Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion.20050112 Linux kernel i386 SMP page fault handler privilege escalation20050112 Linux kernel i386 SMP page fault handler privilege escalationhttp://isec.pl/vulnerabilities/isec-0022-pagefault.txtCLA-2005:930FLSA:2336MDKSA-2005:022RHSA-2005:043RHSA-2005:0922005-000120050114 [USN-60-0] Linux kernel vulnerabilitieslinux-fault-handler-gain-privileges(18849)101286213822RHSA-2005:016DSA-1070DSA-1067DSA-1069RHSA-2005:017122442016320202DSA-108220338MDKSA-2005:022poppassd_pam 1.0 and earlier, when changing a user password, does not verify that the user entered the old password correctly, which allows remote attackers to change passwords for arbitrary users.GLSA-200501-22Gentoo update for poppassd_pam 101284013865The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file.Updated kernel packages fix security vulnerabilitiesbid 12261http://linux.bkbits.net:8080/linux-2.4/cset@41c36fb6q1Z68WUzKQFjJR-40Ev3twMDKSA-2005:022SUSE-SA:2005:0182005-0001http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmglinux-vma-gain-privileges(18886)1012885DSA-1070DSA-1067DSA-1069RHSA-2005:0172016320202DSA-108220338MDKSA-2005:022The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files.mysql -- insecure temporary filesMySQL mysqlaccess Script Insecure Temporary File Creationbid 12277http://lists.mysql.com/internals/20600http://mysql.osuosl.org/doc/mysql/en/News-4.1.10.htmlCLA-2005:947MDKSA-2005:03620050118 [USN-63-1] MySQL client vulnerabilitymysql-mysqlaccess-symlink(18922)101864MDKSA-2005:036Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and possibly earlier versions allows remote attackers to execute arbitrary code via a .PSD image file with a large number of layers.20050117 Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow VulnerabilityDSA-646GLSA-200501-37RHSA-2005:07120050118 [USN-62-1] imagemagick vulnerability12287RHSA-2005:070The COPS dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (infinite loop).http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-cops-dos(18999)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the DLSw dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash from assertion).http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-dlsw-dos(19000)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the DNP dissector in Ethereal 0.10.5 through 0.10.8 allows remote attackers to cause "memory corruption."http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-dnp-memory-corruption(19001)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the Gnutella dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash).http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-gnutella-dos(19002)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Unknown vulnerability in the MMSE dissector in Ethereal 0.10.4 through 0.10.8 allows remote attackers to cause a denial of service by triggering a free of statically allocated memory.http://www.ethereal.com/appnotes/enpa-sa-00017.htmlGLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-mmse-free-memory(19003)FLSA-2006:152922RHSA-2005:01112326MDKSA-2005:013Multiple vulnerabilities in fliccd, when installed setuid root as part of the kdeedu Kstars support for Instrument Neutral Distributed Interface (INDI) in KDE 3.3 to 3.3.2, allow local users and remote attackers to execute arbitrary code via stack-based buffer overflows.http://www.kde.org/info/security/advisory-20050215-1.txtFEDORA-2005-148GLSA-200502-2314306Format string vulnerability in the a_Interface_msg function in Dillo before 0.8.3-r4 allows remote attackers to execute arbitrary code via format string specifiers in a web page.GLSA-200501-111220313760dillo-capi-format-string(18807)13764nwclient.c in ncpfs before 2.2.6 does not drop root privileges before executing utilities using the NetWare client functions, which allows local users to gain privileges.ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6DSA-665GLSA-200501-44MDKSA-2005:028RHSA-2005:371FLSA:15290412400132971013019MDKSA-2005:028Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote malicious NetWare servers to execute arbitrary code on the NetWare client.ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6GLSA-200501-44MDKSA-2005:028FLSA:15290412400132981013019MDKSA-2005:028diatheke.pl in Sword 1.5.7a allows remote attackers to execute arbitrary commands via shell metacharacters in a URL.DSA-650http://www.securitytracker.com/alerts/2005/Jan/1012955.html13897sword-diatheke-command-execution(18997)10129551232013941Buffer overflow in the exported_display function in xatitv in gatos before 0.0.5 allows local users to execute arbitrary code.gatos -- buffer overflowDebian GATOS xatitv "exported_display()" Buffer OverflowGATOS xatitv buffer overflowThe f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.DSA-661GLSA-200501-43123801013028140411405214067The f2 shell script in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files.DSA-66110130281404114052Unknown vulnerability in hztty 2.0 and earlier allows local users to execute arbitrary commands.hztty -- privilege escalationbid 12518hztty command execution101315414236Buffer overflow in playmidi before 2.4 allows local users to execute arbitrary code.playmidi -- buffer overflowplaymidiPlaymidi buffer overflow12274130491012957138281389013898MDKSA-2005:010Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.20050107 Exim host_aton() Buffer Overflow Vulnerability20050114 Exim dns_buld_reverse() Buffer Overflow Vulnerability[exim] 20050104 2 smallish security issueshttp://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44DSA-635DSA-637GLSA-200501-23RHSA-2005:025VU#132992Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication.20050107 Exim auth_spa_server() Buffer Overflow Vulnerability20050212 exim auth_spa_server() PoC exploit[exim] 20050104 2 smallish security issueshttp://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44GLSA-200501-23RHSA-2005:02512188gnome-pty-helper in GNOME libzvt2 and libvte4 allows local users to spoof the logon hostname via a modified DISPLAY environment variable. NOTE: the severity of this issue has been disputed.15004ADV-2005-193117023libzvt-gnomeptyhelper-spoof(22496)20051007 gnome-pty-helper writes arbitrary utmp recordsBuffer overflow in the code for recursion and glue fetching in BIND 8.4.4 and 8.4.5 allows remote attackers to cause a denial of service (crash) via queries that trigger the overflow in the q_usedns array that tracks nameservers and addresses.http://www.uniras.gov.uk/niscc/docs/al-20050125-00059.htmlhttp://www.isc.org/index.pl?/sw/bind/bind-security.phphttp://www.isc.org/index.pl?/sw/bind/bind8.phpVU#327633bind-qusedns-bo(19063)12364SCOSA-2006.114009182911012996An "incorrect assumption" in the authvalidated validator function in BIND 9.3.0, when DNSSEC is enabled, allows remote attackers to cause a denial of service (named server exit) via crafted DNS packets that cause an internal consistency test (self-check) to fail.http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.htmlVU#938617http://www.isc.org/index.pl?/sw/bind/bind-security.phphttp://www.isc.org/index.pl?/sw/bind/bind9.php2005-0003bind-named-dns-dos(19062)12365101299514008The Acrobat web control in Adobe Acrobat and Acrobat Reader 7.0 and earlier, when used with Internet Explorer, allows remote attackers to determine the existence of arbitrary files via the LoadFile ActiveX method.http://www.adobe.com/support/techdocs/331465.htmlhttp://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdfhttp://www.frsirt.com/english/advisories/2005/0310http://www.hyperdose.com/advisories/H2005-06.txt129891524214813The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.NISCC Vulnerability Advisory 589088Id: 20050524-004331372925291The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.This vulnerability is addressed in the following product release: dnrd, dnrd, 2.10 Id: 20050524-004331372925291The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop.Id: 20050524-004331372925291Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address.http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=enHPSBTU01217VU#30222013562ADV-2005-0507ADV-2005-280610153201793820050509 NISCC Vulnerability Advisory IPSEC - 004033Multiple cross-site scripting (XSS) vulnerabilities in DotNetNuke before 3.0.12 allow remote attackers to inject arbitrary web script or HTML via the (1) register a new user page, (2) User-Agent, or (3) Username, which is not properly quoted before sending to the error log.20050516 DotNetNuke (Multiple XSS)http://www.woany.co.uk/advisories/dotnetnukexss.txt15397136441364613647Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files.20050113 Apple iTunes Playlist Parsing Buffer Overflow VulnerabilityAPPLE-SA-2005-01-11VU#3773681223812833101283913804itunes-m3u-pls-bo(18851)The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability."MS05-012VU#927889OVAL1180OVAL2917OVAL3568OVAL4499win-ole-code-execution(19109)TA05-039Aoval:org.mitre.oval:def:1180oval:org.mitre.oval:def:2917oval:org.mitre.oval:def:3568oval:org.mitre.oval:def:4499The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability20050309 Update: MS05-011 EEYE: Windows SMB Client Transaction Response Handling VulnerabilityMS05-011TA05-039AVU#652537OVAL1606OVAL1847OVAL1889OVAL4043win-smb-code-execution(19089)12484oval:org.mitre.oval:def:1606oval:org.mitre.oval:def:1847oval:org.mitre.oval:def:1889oval:org.mitre.oval:def:4043Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability."MS05-012TA05-039AVU#597889OVAL1159OVAL2351OVAL2892OVAL901win-com-gain-privileges(19105)http://www.argeniss.com/research/SSExploit.c20050530 [Argeniss] MS05-012 Exploitoval:org.mitre.oval:def:1159oval:org.mitre.oval:def:2351oval:org.mitre.oval:def:2892oval:org.mitre.oval:def:901Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability."MS05-01920050412 Windows IP Options Remote CompromiseTA05-102AVU#233754OVAL3824OVAL1744OVAL4549oval:org.mitre.oval:def:3824oval:org.mitre.oval:def:1744oval:org.mitre.oval:def:4549Windows SharePoint Services and SharePoint Team Services for Windows Server 2003 does not properly validate an HTTP redirection query, which allows remote attackers to inject arbitrary HTML and web script via a cross-site scripting (XSS) attack, or to spoof the web cache.MS05-006TA05-039AVU#340409win-sharepoint-services-xss(19091)The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbtirary code, aka the "License Logging Service Vulnerability."MS05-010TA05-039AVU#130433OVAL2568OVAL3582OVAL4786OVAL644win-license-code-execution(19101)oval:org.mitre.oval:def:2568oval:org.mitre.oval:def:3582oval:org.mitre.oval:def:4786oval:org.mitre.oval:def:644The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability."MS05-007TA05-039AVU#939074OVAL2292OVAL3055win-named-pipe-information-disclosure (19093)14189124861013112oval:org.mitre.oval:def:2292oval:org.mitre.oval:def:3055Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability."MS05-014MS05-008TA05-039AVU#698835OVAL1334OVAL2046OVAL2953OVAL3006OVAL4726OVAL4864ie-dragdrop-gain-privileges(19117)11466OVAL1015oval:org.mitre.oval:def:1334oval:org.mitre.oval:def:2046oval:org.mitre.oval:def:2953oval:org.mitre.oval:def:3006oval:org.mitre.oval:def:4726oval:org.mitre.oval:def:4864oval:org.mitre.oval:def:1015Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability."20050209 Internet Explorer zone spoofing with encoded URLsMS05-014TA05-039AVU#580299OVAL1308OVAL1736OVAL3060OVAL3196OVAL3586ie-file-url-encode(19214)oval:org.mitre.oval:def:1308oval:org.mitre.oval:def:1736oval:org.mitre.oval:def:3060oval:org.mitre.oval:def:3196oval:org.mitre.oval:def:3586Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability."MS05-014TA05-039AVU#84377112427OVAL1005OVAL2692OVAL3137OVAL3910OVAL710ie-cdf-execute-code(19137)1013125oval:org.mitre.oval:def:1005oval:org.mitre.oval:def:2692oval:org.mitre.oval:def:3137oval:org.mitre.oval:def:3910oval:org.mitre.oval:def:710Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability."MS05-014TA05-039AVU#823971OVAL2385OVAL2817OVAL3318OVAL4085OVAL4947ie-cdf-execute-code(19137)124271013126oval:org.mitre.oval:def:2385oval:org.mitre.oval:def:2817oval:org.mitre.oval:def:3318oval:org.mitre.oval:def:4085oval:org.mitre.oval:def:4947The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow.MS05-015TA05-039AVU#820427OVAL2570OVAL3203OVAL713win-hyperlink-code-execution(19110)12479101311914195oval:org.mitre.oval:def:2570oval:org.mitre.oval:def:3203oval:org.mitre.oval:def:713Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message.MS05-040TA05-221A16354OVAL100084OVAL100085OVAL100086OVAL100088OVAL1075OVAL1213OVAL1297145181014639oval:org.mitre.oval:def:100084oval:org.mitre.oval:def:100085oval:org.mitre.oval:def:100086oval:org.mitre.oval:def:100088oval:org.mitre.oval:def:1075oval:org.mitre.oval:def:1213oval:org.mitre.oval:def:1297Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message.MS05-01713112OVAL4384OVAL4988oval:org.mitre.oval:def:4384oval:org.mitre.oval:def:4988Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application.MS05-01820050413 Windows kernel overflow fixedhttp://www.ngssoftware.com/advisories/ms-01.txtOVAL2562OVAL2731OVAL3941OVAL4797oval:org.mitre.oval:def:2562oval:org.mitre.oval:def:2731oval:org.mitre.oval:def:3941oval:org.mitre.oval:def:4797The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests.MS05-01813121OVAL1656OVAL1761OVAL3994OVAL4593oval:org.mitre.oval:def:1656oval:org.mitre.oval:def:1761oval:org.mitre.oval:def:3994oval:org.mitre.oval:def:4593The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document.MS05-01620050412 Microsoft MSHTA Script Execution Vulnerabilityhttp://www.securiteam.com/exploits/5YP0T0AFFW.htmlADV-2005-0335OVAL2184OVAL3456OVAL407OVAL4710OVAL573OVAL5871313220050529 Spam exploiting MS05-016oval:org.mitre.oval:def:2184oval:org.mitre.oval:def:3456oval:org.mitre.oval:def:407oval:org.mitre.oval:def:4710oval:org.mitre.oval:def:573oval:org.mitre.oval:def:587Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value.20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflowftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patchCLA-2005:921DSA-645DSA-648FLSA:2352FLSA:2353GLSA-200502-10MDKSA-2005:016MDKSA-2005:017MDKSA-2005:018MDKSA-2005:019MDKSA-2005:020MDKSA-2005:021RHSA-2005:034RHSA-2005:053RHSA-2005:057RHSA-2005:059RHSA-2005:0662005-000320050119 [USN-64-1] xpdf, CUPS vulnerabilitiesSCOSA-2005.4217277RHSA-2005:026MDKSA-2005:016MDKSA-2005:017MDKSA-2005:018MDKSA-2005:019MDKSA-2005:020MDKSA-2005:021The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka "TCP sequence number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities.http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html13124The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local users to overwrite or create arbitrary files via a symlink attack on temporary files.FLSA:2343RHSA-2005:036RHSA-2005:12220050118 [USN-61-1] vim vulnerabilities13841vim-symlink(18870)1012938Synaesthesia 2.1 and earlier, and possibly other versions, when installed setuid root, does not drop privileges before processing configuration and mixer files, which allows local users to read arbitrary files.DSA-68112546101320614300vdr before 1.2.6 does not securely create files, which allows attackers to overwrite arbitrary files.DSA-656GLSA-200501-42vdr-dvdapi-file-overwrite(19066)12356139301399514066zhcon before 0.2 does not drop privileges before reading a user configuration file, which allows local users to read arbitrary files.DSA-655MDKSA-2005:012zhcon-information-disclosure(19045)123431012977139771398213987MDKSA-2005:012Buffer overflow in queue.c in a support script for sympa 3.3.3, when running setuid, allows local users to execute arbitrary code.DSA-67710131631421714224Buffer overflow in pcdsvgaview in xpcd 2.08 allows local users to execute arbitrary code.DSA-6761252310131621424814250prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers.20050129 SquirrelMail Security Advisoryhttp://www.squirrelmail.org/security/issue/2005-01-14APPLE-SA-2005-03-21RHSA-2005:099RHSA-2005:13513962GLSA-200501-39Multiple buffer overflows in the XView library 3.2 may allow local users to execute arbitrary code via setuid applications that use the library.DSA-672xview-xvparseone-bo(19271)The DBI library (libdbi-perl) for Perl allows local users to overwrite arbitrary files via a symlink attack on a temporary PID file.DSA-658GLSA-200501-38RHSA-2005:07220050125 [USN-70-1] Perl DBI module vulnerabilitydbi-library-file-overwrite(19068)MDKSA-2005:0301236010130071401514050 FLSA-2006:178989MDKSA-2005:030The KDE screen saver in KDE before 3.0.5 does not properly check the return value from a certain function call, which allows attackers with physical access to cause a crash and access the desktop session.DSA-660RHSA-2005:009kdebase-screensaver-security-bypass(19084)Buffer overflow in xtrlock 2.0 allows local users to cause a denial of service (application crash) and hijack the desktop session.DSA-649xtrlock-screen-lock-bypass(18991)1231613938The 55_options_traceback.dpatch patch for mailman 2.1.5 in Ubuntu 4.10 displays a different error message depending on whether the e-mail address is subscribed to a private list, which allows remote attackers to determine the list membership for a given e-mail address.20050110 [USN-59-1] mailman vulnerabilitieshttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285839http://qa.debian.org/bts-security.htmlMySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via an HTTP request with invalid headers.MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilitiesbid 1231320050119 MySQL MaxDB Web Agent Multiple Denial of Service VulnerabilitiesThe sapdbwa_GetUserData function in MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via invalid parameters to the WebDAV handler code, which triggers a null dereference that causes the SAP DB Web Agent to crash.MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities20050119 MySQL MaxDB Web Agent Multiple Denial of Service VulnerabilitiesMySQL MaxDB 7.5.00 for Windows, and possibly earlier versions and other platforms, allows remote attackers to cause a denial of service (application crash) via invalid parameters to the (1) DBMCli_String::ReallocString, (2) DBMCli_String::operator, (3) DBMCli_Buffer::ForceResize, (4) DBMCli_Wizard::InstallDatabase, (5) DBMCli_Devspaces::Complete, (6) DBMWeb_TemplateWizard::askForWriteCountStep5, or (7) DBMWeb_DBMWeb::wizardDB functions, which triggers a null dereference.20050314 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilitiesmaxdb-null-pointer-dos(19687)20050314 MySQL MaxDB Web Agent Multiple Denial of Service VulnerabilitiesBuffer overflow in the X11 dissector in Ethereal 0.8.10 through 0.10.8 allows remote attackers to execute arbitrary code via a crafted packet.http://www.ethereal.com/appnotes/enpa-sa-00017.htmlDSA-653GLSA-200501-27MDKSA-2005:013RHSA-2005:037P-10613946ethereal-x11-bo(19004)FLSA-2006:15292212326MDKSA-2005:013Cross-site scripting (XSS) vulnerability in ht://dig (htdig) before 3.1.6-r7 allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message.htdig -- unsanitised inputht://dig Input Validation Hole in 'config' Parameter Permits Cross-Site Scripting Attacksbid 12442GLSA-200502-16MDKSA-2005:063RHSA-2005:0731013078htdig-config-xss(19223)SCOSA-2005.46142551741417415FLSA-2006:15290714276143031479515007RHSA-2005:090MDKSA-2005:063Heap-based buffer overflow in less in Red Hat Enterprise Linux 3 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted file, as demonstrated using the UTF-8 locale.FLSA:2404RHSA-2005:068https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527less-file-bo(19131)The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library.alsa-lib security updatebid 12575The publisher handler for mod_python 2.7.8 and earlier allows remote attackers to obtain access to restricted objects via a crafted URL.CLA-2005:926DSA-689GLSA-200502-14RHSA-2005:100RHSA-2005:1042005-000320050211 [USN-80-1] mod_python vulnerabilityVU#356409125191013156FLSA:152896The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes.20050203 Python Security Advisory PSF-2005-001 - SimpleXMLRPCServer.pyhttp://www.python.org/security/PSF-2005-001/http://python.org/security/PSF-2005-001/patch-2.2.txtDSA-666MDKSA-2005:035RHSA-2005:1082005-0003python-simplexmlrpcserver-bypass(19217)12437101308314128MDKSA-2005:035A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch omits an "access check," which allows local users to cause a denial of service (crash).12599RHSA-2005:092red-hat-regression-dos(20618)Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when using the hugemem kernel, allows local users to read and write to arbitrary kernel memory and gain privileges via certain syscalls.12599RHSA-2005:092red-hat-patch-gain-privileges(20619)Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when running on x86 with the hugemem kernel, allows local users to cause a denial of service (crash).12599RHSA-2005:092red-hat-patch-dos(20620)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.Buffer overflow in the gopherToHTML function in the Gopher reply parser for Squid 2.5.STABLE7 and earlier allows remote malicious Gopher servers to cause a denial of service (crash) via crafted responses.http://www.squid-cache.org/Advisories/SQUID-2005_1.txthttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patchCLA-2005:923DSA-651GLSA-200501-25MDKSA-2005:014RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-000313825FLSA-2006:15280912276MDKSA-2005:014The WCCP message parsing code in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via malformed WCCP messages with source addresses that are spoofed to reference Squid's home router and invalid WCCP_I_SEE_YOU cache numbers.http://www.squid-cache.org/Advisories/SQUID-2005_2.txthttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patchCLA-2005:923DSA-651GLSA-200501-25MDKSA-2005:014RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-000313825128861012882FLSA-2006:15280912275MDKSA-2005:014Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (memory consumption).http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_authCLA-2005:923GLSA-200501-25RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-0003123241012818FLSA-2006:152809The NTLM component in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via a malformed NTLM type 3 message that triggers a NULL dereference.