www.securiteam.com/windowsntfocus/5EP0I15CKK.html1013911388zaep-antispam-xss(15858)sipclient.cpp in KPhone 4.0.1 and earlier allows remote attackers to cause a denial of service (crash) via a STUN response packet with a large attrLen value that causes an out-of-bounds read.20040419 KPhone STUN DoS (Malformed STUN Packets)http://www.securiteam.com/unixfocus/5PP0B1FCLY.htmlhttp://www.wirlab.net/kphone/changes-4.0.2.html10159kphone-stun-dos(15874)Fastream NETFile FTP/Web Server 6.5.1.980 allows remote attackers to cause a denial of service via a username that does not exist.20040419 DoS in NETFile FTP/Web Serverhttp://www.autistici.org/fdonato/advisory/FastreamNETFileFWServer6.5.1.980-adv.txt1016911428fastream-user-pass-dos(15899)55481009868The Solaris 9 patches 113579-02 through 113579-05, and 114342-02 through 114342-05, prevent ypserv and ypxfrd from properly restricting access to secure NIS maps, which allows local users to use ypcat or ypmatch to extract the contents of a secure map such as passwd.adjunct.byname.20040419 Solaris 9 patch 113579-03 introduces a NIS security bug57554O-14410261solaris-nis-unauth-privileges(15908)PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter.20040419 phpBB modified by Przemo arbitary code execution10177phpbb-albumportal-file-include(15916)Eudora 6.1 and 6.0.3 for Windows allows remote attackers to cause a denial of service (crash) via a deeply nested multipart MIME message.20040414 Eudora 6.0.3 nested MIME DoS20040419 Eudora 6.1 is evil1013711360eudora-mime-message-dos(15857)Buffer overflow in Kinesphere eXchange POP3 allows remote attackers to execute arbitrary code via a long MAIL FROM field.20040419 Exchange pop3 remote exploit20040527 Re: Exchange pop3 remote exploithttp://securitytracker.com/id?10098821018011449exchange-pop3-smtp-bo(15922)5593Format string vulnerability in the PRINT_ERROR function in common.c for Cherokee Web Server 0.4.16 and earlier allows local users to execute arbitrary code via format string specifiers in the -C command line argument. NOTE: it is not clear whether this issue could be exploited remotely, or if Cherokee is running at escalated privileges. Therefore it might not be a vulnerability.20040420 Format String in Cherokeehttp://www.nosystem.com.ar/advisories/advisory-03.txtcherokee-printerror-format-string(15924)The AVXSCANONLINE.AvxScanOnlineCtrl.1 ActiveX control in BitDefender Scan Online allows remote attackers to (1) obtain sensitive information such as system drives and contents or (2) use the RequestFile method to download and execute arbitrary code via an object codebase that uses bitdefender.cab.20040419 BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure20040420 Re: BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure1017511427bitdefender-avxscanonline-code-execution(15911)1017455491009862NcFTP client 3.1.6 and 3.1.7, when the username and password are included in an FTP URL that is provided on the command line, allows local users to obtain sensitive information via "ps aux," which displays the URL in the process list.20040419 NcFTP - password leaking1018211438ncftp-info-disclosure(15919)5595SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remote attackers to execute arbitrary SQL via (1) the sif parameter to index.php in the Comments module or (2) timezoneoffset parameter to changeinfo.php in the Your_Account module.20040414 [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection20040420 [PNSA 2004-2] PostNuke Security Advisory PNSA 2004-2http://news.postnuke.com/Article2580.html1014611386postnuke-indexphp-sql-injection(15869)postnuke-changeinfo-sql-injection(15875)536853691009801phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwarded-For in the HTTP header, which allows remote attackers to spoof IP addresses.20040419 phpBB 2.0.8a and lower - IP spoofing vulnerability20040419 Re: phpBB 2.0.8a and lower - IP spoofing vulnerability1017011434phbb-common-ip-spoofing(15909)xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link.http://www.xinehq.de/index.php/security/XSA-2004-1http://www.xinehq.de/index.php/security/XSA-2004-2GLSA-200404-20SSA:2004-1111019311433xine-mrl-file-overwrite(15939)55945739SQL injection vulnerability in Advanced Guestbook 2.2 allows remote attackers to execute arbitrary SQL commands and gain privileges via the password.20040421 Advanced Guestbook 2.2 -- SQL Injection Exploit20050212 Re: Advanced Guestbook 2.2 -- SQL Injection Exploit10209advancedguestbook-sql-injection(15892)phProfession 2.5 allows remote attackers to gain sensitive information via a direct HTTP request to upload.php, which reveals the path in a PHP error message.20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke]http://www.waraxe.us/index.php?modname=sa&id=2110190562311465phprofession-upload-path-disclosure(15930)Cross-site scripting (XSS) vulnerability in modules.php in phProfession 2.5 allows remote attackers to inject arbitrary web script or HTML via the jcode parameter.20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke]http://www.waraxe.us/index.php?modname=sa&id=2110190562411465phprofession-jcode-xss(15931)SQL injection vulnerability in modules.php in phProfession 2.5 allows remote attackers to execute arbitrary SQL code via the offset parameter.20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke]http://www.waraxe.us/index.php?modname=sa&id=2110190562511465phprofession-offset-sql-injection(15932)PostNuke 0.7.2.6 allows remote attackers to gain information via a direct HTTP request to files in the (1) includes/blocks directory, (2) pnadodb directory, (3) NS-NewUser module, (4) NS-Your_Account, (5) NS-LostPassword module, or (6) NS-User module which reveals the path to the web server in a PHP error message.20040421 [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2]http://www.waraxe.us/index.php?modname=sa&id=2210191postnuke-scripts-modules-path-disclosure(15933)Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.726 allows remote attackers to inject arbitrary web script or HTML via the (1) lid and query parameters to the Downloads module, (2) query parameter to the Web_links module, or (3) hlpfile parameter to openwindow.php.20040421 [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2]http://www.waraxe.us/index.php?modname=sa&id=2210191postnuke-openwindow-xss(15934)Directory traversal vulnerability in manifest.ini in Unreal engine allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in a UMOD (Unreal MOD) file.10196unreal-umod-dotdot-file-overwrite(15942)20040422 Arbitrary file overwriting in Unreal engine through UMODblocker_query.php in Protector System 1.15b1 for PHP-Nuke allows remote attackers to gain sensitive information via a string in the portNum parameter, which reveals the full path in an error message.20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=2510206protector-blockerquery-path-disclosure(15963)Cross-site scripting (XSS) vulnerability in blocker_query.php in Protector System 1.15b1 allows remote attackers to inject arbitrary web script or HTML via the (1) target or (2) portNum parameters.20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=25protector-blockerquery-xss(15965)blocker.php in Protector System 1.15b1 allows remote attackers to bypass SQL injection protection and execute limited SQL commands via URL-encoded "'" characters ("%27").20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=25SQL injection vulnerability in index.php in Protector System 1.15b1 allows remote attackers to bypass SQL injection filters by using "/**/" sequences in the targeted fields.20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=25protector-sql-filter-bypass(15969)nqt.php in Network Query Tool (NQT) 1.6 allows remote attackers to obtain sensitive information via a string in the portNum parameter, which reveals the full path in an error message.20040423 [waraxe-2004-SA#024 - XSS and full path disclosure in Network Query Tool 1.6]http://www.waraxe.us/index.php?modname=sa&id=2411479nqt-nqtphp-path-disclosure(15957)Cross-site scripting (XSS) vulnerability in nqt.php in Network Query Tool (NQT) 1.6 allows remote attackers to inject arbitrary web script or HTML via the portNum parameter.20040423 [waraxe-2004-SA#024 - XSS and full path disclosure in Network Query Tool 1.6]http://www.waraxe.us/index.php?modname=sa&id=241020511479nqt-nqtphp-xss(15929)Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) redirect parameter to member.php, (2) to parameter to myhome.php (3) TID parameter to post.php, or (4) redirect parameter to index.php.20040425 Multiple Vulnerabilities In OpenBBhttp://securitytracker.com/id?10099351021411481openbb-multiple-scripts-xss(15966)Multiple SQL injection vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) FID parameter in board.php, (2) sortorder, perpage, or id parameters in member.php, (3) forums parameter in search.php, or (4) PID or FID parameters in post.php.20040425 Multiple Vulnerabilities In OpenBBhttp://securitytracker.com/id?10099351021411481openbb-multiplescripts-sql-injection(15964)Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link.20040425 Multiple Vulnerabilities In OpenBBhttp://securitytracker.com/id?100993511481openbb-tags-execute-code(15967)The readmsg action in myhome.