Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges.oval:org.mitre.oval:def:868Updated kernel packages available for Red Hat Enterprise Linux 3 Update 1bid 9429Linux kernel ptrace allows elevated privilegesRed Hat Enterprise Linux kernel-2.4.21 does not perform adequate checking of eflags when in 32-bit ptrace emulation modeGLSA-200402-06The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function.cvs commit: src/sys/netinet ip_icmp.c tcp.h tcp_input.c tcp_subr.c tcp_usrreq.c tcp_var.hbid 9572Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking."Updated Fedora Core 1 testing kernelUpdated kernel packages resolve minor security vulnerabilitiesSUSE Security Announcement: Linux Kernel (SuSE-SA:2004:005)DSA-479DSA-480DSA-481DSA-482DSA-489DSA-491DSA-495RHSA-2004:065SuSE-SA:2004:005OVAL1017OVAL834MDKSA-2004:029RHSA-2004:106RHSA-2004:166TLSA-2004-14O-082O-121O-126O-127O-1459570107821091110912112021136111362113691137011376114641189112075linux-r128-gain-priviliges(15029)oval:org.mitre.oval:def:1017oval:org.mitre.oval:def:834The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users.OpenCA Security Advisorybid 943520040116 [OpenCA Advisory] Vulnerability in signature verificationVU#336446openca-improper-signature-verification(14847)3615Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte.Advisory 01/2004: 12 x Gaim remote overflows12 x Gaim remote overflowsDSA-434-1 gaim -- several vulnerabilitiesVU#190366VU#226974VU#404470VU#65597420040126 Advisory 01/2004: 12 x Gaim remote overflowsGLSA-200401-04SuSE-SA:2004:004gaim-mime-decoder-bo(14942)gaim-mime-decoder-oob(14944)gaim-yahoodecode-offbyone-bo(14935)gaim-sscanf-oob(14938)CLA-2004:813SSA:2004-02637361008850Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect.Gentoo Linux Security Advisory12 x Gaim remote overflowsUltramagnetic Advisory #001: Multiple Vulnerabilities in Gaim CodeUpdated Gaim packages fix various vulnerabiliiesAdvisory 01/2004: 12 x Gaim remote overflowsRHSA-2004:033RHSA-2004:045MDKSA-2004:006SuSE-SA:2004:004DSA-43420040201-01-UOVAL818VU#297198VU#371382VU#444158VU#503030VU#527142VU#87183820040126 Advisory 01/2004: 12 x Gaim remote overflows9489gaim-http-proxy-bo(14947)gaim-login-name-bo(14940)gaim-login-value-bo(14941)gaim-urlparser-bo(14945)gaim-yahoopacketread-keyname-bo(14943)gaim-yahoowebpending-cookie-bo(14939)20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim codeCLA-2004:813SSA:2004-026oval:org.mitre.oval:def:818MDKSA-2004:00620040202-01-U373137321008850Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code.DSA-434-1 gaim -- several vulnerabilities12 x Gaim remote overflowsUltramagnetic Advisory #001: Multiple Vulnerabilities in Gaim CodeUpdated Gaim packages fix various vulnerabiliiesUltramagnetic Advisory #001: Multiple vulnerabilities in Gaim codeRHSA-2004:032MDKSA-2004:006GLSA-200401-04VU#197142OVAL81920040126 Advisory 01/2004: 12 x Gaim remote overflowsSuSE-SA:2004:0049489gaim-extractinfo-bo(14946)VU#19714220040126 Advisory 01/2004: 12 x Gaim remote overflowsCLA-2004:813SSA:2004-026oval:org.mitre.oval:def:819MDKSA-2004:00637331008850Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow.GLSA-200401-04OVAL82020040126 Advisory 01/2004: 12 x Gaim remote overflowsgaim-directim-bo(14937)20040126 Advisory 01/2004: 12 x Gaim remote overflowsCLA-2004:81320040127 [slackware-security] GAIM security update (SSA:2004-026-01)oval:org.mitre.oval:def:820MDKSA-2004:00620040202-01-U37341008850Gaim contains an integer overflow vulnerability when parsing DirectIM packets12 x Gaim remote overflowsUltramagnetic Advisory #001: Multiple Vulnerabilities in Gaim CodeUpdated Gaim packages fix various vulnerabiliiesUltramagnetic Advisory #001: Multiple vulnerabilities in Gaim codeRHSA-2004:033MDKSA-2004:006DSA-434RHSA-2004:04520040201-01-UApache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user.http://www.apache-ssl.org/advisory-20040206.txtApache-SSL security advisory - apache_1.3.28+ssl_1.52 and priorbid 9590Apache-SSL has a default password20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior3877Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges.Updated kernel packages fix security vulnerabilitybid 9691Linux Kernel ncp_lookup allows elevated privilegesDSA-479-1 linux-kernel-2.4.18-alpha+i386+powerpc -- several vulnerabilitiesDSA-480DSA-481DSA-482DSA-489DSA-491DSA-495RHSA-2004:065RHSA-2004:188SuSE-SA:2004:005OVAL1035OVAL835FEDORA-2004-079MDKSA-2004:015TLSA-2004-05O-082CLA-2004:820oval:org.mitre.oval:def:1035oval:org.mitre.oval:def:835Buffer overflow in fsp before 2.81.b18 allows remote users to execute arbitrary code.fsp -- buffer overflow, directory traversalDebian FSP VulnerabilitiesFSP boundary error buffer overflowO-048jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly handle SSL connections, which allows remote attackers to cause a denial of service (crash).jabber -- denial of servicebid 9376Updated jabber packages fix DoS vulnerabilityJabber SSL connections denial of service334510559Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier allows remote web servers to execute arbitrary code via certain long strings.New nd packages fix buffer overflowsbid 9365nd -- buffer overflowsnd long string buffer overflow10086161054910550vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges.vbox3 -- privilege leakbid 9381vbox3-gain-privileges(14170)The calendar module for phpgroupware 0.9.14 does not enforce the "save extension" feature for holiday files, which allows remote attackers to create and execute PHP files.phpgroupware -- missing filename sanitising, SQL injectionbid 9387phpgroupware-calendar-file-include(13489)6860Multiple SQL injection vulnerabilities in the (1) calendar and (2) infolog modules for phpgroupware 0.9.14 allow remote attackers to perform unauthorized database operations.phpgroupware -- missing filename sanitising, SQL injectionbid 9386100866210591jitterbug 1.6.2 does not properly sanitize inputs, which allows remote authenticated users to execute arbitrary commands.jitterbug -- improperly sanitised inputbid 9397jitterbug-execute-code(14207)Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges.bid 9366Lotus Notes and Domino notes.ini file has insecure permissions20040106 Lotus Notes Domino 6.0.2 (linux) faulty default permissions3424100862310566PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code.PhpGedView $PGV_BASE_DIRECTORY PHP file include936833431056520040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem1008632PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to editconfig.php.Vuln in PHPGEDVIEW 2.61 Multi-ProblemPhpGedView allows administrative password modification105653403Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2.61 allows remote attackers to inject arbitrary HTML and web script via the firstname parameter.Vuln in PHPGEDVIEW 2.61 Multi-ProblemPhpGedView search.php cross-site scripting9369340210565admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensitive information via an action parameter with a phpinfo command.Vuln in PHPGEDVIEW 2.61 Multi-ProblemPhpGedView admin.php information disclosure9371340410565Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the phorum_check_xss function in common.php, (2) the EditError variable in profile.php, and (3) the Error variable in login.php.Multiple Vulnerabilities in Phorum 3.4.5bid 9361Phorum common.php, profile.php, and login.php script cross-site scripting105673434350635101008633SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter.Multiple Vulnerabilities in Phorum 3.4.5bid 9363Phorum register.php script SQL injection350810567SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter.http://www.vbulletin.com/forum/showthread.php?postid=588825vBulletin Forum 2.3.xx calendar.php SQL InjectionvBulletin Forum 2.3.xx calendar.php script SQL Injection93603344FirstClass Desktop Client 7.1 allows remote attackers to execute arbitrary commands via hyperlinks in FirstClass RTF messages.FirstClass Client 7.1: Command Execution via Email Web LinkOpen Text Corporation FirstClass Local File Reference Command Execution VulnerabilityFirstClass Client executes code without displaying a warning dialog3442105561008609McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81.20040510 McAfee ePolicy Orchestrator Remote Compromise Vulnerabilityepolicy-execute-commands(14166)bugtraq id 10200Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI.HTTP Parsing Vulnerabilities in Check Point Firewall-1Check Point FireWall-1 format stringbid 9581Two checkpoint fw-1/vpn-1 vulns20040204 Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities20040205 Two checkpoint fw-1/vpn-1 vulnshttp://www.checkpoint.com/techsupport/alerts/security_server.htmlhttp://www.us-cert.gov/cas/techalerts/TA04-036A.htmlO-072Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet.Check Point ISAKMP vulnerable to buffer overflow via Certificate RequestCheck Point VPN-1 IKE buffer overflowbid 9582 Two checkpoint fw-1/vpn-1 vulnshttp://www.us-cert.gov/cas/techalerts/TA04-036A.html20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer OverflowO-07338214432The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions.mod-auth-shadow -- password expirationbid 94043454100867510612vsftpd 1.1.3 generates different error messages depending on whether or not a valid username exists, which allows remote attackers to identify valid usernames.vsftpd Discloses Whether Usernames are Valid or