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_authGLSA-200501-25RHSA-2005:060RHSA-2005:061SUSE-SA:2005:0062005-000313789122201012818FLSA-2006:152809Multiple buffer overflows in the SDL port of abuse (abuse-SDL) before 2.00 allow local users to execute arbitrary code via the command line.DSA-69114495The SDL port of abuse (abuse-SDL) before 2.00 does not properly drop privileges before creating certain files, which allows local users to create or overwrite arbitrary files.DSA-6911449514610Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote malicious POP3 servers to execute arbitrary code via crafted packets.DSA-670DSA-671DSA-685MDKSA-2005:038RHSA-2005:110RHSA-2005:112RHSA-2005:13320050207 [USN-76-1] Emacs vulnerabilityxemacs-movemail-format-string(19246)12462 FLSA-2006:152898MDKSA-2005:038Buffer overflow in the socket_getline function in Newspost 2.1.1 and earlier allows remote malicious NNTP servers to execute arbitrary code via a long string without a newline character.20050202 RE: SECURITEY.NNOV.RU NewsPost buffer overflow [EXPLOIT]http://people.freebsd.org/~niels/issues/newspost-20050114.txthttp://www.vuxml.org/freebsd/7f13607b-6948-11d9-8937-00065be4b5b6.htmlGLSA-200502-0514092newspost-socketgetline-bo(19178)12418101305614098Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow.20050124 [USN-69-1] Evolution vulnerabilityCLA-2005:925DSA-673GLSA-200501-35MDKSA-2005:02412354evolution-camellockhelper-bo(19031)RHSA-2005:397RHSA-2005:238USN-69-1101298113830MDKSA-2005:024PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code.20050129 SquirrelMail Security Advisoryhttp://www.squirrelmail.org/security/issue/2005-01-19?PHPSESSID=8af117822fb1ca3aa966a64248b5d223APPLE-SA-2005-03-21RHSA-2005:099RHSA-2005:13513962GLSA-200501-39squirrelmail-frame-file-include(19037)Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables.20050129 SquirrelMail Security Advisoryhttp://www.squirrelmail.org/security/issue/2005-01-20APPLE-SA-2005-03-21DSA-662RHSA-2005:099RHSA-2005:1351396214096GLSA-200501-39squirrelmail-webmailphp-xss(19036)Unknown vulnerability in typespeed 0.4.1 and earlier allows local users to gain privileges.DSA-684SSLeay.pm in libnet-ssleay-perl before 1.25 uses the /tmp/entropy file for entropy if a source is not set in the EGD_PATH variable, which allows local users to reduce the cryptographic strength of certain operations by modifying the file.http://www.ubuntulinux.org/support/documentation/usn/usn-113-1MDKSA-2006:0231863913471MDKSA-2006:023bsmtpd 2.3 and earlier does not properly sanitize e-mail addresses, which allows remote attackers to execute arbitrary commands.DSA-690Apache mod_auth_radius 1.5.4 and libpam-radius-auth allow remote malicious RADIUS servers to cause a denial of service (crash) via a RADIUS_REPLY_MESSAGE with a RADIUS attribute length of 1, which leads to a memcpy operation with a -1 length argument.20050111 Apache mod_auth_radius remote integer overflowhttp://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02DSA-659modauthradius-dos(18841)1221710128291377314046Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses.12724http://www.daemonology.net/papers/htt.pdfhttp://www.daemonology.net/hyperthreading-considered-harmful/SCOSA-2005.24101739VU#911878ADV-2005-05401013967ADV-2005-30021534818165RHSA-2005:476RHSA-2005:800[openbsd-misc] 20050304 Re: FreeBSD hiding security stuff[freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff][freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuffInternet Explorer 6 on Windows XP SP2 allows remote attackers to bypass the file download warning dialog and possibly trick an unknowledgeable user into executing arbitrary code via a web page with a body element containing an onclick tag, as demonstrated using the createElement function.20050114 Internet Explorer (SP2) - Remote File DownloadStack-based buffer overflow in the websql CGI program in MySQL MaxDB 7.5.00 allows remote attackers to execute arbitrary code via a long password parameter.20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability122651012893The web-based administrative interface for 3Com OfficeConnect Wireless 11g Access Point (AP) 1.00.08, and possibly earlier versions before 1.03.07A, allows remote attackers to bypass authentication and obtain sensitive information by directly accessing the (1) config.bin (2) profile.wlp?PN=ggg or (3) event.logs URLs.3Com OfficeConnect Wireless 11g AP Information Disclosure VulnerabilityOfficeConnect Wireless information disclosurebid 12322101295813942inpview in SGI IRIX allows local users to execute arbitrary commands via the SUN_TTSESSION_CMD environment variable, which is executed by inpview without dropping privileges.20050113 SGI IRIX inpview Design Error Vulnerability13858irix-inpview-gain-privileges(18894)10128941225912915vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer.20050211 ZoneAlarm 5.1 Invalid Pointer Dereference Vulnerabilityhttp://download.zonelabs.com/bin/free/securityAlert/19.html1253114256Stack-based buffer overflow in DataRescue Interactive Disassembler (IDA) Pro 4.7 allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name.20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerabilityhttp://www.datarescue.com/ubb/ultimatebb.php?/topic/2/146.htmldatabase-ida-portable-executable-bo(19042)12353101297513980AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl.20050117 AWStats Remote Command Execution Vulnerabilityhttp://awstats.sourceforge.net/docs/awstats_changelog.txtVU#272296138931300212298Buffer overflow in XShisen before 1.36 allows local users to execute arbitrary code via a long GECOS field.289784: xshisen: buffer overflow when handling GECOS fieldhttp://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.htmlhelvis 1.8h2_1 and earlier stores recovery files in world readable directories with world readable permissions, which allows local users to read the recovered files of other users.http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.htmlhelvis 1.8h2_1 and earlier allows local users to recover and read the files of other users via the elvrec setuid program.http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.htmlhelvis 1.8h2_1 and earlier allows local users to delete arbitrary files via the elvprsv setuid program.http://people.freebsd.org/~niels/ports/korean/helvis/issues.txtMultiple buffer overflows in golddig 2.0 and earlier allow local users to execute arbitrary code via (1) a long map name command line argument or (2) a long username as recorded in the USER environment variable.http://www.vuxml.org/freebsd/949c470e-528f-11d9-ac20-00065be4b5b6.htmlgolddig-long-mapname-bo(19039)golddig-long-username-bo(19040)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0975. Reason: This candidate is a duplicate of CVE-2005-0975. Notes: All CVE users should reference CVE-2005-0975 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow.Re: Make pipe data structure be a circular list of pages, rather than[linux-kernel] 20041216 [Coverity] Untrusted user data in kernel[linux-kernel] 20050105 Re: [Coverity] Untrusted user data in kernel[linux-kernel] 20050107 [PATCH 2.6.10-mm2] fs/coda Re: [Coverity] Untrusted user data in kernel1013018RHSA-2006:019118684RHSA-2005:663FLSA:157459-1DSA-1017193741700214967DSA-1070DSA-1067DSA-10692016320202DSA-1082ADV-2005-187820338The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop privileges, which allows local users to (1) delete arbitrary files via atrm, (2) execute arbitrary programs via the -f argument to batch, or (3) read arbitrary files via the -f argument to batch, which generates a job file that is readable by the local user.20050127 DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid'http://www.digitalmunition.com/DMA[2005-0127a].txtAPPLE-SA-2005-01-25VU#678150macos-at-gain-privileges(18981)ColorSync on Mac OS X 10.3.7 and 10.3.8 allows attackers to execute arbitrary code via malformed ICC color profiles that modify the heap.APPLE-SA-2005-01-25VU#980078macos-icc-profile-bo(19083)123671013000Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine.APPLE-SA-2005-01-25macos-ethernet-address-disclosure(19085)VU#464662140051013001The Quick Buttons feature in Konversation 0.15 allows remote attackers to execute certain IRC commands via a channel name containing "%" variables, which are recursively expanded by the Server::parseWildcards function when the Part Button is selected.Multiple vulnerabilities in KonversationKonversation expansion execute code20050119 Multiple vulnerabilities in KonversationGLSA-200501-341231210129721391913989Certain Perl scripts in Konversation 0.15 allow remote attackers to execute arbitrary commands via shell metacharacters in (1) channel names or (2) song names that are not properly quoted when the user runs IRC sripts.Multiple vulnerabilities in KonversationKonversation Perl script may allow execution of code20050119 Multiple vulnerabilities in KonversationGLSA-200501-341231210129721391913989The Quick Connection dialog in Konversation 0.15 inadvertently uses the user-provided password as the nickname instead of the user-provided nickname when connecting to the IRC server, which could leak the password to other users.Multiple vulnerabilities in Konversation20050119 Multiple vulnerabilities in Konversationkonversation-nick-password-information-disclosure(19038)GLSA-200501-341231210129721391913989ClamAV 0.80 and earlier allows remote attackers to cause a denial of service (clamd daemon crash) via a ZIP file with malformed headers.http://sourceforge.net/project/shownotes.php?release_id=300116CLA-2005:928GLSA-200501-46MDKSA-2005:0252005-0003MDKSA-2005:025The X server in SCO UnixWare 7.1.1, 7.1.3, and 7.1.4 does not properly create socket directories in /tmp, which could allow attackers to hijack local sockets.ADV-2005-0077SCOSA-2005.8UnixWare x.org Local Socket Hijacking VulnerabilityThe unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash).RHSA-2005:366https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148868http://linux.bkbits.net:8080/linux-2.6/cset@41f2beablXVnAs_6fznhhITh1j5hZg15019RHSA-2005:284RHSA-2005:293DSA-1070DSA-1067DSA-1069132662016320202DSA-108220338The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain "ptrace corner cases" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761.RHSA-2005:420RHSA-2005:66317002[kernel-svn-changes] 20050816 r3920 - in branches/dist/sarge-security: . kernel kernel/i386 kernel/source kernel/source/kernel-source-2.6.8-2.6.8/debian[linux-ia64] 20040916 Re: [Patch] Per CPU MCA/INIT data save areasADV-2005-1878Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a "missing Itanium syscall table entry."RHSA-2005:293RHSA-2005:284rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not correctly allow access to anonymous clients that connect from a system whose hostname can not be determined. NOTE: while this issue occurs in a security mechanism, there is no apparent attacker role and probably does not satisfy the CVE definition of a vulnerability.P-214ADV-2005-070215619Unknown vulnerability in rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not sufficiently restrict access rights for read-mostly exports, which allows attackers to conduct unauthorized activities.P-214ADV-2005-070215619Buffer overflow in PeID allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name.20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerabilitydatabase-ida-portable-executable-bo(19042)1235513984Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab.http://www.mozilla.org/security/announce/mfsa2005-01.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=249332RHSA-2005:323RHSA-2005:335mozilla-firefox-file-upload(19168)OVAL10005712407oval:org.mitre.oval:def:100057Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF.http://www.mozilla.org/security/announce/mfsa2005-02.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=251297RHSA-2005:335mozilla-world-readable(17832)OVAL100056RHSA-2005:384SUSE-SA:2006:02219823oval:org.mitre.oval:def:100056Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks.http://www.mozilla.org/security/announce/mfsa2005-03.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=257308RHSA-2005:335mozilla-ssl-spoofing(19166)OVAL100055RHSA-2005:38412407oval:org.mitre.oval:def:100055Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks.http://www.mozilla.org/security/announce/mfsa2005-04.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=262689RHSA-2005:323RHSA-2005:335mozilla-ssl-view-source-spoofing(19169)OVAL10005412407oval:org.mitre.oval:def:100054Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature.http://www.mozilla.org/security/announce/mfsa2005-07.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=265176mozilla-script-click-event-bypass(19170)OVAL10005112407oval:org.mitre.oval:def:100051Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to obtain sensitive data from the clipboard via Javascript that generates a middle-click event on systems for which a middle-click performs a paste operation.http://www.mozilla.org/security/announce/mfsa2005-08.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=265728RHSA-2005:335mozilla-middle-click-information-disclosure(19171)RHSA-2005:38412407Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials.http://www.mozilla.org/security/announce/mfsa2005-09.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=267263RHSA-2005:323mozilla-407-proxy-obtain-information(19174)OVAL10004912407oval:org.mitre.oval:def:100049Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future.http://www.mozilla.org/security/announce/mfsa2005-10.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=263546thunderbird-javascript-handler-launch(19173)OVAL10004812407oval:org.mitre.oval:def:100048Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages.http://www.mozilla.org/security/announce/mfsa2005-11.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=268107RHSA-2005:094RHSA-2005:323RHSA-2005:335mozilla-cookie-policy-bypass(19172)OVAL100047SUSE-SA:2006:0221982312407oval:org.mitre.oval:def:100047Firefox before 1.0 allows the user to store a (1) javascript: or (2) data: URLs as a Livefeed bookmark, then executes it in the security context of the currently loaded page when the user later accesses the bookmark, which could allow remote attackers to execute arbitrary code.http://www.mozilla.org/security/announce/mfsa2005-12.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=265668mozilla-firefox-livefeed-xss(19187)OVAL10004612407oval:org.mitre.oval:def:100046Unknown vulnerability in the installation of Adobe License Management Service, as used in Adobe Photoshop CS, Adobe Creative Suite 1.0, and Adobe Premiere Pro 1.5, allows attackers to gain administrator privileges.http://www.adobe.com/support/techdocs/331688.html101416810141691014170PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation."DSA-662VU#20321414096The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable.20050207 DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation'http://www.digitalmunition.com/DMA[2005-0131a].txtGLSA-200502-13MDKSA-2005:031RHSA-2005:103RHSA-2005:1052005-000320050202 [USN-72-1] Perl vulnerabilities12426perl-perliodebug-file-overwrite(19207)14120FLSA-2006:152845CLSA-2006:105621646MDKSA-2005:031Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree.20050207 DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUGhttp://www.digitalmunition.com/DMA[2005-0131b].txtGLSA-200502-13MDKSA-2005:031RHSA-2005:103RHSA-2005:1052005-000320050202 [USN-72-1] Perl vulnerabilities12426perl-perliodebug-bo(19208)14120FLSA-2006:152845CLSA-2006:1056MDKSA-2005:031The confirm add-on in SmartList 3.15 and earlier allows attackers to subscribe arbitrary e-mail addresses by using a valid cookie that specifies an address other than the address for which the cookie was assigned.DSA-720SmartList ListManager Arbitrary List Addition VulnerabilityFormat string vulnerability in bidwatcher before 1.3.17 allows remote malicious web servers from eBay, or a spoofed eBay server, to cause a denial of service and possibly execute arbitrary code via certain responses.DSA-687GLSA-200503-06The tpkg-* scripts in the toolchain-source 3.0.4 package on Debian GNU/Linux 3.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files.toolchain-source -- insecure temporary filesbid 12540toolchain-source-symlink(19317)14277Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) 2 overflows in ACE archives, (2) a long command line argument, or (3) certain "Ready for next volume" messages.20050222 unace-1.2b multiple buffer overflows and directory traversal bugs14359SUSE-SR:2005:016VU#21500612630Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames.20050222 unace-1.2b multiple buffer overflows and directory traversal bugs14359SUSE-SR:2005:01612628Stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code.20050126 Openswan XAUTH/PAM Buffer Overflow Vulnerabilityhttp://www.openswan.org/support/vuln/IDEF0785/openswan-xauth-pam-bo(19078)FEDORA-2005-082123771319510130141403814062squid_ldap_auth in Squid 2.5 and earlier allows remote authenticated users to bypass username-based Access Control Lists (ACLs) via a username with a space at the beginning or end, which is ignored by the LDAP server.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaceshttp://www.squid-cache.org/bugs/show_bug.cgi?id=1187http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patchCLA-2005:923DSA-667MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:006VU#92419820050207 [USN-77-1] Squid vulnerabilities12431FLSA-2006:152809MDKSA-2005:034Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3) header names containing whitespace characters.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsingCLA-2005:931MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:00620050207 [USN-77-1] Squid vulnerabilitiesVU#768702FEDORA-2005-373FLSA-2006:15280912412MDKSA-2005:034Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splittingCLA-2005:931DSA-667MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:00620050207 [USN-77-1] Squid vulnerabilitiesVU#625878http://www.squid-cache.org/Advisories/SQUID-2005_5.txtFEDORA-2005-373FLSA-2006:15280912433MDKSA-2005:034The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released.20050215 [USN-82-1] Linux kernel vulnerabilitiesCLA-2005:930RHSA-2005:092OVAL1225RHSA-2005:47212598oval:org.mitre.oval:def:1225 20060402-01-U 19607nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow.http://linux.bkbits.net:8080/linux-2.6/cset@41e2bfbeOiXFga62XrBhzm7Kv9QDmQCLA-2005:930RHSA-2005:09220050215 [USN-82-1] Linux kernel vulnerabilities12598Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores.http://linux.bkbits.net:8080/linux-2.6/cset@41ddda70CWJb5nNL71T4MOlG2sMG8ACLA-2005:930RHSA-2005:09220050215 [USN-82-1] Linux kernel vulnerabilities12598Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call.20050107 grsecurity 2.1.0 release / 5 Linux kernel advisoriesCLA-2005:930RHSA-2005:092RHSA-2005:66317002ADV-2005-1878Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions.20050107 grsecurity 2.1.0 release / 5 Linux kernel advisoriesCLA-2005:930RHSA-2005:092MDKSA-2005:218MDKSA-2005:219121981782620050107 grsecurity 2.1.0 release / 5 Linux kernel advisoriesMDKSA-2005:218MDKSA-2005:219The mod_dosevasive module 1.9 and earlier for Apache creates temporary files with predictable filenames, which could allow remote attackers to overwrite arbitrary files via a symlink attack.20050111 Mod_dosevasive symlink and race vulnerabilityhttp://security.lss.hr/index.php?page=details&ID=LSS-2005-01-0112181moddosevasive-symlink(18765)13725ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to execute arbitrary commands via shell metacharacters in a command line argument.20050111 Squirrelmail vacation v0.15 local root exploithttp://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03vacation-ftpfile-command-execution(18855)12222101286613791Directory traversal vulnerability in ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to read arbitrary files via a .. (dot dot) in a get request.20050111 Squirrelmail vacation v0.15 local root exploithttp://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03vacation-ftpfile-directory-traversal(18856)12222101286613791Stack-based buffer overflow in NodeManager Professional 2.00 allows remote attackers to execute arbitrary commands via a LinkDown-Trap packet that contains a long OCTET-STRING in the Trap variable-bindings field.20050117 [SIG^2 G-TEC] NodeManager Professional V2.00 Buffer Overflow Vulnerabilityhttp://www.security.org.sg/vuln/nodemanager200.html13881nodemanager-linkdown-bo(18937)122831012915Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port.20050119 Vulnerability in Cisco IOS Embedded Call Processing Solutionscisco-ios-sccp-dos(18956)101294513913Stack-based buffer overflow in the SetSkin function in AtHoc toolbar allows remote attackers to execute arbitrary code via a long skin name.20041006 Patch available for high risk flaws in the AtHoc Toolbar20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c)http://www.ngssoftware.com/advisories/athoc-01full.txt11341athoc-toolbar-bo(17627)Format string vulnerability in the SetBaseURL function in AtHoc toolbar allows remote attackers to execute arbitrary code via format string specifiers in an invalid URL that is recorded in the debug log.20041006 Patch available for high risk flaws in the AtHoc Toolbar20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c)http://www.ngssoftware.com/advisories/athoc-01full.txt11341athoc-toolbar-format-string(17628)Stack-based buffer overflow in the HandleAction function in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to execute arbitrary code via a long ShowPreferences argument.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e)20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e)http://service.real.com/help/faq/security/040928_player/EN/VU#6983901231120041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e)Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing .. (dot dot) sequences in a filename that ends with a ? (question mark) and an allowed file extension (e.g. .mp3), which bypasses the check for the file extension.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f)http://www.ngssoftware.com/advisories/real-02full.txthttp://service.real.com/help/faq/security/040928_player/EN/1130812672realplayer-media-file-deletion(17551)20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f)Off-by-one buffer overflow in the processing of tags in Real Metadata Package (RMP) files in RealPlayer 10.5 (6.0.12.1040) and earlier could allow remote attackers to execute arbitrary code via a long tag.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)http://www.ngssoftware.com/advisories/real-03full.txthttp://service.real.com/help/faq/security/040928_player/EN/realplayer-long-filename-offbyone-bo(18982)20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)Directory traversal vulnerability in the parsing of Skin file names in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in an RJS filename.20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)http://www.ngssoftware.com/advisories/real-03full.txthttp://service.real.com/help/faq/security/040928_player/EN/realplayer-rjs-filenane-directory-traversal(18984)20041006 Patch available for multiple high risk vulnerabilities in RealPlayer20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g)Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync 1.5 in Mac OS X 10.3.7 and earlier allows local users to execute arbitrary code.20050122 Mac OS X 10.3 iSync Privilege EscalationAPPLE-SA-2005-04-19isync-mrouter-bo(19011)12334101297413965Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings.http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patchhttp://www.squid-cache.org/bugs/show_bug.cgi?id=1166http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_aclsCLA-2005:923DSA-66720050221 [USN-84-1] Squid vulnerabilitiesVU#260421FLSA-2006:152809Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet.20050126 Multiple Crafted IPv6 Packets Cause ReloadTA05-026AVU#472582cisco-ios-ipv6-dos(19072)Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet.20050126 Cisco IOS Misformed BGP Packet Causes ReloadTA05-026AVU#689326cisco-ios-bgp-packetdos(19074)101301314034Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multi Protocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface.20050126 Crafted Packet Causes Reload on Cisco RoutersTA05-026AVU#583638cisco-ios-mpls-dos(19071)12369101301514031A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users.VU#702777http://www.kb.cert.org/vuls/id/CRDY-68QSL5GLSA-200502-02MDKSA-2005:026RHSA-2005:1281239110130371405714097MDKSA-2005:026Integer underflow in the Lists_MakeMask() function in lists.c in ngIRCd before 0.8.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MODE line that causes an incorrect length calculation, which leads to a buffer overflow.