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to read arbitrary messages by modifying the id parameter.20040425 Multiple Vulnerabilities In OpenBBhttp://securitytracker.com/id?10099351021711481openbb-myhomephp-obtain-information(15970)The avatar upload capability in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to execute arbitrary script by uploading files that include scripting code such as Javascript.20040425 Multiple Vulnerabilities In OpenBBhttp://securitytracker.com/id?10099351021811481openbb-file-upload(15971)Samsung SmartEther SS6215S switch, and possibly other Samsung switches, allows remote attackers and local users to gain administrative access by providing the admin username followed by a password that is the maximum allowed length, then pressing the enter key after the resulting error message.20040426 Samsung SmartEther SS6215S Switch10219samsung-smartether-admin-access(15973)modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to gain sensitive information via an HTTP request with an invalid (1) catid or (2) clipid parameter, which reveals the full path in an error message.20040426 Multiple vulnerabilities PHP-Nuke Video Gallery Module for PHP-Nukevideo-gallery-error-path-disclosure(15978)SQL injection vulnerability in modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to execute arbitrary SQL code via the (1) clipid or (2) catid parameters in a viewclip, viewcat, or voteclip action.20040426 Multiple vulnerabilities PHP-Nuke Video Gallery Module for PHP-Nuke10215video-gallery-sql-injection(15979)DiGi Web Server allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request that contains a large number of / (slash) characters, which consumes resources when DiGi converts the slashes to \ (backslash) characters.20040427 resources consumption in DiGi WWW Serverhttp://www.autistici.org/fdonato/advisory/DiGiWwwServerC1-adv.txthttp://sourceforge.net/project/shownotes.php?release_id=23426110228570211490digi-www-slash-dos(15987)1009957paFileDB 3.1 allows remote attackers to gain sensitive information via a direct request to (1) login.php, (2) category.php, (3) search.php, (4) main.php, (5) viewall.php, (6) download.php, (7) email.php, (8) file.php, (9) rate.php, or (10) stats.php, which reveals the path in an error message.20040427 Multiple vulnerabilities paFileDBpafiledb-loginphp-path-disclosure(15990)Cross-site scripting (XSS) vulnerability in the category module in pafiledb.php for paFileDB 3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a vulnerability that is closely related to CVE-2004-1551.20040427 Multiple vulnerabilities paFileDB20040925 New XSS vulnerabilities in paFileDB 3.1 final10229pafiledb-pafiledbphp-xss(15992)SMC Barricade broadband router 7008ABR and 7004VBR enable remote administration by default, which allows remote attackers to gain access by connecting to port 1900.20040428 SMC Routers have remote administration enabled by default20040427 SMC Routers have remote administration enabled by default20040605 SMC 7008ABRv2 and 7004VBRv1 updated firmware corrects port 1900 issue.10232barricade-router-gain-access(15993)3com NBX IP VOIP NetSet Configuration Manager allows remote attackers to cause a denial of service (crash) via a Nessus scan in safeChecks mode.20040429 3com NBX VOIP NetSet Denial of Service Attack10240115043com-nbx-scan-dos(16015)Cross-site scripting (XSS) vulnerability in help.php in Moodle before 1.3 allows remote attackers to inject arbitrary HTML and web script via the text parameter.20040430 Cross Site Scripting in Moodle < 1.31025111535moodle-help-xss(16023)57471010008Cross-site scripting (XSS) vulnerability in do_search.php in PROPS 0.6.1 allows remote attackers to inject arbitrary HTML or web script via the search_string parameter.20040501 Props 0.6.1 XSS and Remote File Viewing Vulnerabilityhttp://sourceforge.net/project/shownotes.php?group_id=29581&release_id=23443310258props-dosearch-xss(16035)Directory traversal vulnerability in glossary.php in PROPS 0.6.1 allows remote attackers to view arbitrary files via a .. (dot dot) in (1) module or (2) format variables.20040501 Props 0.6.1 XSS and Remote File Viewing Vulnerabilityhttp://sourceforge.net/project/shownotes.php?group_id=29581&release_id=234433props-glossary-obtain-information(16036)The web interface for Crystal Reports allows remote attackers to cause a denial of service (disk exhaustion) by repeatedly requesting reports without retrieving the associated image files, which are not cleared from the image file folder.20040502 Crystal Reports Vulnerabilities20040608 Vulnerability: Arbitrary File Access & DoS in Crystal ReportsPost.pl in YaBB 1 Gold SP 1.2 allows remote attackers to modify records in the board's .txt file via carriage return characters in the subject field.20040502 Vulnerability in YaBB forum (Perl version without SQL)http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=10931332331026312609yabb-subject-modify-file(16050)The arch_get_unmapped_area function in mmap.c in the PaX patches for Linux kernel 2.6, when Address Space Layout Randomization (ASLR) is enabled, allows local users to cause a denial of service (infinite loop) via unknown attack vectors.20040502 PaX Linux Kernel 2.6 Patches DoS Advisory20040509 PaX DoS proof-of-conceptGLSA-200407-02http://pax.grsecurity.net/10264pax-aslr-enabled-dos(16037)Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) phpinfo.php, (2) addpic.php, (3) config.php, (4) db_input.php, (5) displayecard.php, (6) ecard.php, (7) crop.inc.php, which reveal the full path in a PHP error message.20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=2611524coppermine-multiple-path-disclosure(16039)57566495649664976498649965001010001Cross-site scripting (XSS) vulnerability in menu.inc.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to inject arbitrary HTML or web script via the CPG_URL parameter.20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=261025311524coppermine-menuincpho-xss(16040)5757Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter.20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=261025311524coppermine-modulesphp-directory-traversal(16042)57581010001picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to execute arbitrary commands via shell metacharacters in the (1) $CONFIG['impath'] or (2) $CONFIG['jpeg_qual'] parameters.20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=261025311524coppermine-parameters-execute-commands(16043)57591010001PHP remote file inclusion vulnerability in init.inc.php in Coppermine Photo Gallery 1.2.0 RC4 allows remote attackers to execute arbitrary PHP code by modifying the CPG_M_DIR to reference a URL on a remote web server that contains functions.inc.php.20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=261025311524coppermine-multiple-file-include(16041)57611010001PHP remote file inclusion vulnerability in theme.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to execute arbitrary PHP code by modifying the THEME_DIR parameter to reference a URL on a remote web server that contains user_list_info_box.inc.20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=261025311524coppermine-multiple-file-include(16041)59121010001Aldo's Web Server (aweb) 1.5 allows remote attackers to gain sensitive information via an arbitrary character, which reveals the full path and the user running the aweb process, possibly due to a malformed request.20040503 Multible_Vulnerabilites_in_Aldos_Webserverhttp://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt1026211542aweb-path-disclosure(16047)5880Directory traversal vulnerability in Aldo's Web Server (aweb) 1.5 allows remote attackers to view arbitrary files via a .. (dot dot) in an HTTP GET request.20040503 Multible_Vulnerabilites_in_Aldos_Webserverhttp://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt1026211542aweb-dotdot-directory-traversal(16048)5881Buffer overflow in Serv-U FTP server before 5.0.0.6 allows remote attackers to cause a denial of service (crash) via a long -l parameter, which triggers an out-of-bounds read.20040503 Serv-U LIST -l Parameter Buffer Overflow20040503 Serv-U LIST -l Parameter Buffer Overflowhttp://www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html1018111430servu-list-command-bo(15913)55461009869The patch to the checklogin function in omail.pl for omail webmail 0.98.5 is incomplete, which allows remote attackers to execute arbitrary commands via shell metacharacters such as "`" (backticks) in the password.20040504 remote root exec vulnerability in omail102749585omailwebmail-checklogin-code-execution(12948)FuseTalk 4.0 allows remote attackers to ban other users via a direct request to banning.cfm.20040505 Fuse Talk Vunerabilities1027811555fusetalk-banning-unauth-access(16081)5894Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm.20040505 Fuse Talk Vunerabilities1027611555fusetalk-get-add-users(16080)58951010080Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.0 allows remote attackers to inject arbitrary web script via the size tag.20040505 SMF SIZE Tag Script Injection Vulnerability10281smf-size-html-injection(16067)Kolab stores OpenLDAP passwords in plaintext in the slapd.conf file, which may be installed world-readable, which allows local users to gain privileges.