Not1008628Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature.20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow938320040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow3437100865110573yahoo-messenger-filename-bo(14171)Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username.Cisco Personal Assistant User Password Bypass Vulnerability9384ciscopersonalassistant-config-file-access(14172)3430Buffer overflow in the ARTpost function in art.c in the control message handling code for INN 2.4.0 may allow remote attackers to execute arbitrary code.Buffer overflow in control message handlingOpenPKG Security Advisory (inn)bid 9382SSA:2004-014-02VU#75902010578inn-artpost-control-message-bo(14190)Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows remote attackers to inject arbitrary web script or HTML via a GET request containing a terminating '"' (double quote) character.SnapStream PVS LITE Cross Site Scripting Vulnerabillitybid 93753440100864610575snapstream-quotation-xss(14164)Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges.trr19 -- missing privilege releasebid 9520trr19-gain-privileges(14975)107443747100887510745Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attackers to cause a denial of service via certain HTTP POST messages to the Administration System port.Potential Server/Proxy Denial-of-Service Vulnerabilitybid 9421http://service.real.com/help/faq/security/security022604.html20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer OverflowVerity Ultraseek before 5.2.2 allows remote attackers to obtain the full pathname of the document root via an MS-DOS device name in the web search option, such as (1) NUL, (2) CON, (3) AUX, (4) COM1, (5) COM2, and others.20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issueultraseek-error-path-disclosure(16066)20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issueMultiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard but frequently supported Content-Transfer-Encoding values such as (1) uuencode, (2) mac-binhex40, and (3) yenc, which may be interpreted differently by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME Content-Transfer-Encoding mechanism issuemime-contenttransfer-filter-bypass(17337)Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard separator characters, or use standard separators incorrectly, within MIME headers, fields, parameters, or values, which may be interpreted differently by mail clients.Multiple vendor MIME separator issueNISCC Vulnerability Advisory 380375/MIMEbid 11157mime-separator-filtering-bypass(17334)Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use fields that use RFC2047 encoding, which may be interpreted differently by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issuemime-rfc2047-filtering-bypass(17331)Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Vulnerabilities in H.323 Message ProcessingCERT Advisory CA-2004-01 Multiple H.323 Message VulnerabilitiesMultiple vulnerabilities in H.323 implementationshttp://www.uniras.gov.uk/vuls/2004/006489/h323.htm94061008685The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value.bid 7090tcpdump contains vulnerability in RADIUS decoding function print_attr_string() in print-radius.cUpdated tcpdump packages fix various vulnerabilitiesDSA-425MDKSA-2004:00820040103-01-Uhttp://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00046.htmlOVAL850OVAL853APPLE-SA-2004-02-23[tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.120040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths)oval:org.mitre.oval:def:850oval:org.mitre.oval:def:853CLSA-2003:832FLSA:1222MDKSA-2004:00820040202-01-U1008735Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.CERT Advisory CA-2004-01 Multiple H.323 Message VulnerabilitiesMultiple vulnerabilities in H.323 implementationshttp://www.uniras.gov.uk/vuls/2004/006489/h323.htm94061008687The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989.multiple vulnerabilities in tcpdump 3.8.1Updated tcpdump packages fix various vulnerabilitiesbid 9423DSA-425-1 tcpdump -- multiple vulnerabilitiesRHSA-2004:008MDKSA-2004:00820040103-01-Uhttp://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00046.htmlOVAL851OVAL854APPLE-SA-2004-02-23VU#17408610636tcpdump-rawprint-isakmp-dos(14837)20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths)oval:org.mitre.oval:def:851oval:org.mitre.oval:def:854FLSA:1222MDKSA-2004:00820040202-01-U1008716Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file.20040113 symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower)3496100870210620antivir-tmpfile-insecure(14214)Directory traversal vulnerability in upload capability of WWW File Share Pro 2.42 and earlier allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in the filename parameter of a Content-Disposition: header.20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.421008779WWW File Share Pro 2.42 and earlier allows remote attackers to cause a denial of service (crash) via a large POST request.20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.421008779WWW File Share Pro 2.42 and earlier allows remote attackers to bypass directory access restrictions via (1) a URL with a trailing . (dot), or (2) a URI with a leading slash or backslash character.20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.421008779Integer overflow in the rnd arithmetic rounding function for various versions of FishCart before 3.1 allows remote attackers to "cause negative totals" via an order with a large quantity.FishCart Integer Overflow / Rounding Errorbid 94261008731The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number.payShield library may verify bad requests20040114 nCipher Advisory #8: payShield library may verify bad requests9422payshield-incorrect-request-verification(14832)3537The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory.bid 941134601062320040113 SuSE linux 9.0 YaST config Skribt [exploit]1008703Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php.More phpGedView Vulnerabilities1191011925phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php.More phpGedView Vulnerabilities3464phpgedview-path-disclosure(14215)Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1.More phpGedView Vulnerabilities20070827 PhpGedView login page multiple XSS118681188011882118881189011891118941190311904119051190611907ADV-2007-2995347334743475347634773478101861326628phpgedview-login-xss(36285)phpgedview-multiple-xss(14212)PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 and earlier allows remote attackers to execute arbitrary PHP code by modifying the $relative_script_path parameter to reference a URL on a remote web server that contains the code.PhpDig 1.6.x: remote command executionbid 9424phpdig-config-file-include(14826)Format string vulnerability in HD Soft Windows FTP Server 1.6 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username, which is processed by the wscanf function.Windows FTP Server Format String Vulnerabilityexploit for HD Soft Windows FTP Server 1.6bid 93851008658PHP remote file inclusion vulnerability in module.php for ezContents allows remote attackers to execute arbitrary PHP code by modifying the link parameter to reference a URL on a remote web server that contains the code.Remote Code Execution in ezContentsbid 9396http://www.ezcontents.org/forum/viewtopic.php?t=361ezcontents-php-file-include(14199)6878Directory traversal vulnerability in buildManPage in class.manpagelookup.php for PHP Man Page Lookup 1.2.0 allows remote attackers to read arbitrary files via the command parameter ($cmd variable) to index.php.PHP Manpage lookup directory transversal / file disclosing9395manpagelookup-directory-traversal(14203)1008689Directory traversal vulnerability in Accipiter Direct Server 6.0 allows remote attackers to read arbitrary files via encoded \.. (backslash .., "%5c%2e%2e") sequences in an HTTP request.Directory Traversal in Accipiter Direct Server 6.0Accipiter Direct Server dot dot directory traversalbid 938920040109 Directory Traversal in Accipiter Direct Server 6.0343310600PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server that contains a malicious serverdata.php script.bid 93383318100858410535easydynamicpages-php-file-include(14136)340820040102 include() vuln in EasyDynamicPages v.2.0Multiple buffer overflows in xsok 1.02 allows local users to gain privileges via (1) a long LANG environment variable, or (2) a long -xsokdir command line argument, a different vulnerability than CVE-2003-0949.bid 9352bid 9341xsok long -xsokdir buffer overflowxsok-lang-bo(14910)20040102 xsok local games exploit20040103 xsok local games exploit (2)The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service.Updated kernel packages resolve security vulnerabilitiesLinux kernel Vicam USB driver denial of servicebid 9690CLA-2004:846MDKSA-2004:015RHSA-2005:293SuSE-SA:2004:005O-082oval:org.mitre.oval:def:836** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was removed from consideration by its Candidate Numbering Authority. Notes: none.The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985.http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txtSecond critical mremap() bug found in all Linux, kernel,slinux-kernel-2.4.16-arm -- several vulnerabilitiesLinux kernel do_mremap allows elevated privilegesbid 9686Linux kernel do_mremap local privilege escalation vulnerability20040218 Second critical mremap() bug found in all Linux