[ngIRCd-ML] 20050126 ngIRCd 0.8.2http://bugs.gentoo.org/show_bug.cgi?id=79705GLSA-200501-4012397ngircd-listmakemask-bo(19143)10130471405614059TikiWiki before 1.8.5 does not properly validate files that have been uploaded to the temp directory, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2004-1386.GLSA-200501-41http://tikiwiki.org/art102http://www.lovebug.org/imd_advisory.txt13948D-BUS (dbus) before 0.22 does not properly restrict access to a socket, if the socket address is known, which allows local users to listen or send arbitrary messages on another user's per-user session bus via that socket.MDKSA-2005:105RHSA-2005:102ESB-2005.0435USN-144-112435101307514119156381583315844Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences.20050209 Administrivia: List Compromised due to Mailman VulnerabilityAPPLE-SA-2005-03-21DSA-674GLSA-200502-11MDKSA-2005:037RHSA-2005:136RHSA-2005:13720050209 [USN-78-1] Mailman vulnerability101314514211MDKSA-2005:037SUSE-SA:2005:007** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none.Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction.RHSA-2005:092RHSA-2005:2932006-00061878412598KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain wrappers, does not properly close a privileged file descriptor for a domain socket, which allows local users to read and write to /etc/hosts and /etc/resolv.conf and gain control over DNS name resolution by opening a number of file descriptors before executing kppp.20050228 KPPP Privileged File Descriptor Leak Vulnerabilityhttp://www.kde.org/info/security/advisory-20050228-1.txtCLA-2005:934DSA-692RHSA-2005:175The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities.xpdf security updatebid 11501MDKSA-2005:041MDKSA-2005:042MDKSA-2005:043MDKSA-2005:044MDKSA-2005:052MDKSA-2005:056RHSA-2005:034RHSA-2005:053RHSA-2005:057RHSA-2005:132xpdf-pdf-bo(17818)MDKSA-2005:041MDKSA-2005:042MDKSA-2005:043MDKSA-2005:044MDKSA-2005:052MDKSA-2005:056Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT.CLA-2005:930SUSE-SA:2005:00312330RHSA-2005:366The HTML parsing functions in Gaim before 1.1.4 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0473.http://gaim.sourceforge.net/security/?id=12CLA-2005:933GLSA-200503-03MDKSA-2005:049RHSA-2005:21520050225 [USN-85-1] Gaim vulnerabilitiesVU#79581214386FLSA:15854312660SUSE-SA:2005:036MDKSA-2005:049Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments.20050315 [USN-95-1] Linux kernel vulnerabilitiesCLA-2005:945SUSE-SA:2005:018RHSA-2005:36612598RHSA-2005:420Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice.20050315 [USN-95-1] Linux kernel vulnerabilitiesCLA-2005:945SUSE-SA:2005:018MDKSA-2005:218MDKSA-2005:219RHSA-2005:366RHSA-2005:6631281614966142951782617002ADV-2005-1878MDKSA-2005:218MDKSA-2005:219Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflowhttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patchDSA-667MDKSA-2005:034RHSA-2005:060RHSA-2005:061SUSE-SA:2005:00620050207 [USN-77-1] Squid vulnerabilitiesVU#8860061243213319101304514076FLSA-2006:152809MDKSA-2005:034The Amp II engine as used by Gore: Ultimate Soldier 1.50 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero byte UDP packet.http://aluigi.altervista.org/adv/amp2zero-adv.txt12192amp-3d-socket-dos(18789)1375420050106 Socket unreacheable in Amp II engineDirectory traversal vulnerability in WinHKI 1.4d allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a zip file.20050106 WinAc AND WinHKI ZIP File Directory Transversal 12176winhki-zip-directory-traversal(18798)101279813738Directory traversal vulnerability in Simple PHP Blog (SPHPBlog) 0.3.7c allows remote attackers to read or create arbitrary files via a .. (dot dot) in the entry parameter.20050107 Simple PHP Blog directory traversal vulnerability 20050107 Simple PHP Blog directory traversal vulnerability 12193sphp-dotdot-directory-traversal(18802)Mozilla 1.6 and possibly other versions allows remote attackers to cause a denial of service (application crash) via a XBM (X BitMap) file with a large (1) height or (2) width value.20050107 Mozilla XBM Image Vulnerabilitymozilla-xbm-dos(18803)Cross-site scripting (XSS) vulnerability in formmail.php in Woltlab Burning Board Lite 1.0.0, 1.0.1e, and possibly other versions, allows remote attackers to inject arbitrary web sript and HTML via the userid parameter.20050108 Security Advisory: Woltlab Burning Board Lite formmail.php XSS 12199wbb-formmail-userid-xss(18814)13782SQL injection vulnerability in index.php in Invision Community Blog allows remote attackers to execute arbitrary SQL commands via the eid parameter.20050109 SQL Injection Vulnerability in Invision Community Blog12205icb-sql-injection(18815)12817101283113783ClamAV 0.80 and earlier allows remote attackers to bypass virus scanning via a base64 encoded image in a data: (RFC 2397) URL.http://sourceforge.net/project/shownotes.php?release_id=300116GLSA-200501-46MDKSA-2005:02513900MDKSA-2005:025Multiple cross-site scripting (XSS) vulnerabilities in Gallery 1.3.4-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the index field in add_comment.php, (2) set_albumName, (3) slide_index, (4) slide_full, (5) slide_loop, (6) slide_pause, (7) slide_dir fields in slideshow_low.php, or (8) username field in search.php.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerabilityhttp://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147gallery-multiple-xss(18938)gallery-multiple-scripts-xss(43473)Cross-site scripting vulnerability in login.php in Gallery 1.4.4-pl2 allows remote attackers to inject arbitrary web script or HTML via the username field.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting VulnerabilityGLSA-200501-45http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=14713887gallery-multiple-xss(18938)Cross-site scripting (XSS) vulnerability in login.php in Gallery 2.0 Alpha allows remote attackers to inject arbitrary web script or HTML via the g2_form[subject] field.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerabilityhttp://theinsider.deep-ice.com/texts/advisory69.txthttp://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147gallery-multiple-xss(18938)gallery-g2formsubject-xss(43472)main.php in Gallery 2.0 Alpha allows remote attackers to gain sensitive information by changing the value of g2_subView parameter, which reveals the path in an error message.20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerabilityhttp://theinsider.deep-ice.com/texts/advisory69.txthttp://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147gallery-mainphp-obtain-information(18940)The Software Development Kit (SDK) and Run Time Environment (RTE) 1.4.1 and 1.4.2 for Tru64 UNIX allows remote attackers to cause a denial of service (Java Virtual Machine hang) via object deserialization.SSRT4875Unknown vulnerability in HP-UX B.11.04 running Virtualvault 4.5 through 4.7, when running the TGA daemon, allows remote attackers to cause a denial of service via certain network traffic.SSRT590014082firehol.sh in FireHOL before 1.224 creates temporary files with predictable file names, which could allow local users to overwrite arbitrary files via a symlink attack.GLSA-200502-01http://cvs.sourceforge.net/viewcvs.py/firehol/firehol/firehol.sh123361313710129691397014102firehol-symlink(19032)Format string vulnerability in the Log_Resolver function in log.c for ngIRCd 0.8.2 and earlier, when compiled with IDENT, logging to SYSLOG, and with DEBUG enabled, allows remote attackers to execute arbitrary code.20050203 ngIRCd <= v0.8.2 Format String Vulnerabilityhttp://www.nosystem.com.ar/advisories/advisory-11.txt1411412434PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension.[pgsql-bugs] 20050121 Privilege escalation via LOAD[pgsql-announce] 20050201 PostgreSQL Security ReleaseDSA-668200502-08MDKSA-2005:040RHSA-2005:138RHSA-2005:1502005-000320050201 [USN-71-1] PostgreSQL vulnerability12948SUSE-SA:2005:036 12411MDKSA-2005:040** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1388. Reason: This candidate is a duplicate of CVE-2004-1388. Notes: All CVE users should reference CVE-2004-1388 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.CitrusDB 0.3.5 and earlier stores the newfile.txt temporary data file under the web root, which allows remote attackers to steal credit card information via a direct request to newfile.txt.bid 1240220050212 Credit Card data disclosure in CitrusDBhttp://www.citrusdb.org/forums/viewtopic.php?t=49citrus-information-disclosure(19145)1013040Firefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging."GLSA-200503-30OVAL100033SUSE-SA:2006:02219823oval:org.mitre.oval:def:10003320050207 Firedragging [Firefox 1.0]http://www.mikx.de/firedragging/https://bugzilla.mozilla.org/show_bug.cgi?id=279945http://www.mozilla.org/security/announce/mfsa2005-25.htmlGLSA-200503-10Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing."20050207 Firetabbing [Firefox 1.0]http://www.mikx.de/firetabbing/https://bugzilla.mozilla.org/show_bug.cgi?id=280056http://www.mozilla.org/security/announce/mfsa2005-26.htmlGLSA-200503-10GLSA-200503-30SUSE-SA:2005:016mozilla-firefox-tab-gain-access(19264)OVAL100032RHSA-2005:176RHSA-2005:384oval:org.mitre.oval:def:100032Firefox 1.0 allows remote attackers to modify Boolean configuration parameters for the about:config site by using a plugin such as Flash, and the -moz-opacity filter, to display the about:config site then cause the user to double-click at a certain screen position, aka "Fireflashing."http://www.mikx.de/fireflashing/https://bugzilla.mozilla.org/show_bug.cgi?id=280664http://www.mozilla.org/security/announce/mfsa2005-27.htmlGLSA-200503-10GLSA-200503-30RHSA-2005:323SUSE-SA:2005:016mozilla-firefox-aboutconfig-modify(19266)20050207 Fireflashing [Firefox 1.0]RHSA-2005:176RHSA-2005:384The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txthttp://www.mozilla.org/security/announce/mfsa2005-29.htmlGLSA-200503-10GLSA-200503-30SUSE-SA:2005:016multiple-browsers-idn-spoof(19236)OVAL100029RHSA-2005:176RHSA-2005:38412461oval:org.mitre.oval:def:100029The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txtAPPLE-SA-2005-03-21multiple-browsers-idn-spoof(19236)12461The International Domain Name (IDN) support in Opera 7.54 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txtmultiple-browsers-idn-spoof(19236)12461SUSE-SA:2005:031The International Domain Name (IDN) support in Omniweb 5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs.http://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txtmultiple-browsers-idn-spoof(19236)12461The International Domain Name (IDN) support in Konqueror 3.2.1 on KDE 3.2.1 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attacks20050206 Re: state of homograph attackshttp://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txthttp://www.kde.org/info/security/advisory-20050316-2.txtMDKSA-2005:05814162multiple-browsers-idn-spoof(19236)RHSA-2005:325FLSA:17860612461MDKSA-2005:058The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks.20050206 state of homograph attackshttp://www.shmoo.com/idnhttp://www.shmoo.com/idn/homograph.txthttps://bugzilla.redhat.com/beta/show_bug.cgi?id=147399multiple-browsers-idn-spoof(19236)12461viewcert.php in the S/MIME plugin 0.4 and 0.5 for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the cert parameter.20050207 SquirrelMail S/MIME Plugin Command Injection Vulnerabilityhttp://www.squirrelmail.org/plugin_view.php?id=54VU#502328squirrelmail-smime-command-execution(19242)Format string vulnerability in chdev on IBM AIX 5.2 allows local users to execute arbitrary code via format string specifiers in a command line argument, which is not properly handled when printing an error message.20050207 IBM AIX chdev Local Format String VulnerabilityIY67455IY67654aix-chdev-format-string(19244)The httpProcessReplyHeader function in http.c for Squid 2.5-STABLE7 and earlier does not properly set the debug context when it is handling "oversized" HTTP reply headers, which might allow remote attackers to poison the cache or bypass access controls based on header size.http://www.squid-cache.org/bugs/show_bug.cgi?id=1216http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-oversize_reply_headershttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-oversize_reply_headers.patchCLA-2005:931RHSA-2005:060RHSA-2005:061SUSE-SA:2005:006VU#823350squid-http-cache-poisoning(19060)14091FLSA-2006:15280912412The Audio Setup Wizard (asw.dll) in Yahoo! Messenger 6.0.0.1750, and possibly other versions, allows attackers to arbitrary code by placing a malicious ping.exe program into the Messenger program directory, which is installed with weak default permissions.http://secunia.com/secunia_research/2004-6/advisory/11815Yahoo! Messenger 6.0.0.1750, and possibly other versions before 6.0.0.1921, does not properly display long filenames in file dialog boxes, which could allow remote attackers to trick users into downloading and executing programs via file names containing a large number of spaces and multiple file extensions.http://secunia.com/secunia_research/2005-2/advisory/13712PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command.[pgsql-hackers] 20050127 Permissions on aggregate component functionsMDKSA-2005:040RHSA-2005:13820050210 [USN-79-1] PostgreSQL vulnerabilities12948postgresql-security-bypass(19184)SUSE-SA:2005:036 12417MDKSA-2005:040Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247.[pgsql-patches] 20050120 Re: WIP: pl/pgsql cleanup[pgsql-committers] 20050121 pgsql: Prevent overrunning a heap-allocated buffer is more than 1024[pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser.DSA-683MDKSA-2005:040RHSA-2005:138RHSA-2005:15020050210 [USN-79-1] PostgreSQL vulnerabilities12948postgresql-cursor-bo(19188)SUSE-SA:2005:036 12417MDKSA-2005:040The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted arrays.[pgsql-committers] 20050127 pgsql: Fix security and 64-bit issues in contrib/intagg.MDKSA-2005:040RHSA-2005:13820050210 [USN-79-1] PostgreSQL vulnerabilities12948postgresql-contribintagg-dos(19185)SUSE-SA:2005:036 12417MDKSA-2005:040Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may allow attackers to execute arbitrary code via (1) a large number of variables in a SQL statement being handled by the read_sql_construct function, (2) a large number of INTO variables in a SELECT statement being handled by the make_select_stmt function, (3) a large number of arbitrary variables in a SELECT statement being handled by the make_select_stmt function, and (4) a large number of INTO variables in a FETCH statement being handled by the make_fetch_stmt function, a different set of vulnerabilities than CVE-2005-0245.[pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser.DSA-683GLSA-200502-19MDKSA-2005:040RHSA-2005:138RHSA-2005:150SUSE-SA:2005:02720050210 [USN-79-1] PostgreSQL vulnerabilitiespostgresql-fetch-makefetchstmt-bo(19378)postgresql-makeselectstmt-arbitrary-bo(19377)postgresql-makeselectstmt-input-bo(19376)postgresql-readsqlconstruct-bo(19375)SUSE-SA:2005:036 12417MDKSA-2005:040The Solaris Management Console (SMC) GUI for Solaris 8 and 9, when creating user accounts that are configured for password aging, creates the accounts with a blank password, which allows remote or local attackers to break into those accounts.57717P-0961226013803solaris-smc-blank-password(18868)122601012860Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header.20050208 Symantec AntiVirus Library Heap Overflowhttp://www.symantec.com/avcenter/security/Content/2005.02.08.htmlVU#107822upx-engine-gain-control(18869)1013133Format string vulnerability in auditselect on IBM AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via format string specifiers in a command line argument.20050208 IBM AIX auditselect Local Format String VulnerabilityIY67519IY67472IY67802VU#8967291249614198aix-auditselect-format-string(19255)1013103Cross-site scripting (XSS) vulnerability in bibindex.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the search parameter.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583SQL injection vulnerability in BibORB 1.3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583Directory traversal vulnerability in index.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to delete arbitrary files via a Delete action and .. (dot dot) sequences in the database_name parameter.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583BibORB 1.3.2, and possibly earlier versions, does not properly enforce a restriction for uploading only PDF and PS files, which allows remote attackers to upload arbitrary files that are presented to other users with PDF or PS icons, which may trick some users into downloading and executing those files.20050217 Advisory: Multiple Vulnerabilities in BibORB20050217 Advisory: Multiple Vulnerabilities in BibORB12583String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption.20050228 Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Errorhttp://www.mozilla.org/security/announce/mfsa2005-18.htmlGLSA-200503-10GLSA-200503-30RHSA-2005:277RHSA-2005:337SUSE-SA:2005:016OVAL100040RHSA-2005:176SUSE-SA:2006:0221982312659oval:org.mitre.oval:def:100040The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command.20050225 WU-FTPD File Globbing Denial of Service VulnerabilityDSA-70557795SCOSA-2005.6318210HPSBUX02110ADV-2005-0588ADV-2006-12711441119561101699oval:org.mitre.oval:def:1265oval:org.mitre.oval:def:1333oval:org.mitre.oval:def:176214203Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter.phpBB Group phpBB2 Arbitrary File Unlink VulnerabilityPhPBB CHANGELOGbid 12623GLSA-200503-02phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary files by providing both a local and remote location for an avatar, then modifying the "Upload Avatar from a URL:" field to reference the target file.phpBB Group phpBB Arbitrary File Disclosure VulnerabilityPhPBB CHANGELOGbid 12621GLSA-200503-02VU#77468614362Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call.20050209 Computer Associates BrightStor ARCserve Backup v11 Discovery Service Remote Buffer Overflow Vulnerabilityhttp://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1brightstor-discovery-bo(19251)101313814183lspath in AIX 5.2, 5.3, and possibly earlier versions, does not drop privileges before processing the -f option, which allows local users to read one line of arbitrary files.20050210 IBM AIX lspath Local File Access VulnerabilityIY67457IY67655ibm-aix-ispath-information-disclosure(19281)1251314232Buffer overflow in ipl_varyon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -d argument.20050210 IBM AIX ipl_varyon Local Buffer Overflow VulnerabilityIY67812IY67750IY66933ibm-aix-iplvaryon-bo(19282)1251614231Buffer overflow in netpmon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -O argument.20050210 IBM AIX netpmon Local Buffer Overflow VulnerabilityIY67807IY67136IY67124ibm-aix-netpmon-bo(19278)1251714237Multiple cross-site scripting (XSS) vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) expand or (2) order parameter.20050101 Various Vulnerabilities in OWL Intranet Engine12114owl-intranet-engine-xss(18705)13695Multiple SQL injection vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to execute arbitrary SQL commands via the (1) parent or (2) sortposted parameter.20050101 Various Vulnerabilities in OWL Intranet Engine12114owl-intranet-engine-sql-injection(18704)13695Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter.20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution12113sugar-sales-index-xss(18719)index.php in FlatNuke 2.5.1 allows remote attackers to create an andministrator account via carriage returns and #10 in the url_avatar field, which is interpreted as a sensitive directive.20050102 Multiple Vulnerabilities in FlatNuke12150flatnuke-indexphp-gain-access(18741)Direct code injection vulnerability in FlatNuke 2.5.1 allows remote attackers to execute arbitrary PHP code by placing the code into the url_avatar field.20050102 Multiple Vulnerabilities in FlatNuke12150flatnuke-indexphp-xss(18746)The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters.20050103 STG Security Advisory: [SSA-20041224-21] File extensionsgnuboard-gbupdate-file-upload(18729)1214913711Multiple cross-site scripting (XSS) vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to inject arbitrary web script or HTML via the (1) si parameter to showcat.php, (2) cat or (3) page parameter to showproduct.php, or (4) report parameter to reportproduct.php.20050103 Serious Vulnerabilities In PhotoPost ReviewPosthttp://www.gulftech.org/?node=research&article_id=00062-0102200513697reviewpost-php-xss(18731)Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php.20050103 Serious Vulnerabilities In PhotoPost ReviewPosthttp://www.gulftech.org/?node=research&article_id=00062-0102200513697reviewpost-php-sql-injection(18732)ReviewPost PHP Pro before 2.84 allows remote attackers to upload and execute arbitrary PHP files by posting a review file with multiple extensions, which bypasses the intended restrictions.20050103 Serious Vulnerabilities In PhotoPost ReviewPost13697reviewpost-php-file-upload(18735)Multiple SQL injection vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) ppuser parameter.20050103 Multiple PhotoPost Pro Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00063-010320051215613680photopost-php-showgallery-xss(18744)Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters.20050103 Multiple PhotoPost Pro Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00063-010320051215613680photopost-php-showgallery-xss(18744)TFTP in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) via a GET request containing an MS-DOS device name.20050104 3Com 3CDaemon Multiple Vulnerabilities3cdaemon-reserved-name-dos(18750)Multiple format string vulnerabilities in the FTP service in 3Com 3CDaemon 2.0 revision 10 allow remote attackers to cause a denial of service (application crash) via format string specifiers in (1) the username, (2) cd, (3) delete, (4) rename, (5) rmdir, (6) literal, (7) stat, or (8) CWD commands.20050104 3Com 3CDaemon Multiple Vulnerabilities121553cdaemon-login-dos(18751)Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via (1) a long username in the USER command or (2) an FTP command that contains a long argument, such as cd, send, or ls.20050104 3Com 3CDaemon Multiple Vulnerabilities20050218 3com 3CDaemon FTP Unauthorized 121553cdaemon-long-command-dos(18754)The FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to gain sensitive information via a cd command that contains an MS-DOS device name, which reveals the installation path in an error message.20050104 3Com 3CDaemon Multiple Vulnerabilities121553cdaemon-command-obtain-information(18756)Soldner Secret Wars 30830 and earlier does not properly handle the "message too long" socket error, which allows remote attackers to cause a denial of service (socket termination) via a long UDP packet.20050104 Socket termination, format string and XSS in Soldner Secret Wars12162soldner-secret-wars-dos(18749)13716Format string vulnerability in Soldner Secret Wars 30830 and earlier allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in a message.20050104 Socket termination, format string and XSS in Soldner Secret Wars12162soldner-secret-wars-format-string(18752)13716Cross-site scripting (XSS) vulnerability in the web interface in Soldner Secret Wars 30830 allows remote attackers to inject arbitrary web script or HTML via a user message, which is not filtered or quoted when the administrator views the server logs.20050104 Socket termination, format string and XSS in Soldner Secret Wars12162soldner-secret-wars-xss(18753)13716SQL injection vulnerability in member.