[kolab-users] 20040420 Possible Kolab LDAP configuration information disclosureMDKSA-2004:05220040505 [OpenPKG-SA-2004.019] OpenPKG Security Advisory (kolab)1027711560kolab-root-password-plaintext(16068)http://www.erfrakon.de/projects/kolab/download/kolab-server-1.0/src/Changelog5898MDKSA-2004:052The Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to gain sensitive information via an invalid show parameter to modules.php, which reveals the full path in a PHP error message.20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]http://www.waraxe.us/index.php?modname=sa&id=27Cross-site scripting (XSS) vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to inject arbitrary HTML and web script via the (1) ttitle or (2) sid parameters to modules.php.20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]http://www.waraxe.us/index.php?modname=sa&id=2711553phpnuke-ttitle-sid-xss(16073)SQL injection vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL via the (1) orderby or (2) sid parameters to modules.php.20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2]http://www.waraxe.us/index.php?modname=sa&id=271028211553phpnuke-orderby-sid-sql-injection(16074)20080221 PHP-Nuke Module Downloads SQL Injection(sid)27932ifconfig "-arp" in SGI IRIX 6.5 through 6.5.22m does not properly disable ARP requests from being sent or received.20050502-01-P10289Unknown vulnerability in SGI IRIX 6.5 through 6.5.22m allows remote attackers to cause a denial of service via a certain UDP packet.20050502-01-P10287irix-udp-dos(16158)Buffer overflow in the ssl_prcert function in the SSLway filter (sslway.c) for DeleGate 8.9.2 and earlier allows remote attackers to execute arbitrary code via a certificate with a long (1) subject or (2) issuer name field.20040506 [0xbadc0ded #03] DeleGate (SSL-filter) <= 8.9.210295115695945delegate-sslway-bo(16078)The Live CD in SUSE LINUX 9.1 Personal edition is configured without a password for root, which allows remote attackers to gain privileges via SSH.10297livecd-ssh-gain-access(16084)Buffer overflow in Eudora for Windows 5.2.1, 6.0.3, and 6.1 allows remote attackers to execute arbitrary code via an e-mail with (1) a link to a long URL to the C drive or (2) a long attachment name.20040507 Eudora file URL buffer overflowhttp://www.eudora.com/download/eudora/windows/6.1.1/RelNotes.txt1029811568eudora-long-url-bo(16086)Trend Micro OfficeScan 3.0 - 6.0 has default permissions of "Everyone Full Control" on the installation directory and registry keys, which allows local users to disable virus protection.20040507 Security issue with Trend OfficeScan Corporate Edition1030011576officescan-configuration-modify(16092)5990Cross-site scripting (XSS) vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to inject arbitrary HTML or web script via the (1) cat parameter in a CatView function or (2) jokeid parameter in a JokeView function.20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke]10306nukejokes-modules-xss(16096)SQL injection vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to execute arbitrary SQL via the jokeid parameter.20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke]http://www.waraxe.us/index.php?modname=sa&id=281030611579nukejokes-sql-injection(16099)NukeJokes 1.7 and 2 Beta allows remote attackers to obtain the full path of the server via (1) a direct call to mainfunctions.php, (2) an invalid jokeid parameter in a JokeView function or (3) an invalid cat parameter in a CatView function, which reveals the path in a PHP error message.20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke]nukejokes-multiple-path-disclosure(16094)PHP remote file inclusion vulnerability in index.php in phpShop 0.7.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the base_dir parameter to reference a URL on a remote web server that contains phpshop.cfg.20040509 Arbitrary code inclusion in phpShophttp://www.fribble.net/advisories/phpshop_29-04-04.txt1031311587phpshop-basedir-file-include(16107)msxml3.dll in Internet Explorer 6.0.2600.0 allows remote attackers to cause a denial of service (crash) via a single & (ampersand) in a <Ref href> link, which triggers a parsing error, possibly due to missing portions of the URI.20040510 msxml3.dll Parsing Error Crashes Internet Explorer Remotely Upon Refreshmsxml3-ampersand-dos(16112)The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges.20040510 Advisory 04/2004: Net(Free)BSD Systrace local root vulnerabilitiy1032011585systrace-gain-privileges(16110)Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory.20040511 Linux Kernel sctp_setsockopt() Integer Overflow2004-002910326linux-sctpsetsockopt-integer-bo(16117)Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded.20040516 Wget race condition vulnerability[wget] 20040517 Wget race condition vulnerability (fwd)[wget] 20040517 Re: Wget race condition vulnerability (fwd)10361wget-lock-race-condition(16167)USN-145-1RHSA-2005:771MDKSA-2005:20417399MDKSA-2005:204Cross-site scripting (XSS) vulnerability in WebCT Campus Edition allows remote attackers to inject arbitrary HTML or web script via (1) iframe, (2) img, or (3) object tags.20040517 WebCT: Cross Site Scripting Vulnerability10357webct-iframe-img-tags-xss(16156)20040516 WebCT: Cross Site Scripting VulnerabilityStack-based buffer overflow in the HTTP server in NetChat 7.3 and earlier allows remote attackers to execute arbitrary code via a long GET request.20040517 NetChat HTTP Server Stack Overflow1035311637netchat-sprintf-bo(16165)Multiple cross-site scripting (XSS) vulnerabilities in Turbo Traffic Trader C (TTT-C) 1.0 allow remote attackers to inject arbitrary HTML or web script, as demonstrated via (1) the link parameter to ttt-out, (2) the X-Forwarded-For header in a GET request to ttt-in, (3) the Referer header in a GET request to ttt-in, or the (4) site name or (5) site URL fields in the main control panel.20040517 Multiple TTT-C XSS vulnerabilities1035911623turbotraffictraderc-multiple-xss(16164)633963406341634263436344PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to reference a URL on a remote web server that contains the code.20040517 [waraxe-2004-SA#029 - Possible remote file inclusion in PhpNuke 6.x - 7.3]http://www.waraxe.us/index.php?modname=sa&id=291036511625phpnuke-modpath-file-include(16218)20040517 [waraxe-2004-SA#029 - Possible remote file inclusion in PhpNuke 6.x - 7.3]6222The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which displays the full path in a PHP error message.20040517 [waraxe-2004-SA#030 - Multiple vulnerabilities in PhpNuke 6.x - 7.3]http://www.waraxe.us/index.php?modname=sa&id=291036711625phpnuke-show-weblink-path-disclosure(16170)Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 6.x through 7.3 allow remote attackers inject arbitrary HTML or web script into the (1) optionbox parameter in the News module, (2) date parameter in the Statistics module, (3) year, month, and month_1 parameters in the Stories_Archive module, (4) mode, order, and thold parameters in the Surveys module, or (5) a SQL statement to index.php, as processed by mainfile.php.20040517 [waraxe-2004-SA#030 - Multiple vulnerabilities in PhpNuke 6.x - 7.3]http://www.waraxe.us/index.php?modname=sa&id=291036711625phpnuke-multi-xss(16172)62256226Directory traversal vulnerability in file_manager.php in osCommerce 2.2 allows remote attackers to view arbitrary files via a .. (dot dot) in the filename argument.20040517 oscommerce 2.2 file_manager.php file browsing1036411624oscommerce-dotdot-directory-traversal(16174)20050322 osCommerce File Manager Directory Traversal Vulnerabilityhttp://www.excluded.org/advisories/advisory13.txt63081010176ActivePerl 5.8.x and others, and Larry Wall's Perl 5.6.1 and others, when running on Windows systems, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the system command, which leads to a stack-based buffer overflow. NOTE: it is unclear whether this bug is in Perl or the OS API that is used by Perl.20040517 Buffer Overflow in ActivePerl ?20040518 RE: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ?20040517 RE: Buffer Overflow in ActivePerl ?20040518 Re: Buffer Overflow in ActivePerl ?http://www.oliverkarow.de/research/ActivePerlSystemBOF.txthttp://www.perlmonks.org/index.pl?node_id=35414510375perl-system-bo(16169)20040518 Re[2]: [Full-Disclosure] Buffer Overflow in ActivePerl ?SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 before patch 1, and possibly other versions allows remote attackers to execute arbitrary SQL via the (1) admin_name or (2) admin_pass parameters.20040518 Zen Cart login.php SQL Injection Vulnerabilityhttp://www.zen-cart.com/modules/ipb/index.php?showtopic=4835http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateDhttp://securitytracker.com/id?10101721037811649zencart-login-sql-injection(16176)http://www.packetstormsecurity.org/0405-advisories/zencart112d.txt6298 20060517 Re: Zen Cart login.php SQL Injection VulnerabilityThe distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, which allows attackers to gain administrative privileges via password_forgotten.php.http://www.zen-cart.com/modules/ipb/index.php?showtopic=4873http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateDSQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter.http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateDhttp://www.zen-cart.com/modules/ipb/index.php?showtopic=3731Format string vulnerability in the logmsg function in svc.c for Pound 1.5 and earlier allows remote attackers to execute arbitrary code via format string specifiers in syslog messages.20040507 Pound <=1.5 Remote Exploit (Format string bug)GLSA-200405-08http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000#1070234315000http://securitytracker.com/id?101003410267574611528pound-logmsg-format-string(16033)Buffer overflow in Icecast 2.0.0 and earlier allows remote attackers to cause a denial of service (crash) via a long Basic Authorization header that triggers an out-of-bounds read.20040509 Icecast 2.0.0 preauth overflowGLSA-200405-1010311607511578icecast-auth-request-bo(16103)Cross-site scripting (XSS) vulnerability in stats.php in e107 allows remote attackers to inject arbitrary web script or HTML via the referer parameter to log.php.20040521 e107 web portal Referers HTTP Injection1039511693e107-log-xss(16231)6345The Util_DecodeHTTPAuth function in BNBT BitTorrent Tracker Beta 7.5 Release 2 and earlier allows remote attackers to cause a denial of service (crash) via a Basic Authorization HTTP request with a "A==" value.20040522 BNBT BitTorrent Tracker Denial Of Servicehttp://fux0r.phathookups.com/advisory/sp-x12-advisory.txt1039911684bittorrent-http-get-dos(16228)63361010254Multiple cross-site scripting (XSS) vulnerabilities in index.jsp for Liferay before 2.2.0 release 10/1/2004 allow remote attackers to inject abitrary web script or HTML, as demonstrated using the message subject.20040522 Liferay Cross Site Scripting Flaw20041125 Re: Liferay Cross Site Scripting