kernelsCLA-2004:820DSA-438DSA-440DSA-441DSA-442DSA-444DSA-450DSA-453DSA-454DSA-456DSA-466DSA-470DSA-514DSA-475FEDORA-2004-079MDKSA-2004:015RHSA-2004:065RHSA-2004:066RHSA-2004:069RHSA-2004:106SSA:2004-049SuSE-SA:2004:0052004-00072004-0008VU#981222O-0823986oval:org.mitre.oval:def:825oval:org.mitre.oval:def:837Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages.http://bugs.debian.org/126336Updated mutt packages fix remotely-triggerable crashmuttUpdated mutt packages fix remotely-triggerable crashbid 9641Mutt index menu buffer overflow20040211 Mutt-1.4.2 fixes buffer overflow.CSSA-2004-013.0MDKSA-2004:010SSA:2004-04320040215 LNSA-#2004-0001: mutt remote crash20040309 [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt)3918oval:org.mitre.oval:def:811oval:org.mitre.oval:def:838The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference.Multiple Vulnerabilities in OpenSSLOpenSSL do_change_cipher_spec function denial of serviceOpenSSL Denial of Service Vulnerabilities20040317 New OpenSSL releases fix denial of service attacks [17 March 2004]http://www.openssl.org/news/secadv_20040317.txthttp://www.uniras.gov.uk/vuls/2004/224012/index.htmCLA-2004:834DSA-465ESA-20040317-003FreeBSD-SA-04:05MDKSA-2004:023NetBSD-SA2004-005RHSA-2004:121SCOSA-2004.10SuSE-SA:2004:00757524http://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00045.htmlVU#288574OVAL2621OVAL870OVAL97520040317 Cisco OpenSSL Implementation VulnerabilityFEDORA-2004-095GLSA-200403-03RHSA-2004:120RHSA-2004:1392004-0012O-101APPLE-SA-2005-08-15APPLE-SA-2005-08-17RHSA-2005:8301113917401FEDORA-2005-1042RHSA-2005:8291738117398SSRT4717SSA:2004-07718247oval:org.mitre.oval:def:2621oval:org.mitre.oval:def:870oval:org.mitre.oval:def:975MDKSA-2004:023The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data.Updated util-linux packages fix information leakbid 9558GLSA-200404-0620040201-01-U20040406-01-U20040331 OpenLinux: util-linux could leak sensitive data20040408 LNSA-#2004-0010: login may leak sensitive dataVU#801526379610773utillinux-information-leak(15016)OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool.OpenSSL does not properly handle unknown message typesOpenSSL unknown TLS message types denial of serviceOpenSSL Denial of Service Vulnerabilities20040317 Re: New OpenSSL releases fix denial of service attacks [17 March 2004]http://www.uniras.gov.uk/vuls/2004/224012/index.htmCLA-2004:834ESA-20040317-003DSA-465RHSA-2004:119RHSA-2004:121SCOSA-2004.1020040304-01-U5752420040508 [FLSA-2004:1395] Updated OpenSSL resolves security vulnerabilityTA04-078AOVAL871OVAL90220040317 Cisco OpenSSL Implementation VulnerabilityFEDORA-2004-095GLSA-200403-03RHSA-2004:120RHSA-2004:1392004-001211139oval:org.mitre.oval:def:871oval:org.mitre.oval:def:902The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password.http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txthttp://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.htmlUpdated samba packages fix security vulnerabilitybid 9637Samba mksmbpasswd.sh could allow an attacker to gain access to user's accountO-0783919oval:org.mitre.oval:def:827Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106.Recent Changes to XFree86bid 9636XFree86FontInformationFileBufferOverflowXFree86 font.alias file buffer overflowXFree86 Font Information File Buffer Overflowhttp://www.idefense.com/application/poi/display?id=72DSA-443RHSA-2004:059RHSA-2004:060RHSA-2004:061SuSE-SA:2004:006MDKSA-2004:012OVAL806OVAL830VU#82000620040211 XFree86 vulnerability exploitCLA-2004:821FLSA:2314SSA:2004-04357768oval:org.mitre.oval:def:806oval:org.mitre.oval:def:830MDKSA-2004:012Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106.Updated XFree86 packages fix privilege escalation vulnerabilityUpdated XFree86 packages fix privilege escalation vulnerabilitybid 9652XFree86 CopyISOLatin1Lowered buffer overflowhttp://www.idefense.com/application/poi/display?id=73CLA-2004:821DSA-443FLSA:2314RHSA-2004:059SSA:2004-043SuSE-SA:2004:006MDKSA-2004:012OVAL807OVAL831VU#66750220040212 iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File Buffer Overflow II57768oval:org.mitre.oval:def:807oval:org.mitre.oval:def:831MDKSA-2004:012Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086.Apple Security UpdatesMac OS X mail undisclosed security issuebid 9504http://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-26APPLE-SA-2004-01-26Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085.Apple Security Updateshttp://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-269504APPLE-SA-2004-01-26The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088.Apple Security Updateshttp://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-269504macosx-configd-file-manipulation(14997)APPLE-SA-2004-01-266819The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087.Apple Security Updateshttp://lists.apple.com/mhonarc/security-announce/msg00045.htmlAPPLE-SA-2004-01-269504APPLE-SA-2004-01-266820Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable.Apple Security Updatesbid 9509A012704-1APPLE-SA-2004-01-26VU#9023746821macosx-trublue-environmentvariable-bo(14968)Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 through 10.3.2 does not "shutdown properly," which has unknown impact and attack vectors.APPLE-SA-2004-01-26ESB-2004.0072950410723** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions of vBulletin allows remote attackers to inject arbitrary HTML or web script via the reg_site (or possibly regsite) parameter. NOTE: the vendor has disputed this issue, saying "There is no hidden field called 'reg_site', nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft."vBulletin Security VulnerabilityvBulletin Security Vulnerability RE: vBulletin Security Vulnerability: Re: vBulletin Security Vulnerabilityhttp://securitytracker.com/alerts/2004/Jan/1008780.html1008780Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact.Apple Security UpdatesAPPLE-SA-2004-01-269504APPLE-SA-2004-01-26XFree86 4.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an out-of-bounds array index when using the GLX extension and Direct Rendering Infrastructure (DRI).xfree86 -- several vulnerabilitiesbid 9701XFree86 GLX array index denial of serviceCLSA-2004:824RHSA-2004:15220040406-01-UInteger signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI).xfree86 -- several vulnerabilitiesXFree86 GLX integer signedness denial of serviceCLSA-2004:824RHSA-2004:15220040406-01-U9701McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow.http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zipbid 9476epolicy-contentlength-post-dos(14989)3744Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973.Mod_python 2.7.10GLSA-200401-03RHSA-2004:058RHSA-2004:063Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol.Updated PWLib packages fix protocol security issuesCERT Advisory CA-2004-01 Multiple H.323 Message VulnerabilitiesMultiple vulnerabilities in H.323 implementationsPWLib message denial of serviceDSA-448-1 pwlib -- several vulnerabilitiesOVAL803OVAL826oval:org.mitre.oval:def:803oval:org.mitre.oval:def:8269406mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions.mksnap_ffs clears file system optionsbid 9533freebsd-mksnapffs-bypass-security(15005)3790crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow.crawl -- buffer overflow956610788crawl-long-environment-bo(15032)Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.Updated metamail packages fix vulnerabilitiesbid 9692Metamail header format string attack20040218 metamail format string bugs and buffer overflowsDSA-449MDKSA-2004:014metamail-contenttype-format-string(15245)VU#51851810908O-08320040218 metamail format string bugs and buffer overflowsSSA:2004-049MDKSA-2004:014Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.Updated metamail packages fix vulnerabilitiesMetamail splitmail file Subject header buffer overflow20040218 metamail format string bugs and buffer overflowsDSA-449MDKSA-2004:014metamail-printheader-nonascii-bo(15247)VU#51306210908O-083969220040218 metamail format string bugs and buffer overflowsSSA:2004-049MDKSA-2004:014Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084.Updated XFree86 packages fix privilege escalation vulnerabilityUpdated XFree86 packages fix privilege escalation vulnerabilityXFree86 security updatebid 9655XFree86 improper handling of multiple font filesDSA-443RHSA-2004:059SuSE-SA:2004:006MDKSA-2004:012OVAL809OVAL832CLA-2004:821FLSA:2314oval:org.mitre.oval:def:809oval:org.mitre.oval:def:832MDKSA-2004:012The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108.Updated sysstat packages fix security vulnerabilitiesSGI Advanced Linux Environment security update #14bid 9838RHSA-2004:093O-0976884OVAL849OVAL862sysstat-post-trigger-symlink(15428)oval:org.mitre.oval:def:849oval:org.mitre.oval:def:862The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107.Updated sysstat packages fix security vulnerabilitiesSGI Advanced Linux Environment security update #14bid 9844DSA-460sysstat-isag-symlink(15437)Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.2004-0020ESA-20040428-00420040405-01-URHSA-2004:166DSA-479DSA-480DSA-481DSA-482DSA-489DSA-491DSA-495GLSA-200407-02MDKSA-2004:02920040504-01-UOVAL940RHSA-2004:105RHSA-2004:106RHSA-2004:183SuSE-SA:2004:009TLSA-2004-14O-121O-127101411136111362113731146411469114701148611494115181162611861118911198612003linux-iso9660-bo(15866)CLA-2004:846oval:org.mitre.oval:def:940MDKSA-2004:029Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL.Updated