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the uid parameter.20050104 MyBB SQL Injection12161mybb-member-sql-injection(18755)Directory traversal vulnerability in index.php in QwikiWiki allows remote attackers to read arbitrary files via a .. (dot dot) and a %00 at the end of the filename in the page parameter.20050104 QWikiwiki directory traversal vulnerability12163qwikiwiki-directory-traversal(18748)12044SQL injection vulnerability in addentry.php in Woltlab Burning Book 1.0 Gold, 1.1.1e, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the user-agent parameter.20050110 Woltlab Burning Book addentry.php SQL Injectionwoltlab-book-addentry-sql-injection(18859)Webseries Payment Application does not properly restrict privileged operations, which allows remote authenticated users to gain privileges by directly accessing certain URLs.20050110 Portcullis Security Advisory 05-00112216webseries-pa-url-security-bypass(18848)101285413821eMotion MediaPartner Web Server 5.0 and 5.1 allows remote attackers to obtain sensitive information via an HTTP request for a .bhtml file that contains a (1) . (dot) or (2) + (plus sign) at the end, which returns the source code for that file.20050110 Portcullis Security Advisory 05-00412236mediapartner-bhtml-source-disclosure(18861)101285513820Bottomline Webseries Payment Application allows remote attackers to read arbitrary files on the network via a report template with modified ReportPath or ReportName values.20050110 Portcullis Security Advisory 05-009webseries-report-execution(18862)101285413821The change password functionality in Bottomline Webseries Payment Application does not require the old password when users enter a new password, which could allow remote authenticated users to change other users' passwords.20050110 Portcullis Security Advisory 05-00812231webseries-pa-password-gain-access(18860)101285413821Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs.20050115 Apple Airport WDS DoSapple-airport-dos(18865)1215213753NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to bypass the filters using hex encoded URLs, as demonstrated using a hex encoded file extension.20050117 Multiple Vulnerabilities in Netgear FVS318 Router20050117 Multiple Vulnerabilities in Netgear FVS318 Router12278netgear-fvs318-filter-bypass(18920)101291313787Cross-site scripting (XSS) vulnerability in the log viewer in NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via a blocked URL phrase.20050117 Multiple Vulnerabilities in Netgear FVS318 Router20050117 Multiple Vulnerabilities in Netgear FVS318 Router12278netgear-fvs318-log-xss(18921)13012101291313787Multiple SQL injection vulnerabilities in index.php in PHP Gift Registry (phpGiftReg) 1.4.0, and possibly other versions before 1.5.0b1, allow remote attackers to execute arbitrary SQL commands via the (1) messageid, (2) shopper, (3) shopfor, or (4) itemid parameters.20050116 phpGiftReq SQL Injection20050116 phpGiftReq SQL Injection20050307 Re: phpGiftReq SQL Injection1228913873phpgiftregistry-sql-injection(18925)1012910Directory traversal vulnerability in minis.php in Minis 0.2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the month parameter.20050116 Minis directory traversal vulnerability12279minis-month-directory-traversal(18928)101291113866minis.php in Minis 0.2.1 allows remote attackers to cause a denial of service (infinite loop) via an HTTP request for a file that the web server does not have permission to read, as demonstrated using the month parameter.20050116 Minis directory traversal vulnerability20050116 Minis directory traversal vulnerabilityminis-month-dos(18929)101291113866npptnt2.sys in nProtect Gameguard provides unrestricted I/O to any process that calls it, which allows local users to gain privileges.20050116 Unrestricted I/O access vulnerability in INCA Gameguard12280nprotect-npptnt2-gain-access(18952)13928** DISPUTED ** NOTE: this issue has been disputed by the vendor. The error module in Novell GroupWise WebAccess allows remote attackers who have not authenticated to read potentially sensitive information, such as the version, via an incorrect login and a modified (1) error or (2) modify parameter that returns template files or the "about" information page. NOTE: the vendor has disputed this issue.20050117 Novell GroupWise WebAccess error modules loading20050121 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report)20050127 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report)http://support.novell.com/servlet/tidfinder/1009625112285groupwise-error-auth-bypass(18954)13135SQL injection vulnerability in Oracle Database 9i and 10g allows remote attackers to execute arbitrary SQL commands and gain privileges.20050118 Multiple high risk vulnerabilities in Oracle RDBMS 10g/9iThe DIRECTORY objects in Oracle 8i through Oracle 10g contain the location of a specific operating system directory, which allows users with read privileges to a DIRECTORY object to obtain sensitive information.20050118 PeteFinnigan.com - Oracle security advisoryhttp://www.petefinnigan.com/directory_traversal.pdfhttp://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdforacle-directory-lob-obtain-info(18947)Directory traversal vulnerability in GForge 3.3 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the (1) dir parameter to controller.php or (2) dir_name parameter to controlleroo.php.20050120 STG Security Advisory: [SSA-20050120-24] GForge 3.x directory12318gforge-dir-dirname-directory-traversal(18988)1012950Directory traversal vulnerability in session.php in JSBoard 2.0.9 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the table parameter.20050120 STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure12319jsboard-session-file-include(18990)101294913920comersus_backoffice_install10.asp in BackOffice Lite 6.0 and 6.01 allows remote attackers to bypass authentication and gain privileges via a direct request to the program.20050121 bug report comersus Back Office Lite 6.0 and 6.0.1http://www.comersus.org/forum/displayMessage.asp?mid=32753http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.htmlbackoffice-lite-administrative-bypass(19010)SQL injection vulnerability in default.asp in BackOffice Lite 6.0 and 6.01 allows remote attackers to execute arbitrary SQL commands via the referer field in the HTTP header.20050121 bug report comersus Back Office Lite 6.0 and 6.0.1http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.htmlbackoffice-lite-sql-injection(19013)Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_supportError.asp or (2) comersus_backofficelite_supportError.asp in BackOffice Lite 6.0 and 6.01 allow remote attackers to inject arbitrary web script or HTML via the error parameter.20050121 bug report comersus Back Office Lite 6.0 and 6.0.1http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.htmlbackoffice-lite-xss(19014)Directory traversal vulnerability in DivX Player 2.6 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a filename in a ZIP file for a skin.20050121 Arbitrary files overwriting through skins in DivX Player 2.612332divx-player-directory-traversal(19030)13969CRLF injection vulnerability in users.php in Siteman 1.1.10 and earlier allows remote attackers to add arbitrary users and gain privileges via the line parameter in a docreate operation.20050120 God Admin Injection Vulnerability in Siteman 1.0.x,20050122 Siteman User Database Line Insertion Vulnerability12304siteman-gain-access(18998)131311012951MercuryBoard 1.1.1 allows remote attackers to gain sensitive information via an HTTP request with the n parameter set to 0, which causes a divide-by-zero error and reveals the path in the resulting error message.20050124 Multiple vulnerabilities in MercuryBoard 1.1.112359mercuryboard-multiple-script-path-disclosure(19048)Multiple cross-site scripting (XSS) vulnerabilities in index.php in MercuryBoard 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) s, (2) l, (3) a, (4) t, (5) to, or (6) re parameters.20050124 Multiple vulnerabilities in MercuryBoard 1.1.112359mercuryboard-multiple-scripts-xss(19050)Buffer overflow in the wsprintf function in W32Dasm 8.93 and earlier allows remote attackers to execute arbitrary code via a large import or export function name.20050124 Local buffer-overflow in W32Dasm 8.9312352w32dasm-wsprintf-bo(19044)101299713986Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php or (2) mod.php in Exponent 0.95 allow remote attackers to inject arbitrary web script or HTML via the module parameter.20050125 Vulnerabilities in eXponent 0.9512358exponent-module-xss(19061)1318813190Exponent 0.95 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) search.info.php, (2) permissions.info.php, (3) security.info.php, (4) formcontrol.php, or (5) file_modules.php, which reveals the path in an error message because the pathos_core_version variable is undefined.20050125 Vulnerabilities in eXponent 0.95exponent-pathoscoreversion-path-disclosure(19064)Ingate Firewall 4.1.3 and earlier does not terminate the PPTP session for an active user when the administrator disables that user from a resource, which could allow remote authenticated users to retain unauthorized access to resources.20050127 Ingate Firewall: Removed PPTP tunnels not deactivated12383ingate-firewall-unath-access(19123)101302214060WarFTPD 1.82 RC9, when running as an NT service, allows remote authenticated users to cause a denial of service (access violation) via a CWD command with a crafted pathname, as demonstrated using a large string of "%s" sequences, possibly indicating a format string vulnerability.20050127 WarFTPD 1.82 RC9 DoShttp://support.jgaa.com/index.php?cmd=ShowReport&ID=0264312384warftpd-cwd-dos(19129)Multiple directory traversal vulnerabilities in Magic Winmail Server 4.0 Build 1112 allow remote attackers to (1) upload arbitrary files via certain parameters to upload.php or (2) read arbitrary files via certain parameters to download.php, and remote authenticated users to read, create, or delete arbitrary directories and files via the IMAP commands (3) CREATE, (4) EXAMINE, (5) SELECT, or (6) DELETE.20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities12388magic-winmail-command-directory-traversal(19114)magicwinmail-uploadphp-file-upload(19108)101301714053Cross-site scripting (XSS) vulnerability in user.php in Magic Winmail Server 4.0 Build 1112 allows remote attackers to inject arbitrary web script or HTML via the personal information fields.20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities12388magic-winmail-userphp-xss(19113)101301714053The FTP service in Magic Winmail Server 4.0 Build 1112 does not verify that the IP address in a PORT command is the same as the IP address of the user of the FTP session, which allows remote authenticated users to use the server as an intermediary for port scanning.20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities12388magicwinmail-ftp-obtain-information(19115)101301714053WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not properly drop CONNECT requests to the localhost from external systems, which could allow remote attackers to bypass intended access restrictions.20050128 WebWasher Classic - HTTP CONNECT weaknesshttp://www.oliverkarow.de/research/WebWasherCONNECT.txt1239414058webwasher-classic-connect-gain-access(19144)1013036Cross-site scripting (XSS) vulnerability in useredit_account.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter.20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.212395webadmin-usereditaccountwdm-xss(19161)101303814079useredit_account.wdm in Alt-N WebAdmin 3.0.4 does not properly validate account edits by the logged in user, which allows remote authenticated users to edit other users' account information via a modified user parameter.20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2123951013038Direct remote injection vulnerability in modalfram.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to load external webpages that appear to come from the WebAdmin server, which allows remote attackers to inject arbitrary HTML or web script to facilitate cross-site scripting (XSS) and phishing attacks.20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.212395webadmin-html-injection(19162)Multiple cross-site scripting vulnerabilities in MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to login.html, (2) accountid parameter to accountsettings_add.html, or the (3) note, (4) title, and (5) location fields to calendar.html.20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes12396merak-icewarp-multiple-xss(19147)MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote authenticated users to gain sensitive information via an HTTP request to (1) calendar_d.html, (2) calendar_m.html, (3) calendar_w.html, or (4) calendar_y.html, which reveal the installation path.20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holesmerak-icewarp-user-path-disclosure(19152)MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 and Mail Server 7.6.4r with Icewarp Mail Server 5.3.2 uses weak encryption in the (1) users.cfg, (2) settings.cfg, (3) users.dat or (4) user.dat files, which allows local users to extract the passwords.20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holesmerak-icewarp-weak-password-encryption(19153)Cross-site scripting (XSS) vulnerability in Infinite Mobile Delivery Webmail 2.6 allows remote attackers to inject arbitrary web script or HTML via the URL.20050129 XSS in Infinite Mobile Delivery v2.6 Webmailinfinite-mobile-delivery-xss(19151)12399101304414075Infinite Mobile Delivery Webmail 2.6 allows remote attackers to gain sensitive information via an HTTP request that contains invalid characters for a Windows foldername, which reveals the path in an error message.20050129 XSS in Infinite Mobile Delivery v2.6 Webmailinfinite-mobile-delivery-path-disclosure (19154)12399101304414075Xpand Rally 1.0.0.0 allows remote attackers or remote malicious game servers to cause a denial of service (application crash) via a packet with large values that are not properly handled in certain malloc or memcpy operations.20050130 Broadcast crash in Xpand Rally 1.0.0.012409xpand-rally-memory-dos(19150)10130431407320050130 Broadcast crash in Xpand Rally 1.0.0.0pafiledb.php in PaFileDB 3.1 allows remote attackers to gain sensitive information via an invalid or missing action parameter, which reveals the path in an error message when it cannot include a login.php script.20050131 [PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Finalpafiledb-login-path-disclosure(19175)pafiledb.php in Pafiledb 3.1 may allow remote attackers to execute arbitrary PHP code via a modified action parameter that is used in an include statement for login.php.20050131 [PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Finalpafiledb-login-file-include(19176)Zyxel P310, P314, P324 and Netgear RT311, RT314 running the latest firmware, allows remote attackers on the WAN to obtain the IP address of the LAN side interface by pinging a valid LAN IP address, which generates an ARP reply from the WAN address side that maps the LAN IP address to the WAN's MAC address.20050131 Zyxel / Netgear and probably other routers leaking information.zyxel-netgear-ping-information-disclosure(20609)Directory traversal vulnerability in ZipGenius 5.5 and earlier allows remote attackers to create and possibly modify arbitrary files via a ZIP file with a file whose name includes .. (dot dot) sequences.20050202 7a69Adv#19 - ZipGenius unpack path disclosurehttp://securitytracker.com/id?101354212419zipgenius-path-disclosure(19203)14123Buffer overflow in Painkiller 1.35 and earlier, and possibly other versions before 1.61, allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a long cd-key hash.1242314113painkiller-long-cdkey-bo(19205)101306620050202 Limited buffer-overflow in Painkiller 1.35Directory traversal vulnerability in WinRAR 3.42 and earlier, when the user clicks on the ZIP file to extract it, allows remote attackers to create arbitrary files via a ... (triple dot) in the filename of the ZIP file.20050202 7a69Adv#21 - WinRAR unpack one-folder path disclosure12422winrar-dotdotdotdirectory-traversal(20585)Directory traversal vulnerability in DeskNow Mail and Collaboration Server 2.5.12 allows remote attackers to (1) upload and possibly execute files outside the directory via the AttachmentsKey parameter to attachment.do, as demonstrated using JSP pages, or (2) delete arbitrary files via the select_file parameter to file.do.20050202 [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilitieshttp://www.security.org.sg/vuln/desknow2512.html12421desknow-attachmentkey-file-upload(19206)desknow-jsp-gain-access(19211)desknow-filedo-file-deletion(19212)101306014116LANChat Pro Revival 1.666c allows remote attackers to cause a denial of service (application crash) via a malformed UDP packet.20050203 DoS in LANChat Pro Revival 1.666chttp://www.autistici.org/fdonato/advisory/LANChatRevival1.666c-adv.txt12439lanchatpro-udp-packet-dos(19213)Linksys PSUS4 running firmware 6032 allows remote attackers to cause a denial of service (device crash) via an HTTP POST request containing an unknown parameter without a value.20050203 [ RSTACK Public Security Advisory ] Remote DOS against Linksys PSUS41244314136linksys-psus4-dos(19222)Directory traversal vulnerability in EMotion MediaPartner Web Server 5.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.20050110 Portcullis Security Advisory 05-010http://www.securitytracker.com/alerts/2005/Jan/1012838.html12236mediapartner-dotdot-directory-traversal(18842)101283813820Cross-site scripting (XSS) vulnerability in EMotion MediaPartner Web Server 5.0 allows remote attackers to inject arbitrary HTML or web script, as demonstrated using a URL containing .. sequences and HTML, which results in a directory browsing page that does not properly filter the HTML.20050110 Portcullis Security Advisory 05-010http://www.securitytracker.com/alerts/2005/Jan/1012838.html12236mediapartner-url-xss(18845)101283813820Postfix 2.1.3, when /proc/net/if_inet6 is not available and permit_mx_backup is enabled in smtpd_recipient_restrictions, allows remote attackers to bypass e-mail restrictions and perform mail relaying by sending mail to an IPv6 hostname.20050204 [USN-74-1] Postfix vulnerabilityhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=2678371244514137postfix-ipv6-security-bypass(19218)RHSA-2005:152Buffer overflow in Savant Web Server 3.1 allows remote attackers to execute arbitrary code via a long HTTP request.20050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.120050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.120050204 Exploit For Savant Web Server 3.1 (tested on win2003)12429savant-bo(19177)Buffer overflow in Foxmail 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long MAIL FROM command.20050205 Foxmail Server Remote Buffer Overflow Vulnerability12454foxmail-mailfrom-bo(19229)Integer signedness error in Apple File Service (AFP Server) allows remote attackers to cause a denial of service (application crash) via a negative UAM string length in a FPLoginExt packet.20050208 AppleFileServer Denial of Service.APPLE-SA-2005-03-21Applefileserver-fploginext-dos(19263)12478Apple Safari 1.2.4 does not obey the Content-type field in the HTTP header and renders text as HTML, which allows remote attackers to inject arbitrary web script or HTML and perform cross-site scripting (XSS) attacks.20050204 Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12http://tigger.uic.edu/~jrockw2/safari_20050204.txthttp://www.securitytracker.com/alerts/2005/Feb/1013087.htmlsafari-contenttype-xss(19227)1013087The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file.20050207 [OSX Finder] DS_Store arbitrary file overwrite vulnerability.1245814188Finder-dsstore-file-overwrite(19253)APPLE-SA-2005-05-03SQL injection vulnerability in PerlDesk 1.x allows remote attackers to inject arbitrary SQL commands via the view parameter.20050207 [SePro Bugtraq] SQL-Injection in PerlDesk 1.xhttp://www.security-project.org/projects/board/showthread.php?p=5172#post51721247112512perldesk-view-sql-injection(19245)Directory traversal vulnerability in 602LAN SUITE 2004.0.04.1221 allows remote authenticated users to upload and execute arbitrary files via a .. (dot dot) in the filename parameter.20050208 [SIG^2 G-TEC] 602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directorieshttp://www.security.org.sg/vuln/602lansuite1221.html14169602lansuite-webmail-directory-traversal(19258)1013106viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2) forum_cat parameters, which allows remote attackers to view protected forums via the thread_id parameter.20050208 php-fusion 4.x vulnphpfusion-viewthread-obtain-information(19257)12482SafeNet SoftRemote VPN Client stores the VPN password (pre-shared key) in cleartext in memory of the IreIKE.exe process, which allows local users to gain sensitive information if they have access to that process.20050208 SafeNet SoftRemote VPN Client Issue: Clear-text passwordhttp://www.nta-monitor.com/news/vpn-flaws/safenet/index.htmsoftremote-vpn-password-disclosure(19256)1013134Integer overflow in RealArcade 1.2.0.994 and earlier allows remote attackers to execute arbitrary code via an RGS file with an invalid size string for the GUID and game name, which leads to a buffer overflow.20050208 Integer overflow and arbitrary files deletion in RealArcade1418720050208 Integer overflow and arbitrary files deletion in RealArcaderealarcade-rgs-bo(19259)1013128Directory traversal vulnerability in RealArcade 1.2.0.994 allows remote attackers to delete arbitrary files via an RGP file with a .. (dot dot) in the FILENAME tag.20050208 Integer overflow and arbitrary files deletion in RealArcade1418720050208 Integer overflow and arbitrary files deletion in RealArcaderealarcade-rgp-file-deletion(19260)124941013128The production release of the UniversalAgent for UNIX in BrightStor ARCserve Backup 11.1 contains hard-coded credentials, which allows remote attackers to access the file system and possibly execute arbitrary commands.http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO63672&os=UNIX&returninput=020050210 Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor Vulnerability101314412522ADV-2005-01451370614233Heap-based buffer overflow in multiple F-Secure Anti-Virus and Internet Security products allows remote attackers to execute arbitrary code via a crafted ARJ archive.20050210 F-Secure AntiVirus Library Heap Overflowhttp://www.f-secure.com/security/fsc-2005-1.shtmlBuffer overflow in (1) termsh, (2) atcronsh, and (3) auditsh in SCO OpenServer 5.0.6 and 5.0.7 might allow local users to execute arbitrary code via a long HOME environment variable.SCOSA-2005.1513062Servers Alive 4.1 and 5.0, when running as a service, does not drop SYSTEM privileges before loading local manual under the help menu, which allows local users to gain privileges.20050316 Servers Alive: Local Privilege Escalation1282214616serversalive-gain-privileges(19715)Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel License Manager 7.2.0.2 allows remote attackers to execute arbitrary code by sending a large amount of data to UDP port 5093.20050307 CIRT.DK Advisory - SafeNet Inc Sentinel License Manager 7.2.0.2 Buffer Overflowhttp://www.cirt.dk/advisories/cirt-30-advisory.pdf20050313 [HAT-SQUAD] SafeNet Sentinel LM, UDP License Manager ExploitVU#1087901274214511sentinel-license-manager-bo(19621)Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later packets because they appear to be too old.20050518 Vulnerability in a Variant of the TCP Timestamps OptionVU#637934136761541715393tcp-ip-timestamp-dos(20635)FreeBSD-SA-05:15SCOSA-2005.641822218662EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 rely on AUTH_UNIX authentication, which relies on user ID for authentication and allows remote attackers to bypass authentication and gain privileges by spoofing a username or UID.Authentication and nwadmin, nsradmin, nsrports101886VU#606857145821880010147131647016464legato-authunix-bypass-authentication(21887)EMC Legato NetWorker, Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 6.0 through 7.2 do not properly verify authentication tokens, which allows remote attackers to gain privileges by modifying an authentication token.Retrieving HTTP content in .NET101886VU#407641145821880110147131647016464legato-token-gain-privileges(21892)The Legato PortMapper in EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 does not restrict access to the pmap_set and pmap_unset commands, which allows remote attackers to (1) cause a denial of service by using pmap_unset to un-register a NetWorker service, or (2) obtain sensitive information from NetWorker services