Flaw10402634611692liferay-message-xss(16232)1010259Cross-site scripting (XSS) vulnerability in user.php in e107 allows remote attackers to inject arbitrary web script or HTML via the (1) URL, (2) MSN, or (3) AIM fields.20040522 e107 web portal user.php XSS (Cross Site Scripting)10405641011696e107-user-xss(16241)Netgear RP114 allows remote attackers to bypass the keyword based URL filtering by requesting a long URL, as demonstrated using a large number of %20 (hex-encoded space) sequences.20040524 Netgear RP114 URL filter fails if URL is too long10404641111698netgearrp114-long-url-filter-bypass(16238)Orenosv 0.5.9f allows remote attackers to cause a denial of service (crash) via a long HTTP GET request.20040526 Orenosv HTTP/FTP Server Denial Of Servicehttp://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html10420641911706orenosv-http-get-dos(16250)Buffer overflow in the (1) WTHoster and (2) WebDriver modules in WildTangent Web Driver 4.0 allows remote attackers to execute arbitrary code via a long filename.20040527 WildTangent Web Driver Long FileName Stack Overflowhttp://www.ngssoftware.com/advisories/wildtangent.txt10421644511727wildtangent-wthoster-webdriver-bo(16266)MiniShare 1.3.2 allows remote attackers to cause a denial of service (crash) via a malformed HTTP GET or HEAD request without the proper number of trailing CRLF sequences.20040527 DoS in MiniShare 1.3.2http://www.autistici.org/fdonato/advisory/MiniShare1.3.2-adv.txthttp://sourceforge.net/project/shownotes.php?release_id=24115864321041711715minishare-get-head-dos(16260)SQL injection vulnerability in the art_print function in print.inc.php in unknown versions of jPortal before 2.3.1 allows remote attackers to inject arbitrary SQL commands via the id parameter.20040528 JPortal SQL Injectshttp://www.securiteam.com/unixfocus/5HP020KD5K.html10430650311737jportal-printincphp-sql-injection(16272)1010327Buffer overflow in Mollensoft Lightweight FTP Server 3.6 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long CWD command, as demonstrated in one example by using the "cd" command in an interactive FTP client.20040528 Mollensoft ftp Server ver 3.6 Buffer overflow20040601 Mollensoft Lightweight FTP Server CWD Buffer Overflow10409104296412mollensoft-cwd-command-bo(16237)mollensoft-cd-bo(16303)1010328Cross-site scripting (XSS) vulnerability in Land Down Under (LDU) before LDU 700 allows remote attackers to inject arbitrary web script or HTML via a BBcode img tag in (1) functions.php, (2) header.php or (3) auth.inc.php.20040529 LDU (land down under) xss vulnerability65086510651111739ldu-bbcode-xss(16284)104351010335e107 0.615 allows remote attackers to obtain sensitive information via a direct request to (1) alt_news.php, (2) backend_menu.php, (3) clock_menu.php, (4) counter_menu.php, (5) login_menu.php, and other files, which reveal the full path in a PHP error message.20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]http://www.waraxe.us/index.php?modname=sa&id=31652511740e107-multiplescripts-path-disclosure(16277)1043620040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]Multiple cross-site scripting (XSS) vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary web script or HTML via the (1) LAN_407 parameter to clock_menu.php, (2) "email article to a friend" field, (3) "submit news" field, or (4) avmsg parameter to usersettings.php.20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]http://www.waraxe.us/index.php?modname=sa&id=3110436652665276528652911740e107-user-setting-xss(16281)e107-clock-menu-xss(16279)e107-email-friend-xss(16280)20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]PHP remote file inclusion vulnerability in secure_img_render.php in e107 0.615 allows remote attackers to execute arbitrary PHP code by modifying the p parameter to reference a URL on a remote web server that contains the code.20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]http://www.waraxe.us/index.php?modname=sa&id=3110436653011740e107-secure-img-render-file-include(16282)20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]Multiple SQL injection vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary SQL code and gain sensitive information via (1) content parameter to content.php, (2) content_id parameter to content.php, or (3) list parameter to news.php.20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]http://www.waraxe.us/index.php?modname=sa&id=311043665316532653311740e107-content-news-sql-injection(16283)20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615]Buffer overflow in ibserver for Firebird Database 1.0 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows remote attackers to cause a denial of service (crash) via a long database name, as demonstrated using the gsec command.20040601 Firebird Database Remote Database Name Overflowhttp://www.securiteam.com/unixfocus/5AP0P0UCUO.html10446640811756firebird-database-name-bo(16229)20040602 Firebird [ AND Interbase 7 ] Database Remote Database Name Overflow66241010381interbase-database-name-bo(16316)DSA-101419350PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access, as demonstrated using an HTTP request that contains the "admin.php" string.20040601 [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke20040606 Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke20040601 [Squid 2004-betaNC-001] Inadequate Security Checking in NukeCops10447659311766osc2nuke-eregi-path-disclosure(16296)oscnukelite-eregi-path-disclosure(16297)phpnuke-eregi-path-disclosure(16294)nukecops-ergei-path-disclosure(16298)20040601 [Squid 2004-OSC2Nuke-001] Inadequate Security Checking in OSC2Nuke20040601 [Squid 2004-betaNC-001] Inadequate Security Checking in NukeCops betaNC BundleThe HTTP administration interface on Conceptronic CADSLR1 ADSL router running firmware 3.04n allows remote attackers to cause a denial of service (device reboot) via an HTTP request with a long username.20040721 Denial of Service in Conceptronic CADSLR1 Routerhttp://www.shellsec.net/leer_advisory.php?id=51076912110conceptronic-long-username-dos(16746)Unknown vulnerability in APC PowerChute Business Edition 6.0 through 7.0.1 allows remote attackers to cause a denial of service via unknown attack vectors.20040721 APC Security Advisory Denial of Service Vulnerability with PowerChute Business Editionhttp://www.securitytracker.com/alerts/2004/Jul/1010745.html1077712124powerchute-console-dos(16767)10107458187Directory traversal vulnerability in EasyWeb FileManager 1.0 RC-1 for PostNuke allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the pathext parameter.20040724 EasyWeb FileManager Directory Traversalhttp://www.cirt.net/advisories/ew_file_manager.shtml10792819312151filemanager-pathext-view-directory-traversal(16806)radmin in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier starts a process port 25072 that can be accessed with a default "jstwo" password, which allows remote attackers to gain access.20040724 eSeSIX Thintune thin client multiple vulnerabilities1079412154thintune-password-gain-access(16790)82461010770eSeSIX Thintune thin clients running firmware 2.4.38 and earlier store sensitive usernames and passwords in cleartext in configuration files for the keeper library, which allows attackers to gain access.20040724 eSeSIX Thintune thin client multiple vulnerabilities1079412154thintune-plaintext-passwords(16795)82471010770eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allow local users to gain privileges by pressing CTRL-SHIFT-ALT-DEL and entering the "maertsJ" password, which is hard-coded into lshell.20040724 eSeSIX Thintune thin client multiple vulnerabilities1079412154thintune-password-gain-privileges(16808)82481010770The Phoenix browser in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allows local users to read arbitrary files via a file:/// URL.20040724 eSeSIX Thintune thin client multiple vulnerabilities1079412154thintune-url-obtain-information(16798)82491010770eSeSIX Thintune thin clients running firmware 2.4.38 and earlier accept any password that begins with the actual password, which makes it easier for users to conduct brute force password guessing.20040724 eSeSIX Thintune thin client multiple vulnerabilitiesPHP remote file inclusion vulnerability in index.php in EasyIns Stadtportal 4 allows remote attackers to execute arbitrary PHP code via the site parameter.20040724 Easyins Stadtportalhttp://securitytracker.com/id?1010769 10795easyins-php-file-include(16797)8233CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via (1) the mode parameter to privmsg.php or (2) the redirect parameter to login.php.20040720 PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities1075312114phpbb-search-response-splitting(16759)Cross-site scripting (XSS) vulnerability in search.php for PhpBB 2.0.4 and 2.0.9 allows remote attackers to inject arbitrary HTMl or web script via the search_author parameter.20040720 PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities1075312114phpbb-search-searchauthor-xss(16758)SQL injection vulnerability in action.php in Nucleus CMS 3.01 allows remote attackers execute arbitrary SQL statements via the itemid parameter.20040725 NucleusCMS 3.01 SQL Injection Vulnerability13136nucleus-sql-injection(18002)SQL injection vulnerability in ASPRunner 2.4 allows remote attackers to execute arbitrary SQL statements.20040726 ASPRunner Multiple Vulnerabilities20040726 ASPRunner Multiple Vulnerabilitieshttp://ferruh.mavituna.com/article/?5741079912164asprunner-sql-injection(16799)82511010777ASPRunner 2.4 allows remote attackers to gain sensitive information via (1) hidden form fields or (2) error messages.20040726 ASPRunner Multiple Vulnerabilities20040726 ASPRunner Multiple Vulnerabilitieshttp://ferruh.mavituna.com/article/?5741079912164asprunner-information-disclosure(16800)82521010777Multiple cross-site