libxml2 packages fix security vulnerabilitybid 9718Libxml2 nanohttp buffer overflow[OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml)DSA-455GLSA-200403-01RHSA-2004:091libxml2-nanoftp-bo(15302)10958OVAL833OVAL875VU#493966O-086http://www.xmlsoft.org/news.html20040306 TSLSA-2004-0010 - libxml2RHSA-2004:650oval:org.mitre.oval:def:833oval:org.mitre.oval:def:875 SUSE-SR:2005:001gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file.Updated gdk-pixbuf packages fix crashbid 9842DSA-464FLSA:2005MDKSA-2004:020RHSA-2004:102gdk-pixbuf-bitmap-dos(15426)oval:org.mitre.oval:def:845oval:org.mitre.oval:def:846The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read.OpenSSL Denial of Service VulnerabilitiesMultiple Vulnerabilities in OpenSSLOpenSSL on a server configured with Kerberos ciphersuites denial of service20040317 New OpenSSL releases fix denial of service attacks [17 March 2004]http://www.openssl.org/news/secadv_20040317.txthttp://www.uniras.gov.uk/vuls/2004/224012/index.htmCLA-2004:834MDKSA-2004:023NetBSD-SA2004-005RHSA-2004:121SCOSA-2004.10SuSE-SA:2004:00757524SSRT4717http://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00045.htmlVU#484726OVAL1049OVAL92820040317 Cisco OpenSSL Implementation VulnerabilityGLSA-200403-03RHSA-2004:1202004-0012O-101APPLE-SA-2005-08-15APPLE-SA-2005-08-1711139SSA:2004-077oval:org.mitre.oval:def:1049oval:org.mitre.oval:def:928MDKSA-2004:023Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server.http://nagoya.apache.org/bugzilla/show_bug.cgi?id=27106Apache HTTP Server mod_ssl plain HTTP request denial of servicecvs commit: httpd-2.0/modules/ssl ssl_engine_io.cOverview of security vulnerabilities in Apache httpd 2.0bid 9826APPLE-SA-2004-05-03CLSA-2004:839GLSA-200403-04SSRT4717MDKSA-2004:043RHSA-2004:084RHSA-2004:1822004-001720040325 LNSA-#2004-0006: bug workaround for Apache 2.0.484182oval:org.mitre.oval:def:876The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges.http://www.pine.nl/press/pine-cert-20040201.txtshmat reference counting bugMultiple vendor BSD platforms allows elevated privilegesbid 9586 [PINE-CERT-20040201] reference count overflow in shmat()NetBSD-SA2004-0043836VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file.Vulnerability in Virtual PC for Mac Could Allow Privilege Elevation (835150)bid 9632Virtual PC Services Insecure Temporary File CreationO-076virtual-pc-gain-privileges(15113)3893An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.AD20040413AMS04-012TA04-104AVU#417052MS04-012OVAL955OVAL957OVAL958O-11510127100975811065win-rpcss-rpcmessage-dos(15708)oval:org.mitre.oval:def:955oval:org.mitre.oval:def:957oval:org.mitre.oval:def:958Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.MS04-011TA04-104AVU#353956MS04-011OVAL907OVAL946OVAL964O-114win-h323-bo(15710)oval:org.mitre.oval:def:907oval:org.mitre.oval:def:946oval:org.mitre.oval:def:964The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.20040413 EEYE: Windows VDM TIB Local Privilege EscalationAD20040413EMS04-011TA04-104AVU#78374820040413 EEYE: Windows VDM TIB Local Privilege EscalationOVAL1512OVAL1718O-11410117win-vdm-gain-privileges(15714)oval:org.mitre.oval:def:1512oval:org.mitre.oval:def:1718The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.MS04-011TA04-104AVU#63854820040414 NSFOCUS SA2004-01 : DoS Vulnerability in Microsoft Windows SPNEGO Protocol DecodingMS04-011OVAL1808OVAL1962OVAL1997O-11410113win-spp-bo(15715)oval:org.mitre.oval:def:1808oval:org.mitre.oval:def:1962oval:org.mitre.oval:def:1997The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.MS04-011TA04-104AVU#150236MS04-011OVAL885OVAL886OVAL892O-11410115ssl-message-dos(15712)oval:org.mitre.oval:def:885oval:org.mitre.oval:def:886oval:org.mitre.oval:def:892Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs.Microsoft Outlook "mailto:" Parameter Passing VulnerabilityVulnerability in Microsoft Outlook Could Allow Code Execution (828040)bid 982720040310 Outlook mailto: URL argument injection vulnerabilityTA04-070AVU#305206O-096oval:org.mitre.oval:def:843outlook-mailtourl-execute-code(15414)outlook-ms04009-patch(15429)Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files.Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)bid 9828VU#688094oval:org.mitre.oval:def:844msn-ms04010-patch(15427)msn-request-view-files(15415)Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.MS04-011TA04-104AVU#255924MS04-011OVAL1007OVAL1076OVAL924O-11410118win-asn1-double-free(15713)oval:org.mitre.oval:def:1007oval:org.mitre.oval:def:1076oval:org.mitre.oval:def:924The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."MS04-012TA04-104AVU#212892MS04-012OVAL1041OVAL1062OVAL1066OVAL1072O-1151012111065win-objectidentifier-open-port(15711)oval:org.mitre.oval:def:1041oval:org.mitre.oval:def:1062oval:org.mitre.oval:def:1066oval:org.mitre.oval:def:1072The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verify that an attempt to manipulate routing tables originated from a non-jailed process, which could allow local users to modify the routing table.FreeBSD jail() Process Unauthorized Routing Table Modification VulnerabilityFreeBSD jailed process routing table modificationFreeBSD-SA-04:12The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail.Jailed processes can attach to other jailsbid 9762FreeBSD jail_attach allows elevated privileges4101Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter.PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and priorbid 9529376810753phpgedview-editconfig-directory-traversal(15129)1008892PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script.Code Injection Vulnerabilities in phpGedView 2.65.1 and priorPhpGedView v2.65.2bid 9531376910753phpgedview-gedfilconf-file-include(14987)Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter.http://sourceforge.net/forum/forum.php?forum_id=350228http://www.phpmyadmin.net/home_page/relnotes.php?rel=0Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and priorphpMyAdmin < 2.5.6-rc1: possible attack against export.phpbid 9564380010769phpmyadmin-dotdot-directory-traversal(15021)login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message.PhpGedView Path Disclosure Vulnerability1008844phpgedview-loginphp-path-disclosure(15128)6886The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote atackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference.http://ftp.gnu.org/gnu/radius/radius-1.2.tar.gzGNU Radius Remote Denial of Service VulnerabilityGNU Radius accounting service fails to properly handle exceptional Acct-Status-Type and Acct-Session-Id attributesbid 9578GNU Radius rad_print_request denial of service20040204 GNU Radius Remote Denial of Service Vulnerability382410799Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php.PHP Code Injection Vulnerabilities in ezContents 2.0.2 and priorbid 9638ezContents multiple .php PHP file inclusionThe XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device.MDKSA-2004:02920040405-01-UESA-20040428-0042004-0020GLSA-200407-02MDKSA-2004:0291015111362linux-xfs-info-disclosure(15901)MDKSA-2004:029cpr (libcpr) in SGI IRIX before 6.5.25 allows local users to gain privileges by loading a user provided library while restarting the checkpointed process.IRIX Checkpoint and Restart libcpr Library Loading Privilege Escalation VulnerabilitySGI IRIX cpr allows elevated privileges20040507-01-PThe syssgi SGI_IOPROBE system call in IRIX 6.5.20 through 6.5.24 allows local users to gain privileges by reading and writing to kernel memory.SGI IRIX SGI_IOPROBE allows root privilegesSGI IRIX SYSSGI() System Call Unprivileged User Kernel Memory Access Vulnerability20040601-01-P712211872The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system crash) via a "corrupted binary."SGI IRIX Undisclosed MapElf32Exec Local Denial Of Service VulnerabilitySGI IRIX mapelf32exec denial of serviceUpdated kernel packages fix security vulnerabilities20040601-01-P712311872RHSA-2004:504Unknown vulnerability in init for IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system panic) as a result of "page invalidation issues."SGI IRIX Undisclosed Init Denial Of Service VulnerabilitySGI IRIX page denial of service20040601-01-P712411872The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped.DSA-1070DSA-1067DSA-1069201622016320202DSA-10821817420338RHSA-2004:549RHSA-2004:504linux-kernel-elfloader-dos(43124)Unknown vulnerability in the bsd.a kernel networking for SGI IRIX 6.5.22 through 6.5.25, and possibly earlier versions, in which "t_unbind changes t_bind's behavior," has unknown impact and attack vectors.SGI IRIX T_Bind/T_UnBind Undisclosed VulnerabilitySGI IRIX bsd.a kernel t_bind and t_unbind20040905-01-P12682Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows.ptl-2004-01: Multiple vulnerabilities in Nokia phonesMultiple vulnerabilities in Nokia phonesbid 9603Nokia OBEX denial of service20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phoneswu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead.wu-ftpd -- several vulnerabilitiesUpdated wu-ftpd package fixes security issuesbid 9832SSRT4704ADV-2006-1867oval:org.mitre.oval:def:1147oval:org.mitre.oval:def:1636oval:org.mitre.oval:def:1637oval:org.mitre.oval:def:6481105520168102356wuftpd-restrictedgid-gain-access(15423)Multiple buffer overflows in xboing before 2.4 allow local users to gain privileges.DSA-451-1 xboing -- buffer overflowsxboing Local Buffer Overflow Vulnerabilitiesxboing buffer overflowBuffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS.python2.2 -- buffer overflowpythonbid 9836GLSA-200409-03MDKSA-2004:0194172python-getaddrinfo-bo(15409)Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands.xitalk -- missing privilege releasebid 9851xitalk allows attacker to gain elevated privilegeshttp://shellcode.org/Advisories/XITALK.txt11114Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames.emil email multiple buffer overflowsNew emil packages fix multiple vulnerabilitiesemil -- several vulnerabilitiesMultiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages.New emil packages fix multiple vulnerabilitiesemil -- several vulnerabilitiesemil format string attackrpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name.RHSA-2004:0722004-0009nfs-utils-dns-dos(15418)bugtraq id 9813OVAL861oval:org.mitre.oval:def:861The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.20040407 CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connectionsMDKSA-2004:027APPLE-SA-2004-05-03RHSA-2004:165GLSA-200406-17MDKSA-2004:027MDKSA-2004:069SCOSA-2005.10OVAL945VU#55239811328oval:org.mitre.oval:def:945MDKSA-2004:027Format string vulnerabilities in the (1) die or (2) log_event functions for ssmtp before 2.50.6 allow remote mail relays to cause a denial of service and possibly execute arbitrary code.DSA-48520040426 [ GLSA 200404-18 ] Multiple Vulnerabilities in ssmtpGLSA-200404-181015053605361100978811378113841148511571ssmtp-die-logevent-format-string(15872)20040507 [OpenPKG-SA-2004.020] OpenPKG Security Advisory (ssmtp)x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program.DSA-484101495358100978911382xonix-privilege-dropping(15873)Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c.lbreakout2 < 2.4beta-2 local exploit lbreakout2 -- buffer overflowbid 9712LBreakout2 HOME environment variable buffer overflowhttp://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gzFormat string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command.New hsftp packages fix format string vulnerabilityNew hsftp packages fix format string vulnerabilitybid 9715hsftp format string attack20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability4029Synaesthesia 2.2 and earlier allows local users to execute arbitrary code via a symlink attack on the configuration file.synaesthesia -- insecure file creationSynaesthesia configuration file symlink attackbid 9713Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use RFC2231 encoding, which may be interpreted differently by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME RFC2231 encoding issuemime-tools-parameter-encoding(9274)Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients.NISCC Vulnerability Advisory 380375/MIMEbid 1115720040914 Corsaire Security Advisory - Multiple vendor MIME RFC822 comment issuemime-rfc822-filtering-bypass(17332)Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session.Sygate Secure Enterprise replay issueSygate Secure Enterprise replay denial of service20040810 Corsaire Security Advisory - Sygate Secure Enterprise replay issueKAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c.Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoonOpenBSD ISAKMP daemon Invalid SPI could allow an attacker to delete IPsec SAsNetBSD-SA2004-001http://docs.info.apple.com/article.html?artnum=61798http://lists.apple.com/mhonarc/security-announce/msg00046.htmlopenbsd-isakmp-initialcontact-delete-sa(14118)9417OVAL947APPLE-SA-2004-02-2320040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon9416oval:org.mitre.oval:def:947Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges.http://lists.apple.com/mhonarc/security-announce/msg00046.htmlMac OS X pppd Format String VulnerabilityApple Security UpdatesMac OS X ppp daemon format string attackbid 9730Apple Mac OS X Point-to-Point Protocol daemon (pppd) contains format string vulnerabilityAPPLE-SA-2004-02-236822Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar."Apple Security UpdatesMac OS X Safari Web browser undisclosed security issueApple Mac OS X Safari fails to properly display URLs in the status barhttp://lists.apple.com/mhonarc/security-announce/msg00046.htmlmacosx-safari-unknown(14993)APPLE-SA-2004-02-2310959DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media.http://lists.apple.com/mhonarc/security-announce/msg00046.htmlApple Security UpdatesMac OS X unknown issue in DiskArbitration implementationAPPLE-SA-2004-02-23VU#5788869731682410959macos-diskarbitration-unknown(15300)Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging."Apple Security UpdatesMac OS X unknown issue in CoreFoundation notification logginghttp://lists.apple.com/mhonarc/security-announce/msg00046.htmlmacos-corefoundation-unknown(15299)APPLE-SA-2004-02-2310959QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function.http://lists.apple.com/mhonarc/security-announce/msg00046.htmlApple Security UpdatesDarwin Streaming Server DESCRIBE request denial of serviceDarwin Streaming Server Remote Denial of Service Vulnerabilitybid 9735Apple Quicktime/Darwin Streaming Server fails to properly parse DESCRIBE requestsAPPLE-SA-2004-02-2320040223 Darwin Streaming Server Remote Denial of Service Vulnerability68266837FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections.FreeBSD memory buffers (mbufs) denial of serviceFreeBSD Memory Buffer Exhaustion Denial of Service Vulnerabilitybid 9792APPLE-SA-2004-05-28FreeBSD-SA-04:04VU#3956704124Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed.ltrace bugltrace Heap Overflow May Let Local Users Execute Arbitrary Code With Root Privilegesltrace search_for_command buffer overflowbid 879020031008 ltrace bug20031008 ltrace bug1007896Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences.http://www.apacheweek.com/issues/04-03-12http://nagoya.apache.org/bugzilla/show_bug.cgi?id=26152Apache for cygwin directory traversal vulnerabilitybid 9733Apache for Cygwin dot dot directory traversal20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory traversal vulnerability10962Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket."[ANNOUNCE] Apache HTTP Server 2.0.49 ReleasedTSLSA-2004-0017 - apacheApache HTTP Server socket starvation denial of serviceStronghold 4: New release fixes Apache, mod_ssl, and PHP issues2004-0027GLSA-200405-22MDKSA-2004:046OVAL1982VU#132110111705762899211009495OVAL100110APPLE-SA-2004-05-0320040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache)SSA:2004-133SSRT4717101555oval:org.mitre.oval:def:100110oval:org.mitre.oval:def:1982MDKSA-2004:046Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.OpenSSH SCP Client File Corruption Vulnerability[suse-security-announce] SUSE Security Announcement: Linux Kernel (SuSE-SA:2004:009)Vulnerabilidade no comando scphttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147http://www.juniper.net/support/security/alerts/adv59739.txtCLSA-2004:831SuSE-SA:2004:009RHSA-2005:106O-212openssh-scp-file-overwrite(16323)RHSA-2005:074RHSA-2005:165RHSA-2005:481RHSA-2005:495RHSA-2005:562RHSA-2005:567SCOSA-2006.111924317135 9550Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors.Advisory 03/2004: Multiple (13) Ethereal remote overflowsLNSA-#2004-0007: Multiple security problems in EtherealEthereal multiple dissectors buffer overflowsDSA-511-1 ethereal -- buffer overflowshttp://security.e-matters.de/advisories/032004.htmlhttp://www.ethereal.com/appnotes/enpa-sa-00013.htmlGLSA-200403-07RHSA-2004:136RHSA-2004:137MDKSA-2004:024OVAL878OVAL887VU#119876VU#125156VU#433596VU#591820VU#644886VU#659140VU#740188VU#864884VU#93158811185CLA-2004:83520040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal)oval:org.mitre.oval:def:878oval:org.mitre.oval:def:887MDKSA-2004:0246893The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device.2004-0020RHSA-2004:166MDKSA-2004:029ESA-20040428-004DSA-495DSA-479DSA-480DSA-481DSA-482DSA-489DSA-491FLSA:2336GLSA-200407-02MDKSA-2004:029http://linux.bkbits.net:8080/linux-2.4/cset@4056b368s6vpJbGWxDD_LhQNYQrdzQO-121O-126O-12710152linux-ext3-info-disclosure(15867)RHSA-2005:293CLA-2004:846RHSA-2004:504RHSA-2004:505MDKSA-2004:029The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes.MDKSA-2004:029DSA-495DSA-491DSA-489DSA-482DSA-479DSA-480DSA-481GLSA-200407-02MDKSA-2004:029RHSA-2004:413RHSA-2004:43720040804-01-Uhttp://linux.bkbits.net:8080/linux-2.4/cset@404ce5967rY2Ryu6Z_uNbYh643wuFAO-121O-127O-1939985linux-sound-blaster-dos(15868)CLA-2004:846MDKSA-2004:029Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.DSA-487RHSA-2004:15720040404-01-UFEDORA-2004-1552RHSA-2004:158RHSA-2004:159RHSA-2004:160GLSA-200405-01GLSA-200405-04OVAL1065SuSE-SA:2004:008SuSE-SA:2004:009MDKSA-2004:0321013653651136320040416 void.at - neon format string bugs20040416 [OpenPKG-SA-2004.016] OpenPKG Security Advisory (neon)oval:org.mitre.oval:def:1065The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.DSA-486FreeBSD-SA-04:07MDKSA-2004:028RHSA-2004:153RHSA-2004:154MDKSA-2004:02820040404-01-Uftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patchOVAL1042GLSA-200404-1311368113711137411375113771138011391114001140511548cvs-rcs-create-files(15864)FEDORA-2004-1620SSA:2004-108-02oval:org.mitre.oval:def:1042MDKSA-2004:028The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device.MDKSA-2004:029ESA-20040428-0042004-0020GLSA-200407-02MDKSA-2004:029TLSA-2004-1410143linux-jfs-info-disclosure(15902)RHSA-2005:66317002RHSA-2004:504ADV-2005-1878MDKSA-2004:029Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field.RHSA-2004:15620040404-01-UTCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.DSA-478-1 