by using pmap_set to register a new service.Legato PortMapper and Remote RPC Access101886VU#801089145821880210147131647016464legato-portmapper-obtain-information(21893)The Microsoft Log Sink Class ActiveX control in pkmcore.dll is marked as "safe for scripting" for Internet Explorer, which allows remote attackers to create or append to arbitrary files.VU#165022awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode", (2) "loadplugin", or (3) "noloadplugin" parameters.http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=29448816089awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter.DSA-682http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488Unknown vulnerability in BIND 9.2.0 in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to cause a denial of service.HPSBUX0111714220hpux-bind-dos(19276)The dcopidlng script in KDE 3.2.x and 3.3.x creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack.20050211 insecure temporary file creation in kdelibs 3.3.2http://bugs.kde.org/show_bug.cgi?id=97608http://www.kde.org/info/security/advisory-20050316-2.txtGLSA-200503-14MDKSA-2005:045MDKSA-2005:058FEDORA-2005-245101352514254RHSA-2005:325MDKSA-2005:045MDKSA-2005:058The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed.http://www.pgp.com/library/ctocorner/openpgp.htmlhttp://eprint.iacr.org/2005/033.pdfGLSA-200503-29MDKSA-2005:057VU#303094125291013166SuSE-SR:2005:00713775MDKSA-2005:057Multiple directory traversal vulnerabilities in ArGoSoft Mail Server 1.8.7.3 allow remote authenticated users to read, delete, or upload arbitrary files via a .. (dot dot) in (1) the filename of an e-mail attachment, (2) the _msgatt.rec file, (3) and the /msg, /delete, /folderadd, and /folderdelete operations for the Folder parameter.20050209 [SIG^2 G-TEC] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilitieshttp://www.security.org.sg/vuln/argosoftmail1873.htmlMultiple SQL injection vulnerabilities in CMScore allow remote attackers to execute arbitrary SQL commands via the (1) EntryID or (2) searchterm parameter to index.php, or (3) username parameter to authenticate.php.20050209 CMS Core SQL injection1245714142cmscore-multiple-sql-injection(19235)Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 earlier allows remote attackers to cause a denial of service (application crash) via a packet with a large (1) descriptor ID or (2) claim_id, which exceeds the boundaries of an array.20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and earlier allow remote attackers to cause a denial of service (network disconnection) via an empty UDP packet, which is not properly distinguished from the "no new packets" state of the associated socket.20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and earlier allow remote attackers to cause a denial of service (freeze) via a large number of player connections that do not send any data.20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command.DSA-686GLSA-200502-27CLSA-2005:957FEDORA-2005-309FEDORA-2005-31012539OVAL717RHSA-2005:410oval:org.mitre.oval:def:717MDKSA-2005:050Buffer overflow in digestmd5.c CVS release 1.170 (also referred to as digestmda5.c), as used in the DIGEST-MD5 SASL plugin for Cyrus-SASL but not in any official releases, allows remote attackers to execute arbitrary code.https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c?rev=1.171&content-type=text/x-cvsweb-markuphttps://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171[openbsd-ports] 20040717 UPDATE: cyrus-sasl-2.1.19GLSA-200410-05MDKSA-2005:054SUSE-SR:2005:00611347cyrus-sasl-digestmda5-bo(17642)MDKSA-2005:054Cross-site scripting (XSS) vulnerability in Bitboard 2.5 and earlier allows remote attackers to inject arbitrary web script or HTML via an [img] bbcode image tag with an event such as mouseover.20050112 Security Advisory: BiTBOARD xss12248bitshifters-bitboard-xss(18871)1012864imageview.php in SGallery 1.01 allows remote attackers to obtain sensitive information via an HTTP request with (1) idalbum and (2) idimage unset, which reveals the installation path in an error message for the sql_fetch_row function.20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNukehttp://www.waraxe.us/advisory-39.htmlsgallery-path-disclosure(18877)1012868PHP remote file inclusion vulnerability in SGallery 1.01 allows local and possibly remote attackers to execute arbitrary PHP code by modifying the DOCUMENT_ROOT parameter to reference a URL on a remote web server that contains (1) config.php or (2) sql_layer.php.20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNukehttp://www.waraxe.us/advisory-39.html13824sgallery-file-include(18878)1012868SQL injection vulnerability in imageview.php for SGallery 1.01 allows remote attackers to execute arbitrary SQL commands via the (1) idalbum or (2) idimage parameters.20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNukehttp://www.waraxe.us/advisory-39.html1224913824sgallery-imageview-sql-injection(18876)1012868Multiple cross-site scripting (XSS) vulnerabilities in Horde 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter to prefs.php or (2) url parameter to index.php.20050113 Cross Site Scripting holes found in Horde 3.0http://www.hyperdose.com/advisories/H2005-01.txt12255horde-prefs-index-xss(18881)1012892Multiple directory traversal vulnerabilities in ZeroBoard 4.1pl5 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the _zb_path parameter to (1) _head.php or (2) outlogin.php, or the dir parameter to (3) write.php.20050113 STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilitieshttp://securitytracker.com/alerts/2005/Jan/1012884.html12257zeroboard-file-disclosure(18891)1012884Multiple PHP remote file inclusion vulnerabilities in (1) print_category.php, (2) login.php, (3) setup.php, (4) ask_password.php, or (5) error.php in ZeroBoard 4.1pl5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the dir parameter to reference a URL on a remote web server that contains the code.20050113 STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilitieshttp://securitytracker.com/alerts/2005/Jan/1012884.html122061225813769zeroboard-printcategory-file-include(18892)zeroboard-zero-vote-file-include(18893)10128841292812930129311293212929Cross-site scripting (XSS) vulnerability in f.aspx in forumKIT 1.0 allows remote attackers to inject arbitrary web script or HTML via the members parameter.20050113 XSS Vulnerability in ForumKIT12256http://www.securitytracker.com/alerts/2005/Jan/1012895.htmlforumkit-members-xss(18880)1012895Breed patch 1 and earlier allows remote attackers to cause a denial of service (application crash) via an empty UDP packet, which triggers a null dereference.20050113 Server crash in Breed patch #11226213211breed-udp-datagram-dos(18890)Trend Micro Control Manager 3.0 Enterprise Edition allows remote attackers to gain privileges via a replay attack of the encrypted username and password.20050113 Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack20050113 Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attackhttp://www.cirt.dk/advisories/cirt-28-advisory.pdfcontrol-manager-replay-attack(18887)Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via a pppd client.RHSA-2005:283RHSA-2005:28420050315 [USN-95-1] Linux kernel vulnerabilitiesSUSE-SA:2005:0182005-0009FLSA:152532USN-95-1RHSA-2005:293RHSA-2005:366DSA-1070DSA-1067DSA-1069128102016320202DSA-108220338Buffer overflow in luxman before 0.41, if used with certain insecure svgalib libraries, allows local users to execute arbitrary code via a long -f command line argument.20050314 DMA[2005-0310a] - 'Frank McIngvale LuxMan buffer overflow'http://www.digitalmunition.com/DMA[2005-0310a].txt DSA-6931279714582luxman-bo-execute-commands(19680)Cross-site scripting (XSS) vulnerability in network.cgi in mailreader before 2.3.29 earlier allows remote attackers to inject arbitrary web script or HTML via MIME text/enriched or text/richtext messages.DSA-70014777remstats 1.0.13 and earlier, when processing uptime data, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files.DSA-704Unknown vulnerability in the remoteping service in remstats 1.0.13 and earlier allows remote attackers to execute arbitrary commands "due to missing input sanitising."DSA-704** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0814. Reason: This candidate is a duplicate of CVE-2005-0814. Notes: All CVE users should reference CVE-2005-0814 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Buffer overflow in the HTTP redirection capability in conn.c for Axel before 1.0b may allow remote attackers to execute arbitrary code.http://www.mail-archive.com/debian-devel-changes@lists.debian.org/msg118978.htmlGLSA-200504-091305914831DSA-706geneweb 4.10 and earlier does not properly check file permissions and content during conversion, which allows attackers to modify arbitrary files.DSA-712geneweb-insecure-file-permission(20176)ppxp does not drop root privileges before opening log files, which allows local users to execute arbitrary commands.DSA-725The helper scripts for crip 3.5 do not properly use temporary files, which allows local users to have an unknown impact with unknown attack vectors.DSA-733** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none.Desktop Communication Protocol (DCOP) daemon, aka dcopserver, in KDE before 3.4 allows local users to cause a denial of service (dcopserver consumption) by "stalling the DCOP authentication process."20050316 Multiple KDE Security Advisories (2005-03-16)http://www.kde.org/info/security/advisory-20050316-1.txtGLSA-200503-22MDKSA-2005:058RHSA-2005:307RHSA-2005:325FLSA:178606MDKSA-2005:05812820Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications.20050303 [USN-90-1] Imagemagick vulnerabilityDSA-702GLSA-200503-11http://bugs.gentoo.org/show_bug.cgi?id=83542RHSA-2005:320SUSE-SA:2005:017imagemagick-filename-format-string(19586)RHSA-2005:070The KAME racoon daemon in ipsec-tools before 0.5 allows remote attackers to cause a denial of service (crash) via malformed ISAKMP packets.[ipsec-tools-devel] 20050312 potential remote crash in racoonGLSA-200503-33RHSA-2005:232https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=109966&action=viewhttp://www.k-otik.com/english/advisories/2005/0264http://securitytracker.com/id?10134331280414584racoon-isakmp-header-dos(19707)MDKSA-2005:062http://www.frsirt.com/english/advisories/2005/0264MDKSA-2005:062Heap-based buffer overflow in GIF2.cpp in Firefox before 1.0.2, Mozilla before to 1.7.6, and Thunderbird before 1.0.2, and possibly other applications that use the same library, allows remote attackers to execute arbitrary code via a GIF image with a crafted Netscape extension 2 block and buffer size.20050323 Mozilla Foundation GIF Overflowhttp://www.mozilla.org/security/announce/mfsa2005-30.htmlhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150877GLSA-200503-30RHSA-2005:323RHSA-2005:335RHSA-2005:336RHSA-2005:337VU#557948P-160http://www.frsirt.com/english/advisories/2005/029614654gif-extension-overflow(19269)12881OVAL100028SCOSA-2005.4915495SUSE-SA:2006:02219823oval:org.mitre.oval:def:100028The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not properly initialize memory when creating a block for a new directory entry, which allows local users to obtain potentially sensitive information by reading the block.Information leak in the Linux kernel ext2 implementation20050401 [USN-103-1] Linux kernel vulnerabilitieskernel-ext2-information-disclosure(19866)http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.614713FLSA:152532USN-103-1RHSA-2006:0190RHSA-2006:019118684RHSA-2005:366RHSA-2005:6631700220050401 Information leak in the Linux kernel ext2 implementation12932ADV-2005-1878FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2."20050324 Firescrolling 2 [Firefox 1.0.1]http://mikx.de/firescrolling2/http://www.mozilla.org/security/announce/mfsa2005-32.htmlGLSA-200503-30RHSA-2005:335RHSA-2005:336http://www.frsirt.com/english/advisories/2005/02961465412885OVAL100026RHSA-2005:384oval:org.mitre.oval:def:100026Firefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page.http://www.mozilla.org/security/announce/mfsa2005-31.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=284627RHSA-2005:336http://www.frsirt.com/english/advisories/2005/029614654OVAL100027oval:org.mitre.oval:def:100027init_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 does not properly clear controlling tty's in multi-threaded applications, which allows local users to cause a denial of service (crash) and possibly gain tty access via unknown attack vectors that trigger an access of a pointer to a freed structure.RHSA-2005:293KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email information, such as whether the email has been digitally signed or encrypted, via HTML formatted email.[kmail-devel] 20050215 [Bug 96020] HTML Allows Spoofing of Emails Contenthttp://bugs.kde.org/show_bug.cgi?id=96020http://www.securiteam.com/unixfocus/5GP0B0AFFE.html14925A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.20050214 Advisory: JPEG EXIF information disclosure20050214 Advisory: JPEG EXIF information disclosureCross-site scripting (XSS) vulnerability in Openconf 1.04, and possibly other versions before 1.10, allows remote attackers to inject arbitrary HTML and web script via the paper title.20050214 Advisory: Cross Site Scripting Vulnerability in Openconf Conference Management Software1255414294CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable.20050214 Advisory: Authentication bypass in CitrusDB20050214 Advisory: Authentication bypass in CitrusDBCitrusDB 0.3.6 and earlier does not verify authorization for the (1) importcc.php and (2) uploadcc.php, which allows remote attackers to upload credit card data and obtain sensitive information such as the pathnames for temporary files that store credit card data, and facilitates the exploitation of other vulnerabilities.20050214 Advisory: Upload Authorization bypass in CitrusDB20050214 Advisory: Upload Authorization bypass in CitrusDBSQL injection vulnerability in importcc.php for CitrusDB 0.3.6 and earlier allows remote attackers to inject data via the fields of a CSV file.20050214 Advisory: SQL-Injection in CitrusDB20050214 Advisory: SQL-Injection in CitrusDBDirectory traversal vulnerability in index.php for CitrusDB 0.3.6 and earlier allows remote attackers and local users to include arbitrary PHP files via .. (dot dot) sequences in the load parameter.20050214 Advisory: Directory traversal in CitrusDB20050214 Advisory: Directory traversal in CitrusDBCross-site scripting (XSS) vulnerability in Spidean PostWrap allows remote attackers to inject arbitrary HTML and web script via the page parameter.XSS VULNERABILITY AT MODULE PostWrapPostWrap Lets Remote Users Conduct Cross-Site Scripting AttacksPostWrap cross-site scriptingMultiple SQL injection vulnerabilities in MyPHP Forum 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the fid in forum.php, (2) the member parameter in member.php, (3) the email parameter in forgot.php, or (4) the nbuser or nbpass parameters in include.php. NOTE: it was later reported that vector 2 exists in 3.0 and earlier.Several SQL injection bugs in myPHP Forum v.1.0MyPHP Forum Input Validation Holes Let Remote Users Inject SQL Commandsmyphpforum-multiple-sql-injection(19272)1250114205myphpforum-member-sql-injection(39348)SQL injection vulnerability in post.php for MercuryBoard 1.1.1 allows remote attackers to execute arbitrary SQL commands via a reply post action for index.php with (1) the t parameter or (2) the qu parameter.MercuryBoard 'func/post.php' Input Validation Error in 'qu' Parameter Lets Remote Users Inject SQL CommandsMultiple vulnerabilities in MercuryBoard 1.1.120050209 Mercuryboard =?iso-8859-1?Q?<=3D?= 1.1.1 Working Sql Injectionmercuryboard-index-sql-injection(19051)Multiple memory leaks in the MQL parser in Emdros before 1.1.22 allow remote attackers to cause a denial of service (memory consumption) via malformed MQL statements.Malformed MQL can lead to DOS attackbid 12498emdros-mql-dos(19273)The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to execute arbitrary code via the AnimationHeaderBlock length field, which leads to a stack-based buffer overflow.Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution (891711)bid 12233Microsoft Windows USER32.DLL ANI header overflowhttp://eeye.com/html/research/advisories/AD20050111.html20050111 EEYE: Windows ANI File Parsing Buffer Overflow20050112 Windows ANI File Parsing Proof Of Concept (MS05-002)Unknown "high risk" vulnerability in DB2 Universal Database 8.1 and earlier has unknown impact and attack vectors. NOTE: due to the delayed disclosure of details for this issue, this candidate may be SPLIT in the future. In addition, this may be a duplicate of other issues as reported by the vendor.Patch available for high risk IBM DB2 Universal Database flawbid 12508http://www.ngssoftware.com/advisories/db2-09-05-05.htmArgument injection vulnerability in Java Web Start for J2SE 1.4.2 up to 1.4.2_06, on Mac OS X, allows untrusted applications to gain privileges via the value parameter of a property tag in a JNLP file. NOTE: it is highly likely that this item will be MERGED with CVE-2005-0836.APPLE-SA-2005-03-24Multiple heap-based buffer overflows in 3Com 3CServer allow remote authenticated users to execute arbitrary code via long FTP commands, as demonstrated using the STAT command.Vulnerability in 3Com 3CServer v1.13cserver-multiple-command-bo(19250)Microsoft Outlook Web Access (OWA), when used with Exchange, allows remote attackers to redirect users to arbitrary URLs for login via a link to the owalogon.asp application.Microsoft Outlook Web Access bid 12459Microsoft Outlook Web Access owalogon.asp script URL redirect20050206 Microsoft Outlook Web Access URL Injection VulnerabilityADV-2005-0105DelphiTurk FTP 1.0 stores usernames and passwords in the profile.dat file, which allows local users to gain privileges.DelphiTurk FTP Discloses Passwords to Local Usersdelphiturkcodebank-obtain-information(19248)DelphiTurk CodeBank (aka KodBank) 3.1 and earlier stores usernames and passwords in the Codebank registry key, which allows local users to gain privileges.DelphiTurk FTP Discloses Passwords to Local UsersDelphiturkCodeBank obtain informationSQL injection vulnerability in login.asp in ASPjar Guestbook allows remote attackers to execute arbitrary SQL commands via the password field.bid 12521AspJar Guestbook Two Vulnerabilities AspJar Guestbook Two VulnerabilitiesASPjar Guestbook login.asp SQL injection20050210 ASPjar guestbook (Injection in login page)Unknown vulnerability in the delete.asp program in certain versions of ASPjar Guestbook allows remote attackers to delete messages. NOTE: there is insufficient information to know if this is the same issue as CVE-2002-1730.bid 12521 AspJar Guestbook Two VulnerabilitiesASPjar Guestbook delete.asp message deletion20050210 ASPjar guestbook (Injection in login page)Unknown vulnerability in IBM Websphere Application Server 5.0, 5.1, and 6.0 when running on Windows, allows remote attackers to obtain the source code for Java Server Pages (.jsp) via a crafted URL that causes the page to be processed by the file serving servlet instead of the JSP engine.Possible JSP source code exposurePossible JSP source code exposureIBM WebSphere Application Server JSP Source Code DisclosureUnknown vulnerability in Solaris 8 and 9 allows remote attackers to cause a denial of service (panic) via "Heavy UDP Usage" that triggers a NULL dereference.Heavy UDP Usage May Cause a System to Panic12385solaris-udp-end-point-dos(19119)The ebuild of Webmin before 1.170-r3 on Gentoo Linux includes the encrypted root password in the miniserv.users file when building a tbz2 of the webmin package, which allows remote attackers to obtain and possibly crack the encrypted password.Webmin: Information leak in Gentoo binary packageapp-admin/webmin binary package contains sensitive infowebmin-encrypted-password(19315)The DNSPacket::expand method in dnspacket.cc in PowerDNS before 2.9.17 allows remote attackers to cause a denial of service by sending a random stream of bytes.PowerDNS: Denial of Service vulnerabilitybid 12446PowerDNS random bytes denial of servicehttp://doc.powerdns.com/changelog.html#CHANGELOG-2-9-17http://ds9a.nl/cgi-bin/cvstrac/pdns/tktview?tn=21Direct code injection vulnerability in forumdisplay.php in vBulletin 3.0 through 3.0.4, when showforumusers is enabled, allows remote attackers to execute inject arbitrary PHP commands via the comma parameter.20050213 vbulletin 3.0.x PHP code execution12542The Quake 3 engine, as used in multiple game packages, allows remote attackers to cause a denial of service (shutdown game server) and possibly crash the server via a long infostring, possibly triggering a buffer overflow.1253420050212 Infostring crash and shutdown in the Quake 3 engineBarracuda Spam Firewall 3.1.10 and earlier does not restrict the domains that white-listed domains can send mail to, which allows members of white-listed domains to use Barracuda as an open mail relay for spam.20050210 Barracuda Spam Firewall <= 3.1.10 acts as open relay for whitelisted senders.14243barracuda-open-relay(19283)BEA WebLogic Server 7.0 Service Pack 5 and earlier, and 8.1 Service Pack 3 and earlier, generates different login exceptions that suggest why an authentication attempt fails, which makes it easier for remote attackers to guess passwords via brute force attacks.http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA05-74.00.jsp14298Php-Nuke 7.5 allows remote attackers to determine the full path of the web server via invalid or missing arguments to (1) db.php, (2) mainfile.php, (3) Downloads/index.php, or (4) Web_Links/index.php, which lists the path in a PHP error message.http://www.waraxe.us/advisory-40.html12561phpnuke-multiple-scripts-path-disclosure(19344)Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 7.5 allow remote attackers to inject arbitrary HTML or web script via (1) the newdownloadshowdays parameter in a NewDownloads operation or (2) the newlinkshowdays parameter in a NewLinks operation.http://www.waraxe.us/advisory-40.html12561phpnuke-downloads-weblinks-xss(19346)awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode parameters to rawlog.20050214 AWStats <= 6.4 Multiple vulnerabilities14299awstats-awstatpl-obtain-information(19333)Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter.20050214 AWStats <= 6.4 Multiple vulnerabilities14299awstats-function-code-execution(19336)13832Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to include arbitrary Perl modules via .. (dot dot) sequences in the loadplugin parameter.20050214 AWStats <= 6.4 Multiple vulnerabilities14299awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter.20050214 AWStats <= 6.4 Multiple vulnerabilities14299awstats-information-disclosure(19477)Buffer overflow in the decode_post function in ELOG before 2.5.7 allows remote attackers to execute arbitrary code via attachments with long file names.http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880http://midas.psi.ch/elogs/Forum/94112556http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880elog-weblog-bo(19313)ELOG before 2.5.7 allows remote attackers to bypass authentication and download a configuration file that contains a sensitive write password via a modified URL.http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880http://midas.psi.ch/elogs/Forum/94112556http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880Multiple stack-based buffer overflows in Sybase Adaptive Server Enterprise (ASE) 12.x before 12.5.3 ESD#1 allow remote authenticated users to execute arbitrary code via the (1) attrib_valid function, (2) covert function, (3) declare statement, or (4) a crafted query plan, or remote authenticated users with database owner or "sa" role privileges to execute arbitrary code via (5) a crafted install java statement.20041222 Sybase ASE 12.5.2 vulnerabilities20050321 Details of Sybase ASE bugs withheld20050405 Sybase ASE Multiple Security Issues (#NISR05042005)http://www.ngssoftware.com/advisories/sybase-ase.txthttp://www.sybase.com/detail?id=1034520http://www.sybase.com/detail?id=10347521208013632sybase-adaptive-server(19354)sybase-ase-attribvalid-bo(19974)sybase-ase-convert-bo(19976)sybase-ase-declare-bo(19978)sybase-ase-abstract-bo(19979)sybase-ase-install-java-bo(19980)Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language parameter.20050214 [NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities20050406 RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosurehttp://www.cubecart.com/site/forums/index.php?showtopic=57411254914272cubecart-dotdot-directory-traversal(19322)index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message.20050214 [NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilitieshttp://www.cubecart.com/site/forums/index.php?showtopic=574112549cubecart-index-xss(19328)14064VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries using a path that includes the rrdharan world-writable temporary directory, which allows local users to execute arbitrary code.GLSA-200502-18Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows remote attackers to inject arbitrary HTML or web script via the domain name parameter (logindomain) in the login page.14253http://turtle.ee.ncku.edu.tw/openwebmail/doc/changes.txthttp://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-05:01/2.5x.patchIndex of /openwebmail/download/currentopen-webmail-logindomain-xss(19335)125471013172Squid 2.5.STABLE8 and earlier allows remote attackers to cause a denial of service (crash) via certain DNS responses regarding (1) Fully Qualified Domain Names (FQDN) in fqdncache.c or (2) IP addresses in ipcache.c, which trigger an assertion failure.