scripting vulnerabilities in ASPRunner 2.4 allow remote attackers inject arbitrary web script or HTML via the (1) SearchFor parameter in [TABLE-NAME]_search.asp, (2) SQL parameter in [TABLE-NAME]_edit.asp, (3) SearchFor parameter in [TABLE]_list.asp, or (4) SQL parameter in export.asp.20040726 ASPRunner Multiple Vulnerabilities20040726 ASPRunner Multiple Vulnerabilitieshttp://ferruh.mavituna.com/article/?5741079912164asprunner-xss(16801)82548255825682571010777ASPRunner 2.4 stores the database under the web root in the db directory, which may allow remote attackers to obtain the database via a direct request to the database filename, which is predictable based on table and field names.20040726 ASPRunner Multiple Vulnerabilities20040726 ASPRunner Multiple Vulnerabilitieshttp://ferruh.mavituna.com/article/?574107991216482531010777asprunner-database-file-access(16802)RiSearch 1.0.01 and RiSearch Pro 3.2.06 allows remote attackers to use the show.pl script as an open proxy, or read arbitrary local files, by setting the url parameter to a (1) http://, (2) ftp://, or (3) file:// URL.20040727 IRM 009: RiSearch and RiSearch ProPro are vulnerable to open FTP/HTTP proxy, directory listings and file disclosure vulnerabilities1081212173risearch-show-open-proxy(16817)826582661010788SQL injection vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to execute arbitrary SQL via the (1) thread_id, (2) parent_id, or (3) mode parameters.20040728 AntiBoard <= 0.7.2 XSS/SQL Injection1082112137antiboard-get-sql-injection(16828)Cross-site scripting (XSS) vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to inject arbitrary HTML or web script via the feedback parameter.20040728 AntiBoard <= 0.7.2 XSS/SQL Injection1082112137antiboard-feedback-xss(16830)8269Cross-site scripting (XSS) vulnerability in lostBook 1.1 and earlier allows remote attackers to inject arbitrary web script via the (1) Email or (2) Website fields.20040729 lostBook v1.1 Javascript Execution1082512190lostbook-email-website-xss(16835)82711010812DansGuardian 2.8 and earlier allows remote attackers to bypass the extension filtering rule via a hex encoded extension or . in the filename.20040729 DansGuardian Hex Encoding URL Banned Extension Filter Bypasshttp://dansguardian.org/?page=history1082312191dansguardian-filename-bypass-filtering(16836)82701010817SQL injection vulnerability in session.php in LinPHA 0.9.4 allows remote attackers to execute arbitrary SQL code and bypass authentication via the (1) linpha_userid or (2) linpha_password cookies.20040729 Linpha 0.9.4: authentication bypass1082712189linpha-cookie-gain-access(16834)8272SQL injection vulnerability in controlpanel.php in Jaws Framework and Content Management System 0.4 allows remote attackers to execute arbitrary SQL and bypass authentication via the (1) user, (2) password, or (3) crypted_password parameters.20040729 Jaws 0.4: authentication bypass10826jaws-controlpanel-sql-injection(16847)83201010815fetchnews in leafnode 1.9.47 and earlier allows remote attackers to cause a denial of service (process hang) via an emptry NNTP news article with missing mandatory headers.http://leafnode.sourceforge.net/leafnode-SA-2004-01.txt20040109 leafnode -1.9.47 security announcement SA-2004-01344110590leafnode-fetchnews-nntp-dos(14189)sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption).[openssh-unix-dev] 20040127 OpenSSH - Connection problem when LoginGraceTime exceeds time[openssh-unix-dev] 20040128 Re: OpenSSH - Connection problem when LoginGraceTime exceeds time[openssh-unix-dev] 20040127 OpenSSH - Connection problem when LoginGraceTime exceeds time[openssh-unix-dev] 20040128 Re: OpenSSH - Connection problem when LoginGraceTime exceeds timeFLSA-2006:168935RHSA-2005:5501496316567openssh-sshdc-logingracetime-dos(20930)17135172521700020061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 420061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 220061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2ADV-2006-45022287523680The Altiris Client Service for Windows 5.6 SP1 Hotfix E (5.6.181) allows local users to execute arbitrary commands by opening the AClient tray icon and using the View Log File option, a different vulnerability than CVE-2005-1590.20041119 Privilege escalation flaw in AClient Service for Windows (Version 5.6.181).Macallan Mail Solution 2.8.4.6 (Build 260), and possibly earlier versions, allows remote attackers to bypass authentication in the web interface via an HTTP GET request with two slashes ("//") after the server name.9646macallan-gain-unauthorized-access(15194)3926100903010861Cross-site scripting (XSS) vulnerability in index.php for Mambo Open Source 4.6, and possibly earlier versions, allows remote attackers to execute script on other clients via the Itemid parameter.http://www.systemsecure.org/advisories/ssadvisory06022004.phpmambo-itemid-xss(15062)9588Linux-VServer 1.24 allows local users with root privileges on a virtual server to gain access to the filesystem outside the virtual server via a modified chroot-again exploit using the chmod command.20040206 Linux 2.4.24 with vserver 1.24 exploithttp://www.linux-vserver.org/index.php?page=ChangeLoglinux-vserver-gain-privileges(15073)9596387510816Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands.98001009295dreamftp-command-format-string(15380)Sophos Anti-Virus 3.78 allows remote attackers to cause a denial of service (infinite loop) via a MIME header that is not properly terminated.http://www.sophos.com/support/news/#mime-3789648sophos-mime-header-dos(15191)3925100904210855Cross-site scripting (XSS) vulnerability in search.php for Jelsoft vBulletin 3.0.0 RC4 allows remote attackers to inject arbitrary web script or HTML via the query parameter.20040213 vBulletin PHP Forum Version9656vbulletin-search-xss(15208)Nadeo Game Engine for Nadeo TrackMania and Nadeo Virtual Skipper 3 allows remote attackers to cause a denial of service (server crash) via malformed data to TCP port 2350, possibly due to long values or incorrect size fields.20040208 TrackMania Demo Denial of Service20040209 Re: TrackMania Demo Denial of Servicehttp://www.securiteinfo.com/attaques/hacking/trackmaniados.shtml9604trackmania-dos(15081)Red-M Red-Alert 2.7.5 with software 3.1 build 24 allows remote attackers to cause a denial of service (reboot and loss of logged events) via a long request to TCP port 80, possibly triggering a buffer overflow.20040209 Red-M Red-Alert Multiple Vulnerabilitieshttp://genhex.org/releases/031003.txthttp://www.securiteam.com/securitynews/5SP0C0KC0A.html96181009001108323891redalert-long-request-dos(15086)20040209 Red-M Red-Alert Multiple VulnerabilitiesRed-M Red-Alert 2.7.5 with software 3.1 build 24 binds authentication to IP addresses, which allows remote attackers to bypass authentication by connecting from the same IP address as an active authenticated user.20040209 Red-M Red-Alert Multiple Vulnerabilitieshttp://genhex.org/releases/031003.txthttp://www.securiteam.com/securitynews/5SP0C0KC0A.html96181009001redalert-gain-access(15088)395220040209 Red-M Red-Alert Multiple VulnerabilitiesRed-M Red-Alert 2.7.5 with software 3.1 build 24 converts multiple spaces in a Service Set Identifier (SSID) to a single space, which prevents Red-Alert from correctly identifying the SSID.20040209 Red-M Red-Alert Multiple Vulnerabilitieshttp://genhex.org/releases/031003.txthttp://www.securiteam.com/securitynews/5SP0C0KC0A.html96181009001redalert-bypass-security(15089)395320040209 Red-M Red-Alert Multiple VulnerabilitiesThe samiftp.dll library in Sami FTP Server 1.1.3 allows local users to cause a denial of service (pmsystem.exe crash) by issuing (1) a CD command with a tilde (~) character or dot dot (/../) or (2) a GET command for an unavailable file.20040213 Sami FTP Server 1.1.3 multiple vulnerabilitieshttp://www.karja.com/samiftp/news.html9657sami-cd-get-dos(15204)The samiftp.dll library in Sami FTP Server 1.1.3 allows remote authenticated users to cause a denial of service (pmsystem.exe crash) via a GET request wit a large number of leading "/" (slash) characters.20040213 Sami FTP Server 1.1.3 multiple vulnerabilitieshttp://www.karja.com/samiftp/news.html9657sami-cd-get-dos(15204)Opera Web Browser 7.0 through 7.23 allows remote attackers to trick users into executing a malicious file by embedding a CLSID in the file name, which causes the malicious file to appear as a trusted file type, aka "File Download Extension Spoofing."http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/1076096403917opera-cslid-extension-spoof(21698)Cross-site scripting (XSS) vulnerability in search.php in JShop E-Commerce Server allows remote attackers to inject arbitrary web script or HTML via the xSearch parameter.http://www.systemsecure.org/advisories/ssadvisory09022004.php96093889100898810825jshop-searchphp-xss(15100)Multiple cross-site scripting (XSS) vulnerabilities in Brad Fears phpCodeCabinet 0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via multiple parameters, including (1) the sid parameter to comments.php, (2) the cid, cf, or rfd parameters to category.php, or the cid parameter to (3) input.php, (4) browse.php, (5) themes/facade/header.php, or (6) themes/phpcc/header.php.http://sourceforge.net/project/shownotes.php?release_id=214860http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/comments.php?r1=1.1&r2=1.2http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/category.php?r1=1.4&r2=1.5http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/input.php?r1=1.7&r2=1.8http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/browse.php?r1=1.5&r2=1.6http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/facade/header.php?r1=1.4&r2=1.5http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/phpcc/header.php?r1=1.4&r2=1.596019645388538863887phpcodecabinet-multiple-xss(15190)1671016711100901210862Stack-based