tcpdump -- denial of servicehttp://www.rapid7.com/advisories/R7-0017.htmlhttp://www.tcpdump.org/tcpdump-changes.txtFEDORA-2004-1468RHSA-2004:219tcpdump-isakmp-delete-bo(15680)10003OVAL972VU#240790100959311258113202004-001520040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilitiesoval:org.mitre.oval:def:972Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite.DSA-478-1 tcpdump -- denial of serviceRapid7 Advisory R7-0017emil format string attack20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilitieshttp://www.tcpdump.org/tcpdump-changes.txtFEDORA-2004-1468RHSA-2004:219VU#49255810004OVAL976tcpdump-isakmp-integer-underflow(15679)1009593112582004-0015oval:org.mitre.oval:def:976Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name.http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txtWu-FTPd SKEY Stack Overflow VulnerabilityWU-FTPD SKEY authentication buffer overflowDSA-457-1 wu-ftpd -- several vulnerabilitiesUpdated wu-ftpd package fixes security issues8893smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted.Samba 3.x + kernel 2.6.x local root vulnerabilitySamba smbmnt allows elevated privilegesbid 9619DSA-463-1 samba -- privilege escalation20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability3916** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0185. Reason: This candidate is a reservation duplicate of CVE-2004-0185. Notes: All CVE users should reference CVE-2004-0185 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local users to execute arbitrary code via a long password.Calife heap corrupt / potential local root exploitbid 9756Calife long password buffer overflowDSA-461-1 calife -- buffer overflow9776The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. Squid Proxy Cache Security Update Advisory SQUID-2004:1bid 9778Squid url_regex ACL bypassCLA-2004:838DSA-474GLSA-200403-11MDKSA-2004:025RHSA-2004:133RHSA-2004:134SCOSA-2005.1620040404-01-U20040401 [OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid)5916oval:org.mitre.oval:def:877oval:org.mitre.oval:def:941Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges.Symantec, Firewall/VPN Appliance, model 200 leak of securitybid 9784Symantec Firewall/VPN caches administrative password in plain text Symantec FireWall/VPN Appliance model 200 leak of security20040216 Symantec FireWall/VPN Appliance model 200 leak of security4117Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events.Sandblad #13: Cross-domain exploit on zombie document with eventCross-domain exploit on zombie document with event handlersbid 9747Mozilla event handler cross-site scriptingRHSA-2004:110RHSA-2004:112SSRT47224062oval:org.mitre.oval:def:874oval:org.mitre.oval:def:937Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page.Symantec Gateway Security Management Service Cross Site Scriptingbid 9755Symantec Gateway Security error page cross-site scriptingHeap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username.Vulnerability in SMB Parsing in ISS ProductsInternet Security Systems' BlackICE and RealSecure contain a heap overflow in the processing of SMB packets20040227 EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing OverflowAD200402269752407210988pam-smb-protocol-bo(15207)Stack-based buffer overflow in the OutputDebugString function for Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary code via a PDF document with XML Forms Data Format (XFDF) data.Adobe Acrobat Reader XFDF buffer overflowAdobe Acrobat Reader XML Forms Data Format Buffer Overflowbid 980220040303 Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability20040303 Adobe Acrobat Reader XML Forms Data Format Buffer Overflow4135Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query.MS04-014MS04-014OVAL968VU#74071610112msjet-query-execute-code(15703)TA04-104Aoval:org.mitre.oval:def:968Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm).bugtraq id 10321win-hcp-code-execution(16095)VU#484814MS04-01520040512 MS04-015 - Windows Help Center - Dvdupgradehttp://www.exploitlabs.com/files/advisories/EXPL-A-2004-001-helpctr.txtOVAL1008OVAL103220040512 MS04-015 - Windows Help Center - Dvdupgradeoval:org.mitre.oval:def:1008oval:org.mitre.oval:def:1032Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation.Microsoft Security Bulletin MS04-028Microsoft Windows JPEG buffer overflowTA04-260AVU#297462OVAL1105OVAL1721OVAL2706OVAL3038OVAL3082OVAL3320OVAL3810OVAL3881OVAL4003OVAL4216OVAL430720040914 Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflowoval:org.mitre.oval:def:1105oval:org.mitre.oval:def:1721oval:org.mitre.oval:def:2706oval:org.mitre.oval:def:3038oval:org.mitre.oval:def:3082oval:org.mitre.oval:def:3320oval:org.mitre.oval:def:3810oval:org.mitre.oval:def:3881oval:org.mitre.oval:def:4003oval:org.mitre.oval:def:4216oval:org.mitre.oval:def:4307Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041.Microsoft Windows HTML Help could allow execution of codeMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Windows HTML Help component fails to properly validate input dataVulnerability in HTML Help Could Allow Code Execution (840315)Microsoft Windows HTML Help Heap Overflow Vulnerability20040714 HtmlHelp - .CHM File Heap OverflowOVAL1503OVAL1530OVAL2155OVAL3179oval:org.mitre.oval:def:1503oval:org.mitre.oval:def:1530oval:org.mitre.oval:def:2155oval:org.mitre.oval:def:3179IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet.Microsoft Security Bulletin MS04-016Microsoft DirectX DirectPlay Remote Malformed Packet Denial Of Service VulnerabilityMS04-016OVAL1027OVAL2190OVAL2413OVAL2516OVAL2705674211802ms-directx-directplay-dos(16306)oval:org.mitre.oval:def:1027oval:org.mitre.oval:def:2190oval:org.mitre.oval:def:2413oval:org.mitre.oval:def:2516oval:org.mitre.oval:def:2705Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query.Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow Cross-Site Scripting and Spoofing Attacks (842436)VU#948750OVAL2016exchange-owa-execute-code(16583)oval:org.mitre.oval:def:2016Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx.Business Objects Crystal Reports Web Form Viewer Directory Traversal VulnerabilityCrystal Reports file deletionhttp://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.aspMS04-017OVAL115767481180020040502 Crystal Reports Vulnerabilities20040608 Vulnerability: Arbitrary File Access & DoS in Crystal Reportsoval:org.mitre.oval:def:1157Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function.Microsoft IIS 4 Redirect Remote Buffer Overflow VulnerabilityMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Internet Information Server (IIS) 4.0 contains a buffer overflow in the redirect functionMicrosoft Internet Information Server (IIS) redirect buffer overflowMS04-021O-179OVAL220410706779912061oval:org.mitre.oval:def:2204Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow.Vulnerability in NetDDE Could Allow Remote Code Execution (841533Microsoft Windows contains an unchecked buffer in the NetDDE servicesMicrosoft Windows NetDDE buffer overflowMicrosoft Internet Information Server MS04-031 patch is not installedOVAL1852OVAL2394OVAL3120OVAL3242OVAL4592OVAL5074OVAL67881280320041013 Microsoft Windows NetDDE Service Buffer Overflowoval:org.mitre.oval:def:1852oval:org.mitre.oval:def:2394oval:org.mitre.oval:def:3120oval:org.mitre.oval:def:3242oval:org.mitre.oval:def:4592oval:org.mitre.oval:def:5074oval:org.mitre.oval:def:678811372"Shatter" style vulnerability in the Window Management application programming interface (API) for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to gain privileges by using certain API functions to change properties of privileged programs using the SetWindowLong and SetWIndowLongPtr API functions.Security Update for Microsoft Windows (840987)Microsoft Windows Window Management API allows elevated privilegesMicrosoft Windows MS04-032 patch is not installedMicrosoft Windows contains vulnerability in Window Management API20041013 SetWindowLong Shatter AttacksThe Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions.Security Update for Microsoft Windows (840987)Microsoft Windows MS04-032 patch is not installedMicrosoft Windows Virtual DOS Machine (VDM) allows elevated privilegesMicrosoft Windows kernel fails to properly handle invalid opcodes used in DOS emulationOVAL1751OVAL3161OVAL3953OVAL4316OVAL476220041013 EEYE: Windows VDM #UD Local Privilege Escalationoval:org.mitre.oval:def:1751oval:org.mitre.oval:def:3161oval:org.mitre.oval:def:3953oval:org.mitre.oval:def:4316oval:org.mitre.oval:def:4762Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer."Security Update for Microsoft Windows (840987)[EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) HeapMicrosoft Windows Enhanced Metafile (EMF) buffer overflowOVAL1872OVAL2114OVAL2428VU#80627811375win-ms04032-patch(17658)oval:org.mitre.oval:def:1872oval:org.mitre.oval:def:2114oval:org.mitre.oval:def:2428The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow.Microsoft Windows POSIX Subsystem Buffer Overflow Local Privilege Escalation VulnerabilityMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Windows contains a buffer overflow in the POSIX subsystemMicrosoft Windows POSIX buffer overflow allows local attacker to gain privilegesVulnerability in POSIX Could Allow Code Execution (841872)MS04-020OVAL2166OVAL2847oval:org.mitre.oval:def:2166oval:org.mitre.oval:def:2847The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program.Security