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE8-dns_asserthttp://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE8-dns_assert.patchCLA-2005:931DSA-688GLSA-200502-25MDKSA-2005:047RHSA-2005:17320050221 [USN-84-1] Squid vulnerabilities14271squid-xstrndup-dos(19332)FLSA-2006:15280912551RHSA-2005:201MDKSA-2005:047Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (hang) via a flood of certain ARP packets.576731428612553solaris-arp-dos(19331)1013179Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452.20050309 [USN-94-1] Perl vulnerabilityDSA-696GLSA-200501-38RHSA-2005:881USN-94-118075HPSBUX01208MDKSA-2005:0791276720060101-01-U1453118517FLSA-2006:152845RHSA-2005:67417079CLSA-2006:1056oval:org.mitre.oval:def:728MDKSA-2005:079The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function.[netdev] 20050124 Re: skb_checksum_helpRHSA-2005:283RHSA-2005:28420050215 [USN-82-1] Linux kernel vulnerabilitiesCLA-2005:945SUSE-SA:2005:018FLSA:152532USN-82-1MDKSA-2005:218RHSA-2005:293RHSA-2005:366DSA-1017DSA-101819374193691259820060402-01-U19607MDKSA-2005:218Directory traversal vulnerability in Sami HTTP Server 1.0.5 allows remote attackers to read arbitrary files via an HTTP request containing (1) .. (dot dot) or (2) "%2e%2e" (encoded dot dot) sequences.101319114283Sami HTTP Server 1.0.5 allows remote attackers to cause a denial of service via an HTTP request containing two CRLF sequences, which triggers a NULL dereference.101319114283Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ASP.NET (.Net) 1.0 and 1.1 to SP1 allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<".20050217 XSS vulnerabilty in ASP.Net [with details]http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml1257414214The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension.http://article.gmane.org/gmane.comp.web.lighttpd/1171GLSA-200502-2114297Multiple SQL injection vulnerabilities in DCP-Portal 6.1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the lcat, doc, or uid parameters to index.php, or (2) the mid or bid parameters to forums.php.20050216 [hackgen-2005-#003] - SQL injection bugs in DCP-Portalhttp://www.hackgen.org/advisories/hackgen-2005-003.txt101321620051211 [PHP-CHECKER] 99 potential SQL injection vulnerabilities12573dcpportal-multiple-sql-injection(19361)108Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse.cpp for RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1 allows remote attackers to execute arbitrary code via a .SMIL file with a large system-screen-size value.20050301 RealNetworks RealPlayer .smil Buffer Overflow Vulnerabilityhttp://service.real.com/help/faq/security/050224_playerRHSA-2005:26520050301 RealNetworks RealPlayer .smil Buffer Overflow VulnerabilityRHSA-2005:271Opera 7.54 and earlier does not properly validate base64 encoded binary data in a data: (RFC 2397) URL, which causes the URL to be obscured in a download dialog, which may allow remote attackers to trick users into executing arbitrary code.http://www.opera.com/linux/changelogs/754u2/GLSA-200502-17VU#88292613818opera-data-dialog-spoofing(18867)SUSE-SA:2005:031Opera 7.54 and earlier on Gentoo Linux uses an insecure path for plugins, which could allow local users to gain privileges by inserting malicious libraries into the PORTAGE_TMPDIR (portage) temporary directory.GLSA-200502-17http://bugs.gentoo.org/show_bug.cgi?id=81747Cross-site scripting (XSS) vulnerability in contact_us.php in osCommerce 2.2-MS2 allows remote attackers to inject arbitrary web script or HTML via the enquiry parameter.20050215 [NOBYTES.COM: #3] osCommerce 2.2-MS2 - XSS VulnerabilityphpMyAdmin 2.6.2-dev, and possibly earlier versions, allows remote attackers to determine the full path of the web root via a direct request to select_lang.lib.php, which reveals the path in a PHP error message.1013210index.php in MercuryBoard 1.0.x and 1.1.x allows remote attackers to obtain sensitive information by setting the debug parameter.http://lostmon.blogspot.com/2005/02/mercuryboard-debug-information.html1378714284Unknown vulnerability in NewsBruiser 2.x before 2.6.1 allows remote attackers to "take actions on comments."http://newsbruiser.tigris.org/source/browse/newsbruiser/CHANGELOG?rev=1.283&content-type=text/x-cvsweb-markuphttp://newsbruiser.tigris.org/servlets/NewsItemView?newsItemID=101614262Cross-site scripting (XSS) vulnerability in MercuryBoard 1.0.x and 1.1.x allows remote attackers to inject arbitrary HTML and web script via the f parameter.http://lostmon.blogspot.com/2005/02/mercuryboard-forumphp-f-variable-xss.html13937Unknown "major security flaws" in Ulog-php before 1.0, related to input validation, have unknown impact and attack vectors, probably related to SQL injection vulnerabilities in (1) host.php, (2) port.php, and (3) index.php.http://www.inl.fr/article.php3?id_article=71261013853101322014321gr_osview in SGI IRIX 6.5.22, and possibly other 6.5 versions, does not drop privileges when opening description files while in debug mode, which allows local users to read a line from arbitrary files via the -d and -D options, which prints the line as a formatting error.20050407 SGI IRIX gr_osview Information Disclosure Vulnerability20050402-01-P15351101366214875gr_osview in SGI IRIX does not drop privileges before opening files, which allows local users to overwrite arbitrary files via the -s option.20050407 SGI IRIX gr_osview File Overwrite Vulnerability20050402-01-P101366214875Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients for PuTTY 0.56, and possibly earlier versions, allow remote malicious web sites to execute arbitrary code via SFTP responses that corrupt the heap after insufficient memory has been allocated.20050221 Multiple PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerabilitieshttp://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.htmlhttp://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.htmlGLSA-200502-2814333putty-sftppktgetstring-bo(19403)17214Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumers more memory than allocated.20050328 Multiple Telnet Client env_opt_add() Buffer Overflow VulnerabilityFreeBSD-SA-05:01.telnethttp://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txtDSA-703MDKSA-2005:061RHSA-2005:327RHSA-2005:33020050405-01-PDSA-731VU#341908147455775557761USN-224-117899CLA-2005:96212919101671101665MDKSA-2005:061Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands.20050328 Multiple Telnet Client slc_add_reply() Buffer Overflow VulnerabilityFreeBSD-SA-05:01.telnethttp://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txtDSA-697DSA-699DSA-703GLSA-200503-36MDKSA-2005:061RHSA-2005:327RHSA-2005:33020050405-01-P57755VU#291924DSA-7311474557761USN-224-11789912918101671101665MDKSA-2005:061Buffer overflow in wpa_supplicant before 0.2.7 allows remote attackers to cause a denial of service (segmentation fault) via invalid EAPOL-Key packet data.wpa_supplicant: Buffer overflow vulnerabilitywpa_supplicant EAPOL-Key Frames Buffer Overflowwpa_supplicant buffer overflow[HostAP] 20050213 wpa_supplicant - new stable releases v0.3.8 and v0.2.71013226Sun Java JRE 1.1.x through 1.4.x writes temporary files with long filenames that become predictable on a file system that uses 8.3 style short names, which allows remote attackers to write arbitrary files to known locations and facilitates the exploitation of vulnerabilities in applications that rely on unpredictable file names.Sun Java Plugin may create temporary files with predictable namesSun Java Plugin Predictable File Location WeaknessSun Java Plugin Predictable File Location Weakness Sun Java Plugin Predictable File Location Weaknesshttp://secunia.com/secunia_research/2004-7/advisory/sun-java-create-files(19285)Gaim before 1.1.3 allows remote attackers to cause a denial of service (infinite loop) via malformed SNAC packets from (1) AIM or (2) ICQ.Gaim SNAC packet denial of serviceGaim vulnerable to malformed SNAC packet infinite processing loopGaim VulnerabilityDSA-716GLSA-200503-03MDKSA-2005:049RHSA-2005:21514322RHSA-2005:432FLSA:15854312589CLA-2005:93320050225 [USN-85-1] Gaim vulnerabilitiesSUSE-SA:2005:036MDKSA-2005:049The HTML parsing functions in Gaim before 1.1.3 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0208.Important: gaim security updateGaim vulnerable to HTML processing denial of serviceGaim HTML denial of servicehttp://gaim.sourceforge.net/security/index.php?id=11GLSA-200503-03MDKSA-2005:04914322FLSA:15854312589CLA-2005:93320050225 [USN-85-1] Gaim vulnerabilitiesSUSE-SA:2005:036MDKSA-2005:049SQL injection vulnerability in the user_valid_crypt function in user.php in WebCalendar 0.9.45 allows remote attackers to execute arbitrary SQL commands via an encoded webcalendar_session cookie.WebCalendar: SQL Injection from encoded cookieWebCalendar "webcalendar_session" SQL InjectionWebCalendar webcalendar_session parameter SQL injection20050217 [ SCL-2005.001 ] - WebCalendar: SQL Injection from encoded cookie139181013231SQL injection vulnerability in paFAQ Beta4, and possibly other versions, allows remote attackers to execute arbitrary SQL code via the (1) offset, (2) limit, (3) order, or (4) orderby parameter to question.php, (5) offset parameter to answer.php, (6) search_item parameter to search.php, (7) cat_id, (8) cid, or (9) id parameter to comment.php.paFAQ Beta4 Sql InjectionpaFAQ SQL injectionCross-site scripting (XSS) vulnerability in hpm_guestbook.cgi allows remote attackers to inject arbitrary web script or HTML by posting a message.hpm-guestbook-xss(19372)20050217 hpm_guestbook.cgi JavaScript-InjectionCross-site scripting (XSS) vulnerability in the SML code for Invision Power Board 1.3.1 FINAL allows remote attackers to inject arbitrary web script via (1) a signature file or (2) a message post containing an IMG tag within a COLOR tag whose style is set to background:url.Invision Power Boards 1.3.1 FINAL XSS Exploitbid 12607invision-power-board-sml-xss(19399)Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP request with a long User-Agent header or (2) a long argument to an arbitrary PHP script.Multiple vulnerabilities in TrackerCam 5.12bid 12592trackercam-php-bo(19411)trackercam-useragent-bo(19409)Directory traversal vulnerability in ComGetLogFile.php3 for TrackerCam 5.12 and earlier allows remote attackers to read arbitrary files via ".." sequences and (1) "/" slash), (2) "\" (backslash), or (3) hex-encoded characters in the fn parameter.Multiple vulnerabilities in TrackerCam 5.12bid 12592trackercam-fn-directory-traversal(19414)Cross-site scripting (XSS) vulnerability in TrackerCam 5.12 and earlier allows remote attackers to inject arbitrary HTML or web script via the login request, which is recorded in a log file but not properly handled when the administrator views the log file.Multiple vulnerabilities in TrackerCam 5.12bid 12592trackercam-xss(19416)TrackerCam 5.12 and earlier allows remote attackers to read log files via the fn parameter in a direct request to the ComGetLogFile.php3 script.Multiple vulnerabilities in TrackerCam 5.12bid 12592trackercam-fn-path-disclosure(19415)TrackerCam 5.12 and earlier allows remote attackers to cause a denial of service (crash) via (1) a large number of connections with a negative Content-Length header, possibly triggering an integer signedness error, or (2) a large amount of data.Multiple vulnerabilities in TrackerCam 5.12bid 12592trackercam-contentlength-dos(19417)Multiple directory traversal vulnerabilities in sitenfo.sh, sitezipchk.sh, and siteziplist.sh in Glftpd 1.26 to 2.00 allow remote authenticated users to (1) determine the existence of arbitrary files, (2) list files in restricted directories, or (3) read arbitrary files from within ZIP or gzip files, via .. (dot dot) sequences and globbing ("*") characters in a SITE NFO command.Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based plug-insbid 12586glftpd-sitenfosh-directory-traversal(19401)Format string vulnerability in gprostats for GProFTPD before 8.1.9 may allow remote attackers to execute arbitrary code via an FTP transfer with a crafted filename that causes format string specifiers to be inserted into the ProFTPD transfer log.GProFTPD: gprostats format string vulnerabilitynet-ftp/gproftpd: gprostats format string vulnerabilityCross-site scripting (XSS) vulnerability in comment.php for paNews 2.0b4 for PHP Arena allows remote attackers to inject arbitrary HTML and web script via the showpost parameter.paNews v2.0b4 XSS Vulnerabilitybid 12576paNews comment.php script cross-site scriptingTarantella Secure Global Desktop Enterprise Edition 4.00 and 3.42, and Tarantella Enterprise 3 3.40 and 3.30, when using RSA SecurID and multiple users have the same username, reveals sensitive information during authentication, which allows remote attackers to identify valid usernames and the authentication scheme.Tarantella Security Bulletin #11bid 12591tarantella-enterprise-obtain-information(19407)Cross-site scripting (XSS) vulnerability in index.php for Kayako ESupport 2.3.1, and possibly other versions, allows remote attackers to inject arbitrary HTML and web script via the nav parameter.Kayako eSupport v2.3.1 Support Tracker XSSbid 12563kayako-index-xss(18571)Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.20050614 Multiple Vendor Telnet Client Information Disclosure Vulnerability5775557761VU#800829RHSA-2005:504SUSE-SR:2005:016OVAL11391014203RHSA-2005:56217135101671101665APPLE-SA-2006-08-012125313940ADV-2006-310119289oval:org.mitre.oval:def:1139 TA06-214AThe /proc handling (proc/base.c) Linux kernel 2.4 before 2.4.17 allows local users to cause a denial of service via unknown vectors that cause an invalid access of free memory.This vulnerability is addressed in the following product release: Linux, Linux kernel, 2.4.27DSA-1070DSA-1067DSA-10692016320202DSA-10821817320338Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication.20050221 Multiple Unix/Linux Vendor cURL/libcURL NTLM Authentication Buffer Overflow Vulnerability20050221 Multiple Unix/Linux Vendor cURL/libcURL Kerberos Authentication Buffer Overflow VulnerabilityCLA-2005:940GLSA-200503-20MDKSA-2005:04820050228 [USN-86-1] cURL vulnerabilitycurl-kerberos-bo(19423)RHSA-2005:340SUSE-SA:2005:011MDKSA-2005:0481261512616Stack-based buffer overflow in Knox Arkeia Server Backup 5.3.x allows remote attackers to execute arbitrary code via a long type 77 request.20050218 Knox Arkeia remote root/system exploit1259414327arkeia-backup-client-bo(19398)Adobe Acrobat Reader 6.0.3 and 7.0.0 allows remote attackers to cause a denial of service (application crash) via a PDF file that contains a negative Count value in the root page node.20050218 Adobe Reader invalid root page node Count value DOShttp://www.adobe.com/support/techdocs/331468.htmlhttp://www.frsirt.com/english/advisories/2005/0310adobe-root-page-node-dos(19946)14813CRLF injection vulnerability in bizmail.cgi in Biz Mail Form before 2.2 allows remote attackers to bypass the email check and send spam e-mail via CRLF sequences and forged mail headers in the email parameter.Upgrade to newest version.20050218 BizMail 2.1 Spam ExploitThe RgSecurity form in the HTTP server for the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not properly validate the password before performing changes, which allows remote attackers on the LAN to gain access via a direct POST request.20050219 Thomson TCW690 POST Password Validation Vulnerability14353thomson-tcw690-gain-access(19387)Cross-site scripting (XSS) vulnerability in ZeroBoard allows remote attackers to inject arbitrary web script or HTML via the (1) sn1, (2) year, or (3) page parameter to zboard.php or (4) filename to view_image.php.20050219 Multiples vulnerability in ZeroBoard,http://securitytracker.com/id?1013243zeroboard-xss(19420)Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands.20050220 Arkeia Network Backup Client Remote Accesshttp://metasploit.com/research/arkeia_agent/http://securitytracker.com/id?1013256arkeia-backup-client-gain-access(20667)ADP Elite System Max 9000 allows remote authenticated users to gain privileges by uploading a .profile that sets the ADPROOT environment variable to the root directory.20050219 ADP Elite System Max 9000 Series Login Vulnerabilityadp-elite-gain-privileges(20622)Gigafast router (aka CompUSA router) allows remote attackers to gain sensitive information and bypass the login page via a direct request to backup.cfg, which reveals the administrator password in plaintext.20050220 Gigafast/CompUSA router (model EE400-R) vulnerabilitiesgigafast-backupcfg-plaintext-password(19422)Gigafast router (aka CompUSA router) with the DNS proxy option enabled allows remote attackers to cause a denial of service via malformed DNS queries.20050220 Gigafast/CompUSA router (model EE400-R) vulnerabilitiesgigafast-dns-queries-dos(19426)Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to spoof the domain name of a URL in a titlebar for a script-initiated popup window, which could facilitate phishing attacks.20050221 WindowsXPSP2 script-initiated popup window12602ie-title-bar-spoofing(19452)14335Buffer overflow in Bontago 1.1 and earlier allows remote attackers exeucte arbitrary code via a long nickname.http://aluigi.altervista.org/adv/bontagobof-adv.txt1435012603bontago-nickname-bo(19406)Directory traversal vulnerability in Xinkaa 1.0.3 and earlier allows remote attackers to read arbitrary files via (1) ../ and (2) ..\ characters in an HTTP request.1434912606ADV-2005-0189xinkaa-web-directory-traversal(19404)uim before 0.4.5.1 trusts certain environment variables when libUIM is used in setuid or setgid applications, which allows local users to gain privileges.[uim] 20050220 uim 0.4.5.1 releasedMDKSA-2005:0461260413981MDKSA-2005:046Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value. grsecurity 2.1.0 release / 5 Linux, kernel, advisoriesbid 12195Linux kernel, MOXA serial driver buffer overflow20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories1013273RHSA-2005:529RHSA-2005:551RHSA-2005:66317002DSA-1070DSA-1067DSA-10692016320202DSA-1082ADV-2005-187820338USN-508-126651RHSA-2008:0237Unknown vulnerability in Information Resource Manager (IRM) before 1.5.2.1 allows remote attackers has "potentially serious" impact, related to LDAP logins.Release Name: 1.5.2.1IRM LDAP Login Security Bypass VulnerabilityIRM LDAP security bypassThe Avaya IP Office Phone Manager, and other products such as the IP Softphone, stores sensitive data in cleartext in a registry key, which allows local and possibly remote users to steal usernames and passwords and impersonate other users via keys such as Avaya\IP400\Generic.Avaya IP Office Phone Manager - Sensitive Information CleartextSensitive information leakageRe: Avaya IP Office Phone Manager - Sensitive Information Cleartext VulnerabilityAvaya IP Softphone plaintext passwordDirectory traversal vulnerability in SD Server 4.0.70 and earlier allows remote attackers to read arbitrary files via .. sequences in an HTTP request.SD Server 4.0.70 Directory Traversal BugSD Server Directory Traversal Vulnerabilityhttp://www.gdsoftware.dk/20050222 SD Server 4.0.70 Directory Traversal BugUnknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue."bid 12619Batik Squiggle Browser Unspecified Security Bypasshttp://xml.apache.org/batik/#SecurityWarningMultiple cross-site scripting (XSS) vulnerabilities in the Mono 1.0.5 implementation of ASP.NET (.Net) allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<".XSS vulnerabilty in ASP.Net [with details]Mono ASP.NET Unicode Conversion Cross-Site Scripting20050217 XSS vulnerabilty in ASP.Net [with details]http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xmlThe daemon for fallback-reboot before 0.995 allows attackers to cause a denial of service (daemon exit), possibly related to verbose debug messages when the daemon is not on a tty.fallback-reboot Daemon Status Denial of Service Vulnerabilitymisc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter.20050222 [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection1432612622PHP remote file inclusion vulnerability in Tar.php in Mambo 4.5.2 allows remote attackers to execute arbitrary PHP code by modifying the mosConfig_absolute_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2004-1693.http://mamboforge.net/frs/download.php/4043/Patch_4.5.2_to_4.5.2.1.zip14337PHP remote file inclusion vulnerability in mail_autocheck.php in the Email This Entry add-on for pMachine Pro 2.4, and possibly other versions including pMachine Free, allows remote attackers to execute arbitrary PHP code by directly requesting mail_autocheck.php and modifying the pm_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2003-1086.20050219 pMachine Pro / pMachine Free Remote Code Execution1259715473Cross-site scripting (XSS) vulnerability in Verity Ultraseek before 5.3.3 allows remote attackers to inject arbitrary HTML and web script via search parameters.20041223 Cross-Site Scripting - an industry-wide problemhttp://www.mikx.de/index.php?p=6VU#71614414367Smc.exe in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before launching the Log Viewer export functionality, which allows local users to corrupt arbitrary files by saving log files.http://secunia.com/secunia_research/2004-20/advisory/http://www.webroot.com/services/mfp_advisory.php1284213577The ImageGalleryPlugin (ImageGalleryPlugin.pm) in Twiki allows remote attackers to execute arbitrary commands via certain commands that generate thumbnails.20050223 Robustness patch for TWiki, vulnerability in ImageGalleryPluginhttp://www.enyo.de/fw/security/notes/twiki-robustness.htmlhttp://static.enyo.de/fw/patches/twiki/imagegallery-robustness-20041128.diff14384PeerFTP_5 stores sensitive information such as passwords in plaintext in the PeerFTP.ini files, which allows local users to gain privileges.http://securitytracker.com/id?1013263eXeem 0.21 stores sensitive information such as passwords in plaintext in the Exeem registry key, which allows local users to gain privileges via the proxy_user and proxy_password values.http://securitytracker.com/id?1013266ArGoSoft FTP Server before 1.4.2.7 allows remote attackers to read arbitrary files by uploading a ZIP file containing a shortcut (.LNK) file, using SITE UNZIP to extract the .LNK file onto the server, then accessing the file, a different vulnerability than CVE-2005-0520.http://www.argosoft.com/ftpserver/changelist.aspx141721158913614argosoft-ink-file-upload(17939)12487ArGoSoft FTP Server before 1.4.2.8 allows remote attackers to read arbitrary files via shortcut (.LNK) files in the SITE COPY command, a different vulnerability than CVE-2005-0519.http://www.argosoft.com/ftpserver/changelist.aspx143721263214061argosoft-site-copy-files(19442)SendLink 1.5 stores sensitive information, possibly including passwords, in plaintext in the data.eat file, which allows local users to gain privileges.http://securitytracker.com/id?1013269Chat Anywhere 2.72a stores sensitive information such as passwords in plaintext in the .INI file for a chatroom, which allows local users to gain privileges.http://securitytracker.com/id?1013270Format string vulnerability in ProZilla 1.3.7.