buffer overflow in results.stm for Sambar Server before the 6.0 production release allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a long query parameter.20040207 Sambar 6.0 stack overflowhttp://www.sambar.com/security.htm960757861008979sambar-http-post-bo(15071)Unknown vulnerability in SandSurfer before 1.7.0 allows remote attackers to gain access as a logged-in user.http://sourceforge.net/forum/forum.php?forum_id=35170596473922100911010829sandsurfer-gain-access(15193)Sophos Anti-Virus 3.78 allows remote attackers to bypass virus scanning by using a qmail generated Delivery Status Notification (DSN) where the original email is not included in the bounce message.http://www.sophos.com/support/news/#mime-3789650sophos-email-virus-undetected(15192)100904210855Matrix FTP Server allows remote attackers to cause a denial of service (crash) by logging in using four spaces as the username and password and then issuing a LIST command.1008970matrixftp-login-list-dos(15075)Microsoft Internet Explorer 5.0.1 through 6.0 allows remote attackers to determine the existence of arbitrary files via the VBScript LoadPicture method, which returns an error code if the file does not exist.20040207 (no subject)961110820ie-error-obtain-information(15078)Microsoft Baseline Security Analyzer (MBSA) 1.2 does not correctly identify systems that have been patched but remain vulnerable to exploit until the system is rebooted, possibly giving the administrator a false sense of security.20040210 Another Low Blow From Microsoft: MBSA Failure!9634eTrust InoculateIT for Linux 6.0 uses insecure permissions for multiple files and directories, including the application's registry and tmp directories, which allows local users to delete, modify, or examine sensitive information.20040209 [local problems] eTrust Virus Protection 6.0 InoculateIT for linux9616389610833etrust-inoculateit-insecure-permissions(15103)Buffer overflow in the open_socket_out function in socket.c for rsync 2.5.7 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long RSYNC_PROXY environment variable. NOTE: since rsync is not setuid, this issue does not provide any additional privileges beyond those that are already available to the user. Therefore this issue may be REJECTED in the future.20040209 rsync <= 2.5.7 local buffer overflow (no root today:)linux-rsync-opensocketout-bo(15108)Cross-site scripting (XSS) vulnerability in WebcamXP 1.06.945 allows remote attackers to inject arbitrary HTML or web script as other users via a URL that contains the script.20040121 WebcamXP v1.06.945 Cross Site Scripting Vulnerabillitywebcamxp-xss(14904)9465Honeyd before 0.8 replies to TCP packets with the SYN and RST flags set, which allows remote attackers to identify IP addresses that are being simulated by Honeyd.20040121 Honeyd Security Advisory 2004-001: Remote Detection Via Simple Probe Packet20040121 [ GLSA 200401-02 ] Honeyd remote detection vulnerability via a probehoneyd-nmap-information-disclosure(14905)9464369010088181069510694Cross-site scripting (XSS) vulnerability in Mephistoles httpd 0.6.0 final allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into the URL.20040121 Mephistoles Httpd 0.6.0final XSSmephistoles-httpd-xss(14899)9470368910693Multiple scripts on SuSE Linux 9.0 allow local users to overwrite arbitrary files via a symlink attack on (1) /tmp/fvwm-bug created by fvwm-bug, (2) /tmp/wmmenu created by wm-oldmenu2new, (3) /tmp/rates created by x11perfcomp, (4) /tmp/xf86debug.1.log created by xf86debug, (5) /tmp/.winpopup-new created by winpopup-send.sh, or (6) /tmp/initrd created by lvmcreate_initrd.20040121 [SuSE 9.0] possible symlink attacks in some scripts20040122 Re: [SuSE 9.0] possible symlink attacks in some scriptssuse-multiple-symlink-attack(14963)94571008781Cross-site scripting (XSS) vulnerability in the banner engine (TBE) 5.0 allows remote attackers to execute arbitrary script as other users via the HTML banner view/preview capability.20040122 TBE - the banner engine server-side script execution vulnerabilitytbe-xss(14911)9472Buffer overflow in Need for Speed Hot Pursuit 2.0 client (NFSHP2), version 242 and earlier, allows remote attackers (servers) to execute arbitrary code via long (1) gamename, (2) gamever, (3) hostname, (4) gametype, (5) mapname or (6) gamemode commands.9473hotpursuit2-bo(14909)20040122 Need for Speed Hot pursuit 2 <= 242 client's buffer overflowGeoHttpServer, when configured to authenticate users, allows remote attackers to bypass authentication and access unauthorized files via a URL that contains %0a%0a (encoded newlines).20040122 GeoHttpServer Authentification Bypass Vulnerability & D.O.S (Denial Of Service)The sysinfo script in GeoHttpServer allows remote attackers to cause a denial of service (crash) via a long pwd parameter, possibly triggering a buffer overflow.20040122 GeoHttpServer Authentification Bypass Vulnerability D.O.S (Denial Of Service)1008807geohttpserver-long-password-bo(14913)Cross-site scripting (XSS) vulnerability in FREESCO 2.05, a modified version of thttpd, allows remote attackers to inject arbitrary web script or HTML via the test parameter.20040122 FREESCO public http server - Cross Site Scripting Vulnerabillityfreesco-thttpd-xss(14916)Cross-site scripting (XSS) vulnerability in Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to process arbitrary script or HTML as other users via (1) a malformed request for a Perl program with script in the filename, (2) the User.id parameter to the webacc servlet, (3) the GWAP.version parameter to webacc, or (5) a URL request for a .bas file with script in the filename.20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilitieshttp://support.novell.com/cgi-bin/search/searchtid.cgi?/10091529.htmnetware-enterprise-cgi2perl-xss(14919)4949Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to obtain sensitive server information, including the internal IP address, via a direct request to (1) snoop.jsp, (2) SnoopServlet, (3) env.bas, or (4) lcgitest.nlm.20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities1071194793715372037213722netware-enterprise-path-disclosure(14921)The webacc servlet in Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to read arbitrary .htt files via a full pathname in the error parameter.20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple VulnerabilitiesNovell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to list directories via a direct request to (1) /com/, (2) /com/novell/, (3) /com/novell/webaccess, or (4) /ns-icons/.20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities134021340313404netware-enterprise-directory-disclosure(21749)Finjan SurfinGate 6.0 and 7.0, when running in proxy mode, does not authenticate FHTTP commands on TCP port 3141, which allows remote attackers to use the finjan-parameter-type header to (1) restart the service, (2) use the getlastmsg command to view log information, or (3) use the online command to force a policy update from the database server.20040123 Finjan SurfinGate Vulnerability20040126 RE: Finjan SurfinGate Vulnerability20040123 Finjan SurfinGate Vulnerability107149478finjan-surfingate-execute-commands(14934)Multiple SQL injection vulnerabilities in QuadComm Q-Shop allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) search.asp, (2) browse.asp, (3) details.asp, (4) showcat.asp, (5) users.asp, (6) addtomylist.asp, (7) modline.asp, (8) cart.asp, or (9) newuser.asp.20040123 QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040123.txt9481qshop-multiple-sql-injection(14922)369836993700370137023703370437053706100883710704Multiple cross-site scripting (XSS) vulnerabilities in (1) imagezoom.asp or (2) recommend.asp in Q-Shop allow remote attackers to execute arbitrary script and steal the user session ID via Javascript in a URL.20040123 QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilities9480qshop-url-xss(14923)3696369710704SQL injection vulnerability in register.php in Phorum before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the hide_email parameter.20040123 Multiple Vulnerabilities in Phorum 3.4.5http://phorum.org/Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename.20040124 [SST]ServU MDTM command remote buffero verflow adv20040126 Serv-U ftp 4.2 site chmod long_file_name exploit94831008841servu-chmodcommand-execute-code(14931)9675Directory traversal vulnerability in BremsServer 1.2.4 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in the URL.20040126 Directory traversal and XSS in BremsServer 1.2.49493bremsserver-dotdot-directory-traversal(14954)3755100885310731Cross-site scripting (XSS) vulnerability in BremsServer 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the URL.20040126 Directory traversal and XSS in BremsServer 1.2.49491bremsserver-xss(14953)3754107311008853Stack-based and heap-based buffer overflows in ProxyNow! 2.75 and earlier allow remote attackers to execute arbitrary code via a GET request with a long ftp:// URL.20040126 ProxyNow! 