Update for Microsoft Windows (840987)Microsoft Windows Server 2003 kernel CPU denial of serviceMicrosoft Windows MS04-032 patch is not installedMicrosoft Windows kernel fails to reset values in CPU data structuresOVAL4893oval:org.mitre.oval:def:4893Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share.Microsoft Windows Task Scheduler Remote Buffer Overflow VulnerabilityMicrosoft Windows Task Scheduler buffer overflowVulnerability in Task Scheduler Could Allow Code Execution (841873)Multiple Vulnerabilities in Microsoft Windows Components and Outlook Expresshttp://www.ngssoftware.com/advisories/mstaskjob.txt20040714 Unchecked buffer in mstask.dllMS04-022VU#228028OVAL1344OVAL1781OVAL1964OVAL34281206020040714 Microsoft Windows Task Scheduler '.job' Stack Overflowoval:org.mitre.oval:def:1344oval:org.mitre.oval:def:1781oval:org.mitre.oval:def:1964oval:org.mitre.oval:def:3428Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908.Microsoft Windows Utility Manager gain privilegesMultiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Window Utility Manager Local Elevation of PrivilegesVulnerability in Utility Manager Could Allow Code Execution (842526)Microsoft Windows Utility Manager Local Privilege Escalation Variant VulnerabilityVU#868580OVAL2495oval:org.mitre.oval:def:2495Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba.Bugtraq: Microsoft's Explorer and Internet Explorer long share name buffer overflow.FullDisclosure: Microsoft's Explorer and Internet Explorer long share name buffer overflow.Microsoft Windows long file share name buffer overflowMicrosoft Windows MS04-037 patch is not installed32285710213OVAL1601OVAL1749OVAL2638OVAL4345OVAL530711482MS04-037VU#6162001011647http://www.securiteam.com/windowsntfocus/5JP0M1PCKI.html5687oval:org.mitre.oval:def:1601oval:org.mitre.oval:def:1749oval:org.mitre.oval:def:2638oval:org.mitre.oval:def:4345oval:org.mitre.oval:def:5307Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header.Microsoft Outlook Express Malformed Email Header Denial Of Service VulnerabilityMicrosoft Outlook Express malformed email header denial of serviceCumulative Security Update for Outlook Express (823353)Multiple Vulnerabilities in Microsoft Windows Components and Outlook ExpressMicrosoft Outlook Express fails to properly validate malformed e-mail headersMS04-018OVAL1950OVAL2137OVAL2657OVAL3376oval:org.mitre.oval:def:1950oval:org.mitre.oval:def:2137oval:org.mitre.oval:def:2657oval:org.mitre.oval:def:3376Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow.Microsoft Internet Explorer Install Engine Control Buffer OverflowCumulative Security Update for Internet Explorer (834707)Multiple Vulnerabilities in Microsoft Internet Explorerwww.kb.cert.orgMicrosoft Internet Explorer InstallEngineCtl SetCifFile buffer overflowhttp://www.ngssoftware.com/advisories/msinsengfull.txtOVAL5316OVAL5329OVAL6100OVAL6600OVAL7717OVAL7865ie-ms04038-patch(17651)20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a)20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a)oval:org.mitre.oval:def:5316oval:org.mitre.oval:def:5329oval:org.mitre.oval:def:6100oval:org.mitre.oval:def:6600oval:org.mitre.oval:def:7717oval:org.mitre.oval:def:7865The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log.Possible race condition in Symantec AntiVirus Scan Engine for RedSymantec Antivirus Scan Engine race conditionbid 9662isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP zero-length payload denial of servicehttp://www.rapid7.com/advisories/R7-0018.htmlVU#34911311156100281009468isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite.OpenBSD ISAKMP zero-length payload denial of serviceOpenBSD ISAKMP IPSEC SA payload denial of serviceR7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitieshttp://www.rapid7.com/advisories/R7-0018.html20040317 015: RELIABILITY FIX: March 17, 2004VU#78594599071009468isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via a an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP Cert Request payload integer underflowhttp://www.rapid7.com/advisories/R7-0018.htmlVU#22327399071009468isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP delete payload denial of servicehttp://www.rapid7.com/advisories/R7-0018.htmlVU#52449799071009468Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via certain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol Test Suite.R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilitiesOpenBSD 3.5 release errataOpenBSD ISAKMP memory leakhttp://www.rapid7.com/advisories/R7-0018.htmlVU#996177100281009468Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range."Courier Mail Serverbid 9845Courier Japanese Codeset Conversion Buffer Overflow Vulnerabilitiescourier-codeset-converter-bo(15434)Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code.Updated mc packages resolve several vulnerabilitiesMidnight Commander allows local elevation of privilegesMidnight Commander Multiple Unspecified VulnerabilitiesDSA-497MDKSA-2004:039SuSE-SA:2004:012GLSA-200405-21MDKSA-2004:039Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allow a remote attacker to execute arbitrary code via a long query string.zoneminder-zms-bo(16136)bugtraq 10340Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges.Linux Kernel: Multiple vulnerabilities[SECURITY] Updated kernel packages fix security issues.MDKSA-2004:050SuSE-SA:2004:0101142911464114861149111683linux-cpufreq-info-disclosure(15951)CLA-2004:852FEDORA-2004-111MDKSA-2004:050The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact.Linux kernel Framebuffer Code Unspecified VulnerabilityLinux kernel framebuffer undisclosed issueLinux Kernel: Multiple vulnerabilitiesMDKSA-2004:037SuSE-SA:2004:010CLA-2004:852MDKSA-2004:037TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.Multiple Vendor TCP Sequence Number Approximation VulnerabilityTCP spoofed reset denial of serviceVulnerabilities in TCP20040403-01-A20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Productshttp://www.juniper.net/support/alert.htmlNetBSD-SA2004-006MS05-019SCOSA-2005.3SCOSA-2005.9SCOSA-2005.14VU#415294http://www.uniras.gov.uk/vuls/2004/236929/index.htm20040425 Perl code exploting TCP not checking RST ACK.40301144011458OVAL4791OVAL2689OVAL3508SSRT4696MS06-064ADV-2006-398322341HPSBST02161oval:org.mitre.oval:def:4791oval:org.mitre.oval:def:2689oval:org.mitre.oval:def:3508oval:org.mitre.oval:def:270Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, with unknown impact, related to "Insecure temporary file and directory creations." Gentoo Linux Security AdvisoryMidnight Commander creates insecure filesDSA-497-1 mc -- several vulnerabilitiesMidnight Commander Multiple Unspecified VulnerabilitiesMDKSA-2004:039SuSE-SA:2004:012RHSA-2004:172MDKSA-2004:039Multiple format string vulnerabilities in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code.Midnight Commander Multiple Unspecified VulnerabilitiesMidnight Commander format stringUpdated mc packages fix vulnerabilitiesDSA-497SuSE-SA:2004:012RHSA-2004:172GLSA-200405-21MDKSA-2004:039Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files.UTempter Multiple Local VulnerabilitiesUtempter symlink attackUpdated utempter package fixes vulnerabilityMDKSA-2004:031RHSA-2004:175GLSA-200405-05OVAL979SSA:2004-110oval:org.mitre.oval:def:979MDKSA-2004:031Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive.Multiple LHA Buffer Overflow/Directory Traversal VulnerabilitiesLHA multiple buffer overflows[Ulf Harnhammar]: LHA Advisory + Patch20040501 LHa buffer overflows and directory traversal problems20040502 Lha local stack overflow Proof Of Concept CodeDSA-515FLSA:1833RHSA-2004:178RHSA-2004:179GLSA-200405-02FEDORA-2004-119OVAL977CLA-2004:84020060403 Barracuda LHA archiver security bug leads to remote compromiseADV-2006-122057535754101586619514oval:org.mitre.oval:def:977Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path").Multiple LHA Buffer Overflow/Directory Traversal VulnerabilitiesLHA directory traversal[Ulf Harnhammar]: LHA Advisory + Patch20040501 LHa buffer overflows and directory traversal problemsDSA-515FLSA:1833RHSA-2004:178RHSA-2004:179GLSA-200405-02FEDORA-2004-119OVAL978CLA-2004:840oval:org.mitre.oval:def:978SQL injection vulnerability in login.asp in thePHOTOtool allows remote attackers to gain unauthorized access via the password field.SteelID thePhotoTool Login.ASP SQL Injection VulnerabilitythePHOTOtool login.asp script SQL injectionthePHOTOtool SQL Injection VulnerabilityDirectory traversal vulnerability in index.php in Aprox PHP Portal allows remote attackers to read arbitrary files via a full pathname in the show parameter.Aprox Portal File Disclosure VulnerabilityAprox Portal File Disclosure Vulnerability Directory Traversal in Aprox PHP Portal.108591008915Multiple buffer overflows in Overkill (0verkill) 0.15pre3 might allow local users to execute arbitrary code in the client via a long HOME environment variable in the (1) load_cfg and (2) save_cfg functions; possibly allow remote attackers to execute arbitrary code via long strings to (3) the send_message function; and, in the server, via (4) the parse_command_line function.0verkill Game Client Multiple Local Buffer Overflow VulnerabilitiesOverkill client has multiple buffer overflows0verkill - little simple vulnerability.20040202 0verkill - little simple