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the Location header.http://www.securiteam.com/exploits/5WP082KEUW.htmlDSA-71912635The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a -8 size value.20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilitieshttp://www.frsirt.com/english/advisories/2005/0305http://securitytracker.com/id?101361914792php-phphandleiff-dos(19920)GLSA-200504-15MDKSA-2005:072RHSA-2005:405RHSA-2005:406APPLE-SA-2005-06-08MDKSA-2005:07215183The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek.20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilitieshttp://www.frsirt.com/english/advisories/2005/0305http://securitytracker.com/id?101361914792GLSA-200504-15MDKSA-2005:072RHSA-2005:405DSA-708RHSA-2005:406DSA-729APPLE-SA-2005-06-08MDKSA-2005:07215184Multiple cross-site scripting (XSS) vulnerabilities in PBLang 4.65 allow remote attackers to inject arbitrary web script or HTML via (1) the search string to search.php, (2) the subject of a PM, which is processed by pm.php, or (3) the body of a PM, which is processed by pmpshow.php.20050222 Software PBLang 4.65 pm.php XSS vulnerability20050222 Software PBLang 4.65 pmpshow.php XSS vulnerability20050222 Software PBLang 4.65 search.php XSS vulnerabilityhttp://securitytracker.com/id?1013277Firefox 1.0 allows remote attackers to execute arbitrary code via plugins that load "privileged content" into frames, as demonstrated using certain XUL events when a user drags a scrollbar two times, aka "Firescrolling."20050225 Firescrolling [Firefox 1.0]http://www.mikx.de/?p=11http://www.mozilla.org/security/announce/mfsa2005-27.htmlGLSA-200503-10GLSA-200503-30http://securitytracker.com/id?1013301OVAL100031RHSA-2005:176RHSA-2005:384oval:org.mitre.oval:def:100031** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0985. Reason: This candidate is a duplicate of CVE-2003-0985. Notes: All CVE users should reference CVE-2003-0985 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context.20050215 linux kernel 2.6 fun. windoze is a jokehttp://www.guninski.com/where_do_you_want_billg_to_go_today_3.htmlhttp://linux.bkbits.net:8080/linux-2.6/cset@4201818eC6aMn0x3GY_9rw3ueb2ZWQCLA-2005:930SUSE-SA:2005:01820050315 [USN-95-1] Linux kernel vulnerabilitiesRHSA-2005:366Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument.20050215 linux kernel 2.6 fun. windoze is a jokehttp://www.guninski.com/where_do_you_want_billg_to_go_today_3.htmlhttp://linux.bkbits.net:8080/linux-2.6/cset@420181322LZmhPTewcCOLkubGwOL3wCLA-2005:930SUSE-SA:2005:01820050315 [USN-95-1] Linux kernel vulnerabilitiesRHSA-2005:366The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments.20050215 linux kernel 2.6 fun. windoze is a jokehttp://www.guninski.com/where_do_you_want_billg_to_go_today_3.htmlhttp://linux.bkbits.net:8080/linux-2.6/gnupatch@4208e1fcfccuD-eH2OGM5mBhihmQ3ACLA-2005:93020050315 [USN-95-1] Linux kernel vulnerabilitiesRHSA-2005:366The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types.20050215 linux kernel 2.6 fun. windoze is a jokehttp://www.guninski.com/where_do_you_want_billg_to_go_today_3.htmlhttp://linux.bkbits.net:8080/linux-2.6/cset@42018227TkNpHlX6BefnItV_GqMmzQSUSE-SA:2005:01820050315 [USN-95-1] Linux kernel vulnerabilitiesHeap-based buffer overflow in Trend Micro AntiVirus Library VSAPI before 7.510, as used in multiple Trend Micro products, allows remote attackers to execute arbitrary code via a crafted ARJ file with long header file names that modify pointers within a structure.20050224 Trend Micro AntiVirus Library Heap Overflowhttp://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+executionhttp://securitytracker.com/id?1013289http://securitytracker.com/id?10132901264314396Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allow remote attackers to inject arbitrary web script.http://sourceforge.net/project/shownotes.php?release_id=307067GLSA-200502-33http://securitytracker.com/id?101326014360GLSA-200502-33Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to perform unauthorized actions as authenticated MediaWiki users.GLSA-200502-33http://securitytracker.com/id?101326014360GLSA-200502-33Directory traversal vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to delete arbitrary files or determine file existence via a parameter related to image deletion.http://sourceforge.net/project/shownotes.php?release_id=307067GLSA-200502-33http://securitytracker.com/id?101326014360GLSA-200502-33Multiple SQL injection vulnerabilities in page.php for iGeneric (iG) Shop 1.2 may allow remote attackers to execute arbitrary SQL statements via the (1) cats, (2) l_price, or (3) u_price parameters.20050221 [NOBYTES.COM: #5] iGeneric eShop 1.2 - Information Disclosure & Possible SQL Injection14369http://securitytracker.com/id?1013268Directory traversal vulnerability in (1) GinpPictureServlet.java and (2) PicCollection.java in ginp (Java Photo Gallery Web Application) before 0.22 allows remote attackers to read arbitrary files.http://sourceforge.net/project/shownotes.php?release_id=30751814373Unknown vulnerability in IBM Hardware Management Console (HMC) before 4.4 for POWER5 servers allows local users to gain privileges, related to the Guided Setup Wizard.http://techsupport.services.ibm.com/server/hmc/power5/fixes/ptf_MH00220.html14377Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows remote attackers to obtain sensitive information via a direct request to the /about.html page.20050224 Cyclades AlterPath Manager Vulnerabilitieshttp://www.cirt.net/advisories/alterpath_disclosure.shtml1407314378consoleConnect.jsp in Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows remote attackers to connect to arbitrary consoles by modifying the consolename parameter.20050224 Cyclades AlterPath Manager Vulnerabilitieshttp://www.cirt.net/advisories/alterpath_console.shtml1407514378saveUser.do in Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows local users to gain privileges by setting the adminUser parameter to true.20050224 Cyclades AlterPath Manager Vulnerabilitieshttp://www.cirt.net/advisories/alterpath_privesc.shtml1407414378Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in display_tbl_links.lib.php, the left_font_family parameter in theme_left.css.php, or the right_font_family parameter in theme_right.css.php.20050224 [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4GLSA-200503-071264414382phpmyadmin-multiple-php-xss(19462)phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server via direct requests to (1) sqlvalidator.lib.php, (2) sqlparser.lib.php, (3) select_theme.lib.php, (4) select_lang.lib.php, (5) relation_cleanup.lib.php, (6) header_meta_style.inc.php, (7) get_foreign.lib.php, (8) display_tbl_links.lib.php, (9) display_export.lib.php, (10) db_table_exists.lib.php, (11) charset_conversion.lib.php, (12) ufpdf.php, (13) mysqli.dbi.lib.php, (14) setup.php, or (15) cookie.auth.lib.php, which reveals the path in a PHP error message.14382http://sourceforge.net/tracker/index.php?func=detail&aid=1149383&group_id=23067&atid=377408GLSA-200503-07Microsoft Windows XP Pro SP2 and Windows 2000 Server SP4 running Active Directory allow local users to bypass group policies that restrict access to hidden drives by using the browse feature in Office 10 applications such as Word or Excel, or using a flash drive. NOTE: this issue has been disputed in a followup post.20050223 Office 10 applications & flashdrives can be used to browse restricted drives20050225 Re: Office 10 applications & flashdrives can be used to browse restricted12641Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd.[info-cyrus] 20050214 Cyrus IMAPd 2.2.11 ReleasedCLA-2005:937GLSA-200502-29http://bugs.gentoo.org/show_bug.cgi?id=82404MDKSA-2005:05120050228 [USN-87-1] Cyrus IMAP server vulnerability143831013278RHSA-2005:408FLSA:156290MDKSA-2005:05112636Unknown vulnerability in ftpd on HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23 allows remote authenticated users to gain "unauthorized access to files."HPSBUX0111912651hp-ux-ftpd-gain-access(19467)Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search function.20050328 Multiple XSS issues in Sun AnswerBook257737Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the "View Log Files" function.20050328 Multiple XSS issues in Sun AnswerBook257737Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability".MS05-018OVAL1271OVAL2043OVAL4397OVAL4832oval:org.mitre.oval:def:1271oval:org.mitre.oval:def:2043oval:org.mitre.oval:def:4397oval:org.mitre.oval:def:4832Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value.MS05-01820050412 Microsoft Windows CSRSS.EXE Stack Overflow VulnerabilityOVAL1822OVAL266OVAL3544OVAL777oval:org.mitre.oval:def:1822oval:org.mitre.oval:def:266oval:org.mitre.oval:def:3544oval:org.mitre.oval:def:777Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability".20050412 Microsoft Internet Explorer DHTML Engine Race Condition VulnerabilityMS05-02014922ie-dhtml-bo(19831)TA05-102AVU#774338OVAL1695OVAL3100OVAL3752OVAL4874OVAL4985oval:org.mitre.oval:def:1695oval:org.mitre.oval:def:3100oval:org.mitre.oval:def:3752oval:org.mitre.oval:def:4874oval:org.mitre.oval:def:4985Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability."MS05-02020050412 Microsoft Windows Internet Explorer Long Hostname Heap Corruption Vulnerability14922TA05-102AVU#756122OVAL1196OVAL2253OVAL2559OVAL3817OVAL789oval:org.mitre.oval:def:1196oval:org.mitre.oval:def:2253oval:org.mitre.oval:def:2559oval:org.mitre.oval:def:3817oval:org.mitre.oval:def:789Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability."MS05-02014922ie-content-advisor-bo(19842)TA05-102AVU#222050OVAL2077OVAL2786OVAL3157OVAL3926OVAL4674oval:org.mitre.oval:def:2077oval:org.mitre.oval:def:2786oval:org.mitre.oval:def:3157oval:org.mitre.oval:def:3926oval:org.mitre.oval:def:4674Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document.MS05-023word-document-bo(19828)OVAL1236OVAL2415OVAL2685OVAL4234oval:org.mitre.oval:def:1236oval:org.mitre.oval:def:2415oval:org.mitre.oval:def:2685oval:org.mitre.oval:def:4234Heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port.MS05-021149201546720050412 Microsoft Exchange Remote Compromise20050419 MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoCTA05-102AVU#275193OVAL4032oval:org.mitre.oval:def:4032GIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width.MS05-02214915msn-messenger-gif-execute-code (19950)TA05-102AVU#633446OVAL4927oval:org.mitre.oval:def:4927Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL ("jav&#X41sc&#0010;ript:") in an IMG tag.20050614 Microsoft Outlook Web Access Cross-Site Scripting VulnerabilityMS05-02915697Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information.20050712 Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow VulnerabilityMS05-035OVAL1190OVAL1331TA05-193AVU#218621oval:org.mitre.oval:def:1190oval:org.mitre.oval:def:1331The Announce module in phpWebSite 0.10.0 and earlier allows remote attackers to execute arbitrary PHP code by setting the Image field to reference a PHP file whose name contains a .gif.php extension.20050224 phpWebSite-0.10.0_exploitGLSA-200503-04http://securitytracker.com/id?101329814399phpwebsite-announce-execute-code(19482)Buffer overflow in Golden FTP Server Pro (goldenftpd) 2.x allows remote attackers to execute arbitrary code via a long RNTO command.20050122 several BO's in goldenftpdhttp://www.goldenftpserver.comVU#6208621233313966golden-ftp-rnto-bo(19015)1012973Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code.20050224 [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1http://sourceforge.net/tracker/index.php?func=detail&aid=1149381&group_id=23067&atid=3774081264514382phpmyadmin-file-include(19465)Soldier of Fortune II 1.03 gold allows remote attackers to cause a denial of service (application crash) via a large cl_guid value, which results in an invalid pointer dereference.1013291126501328920050224 In-game cl_guid crash in Soldier of Fortune II 1.03Multiple SQL injection vulnerabilities in PunBB 1.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) language parameter to register.php, (2) change email feature in profile.php, (3) posts or (4) topics parameter to moderate.php.20050224 Multiple vulns in punBBhttp://www.punbb.org/changelogs/1.2.1_to_1.2.2.txt126521439414538punbb-multiple-sql-injection(19473)profile.php in PunBB 1.2.1 allows remote attackers to cause a denial of service (account lockout) by setting the user's password to NULL.20050224 Multiple vulns in punBB1265214394punbb-profile-dos(19483)admin_loader.php in PunBB 1.2.1 allows remote attackers to read arbitrary files via the plugin parameter.20050224 Multiple vulns in punBBhttp://www.punbb.org/changelogs/1.2.1_to_1.2.2.txthttp://www.punbb.org/download/patch/punbb-1.2.1_to_1.2.2.patch14394punbb-file-disclosure(19478)index.php in phpWebSite 0.10.0 and earlier allows remote attackers to obtain sensitive information via an invalid SEA_search_module parameter, which reveals the path in a PHP error message.20050225 phpWebSite 0.10.0 Full Path disclosurehttp://neossecurity.net/Advisories/Advisory-05.txtGLSA-200503-04phpwebsite-search-path-disclosure(19480)Gaim 1.1.3 on Windows systems allows remote attackers to cause a denial of service (client crash) via a file transfer in which the filename contains "(" or ")" (parenthesis) characters.20050224 GAIM exploithttp://securitytracker.com/id?1013300Directory traversal vulnerability in CIS WebServer 3.5.13 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the URL.20050225 CIS WebServer Directory Traversal Bug12662Buffer overflow in Stormy Studios Knet 1.04c and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP GET request.20050225 Knet <= 1.04c Buffer Overflow Bug1267114400Unknown vulnerability in Standard Type Services Framework (STSF) Font Server Daemon (stfontserverd) in Solaris 9 allows local users to modify or delete arbitrary files.126561438157738Format string vulnerability in DNA MKBold-MKItalic 0.06_1 and earlier allows remote attackers to execute arbitrary code via crafted BDF font files.http://www.vuxml.org/freebsd/32d4f0f1-85c3-11d9-b6dc-0007e900f747.htmlhttp://www.freshports.org/x11-fonts/mkbold-mkitalic/14398Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory.http://www.mozilla.org/security/announce/mfsa2005-28.htmlGLSA-200503-10GLSA-200503-30RHSA-2005:176RHSA-2005:38412659nxagent in FreeNX before 0.2.8 does not properly handle when the XAUTHORITY environment variable is not set, which allows local users to access the X server without X authentication.[FreeNX-kNX] 20050217 Security: Serious bug in authority handling found and fixedSUSE-SR:2005:006cmd5checkpw, when running setuid, does not properly drop privileges before calling the execvp function, which allows local users to read the poppasswd file.GLSA-200502-30Multiple buffer overflows in Computer Associates (CA) License Client and Server 0.1.0.15 allow remote attackers to execute arbitrary code via (1) certain long fields in the Checksum item in a GCR request, (2) a long IP address, hostname, or netmask values in a GCR request, (3) a long last parameter in a GETCONFIG packet, or (4) long values in a request with an invalid format.20050302 Computer Associates License Client/Server GCR Checksum Buffer Overflow20050302 Computer Associates License Client/Server GCR Network Buffer Overflow20050302 Computer Associates License Client/Server GETCONFIG Buffer Overflow20050302 Computer Associates License Client and Server Invalid Command Buffer Overflowhttp://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp20050302 License Patches Are Now Available To Address Buffer OverflowsBuffer overflow in Computer Associates (CA) License Client 0.1.0.15 allows remote attackers to execute arbitrary code via a long filename in a PUTOLF request.20050302 Computer Associates License Client PUTOLF Buffer Overflowhttp://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp20050302 License Patches Are Now Available To Address Buffer OverflowsDirectory traversal vulnerability in Computer Associates (CA) License Client 0.1.0.15 allows remote attackers to create arbitrary files via .. (dot dot) sequences in a PUTOLF request.20050302 Computer Associates License Client PUTOLF Directory Traversalhttp://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp20050302 License Patches Are Now Available To Address Buffer OverflowsFirefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks.https://bugzilla.mozilla.org/show_bug.cgi?id=277574http://www.mozilla.org/security/announce/mfsa2005-24.htmlGLSA-200503-10GLSA-200503-30OVAL100034RHSA-2005:176RHSA-2005:384oval:org.mitre.oval:def:100034Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks.http://secunia.com/secunia_research/2004-15/advisory/http://www.mozilla.org/security/announce/mfsa2005-23.htmlGLSA-200503-10GLSA-200503-3013599OVAL100035RHSA-2005:176RHSA-2005:384oval:org.mitre.oval:def:100035Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content.13258http://www.mozilla.org/security/announce/mfsa2005-22.htmlGLSA-200503-10OVAL100036RHSA-2005:176RHSA-2005:38412659oval:org.mitre.oval:def:100036Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file.http://www.mozilla.org/security/announce/mfsa2005-21.htmlOVAL100037SUSE-SA:2006:0221982312659oval:org.mitre.oval:def:100037Firefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain, which allows remote attackers to determine the existence of files on the local system.http://www.mozilla.org/security/announce/mfsa2005-20.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=271209GLSA-200503-10GLSA-200503-30OVAL100038RHSA-2005:176RHSA-2005:38412659oval:org.mitre.oval:def:100038The Form Fill feature in Firefox before 1.0.1 allows remote attackers to steal potentially sensitive information via an input control that monitors the values that are generated by the autocomplete capability.http://www.mozilla.org/security/announce/mfsa2005-19.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=270697GLSA-200503-10OVAL100039RHSA-2005:17612659oval:org.mitre.oval:def:100039The installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears before the real hostname.http://www.mozilla.org/security/announce/mfsa2005-17.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=268059GLSA-200503-10GLSA-200503-30OVAL100041RHSA-2005:176RHSA-2005:384SUSE-SA:2006:0221982312659oval:org.mitre.oval:def:100041Firefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing."20050111 Firespoofing [Firefox 1.0]http://www.mikx.de/index.php?p=7http://www.mikx.de/firespoofing/http://www.mozilla.org/security/announce/mfsa2005-16.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=260560GLSA-200503-10GLSA-200503-301223413786web-browser-modal-spoofing(18864)RHSA-2005:176RHSA-2005:384oval:org.mitre.oval:def:100042Heap-based buffer overflow in the UTF8ToNewUnicode function for Firefox before 1.0.1 and Mozilla before 1.7.6 might allow remote attackers to cause a denial of service (crash) or execute arbitrary code via invalid sequences in a UTF8 encoded string that result in a zero length value.http://www.mozilla.org/security/announce/mfsa2005-15.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=241440GLSA-200503-10GLSA-200503-30OVAL100043RHSA-2005:176SUSE-SA:2006:0221982312659oval:org.mitre.oval:def:100043Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site.http://www.mozilla.org/security/announce/mfsa2005-14.