2.x Multiple Overflow Vulnerabilities9500proxynow-get-bo(14955)Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Server 1.3.22, based on Apache, allow remote attackers to execute arbitrary script as other users via the (1) action, (2) username, or (3) password parameters in an isqlplus request.20040124 Oracle HTTP Server Cross Site Scripting Vulnerabillity9484oraclehttpserver-isqlplus-xss(14930)Directory traversal vulnerability in Tiny Server 1.1 allows remote attackers to read or download arbitrary files via a .. (dot dot) in the URL.20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilitieshttp://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt9485tinyserver-dotdot-directory-traversal(14927)370810707Tiny Server 1.1 allows remote attackers to cause a denial of service (crash) via malformed HTTP requests such as (1) a GET request without the HTTP version (HTTP/1.1), or (2) a request without GET or the HTTP version.20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilitieshttp://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt9485tinyserver-string-dos(14928)370910707Tiny Server 1.1 allows remote attackers to cause a denial of service (crash) via a GET request with a long filename, possibly due to a buffer overflow.20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilitieshttp://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt9485tinyserver-string-dos(14928)10707Cross-site scripting (XSS) vulnerability in Tiny Server 1.1 allows remote attackers to inject arbitrary web script or HTML via the URL.20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilitieshttp://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt9485tinyserver-xss(14929)371010707Reptile Web Server allows remote attackers to cause a denial of service (CPU consumption) via multiple incomplete GET requests without the HTTP version.20040124 Resources consumption in Reptile webserver daily versionhttp://www.autistici.org/fdonato/advisory/reptilewsDailyVersion-adv.txt94821008842reptilewebserver-get-dos(14932)Multiple directory traversal vulnerabilities in Borland Web Server (BWS) 1.0b3 and earlier allow remote attackers to read and download arbitrary files via (1) multi-dot "......" sequences, or (2) "%5c%2e%2e" (encoded "\..") sequences, in the URL.20040124 BWS v1.0b3 Directory Transversal Vulnerability94861008840bws-directory-traversal(14948)Cross-site scripting (XSS) vulnerability in intraforum_db.cgi in Intra Forum allows remote attackers to inject arbitrary web script or HTML via the (1) use_last_read or (2) forum parameters.20040124 Inrtra Forum Cross Site Scripting Vulnerabillityintraforum-intraforumcgi-xss(14933)Multiple cross-site scripting (XSS) vulnerabilities in Nextplace.com E-Commerce ASP Engine allow remote attackers to inject arbitrary web script or HTML via the (1) level parameter of productdetail.asp, (2) searchKey parameter of searchresults.asp, and possibly (3) level parameter of ListCategories.asp.20040124 NextPlace.com E-Commerce ASP Enginenextplace-multiple-xss(14952)The register_globals simulation capability in Gallery 1.3.1 through 1.4.1 allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412.20040127 Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1http://gallery.menalto.com/modules.php?op=modload&name=News&file=indexgallery-gallerybasedir-file-include(14950)GLSA-200402-049490107123737Buffer overflow in blackd.exe for BlackICE PC Protection 3.6 and other versions before 3.6.ccb, with application protection off, allows local users to gain system privileges by modifying the .INI file to contain a long packetLog.fileprefix value.20040128 SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM9514blackice-blackdexe-bo(14965)[ISSForum] 20040128 Third party BlackICE advisory374010739The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure permissions for .INI files such as (1) blackice.ini, (2) firewall.ini, (3) protect.ini, or (4) sigs.ini, which allows local users to modify BlackICE configuration or possibly execute arbitrary code by exploiting vulnerabilities in the .INI parsers.20040128 SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM9513Directory traversal vulnerability in Web Blog 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file variable.20040128 ZH2004-01SA (security advisory): Web Blog 1.1 Remote arbitraryhttp://www.zone-h.org/en/advisories/read/id=3822/9517webblog-dotdot-directory-traversal(14978)373910740Cross-site scripting (XSS) vulnerability in BRS WebWeaver 1.07 allows remote attackers to execute arbitrary script as other users via the query string to ISAPISkeleton.dll.20040128 BRS WebWeaver Webserver Cross Site Scripting Vulnerability951610741webweaver-isapiskeleton-xss(14977)37411008880SurfNOW 2.2 allows remote attackers to cause a denial of service (crash) via a series of long HTTP GET requests, possibly triggering a buffer overflow.20040128 Denial Of Service in SurfNOW 2.29519surfnow-get-dos(14976)Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables.20040128 phpBB privmsg.php XSS vulnerability patch.http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=1619439290Stack-based buffer overflow in ontape for IBM Informix Dynamic Server (IDS) 9.40.xC3 and earlier allows local users, with DSA privileges, to execute arbitrary code via a long ONCONFIG environment variable.20040129 ----------========== OPEN3S-2003-08-08-eng-informix-ontapehttp://www-1.ibm.com/support/docview.wss?uid=swg211533369512informix-ontape-binary-bo(14970)107373759Directory traversal vulnerability in PJreview_Neo.cgi in PJ CGI Neo review allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter.20040129 ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrievinghttp://www.zone-h.org/advisories/read/id=38249524pjcgineoreview-dotdot-directory-traversal(14980)107343746Certain third-party packages for CVSup 16.1h, such as SuSE Linux, contain untrusted paths in the ELF RPATH fields of certain executables, which could allow local users to execute arbitrary code by causing cvsup to link against malicious libraries that are created in world-writable directories such as /usr/src/packages.20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs9523cvsup-rpath-gain-privileges(14994)Oracle toplink mapping workBench uses a weak encryption algorithm for passwords, which allows local users to decrypt the passwords.20040128 Oracle toplink mapping workbench password algorithm20040128 Re: Oracle toplink mapping workbench password algorithmhttp://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=803&lngWId=5951520040128 Re: Oracle toplink mapping workbench password algorithmcryptoloop on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption.[linux-kernel] 20040219 Re: Oopsing cryptoapi (or loop device?) on 2.6.*http://mareichelt.de/pub/notmine/diskenc.pdfhttp://www.securiteam.com/exploits/5UP0P1PFPM.html13775dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption.[linux-kernel] 20040219 Re: Oopsing cryptoapi (or loop device?) on 2.6.*http://mareichelt.de/pub/notmine/diskenc.pdfhttp://www.securiteam.com/exploits/5UP0P1PFPM.htmlOutlook Express 6.0, when sending multipart e-mail messages using the "Break apart messages larger than" setting, leaks the BCC recipients of the message to the addresses listed in the To and CC fields, which may allow remote attackers to obtain sensitive information.http://www.networksecurity.fi/advisories/outlook-bcc.html843555110409167101106712376outlook-email-address-disclosure(17098)Cross-site scripting (XSS) vulnerability in AWSguest.php in AllWebScripts MySQLGuest allows remote attackers to inject arbitrary HTML and PHP code via the (1) Name, (2) Email, (3) Homepage or (4) Comments field.http://www.computerknights.org/forum_viewtopic.php?2.122112341011376mysqlguest-awsguestphp-xss(17462)Unknown vulnerability in Adminedit.pl YaBB 1 Gold before 1.3.2 allows attackers to execute arbitrary code via settings.pl.http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=109313323312609yabb-admineditpl-xss(17459)1123510222CRLF injection vulnerability in YaBB 1 Gold before 1.3.2 allows remote attackers to modify text file contents via the subject variable.http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=109313323312609yabb-admineditpl-xss(17459)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1827. Reason: This candidate is a duplicate of CVE-2004-1827. Notes: All CVE users should reference CVE-2004-1827 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Unknown vulnerability in the remote tape support (remote.c) in the RMT client for Jorg Schilling sdd 1.28 and 1.31 has unknown impact and attack vectors.ftp://ftp.berlios.de/pub/sdd/AN-1.5212584sdd-rmt(17442)SQL injection vulnerability in the ReMOSitory Server add-on module to Mambo Portal 4.5.1 (1.09) and earlier allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in the com_remository option.http://www.mamboportal.com/content/view/1615/10113561259720040917 Mambo Portal lasted version 4.5.1 (1.09) and lower vesion : SQL injection Vulnerability.20040919 Re: Mambo Portal lasted version 4.5.1 (1.09) and lower vesion : SQL injection Vulnerability.1121910040remository-filecatid-sql-injection(17441)Baal Smart Forms before 3.2 allows remote attackers to bypass authentication and obtain system access via a direct request to regadmin.php.101141612649baal-admin-password-modify(17499)SQL injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows remote attackers to execute arbitrary SQL commands via the (1) sortdir or (2) criteria parameter to ladder-log.asp or the (3) memberid or (4) teamid parameter to view-profile.asp.20040926 HTTP Response Splitting and SQL injection in megabbs forum20040926 Re: HTTP Response Splitting and SQL injection in megabbs forummegabbs-sql-injection(17497)CRLF injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows attackers to conduct HTTP response splitting attacks via the fid parameter in a writenew action to thread-post.asp.20040926 HTTP Response Splitting and SQL injection in megabbs forum20040926 Re: HTTP Response Splitting and SQL injection in megabbs forummegabbs-response-splitting(17495)Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook allow attackers to cause a denial of service (crash) via malformed e-mail messages (1) without a body or (2) without a carriage return ("\n") separating the headers from the body.20040925 No body emails and Norton antivirus11259Unknown local vulnerability in the "change user" feature of Slava Astashonok Fprobe 1.0.5 and earlier has unknown impact and attack vectors.http://sourceforge.net/project/shownotes.php?release_id=26980711255101141712648fprobe-change-user(17494)Buffer overflow in the prepared statements API in libmysqlclient for MySQL 4.1.3 beta and 4.1.4 allows remote attackers to cause a denial of service via a large number of placeholders.http://dev.mysql.com/doc/mysql/en/news-4-1-5.htmlhttp://bugs.mysql.com/bug.php?id=519411261102441011408mysql-libmysqlclient-insert-bo(17493)Nettica Corporation INTELLIPEER Email Server 1.01 displays different error messages for valid and invalid account names, which allows remote attackers to determine valid account names.1125710349101142512661intellipeer-username-obtain-information(17510)Chatman 1.1.1 RC1 and earlier allows remote attackers to cause a denial of service (memory consumption or application crash) via a very large data size.20040927 Broadcast crash in Chatman 1.5.1 RC11126310114311266510365chatman-dos(17513)Cross-site scripting (XSS) vulnerability in 'raw' page output mode for MediaWiki 1.