vulnerability.http://www.securiteam.com/securitynews/5AP010KC0C.htmloverkill-server-parsecommandline-bo(15000)SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable.All Enthusiast Photopost PHP Pro SQL Injection VulnerabilityPhotoPost PHP Pro SQL injectionhttp://www.securiteam.com/securitynews/5KP010UC0W.html20040202 ZH2004-03SA (security advisory): Photopost PHP Pro 4.6 SqlDirectory traversal vulnerability in X-Cart 3.4.3 allows remote attackers to view arbitrary files via a .. (dot dot) in the shop_closed_file argument to auth.php.X-Cart "dot dot" directory traversal X-Cart vulnerabilityX-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php.Qualiteam X-Cart Remote Command Execution VulnerabilityX-Cart perl_binary variable command execution X-Cart vulnerabilityX-Cart 3.4.3 allows remote attackers to gain sensitive information via a mode parameter with (1) phpinfo command or (2) perlinfo command.Qualiteam X-Cart Multiple Remote Information Disclosure VulnerabilitiesX-Cart general.php information disclosureX-Cart vulnerabilityAIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. Re: sqwebmail web login20040206 AIX password enumeration possibleaix-password-enumeration(15172)Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet.Cisco IOS MSFC2 Malformed Layer 2 Frame Denial Of Service VulnerabilityCisco 6000, 6500, and 7600 series systems frame containing a packet denial of serviceCisco Security Advisory: Cisco 6000/6500/7600 Crafted Layer 2 Frame VulnerabilityVU#81006210780Web Crossing 4.x and 5.x allows remote attackers to cause a denial of service (crash) by sending a HTTP POST request with a large or negative Content-Length, which causes an integer divide-by-zero.Web Crossing Web Server Component Remote Denial Of Service VulnerabilityWeb Crossing 4.x/5.x Denial of Service Vulnerability9576webcrossing-contentlength-post-dos(15022)Multiple PHP remote file inclusion vulnerabilities in (1) fonctions.lib.php, (2) derniers_commentaires.php, and (3) admin.php in Les Commentaires 2.0 allow remote attackers to execute arbitrary PHP code via the rep parameter.Laurent Adda Les Commentaires PHP Script Multiple Module File Include VulnerabilityLes Commentaires multiple PHP file include Les Commentaires (PHP) Include file10768The client and server of Chaser 1.50 and earlier allow remote attackers to cause a denial of service (crash via exception) via a UDP packet with a length field that is greater than the actual data length, which causes Chaser to read unexpected memory.Cauldron Chaser Remote Denial Of Service VulnerabilityChaser memory denial of serviceRemote crash of Chaser game <= 1.50Cross-site scripting vulnerability (XSS) in PHPX 3.2.3 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into (1) keywords argument of main.inc.php, (2) body argument of help.inc.php, or (3) the subject field in Personal Messages and Forum.This vulnerability is addressed in the following product release: PHPX, PHPX, 3.2.4PHPX Multiple VulnerabilitiesPHPX subject HTML injectionPHPX main.inc.php and help.inc.php cross-site scriptingMultiple Vulnerabilities in PHPX10797PHPX 2.0 through 3.2.4 allows remote attackers to gain access to other accounts by modifying the cookie's PXL variable to reference another userID.PHPX Multiple VulnerabilitiesPHPX could allow an attacker to modify cookie to hijack another user's account Multiple Vulnerabilities in PHPX20040316 PHPX 2.x - 3.2.410797phpx-session-hijack(15512)SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php.All Enthusiast Photopost PHP Pro SQL Injection VulnerabilityPhotoPost PHP Pro SQL injectionZH2004-04SA (security advisory): Multiple Sql Injectionhttp://www.zone-h.org/en/advisories/read/id=3864/Cross-site scripting (XSS) vulnerability in rxgoogle.cgi allows remote attackers to execute arbitrary script as other users via the query parameter.RXGoogle.CGI Cross Site Scripting VulnerabilityRxGoogle query cross-site scripting rxgoogle.cgi XSS Vulnerability.TYPSoft FTP Server 1.10 allows remote attackers to cause a denial of service (CPU consumption) via an empty USER name.TYPSoft FTP Server Remote Denial Of Service VulnerabilityTYPSoft FTP Server empty username denial of service TYPSoft FTP Server 1.10 may be crashed1008943IBM Cloudscape 5.1 running jdk 1.4.2_03 allows remote attackers to execute arbitrary programs or cause a denial of service via certain SQL code, possibly due to a SQL injection vulnerability.IBM Cloudscape Database Remote Command Execution VulnerabilityIBM Cloudscape SQL injectionIBM cloudscape SQL Database (DB2J) vulnerable to remote commandCross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x allows remote attackers to execute arbitrary script as other users via an img tag.Crossday Discuz! Cross Site Scripting VulnerabilityDiscuz! Board image tag cross-site scriptingPossible Cross Site Scripting in Discuz! BoardXlight 1.52, with log to screen enabled, allows remote attackers to cause a denial of service by requesting a long directory consisting of . (dot) and / (slash) characters, which causes the server to crash when the administrator views the log file, possibly triggering a buffer overflow.XLight FTP Server Long Directory Request Remote Denial Of Service VulnerabilityXlight ftp server long string denial of serviceRemote crash Xlight ftp server 1.52GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp.GNU LibTool Local Insecure Temporary Directory Creation VulnerabilityGNU Libtool creates insecure temporary directory20040130 Symlink Vulnerability in GNU libtool <1.5.2CLA-2004:811379510777OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a denial of service (crash) by sending an IPv6 packet with a small MTU to a listening port and then issuing a TCP connect to that port.http://www.guninski.com/obsdmtu.htmlhttp://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.cBSD ICMPV6 Handling Routines Remote Denial Of Service VulnerabilityOpenBSD IPv6 packet denial of serviceOpenBSD IPv6 remote kernel crash20040204 Remote openbsd crash with ip6, yet still openbsd much better than windowsNetBSD-SA2004-0023825Multiple buffer overflows in RealOne Player, RealOne Player 2.0, RealOne Enterprise Desktop, and RealPlayer Enterprise allow remote attackers to execute arbitrary code via malformed (1) .RP, (2) .RT, (3) .RAM, (4) .RPM or (5) .SMIL files.Multiple RealPlayer/RealOne Player Supported File Type Buffer Overrun VulnerabilitiesRealOne Player multiple file buffer overflows Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayerMultiple Real media players vulnerable to buffer overflow when parsing crafted media files20040204 [VulnWatch] Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer20040204 Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayerhttp://www.nextgenss.com/advisories/realone.txthttp://www.service.real.com/help/faq/security/040123_player/EN/O-075The check_referer() function in Formmail.php 5.0 and earlier allows remote attackers to bypass access restrictions via an empty or spoofed HTTP Referer, as demonstrated using an application on the same web server that contains a cross-site scripting (XSS) issue.Joe Lumbroso Jack&#39;s Formmail.php Unauthorized Remote File Upload VulnerabilityJack's FormMail.php PHP file uploadformmail (PHP) Upload file using CSSThe AddToMailingList function in CactuSoft CactuShop 5.0 Lite contains a backdoor that allows remote attackers to delete arbitrary files via an email address that starts with |||.Cactusoft CactuShop Lite Remote Arbitrary File Deletion Backdoor VulnerabilityCactuShop Lite contains a backdoor CactuSoft CactuShop 5.0 Lite shopping cart software backdoor20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdooroj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to bypass authentication and access the control panel via a 0 in the uid parameter.http://www.grohol.com/downloads/oj/latest/changelog.txtOpenJournal Authentication Bypassing VulnerabilityOpenJournal uid could allow an attacker administrative accessOpen Journal Blog Authenticaion Bypassing Vulnerability3872Stack-based buffer overflow in The Palace 3.5 and earlier client allows remote attackers to execute arbitrary code via a link to a palace:// url followed by a long server address string.The Palace Graphical Chat Client Remote Buffer Overflow VulnerabilityPalace long server address buffer overflowThe Palace 3.x (Client) Stack Overflow Vulnerabilityhttp://www.elitehaven.net/thepalace.txt20040207 The Palace 3.x (Client) Stack Overflow VulnerabilityPHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information.Apache mod_php Global Variables Information Disclosure WeaknessPHP virtual host information disclosurePHP setting leaks from .htaccess files on virtual hostsGLSA-200402-013878palmhttpd for PalmOS allows remote attackers to cause a denial of service (crash) by establishing two simultaneous HTTP connections, which exceeds the PalmOS accept queue.Shaun2k2 Palmhttpd Server Remote Denial of Service Vulnerabilitypalmhttpd accept function buffer overflowPalmOS httpd accept() queue overflow DoS vulnerability.Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules.PHP-Nuke 'News' Module Cross-Site Scripting VulnerabilityPHP-Nuke News and Reviews modules cross-site scripting[waraxe-2004-SA#002] - Cross-Site Scripting (XSS) in Php-Nuke 7.1.0PHP-Nuke 'Reviews' Module Cross-Site Scripting VulnerabilitySQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers obtain the administrator password via the c_mid parameter.PHP-Nuke Public Message SQL Injection Vulnerability