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML.http://sourceforge.net/project/shownotes.php?group_id=34373&release_id=271848113021045412692mediawiki-raw-output-xss(17578)Multiple unknown vulnerabilities in Real Estate Management Software 1.0 have unknown impact and attack vectors.[fm-news] 20041001 Newsletter for Thursday, September 30th 2004113041048012721real-estate-management-software(17598)CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive.https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162405http://www.cups.org/str.php?L700RHSA-2005:571FLSA:163274USN-185-1SUSE-SR:2005:018Online-bookmarks before 0.4.6 allows remote attackers to bypass its authentication mechanism via a direct request to (1) config/*, (2) bookmarks.php, (3) footer.php, (4) main.php, (5) tree.php, or (6) functions.php.http://freshmeat.net/projects/onlinebookmarks/?branch_id=34962&release_id=1744011130512728online-bookmarks-resrtictions-bypass(17602)Multiple unknown vulnerabilities in Online Recruitment Agency 1.0 have unknown impact and attack vectors.http://archives.neohapsis.com/archives/apps/freshmeat/2004-09/0030.html1130610479127201011539online-recruitment-agency(17586)Cross-site scripting (XSS) vulnerability in Comment.php in Serendipity 0.7 beta1, and possibly other versions before 0.7-beta3, allows remote attackers to inject arbitrary HTML and PHP code via the (1) email or (2) username field.20040928 Serendipity 0.7-beta1 SQL Injection PoC11269101144812673serendipity-commentphp-xss(17536)SQL injection vulnerability in Serendipity 0.7-beta1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter to (1) exit.php or (2) comment.php.20040928 Serendipity 0.7-beta1 SQL Injection PoC11269101144812673serendipity-sql-injection(17533)1037010371Multiple buffer overflows in XMLStarlet Command Line XML Toolkit 0.9.3 have unknown impact and attack vectors via (1) xml_elem.c and (2) xml_select.c.http://sourceforge.net/project/shownotes.php?release_id=26896211270100741011496xmlstarlet-bo(17580)Format string vulnerability in xml_elem.c for XMLStarlet Command Line XML Toolkit 0.9.3 may allow attackers to cause a denial of service or execute arbitrary code.http://sourceforge.net/project/shownotes.php?release_id=268962http://cvs.sourceforge.net/viewcvs.py/xmlstar/xmlstarlet/src/xml_elem.c?r1=1.17&r2=1.18SQL injection vulnerability in file_overview.php in TUTOS 1.1 allows remote attackers to execute arbitrary SQL commands via the link_id parameter.20040918 Vulnerabilities in TUTOShttp://cvs.sourceforge.net/viewcvs.py/tutos/tutos/php/file/file_overview.php?r1=1.11.2.1&r2=1.11.2.21122112606tutos-sql-injection(17444)DSA-98018954101641011363Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the search field of the Address Module or (2) the t parameter to app_new.php.20040918 Vulnerabilities in TUTOShttp://cvs.sourceforge.net/viewcvs.py/tutos/tutos/php/app_new.php?r1=1.58&r2=1.591122112606tutos-xss(17445)DSA-98018954login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not verify the shared secret in a response packet from a RADIUS server, which allows remote attackers to bypass authentication by spoofing server replies.20040921 OpenBSD radius authentication vulnerabilityhttp://www.reseau.nl/advisories/0400-openbsd-radius.txthttp://www.openbsd.org/errata35.html#radius1122712617openbsd-radius-auth-bypass(17456)10203shoprestoreorder.asp in VP-ASP 5.0 does not close the database connection when a user restores a previous order, which allows remote attackers to cause a denial of service (connection consumption).http://www.vpasp.com/virtprog/info/faq_securityfixes.htm112281011359vpasp-shoprestoreopenasp-dos(17436)1007112611Lords of the Realm III 1.01 and earlier, when in the lobby stage, allows remote attackers to cause a denial of service (crash from unallocated memory write) via a long user nickname.20040914 Crash in Lords of the Realm III 1.011122312589lordsoftherealm-username-dos(17438)100781011361The print-from-email feature in the Canon ImageRUNNER (iR) 5000i and C3200 digital printer, when not using IP address range filtering, allows remote attackers to print arbitrary text without authentication via a text/plain email to TCP port 25.20040923 Promiscuous email printing in Canon imageRunner1124712659canon-imagerunner-dos(17512)Multiple buffer overflows in LaTeX2rtf 1.9.15, and possibly other versions, allow remote attackers to execute arbitrary code via (1) the expandmacro function, and possibly (2) Environments and (3) TranslateCommand.http://cvs.sourceforge.net/viewcvs.py/latex2rtf/latex2rtf/definitions.c?rev=1.22&view=log11233102161011367latex2rtf-expandmacro-bo(17460)latex2rtf-multiple-bo(17487)BaSoMail 1.24 allows remote attackers to cause a denial of service (CPU consumption) via multiple connections to TCP port (1) 25 (SMTP) or (2) 110 (POP3).http://members.lycos.co.uk/r34ct/main/Baso_mail/Baso_1.24.txt10761basomail-multiple-connection-dos(15002)37891008912Application Access Server (A-A-S) 1.0.37 and earlier allows remote authenticated users to cause a denial of service (application crash) via a long file request.http://members.lycos.co.uk/r34ct/main/A-A-S/AAS1_0_3.TXT10762aas-longhttp-request-dos(15003)Directory traversal vulnerability in sample_showcode.html in Caravan 2.00/03d and earlier allows remote attackers to read arbitrary files via the fname parameter.http://members.lycos.co.uk/r34ct/main/Caravan/Caravan.txt955510763caravan-dotdot-directory-traveral(15004)37871008913Cross-site scripting (XSS) vulnerability in Cherokee before 0.4.8 allows remote attackers to inject arbitrary web script or HTML via the URL, which is not properly quoted in the resulting error page.9496370710701cherokee-error-xss(14936)EarlyImpact ProductCart uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via a chosen plaintext attack.20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities20040218 Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040216.txt 9669productcart-keystream-obtain-information(15231)3979100908510898SQL injection vulnerability in advSearch_h.asp in EarlyImpact ProductCart allows remote attackers to execute arbitrary SQL commands via the priceUntil parameter.20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilities20040218 Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040216.txt 9669productcart-advsearchhasp-sql-injection(15233)3981100908510898Cross-site scripting (XSS) vulnerability in Custva.asp in EarlyImpact ProductCart allows remote attackers to inject arbitrary Javascript via the redirectUrl parameter.20040218 Re: EarlyImpact ProductCart shopping cart software multiple security vulnerabilities20040216 EarlyImpact ProductCart shopping cart software multiple security vulnerabilitieshttp://www.s-quadra.com/advisories/Adv-20040216.txt9669productcart-custva-xss(15234)3980100908510898Multiple SQL injection vulnerabilities in ReviewPost PHP Pro allow remote attackers to execute arbitrary SQL commands via the (1) product parameter to showproduct.php or (2) cat parameter to showcat.php.20040204 ZH2004-04SA (security advisory): Multiple Sql Injection Vulnerabilities in ReviewPost PHP Prohttp://www.zone-h.org/en/advisories/read/id=3864/957410786reviewpostpro-showproduct-sql-injection(15035)The Internet Connection Firewall (ICF) in Microsoft Windows XP SP2 is configured by default to trust sessmgr.exe, which allows local users to use sessmgr.exe to create a local listening port that bypasses the ICF access controls.20041012 Writing Trojans that bypass Windows XP Service Pack 2 Firewall11410Cross-site scripting (XSS) vulnerability in DevoyBB Web Forum 1.0.0 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://www.maxpatrol.com/advdetails.asp?id=11http://sourceforge.net/project/shownotes.php?release_id=27310411428SQL injection vulnerability in DevoyBB Web Forum 1.0.0 allows remote attackers to execute arbitrary SQL commands via unknown vectors.http://www.maxpatrol.com/advdetails.asp?id=11http://sourceforge.net/project/shownotes.php?release_id=27310411428asycpict.dll, as used in Microsoft products such as Front Page 97 and 98, allows remote attackers to cause a denial of service (hang) via a JPEG image with maximum height and width values.20041014 New Remote Microsoft JPEG DoS Vulnerability + Other Potential Security Vulnerabilitys in asycpict.dll 1.0 Advisory20041015 Re: New Remote Microsoft JPEG DoS Vulnerability + Other Potential Security Vulnerabilitys in asycpict.dll 1.0 Advisory11412Multiple cross-site scripting (XSS) vulnerabilities in WowBB Forum 1.61 allow remote attackers to inject arbitrary web script or HTML via the (1) country parameter to view_user.php, (2) show parameter to view_forum.php, (3) letter parameter to view_user.php, (4) highlight parameter to view_topic.php, (5) show parameter to index.php, (6) q parameter to search.php, (7) Referer header to admin.php, or the (8) user_email parameter to login.php.http://www.maxpatrol.com/advdetails.asp?id=711429