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=258048https://bugzilla.mozilla.org/show_bug.cgi?id=268483https://bugzilla.mozilla.org/show_bug.cgi?id=277564https://bugzilla.mozilla.org/show_bug.cgi?id=276720GLSA-200503-10GLSA-200503-30OVAL100044RHSA-2005:176RHSA-2005:38412659oval:org.mitre.oval:def:100044Buffer overflow in the Netinfo Setup Tool (NeST) allows local users to execute arbitrary code.APPLE-SA-2005-05-03TA05-136AVU#354486Buffer overflow in ext.dll in BadBlue 2.55 allows remote attackers execute arbitrary code via a long mfcisapicommand parameter.20050226 Badblue HTTP Server, ext.dll buffer overflow1267314405PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page size.12665SUSE-SR:2005:006Cisco devices running Application and Content Networking System (ACNS) 5.0 before 5.0.17.6 and 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (process restart) via a "crafted TCP connection."20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities1264814395cisco-tcp-acns-dos(19466)The RealServer RealSubscriber on Cisco devices running Application and Content Networking System (ACNS) 5.1 allow remote attackers to cause a denial of service (CPU consumption) via malformed packets.20050224 ACNS Denial of Service and Default Admin Password VulnerabilitiesVU#5792401264814395cisco-realserver-realsubscriber-dos(19469)Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, or 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (CPU consumption) via malformed IP packets.20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities1264814395cisco-ip-packet-dos(19468)Cisco ACNS may be vulnerable to DoS via malformed IP packetsCisco devices running Application and Content Networking System (ACNS) 5.0, 5.1 before 5.1.13.7, or 5.2 before 5.2.3.9 allow remote attackers to cause a denial of service (bandwidth consumption) via "crafted IP packets" that are continuously forwarded.20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities1264814395cisco-acns-dos(19470)Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, 5.1, or 5.2 use a default password when the setup dialog has not been run, which allows remote attackers to gain access.20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities1264814395cisco-acns-gain-access(19471)Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges.20050228 7a69Adv#22 - UNIX unzip keep setuid and setgid filesMDKSA-2005:1972005-00531704517342MDKSA-2005:19710315014447ADV-2007-386627684200844viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a PHP error message.20050225 -==phpBB 2.0.12 Full path disclosure==-http://www.phpbb.com/phpBB/viewtopic.php?t=26756314413lnss.exe in GFI Languard Network Security Scanner 5.0 stores the username and password in memory in plaintext, which could allow local administrators to obtain domain administrator credentials.20050228 [Hat-Squad] GFI L.N.S.S 5.0 Insecure Credential Storagehttp://www.hat-squad.com/en/000160.htmlscan.c for LibXPM may allow attackers to execute arbitrary code via a negative bitmap_unit value that leads to a buffer overflow.https://bugs.freedesktop.org/attachment.cgi?id=1909GLSA-200503-08GLSA-200503-15http://bugs.gentoo.org/show_bug.cgi?id=83655http://bugs.gentoo.org/show_bug.cgi?id=8359820050316 [USN-97-1] libxpm vulnerability20050307 [USN-92-1] LessTif vulnerabilitiesRHSA-2005:331http://securitytracker.com/id?101333912714DSA-723RHSA-2005:412APPLE-SA-2005-08-15APPLE-SA-2005-08-17USN-92-1USN-97-1SCOSA-2005.571446018049SCOSA-2006.518316FLSA-2006:152803RHSA-2005:044RHSA-2005:198RHSA-2005:47320060403-01-U 19624RHSA-2008:0261Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeCart 2.0.0 through 2.0.5, as used in multiple PHP files, allows remote attackers to inject arbitrary HTML or web script via the (1) cat_id, (2) PHPSESSID, (3) view_doc, (4) product, (5) session, (6) catname, (7) search, or (8) page parameters.http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.htmlhttp://www.cubecart.com/site/forums/index.php?showtopic=6032http://securitytracker.com/id?10133041265814416cubecart-multiple-xss(20637)CubeCart 2.0.0 through 2.0.5 allows remote attackers to determine the full path of the server via direct calls without parameters to (1) information.php, (2) language.php, (3) list_docs.php, (4) popular_prod.php, (5) sale.php, (6) subfooter.inc.php, (7) subheader.inc.php, (8) cat_navi.php, or (9) check_sum.php, which reveals the path in a PHP error message.http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.htmlhttp://www.cubecart.com/site/forums/index.php?showtopic=6032http://securitytracker.com/id?1013304cubecart-multiple-path-disclosure(20638)Heap-based buffer overflow in server.cpp for WebMod 0.47 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a POST request with a Content-Length that is less than the amount of data that is actually sent.14302http://djeyl.net/forum/index.php?showtopic=41440Multiple symlink vulnerabilities in portupgrade before 20041226_2 in FreeBSD allow local users to (1) overwrite arbitrary files and possibly replace packages to execute arbitrary code via pkg_fetch, (2) overwrite arbitrary files via temporary files when portupgrade upgrades a port or package, or (3) create arbitrary zero-byte files via the pkgdb.fixme temporary file.http://www.vuxml.org/freebsd/22f00553-a09d-11d9-a788-0001020eed82.html1310614903Heap-based buffer overflow in RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1, allows remote attackers to execute arbitrary code via .WAV files.20050302 RealOne Player / Real .WAV Heap Overflow File Format Vulnerability20050302 RealOne Player / Real .WAV Heap Overflow File Format Vulnerabilityhttp://service.real.com/help/faq/security/050224_player/EN/RHSA-2005:26520050302 RealOne Player / Real .WAV Heap Overflow File Format Vulnerability20050302 RealOne Player / Real .WAV Heap Overflow File Format VulnerabilityRHSA-2005:271Cisco IP/VC Videoconferencing System 3510, 3520, 3525 and 3530 contain hard-coded default SNMP community strings, which allows remote attackers to gain access, cause a denial of service, and modify configuration.20050202 Default SNMP Community Strings in Cisco IP/VC Products14122124241013067Unknown vulnerability in FCKeditor 2.0 RC2, when used with PHP-Nuke, allows remote attackers to upload arbitrary files.12676sessions.php in phpBB 2.0.12 and earlier allows remote attackers to gain administrator privileges via the autologinid value in a cookie.20050301 phpBB <= 2.0.12 UID Exploit20050304 phpBB 2.0.12 Session Handling Administrator Authentication Bypasshttp://www.phpbb.com/phpBB/viewtopic.php?t=26756314413Multiple SQL injection vulnerabilities in (1) index.php, (2) modules.php, or (3) admin.php in PostNuke 0.760-RC2 allow remote attackers to execute arbitrary SQL code via the catid parameter.20050228 [SECURITYREASON.COM] PostNuke Critical SQL Injection 0.760-RC2=>xhttp://news.postnuke.com/Article2669.htmlhttp://securitytracker.com/id?1013324Multiple cross-site scripting (XSS) vulnerabilities in the Download module for PostNuke 0.750 and 0.760-RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) Program name, (2) File link, (3) Author name (4) Author e-mail address, (5) File size, (6) Version, or (7) Home page variables.20050228 [SECURITYREASON.COM] PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2http://news.postnuke.com/Article2669.htmlhttp://securitytracker.com/id?1013324SQL injection vulnerability in dl-search.php in PostNuke 0.750 and 0.760-RC2 allows remote attackers to execute arbitrary SQL commands via the show parameter.20050228 [SECURITYREASON.COM] PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3http://news.postnuke.com/Article2669.htmlhttp://securitytracker.com/id?1013324The SMTP binding function in Symantec Firewall/VPN Appliance 200/200R firmware after 1.5Z and before 1.68, Gateway Security 360/360R and 460/460R firmware before vuild 858, and Nexland Pro800turbo, when configured for load balancing between two WANs, might send SMTP traffic to a trusted network through an untrusted network.http://securityresponse.symantec.com/avcenter/security/Content/2005.02.28.html14428Einstein 1.0.1 stores sensitive information such as usernames and passwords in plaintext in the registry, which allows local users to gain privileges.http://www.milw0rm.com/id.php?id=846http://securitytracker.com/id?10133161445514212 846Einstein 1.0 stores credit card information in plaintext in the world-readable wallets.dat file, which allows local users to steal the information.14455Scrapland 1.0 and earlier allows remote attackers to cause a denial of service (server termination) by triggering an error, which is treated as a fatal error by the server, as demonstrated using (1) signed integers for size values, (2) an invalid model, (3) a "newpos" value that is less than or equal to a size value, or (4) partial packets.1443520050228 Server termination in Scrapland 1.0RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to view the PHP source code via an HTTP GET request for a filename with a trailing (1) . (dot) or (2) space.20050301 [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilitieshttp://www.security.org.sg/vuln/raidenhttpd1132.html14453Buffer overflow in RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to execute arbitrary code via a long URL.20050301 [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilitieshttp://www.security.org.sg/vuln/raidenhttpd1132.html14453reportbug before 2.62 creates the .reportbugrc configuration file with world-readable permissions, which allows local users to obtain email smarthost passwords.20050228 [USN-88-1] reportbug information disclosurehttps://bugzilla.ubuntu.com/show_bug.cgi?id=6600http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=29540714422reportbug-file-world-readable(19504)reportbug 3.2 includes settings from .reportbugrc in bug reports, which exposes sensitive information such as smtpuser and smtppasswd.6600: 295407: reportbug: config files are world readablehttps://bugzilla.ubuntu.com/show_bug.cgi?id=671714422reportbug-smtppasswd-information-disclosure(19520)20050228 [USN-88-1] reportbug information disclosureRace condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie20050308 [USN-93-1] Squid vulnerabilitysquid-set-cookie-race-condition(19581)RHSA-2005:415USN-93-1FLSA-2006:15280912716Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs.GLSA-200503-01http://bugs.gentoo.org/show_bug.cgi?id=7518112695Multiple cross-site scripting (XSS) vulnerabilities in Forumwa 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in search.php or the (2) body or (3) subject of a forum message.20050301 Forumwa search.php xss vulnerability1268914418Multiple cross-site scripting (XSS) vulnerabilities in profile.php in 427BB 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) Avatar parameters.20050301 427BB profile.php XSS vulnerability.20050301 427BB profile.php XSS vulnerability.http://securitytracker.com/id?10133371269314434427bb-profile-xss(19546)sendpm.php in PBLang 4.63 allows remote authenticated users to read arbitrary files via a full pathname in the orig parameter.20050301 Software PBLang 4.63 sendpm.php reply file read vulnerability12690pblang-sendpm-obtain-information(19544)delpm.php in PBLang 4.63 allows remote authenticated users to delete arbitrary PM files by modifying the "id" and "a" parameters.20050301 Software PBLang 4.63 delpm.php authentication vulnerability12694pblang-delpm-delete-messages(19552)PHP remote file inclusion vulnerability in auth.php in PHPNews 1.2.4 and possibly 1.2.3, allows remote attackers to execute arbitrary PHP code via the path parameter.20050301 PHP News <= 1.2.4 - Remote File Inclusion (VXSfx)20050303 PHP News <= 1.2.4 - Remote File Inclusion Exploit12696http://securitytracker.com/id?101334514449Buffer overflow in Trillian 3.0 and Pro 3.0 allows remote attackers to execute arbitrary code via a crafted PNG image file.20050306 See-security advisory: Trillian Basic 3.0 PNG Processing Buffer overflow12703http://www.frsirt.com/english/advisories/2005/0221http://www.securiteam.com/exploits/5KP030KF5E.htmlBuffer overflow in Golden FTP Server 1.92 allows remote attackers to execute arbitrary code via a long USER command.20050302 Golden Ftp server 1.29 Username remote Buffer Overflow12704ADV-2006-493623323Buffer overflow in Foxmail Server 2.0 allows remote attackers to execute arbitrary code via a long USER command.20050302 Foxmail server http://securitytracker.com/id?10133561271114145Format string vulnerability in Foxmail Server 2.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in the USER command.20050302 Foxmail server http://securitytracker.com/id?10133561271114145The copy functions in locore.s such as copyout in OpenBSD 3.5 and 3.6, and possibly other BSD based operating systems, may allow attackers to exceed certain address boundaries and modify kernel memory.http://securitytracker.com/id?101333320050228 028: SECURITY FIX: February 28, 200520050316 012: SECURITY FIX: March 16, 2005 amd64 only1282514432openbsd-copy-functions(19531)xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command.DSA-695GLSA-200503-05http://bugs.gentoo.org/show_bug.cgi?id=79762144591446214365RHSA-2005:33212712 FLSA-2006:152923Multiple vulnerabilities in xli before 1.17 may allow remote attackers to execute arbitrary code via "buffer management errors" from certain image properties, some of which may be related to integer overflows in PPM files.DSA-695GLSA-200503-05http://bugs.gentoo.org/show_bug.cgi?id=7976214459Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 does not properly initialize the "Change Credentials for Database" window, which allows local users to recover the SQL Admin password via certain methods.http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo6432314454Cross-site scripting (XSS) vulnerability in the Reporter for Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 allows remote attackers to inject arbitrary HTML or web script via the (1) name or (2) description in a report template.http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo6432314454SQL injection vulnerability in the Query Designer for Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 allows remote attackers to execute arbitrary SQL via an imported file.http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo6432314454Buffer overflow in McAfee Scan Engine 4320 with DAT version before 4357 allows remote attackers to execute arbitrary code via crafted LHA files.http://images.mcafee.com/misc/McAfee_Security_Bulletin_05-march-17.pdf1024314628McAfee Scan Engine vulnerable to buffer overflow in LHA decoderBuffer overflow in McAfee Scan Engine 4320 with DAT version before 4436 allows remote attackers to execute arbitrary code via a malformed LHA file with a type 2 header file name field, a variant of CVE-2005-0643.20050317 McAfee AntiVirus Library Stack Overflowhttp://images.mcafee.com/misc/McAfee_Security_Bulletin_05-march-17.pdfVU#361180http://securitytracker.com/id?1013463102431283214628Cross-site scripting (XSS) vulnerability in show.inc.php in cuteNews 1.3.6 allows remote attackers to inject arbitrary HTML, web script, and PHP code via the (1) CLIENT-IP or (2) X-FORWARDED-FOR header in an HTTP POST request to show_news.php.20050301 Kernelpanik Labs Digest 2005-2http://www.kernelpanik.org/docs/kernelpanik/cutenews.txtSQL injection vulnerability in auth.php in paNews 2.0.4b allows remote attackers to execute arbitrary SQL via the mysql_prefix parameter.20050301 Kernelpanik Labs Digest 2005-2http://www.kernelpanik.org/docs/kernelpanik/panews.txtadmin_setup.php in paNews 2.0.4b allows remote attackers to inject arbitrary PHP code via the (1) $form[comments] or (2) $form[autoapprove] parameters, which are written to config.php.20050301 Kernelpanik Labs Digest 2005-2http://www.kernelpanik.org/docs/kernelpanik/panews.txtMultiple vulnerabilities in Pixel-Apes SafeHTML before 1.3.0 allow remote attackers to bypass cross-site scripting (XSS) protection via (1) "decimal HTML entities" or (2) "the \x00 symbol."http://pixel-apes.com/safehtml/feedhttp://securitytracker.com/id?1013315Pixel-Apes SafeHTML before 1.2.1 allows remote attackers to bypass cross-site scripting (XSS) protection via "hexadecimal HTML entities."http://pixel-apes.com/safehtml/feed13869Multiple cross-site scripting (XSS) vulnerabilities in ProjectBB 0.4.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) the pages parameter to divers.php (incorrectly referred to as "drivers.php" by some sources), (2) in the search feature text area, (3) forum name, (4) site name or (5) the maximum avatar size in the option section, (5) new category or (6) new forum fields in the forum section.20050308 failles dans ProjectBB v0.4.5.1http://securitytracker.com/id?1013332http://www.frsirt.com/english/advisories/2005/02231270914533projectbb-multiple-xss(19556)Multiple SQL injection vulnerabilities in ProjectBB 0.4.5.1 allow remote attackers to execute arbitrary SQL commands via (1) liste or (2) desc parameters to divers.php (incorrectly referred to as "drivers.php" by some sources), (3) the search feature text area, (4) post name in the post creation feature, (5) City, (6) Homepage, (7) ICQ, (8) AOL, (9) Yahoo!, (10) MSN, or (11) e-mail fields in the profile feature or (12) the new field in the moderator section.20050308 failles dans ProjectBB v0.4.5.1http://securitytracker.com/id?1013332http://www.frsirt.com/english/advisories/2005/02231271014533projectbb-mulitple-sql-injection(19557)Unknown vulnerability in HP OpenVMS VAX 7.x and 6.x and OpenVMS Alpha 7.x or 6.x allows local users to access privileged files.SSRT486614444openvms-gain-access(19566)phpMyAdmin 2.6.1 does not properly grant permissions on tables with an underscore in the name, which grants remote authenticated users more privileges than intended.GLSA-200503-07http://bugs.gentoo.org/show_bug.cgi?id=83792gifload.exe in GIMP 2.0.5, 2.2.3, and possibly 2.2.4 allows remote attackers or local users to cause a denial of service (application crash) via the image descriptor (1) height or (2) width fields set to zero.20050304 GIMP gifload.exe GIF file (image width)*(image height)==0 DOS vulnerabilityauraCMS 1.5 allows remote attackers to obtain sensitive information via an HTTP request with an invalid id parameter to (1) teman.php, (2) hal.php, or (3) arsip.php, which reveals the path in a PHP error message.20050302 Vulnerabilities in Aura CMShttp://securitytracker.com/id?1013357Multiple cross-site scripting (XSS) vulnerabilities in auraCMS 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) hits parameter to hits.php, (2) query parameter to index.php, or (3) theCount parameter to counter.php.20050302 Vulnerabilities in Aura CMShttp://securitytracker.com/id?101335714458Directory traversal vulnerability in Computalynx CProxy 3.3.x and 3.4.x through 3.4.4 allows remote attackers to read arbitrary files or cause a denial of service (application crash) via a .. (dot dot) in an HTTP request.20050302 Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities14461computalynx-cproxy-directory-traversal(19573)computalynx-cproxy-get-dos(19574)SQL injection vulnerability in a third party extension to TYPO3 allows remote attackers to execute arbitrary SQL commands via the category_uid parameter.20050303 TYPO3 SQL Injection vunerabilitie20050304 RE: TYPO3 SQL Injection vunerabilitie20050304 Re: TYPO3 SQL Injection vunerabilitie14465phpBB 2.0.13 and earlier allows remote attackers to obtain sensitive information via a direct request to oracle.php, which reveals the path in a PHP error message.20050304 -==phpBB 2.0.13 Full path disclosure==-http://neosecurityteam.net/Advisories/Advisory-09.txthttp://securitytracker.com/id?1013377Multiple cross-site scripting (XSS) vulnerabilities in D-Forum 1.11 allows remote attackers to inject arbitrary web script or HTML via certain fields, as demonstrated using the page parameter in nav.php3.http://securitytracker.com/id?101334914464SQL injection vulnerability in the getwbbuserdata function in session.php for Woltlab Burning Board 2.0.3 through 2.3.0 allows remote attackers to execute arbitrary SQL commands via the (1) userid or (2) lastvisit cookie.http://securitytracker.com/id?101335114450Cross-site scripting (XSS) vulnerability in index.php for MercuryBoard 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the Avatar field.1430814414SQL injection vulnerability in index.php for MercuryBoard 1.1.2 allows remote attackers to inject arbitrary SQL commands via the f parameter.1430814414mercuryboard-index-sql-injection(19051)Buffer overflow in the EXIF library (libexif) 0.6.9 does not properly validate the structure of the EXIF tags, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a JPEG image with a crafted EXIF tag.DSA-709GLSA-200503-17MDKSA-2005:06420050307 [USN-91-1] EXIF library vulnerabilityhttps://bugzilla.ubuntu.com/show_bug.cgi?id=7152http://securitytracker.com/id?1013398USN-91-1102041ADV-2005-0240ADV-2005-256517705RHSA-2005:300MDKSA-2005:064Format string vulnerability in xv before 3.10a allows remote attackers to execute arbitrary code via format string specifiers in a filename.GLSA-200503-09http://bugs.gentoo.org/show_bug.cgi?id=83686Unknown vulnerability in PaX from the September 2003 release to 2.2 before 2005.03.05, related to SEGMEXEC or RANDEXEC and VMA mirroring, allows local users and possibly remote attackers to bypass intended access restrictions and execute arbitrary code.20050305 PaX privilege elevation security bug1272914489Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5 allows remote attackers to execute arbitrary code via an e-mail message with certain headers containing non-ASCII characters that are not properly handled when the user replies to the message.http://sylpheed.good-day.net/changelog.html.enhttp://sylpheed.good-day.net/changelog-devel.html.enGLSA-200503-26RHSA-2005:303http://securitytracker.com/id?101337614491Unknown vulnerability in HTTP Anti Virus Proxy (HAVP) before 0.51 prevents viruses from being properly detected in certain files such as (1) .CAB or (2) .ZIP files.http://www.bemberg.de/server-side/index.htmhttp://securitytracker.com/id?1013370Multiple SQL injection vulnerabilities in mod.php for phpCOIN 1.2.0 through 1.2.1b allow remote attackers to execute arbitrary SQL commands via the (1) the faq_id in the faq mod, (2) the id parameter in the pages mod, (3) the id parameter in the siteinfo module, (4) the topic_id parameter in the articles module, (5) the ord_id in the orders module, (6) the dom_id parameter in the domains module, or (7) the invd_id parameter in the invoices module.http://lostmon.blogspot.com/2005/03/phpcoin-posible-sql-injection-comands.htmlhttp://forums.phpcoin.com/index.php?showtopic=4118http://forums.phpcoin.com/index.php?showtopic=4116http://forums.phpcoin.com/index.php?showtopic=410112686http://securitytracker.com/id?101332914439phpcoin-id-sql-injection(19571)Cross-site scripting (XSS) vulnerability in phpCOIN 1.2.0 through 1.2.1b allows remote attackers to inject arbitrary web script or HTML via (1) the new parameter to mod.php, (2) the w parameter to mod.php, (3) the e parameter to login.php, (4) the o parameter to login.php, and possibly other scripts.http://lostmon.blogspot.com/2005/03/phpcoin-posible-sql-injection-comands.htmlhttp://forums.phpcoin.com/index.php?showtopic=4118http://forums.phpcoin.com/index.php?showtopic=4116http://forums.phpcoin.com/index.php?showtopic=410112686http://securitytracker.com/id?101332914439phpcoin-xss(19572)Format string vulnerability in Carsten's 3D Engine (Ca3DE), March 2004 version and earlier, allows remote attackers to execute arbitrary code via format string specifiers in a command.http://aluigi.altervista.org/adv/ca3dex-adv.txthttp://securitytracker.com/id?10133611272714483Carsten's 3D Engine (Ca3DE), March 2004 version and earlier, allows remote attackers to execute arbitrary code via text strings that are not null terminated, which triggers a null dereference.http://aluigi.altervista.org/adv/ca3dex-adv.txthttp://securitytracker.com/id?10133611272714483Cross-site scripting (XSS) vulnerability in usercp_register.php for phpBB 2.0.13 allows remote attackers to inject arbitrary web script or HTML by setting the (1) allowhtml, (2) allowbbcode, or (3) allowsmilies parameters to inject HTML into signatures for personal messages, possibly when they are processed by privmsg.php or viewtopic.php.http://securitytracker.com/id?101336214475Cross-site scripting (XSS) vulnerability in the News module for paBox 1.6 allows remote attackers to inject arbitrary web script or HTML via the text hidden parameter in an HTTP POST request.20050303 [XSS] paBox 1.6http://securitytracker.com/id?10133631271914474Cross-site scripting (XSS) vulnerability in index.php for Zorum 3.5 allows remote attackers to inject arbitrary web script or HTML via the (1) list or (2) frommethod parameters.http://securitytracker.com/id?10133659497index.php in Zorum 3.5 allows remote attackers to trigger an SQL error, and possibly inject arbitrary SQL commands, via the search capability.http://securitytracker.com/id?1013365index.php for Zorum 3.5 allows remote attackers to perform certain actions as other users by modifying the id parameter.http://securitytracker.com/id?1013365PHP remote file inclusion vulnerability in formmail.inc.php for Form Mail Script 2.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the script_root to reference a URL on a remote web server that contains the code.20050304 PHP Form Mail Script (2.3) - Arbitrary File Inclusion (VXSfx)http://securitytracker.com/id?1013378http://www.stadtaus.com/forum/t-1579.html14505PHP remote file inclusion vulnerability in tell_a_friend.inc.php for Tell A Friend Script 2.7 before 20050305 allows remote attackers to execute arbitrary PHP code by modifying the script_root parameter to reference a URL on a remote web server that contains the code. NOTE: it was later reported that 2.4 is also affected.http://www.stadtaus.com/forum/t-1579.htmlhttp://securitytracker.com/id?10133901462820070727 Friend Script 2.5 - 2.4 Remote File Includetellafriend-scriptroot-file-include(19630)PHP remote file inclusion vulnerability in download_center_lite.inc.php for Download Center Lite 1.6 allows remote attackers to execute arbitrary PHP code by modifying the script_root parameter to reference a URL on a remote web server that contains the code.20050304 Download Center Lite (DCL) - Arbitrary File Inclusion (VXSfx)http://www.stadtaus.com/forum/t-1579.html14513Nokia Symbian 60 allows remote attackers to cause a denial of service (phone restart) via a Bluetooth nickname.http://securitytracker.com/id?10133801274314574nokia-symbian-dos(19594)Cross-site scripting (XSS) vulnerability in common.inc in Drupal before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via certain inputs.http://drupal.org/drupal-4.5.2http://drupal.org/files/drupal-4.5-xss-fix.patch14515** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0659. Reason: This candidate is a duplicate of CVE-2005-0659. Notes: All CVE users should reference CVE-2005-0659 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Multiple buffer overflows in the web tool for MySQL MaxDB before 7.5.00.26 allows remote attackers to execute arbitrary code via (1) an HTTP GET request with a long file parameter after a percent ("%") sign or (2) a long Lock-Token string to the WebDAV functionality, which is not properly handled by the getLockTokenHeader function in WDVHandler_CommonUtils.c.20050425 MySQL MaxDB Webtool Remote Stack Overflow Vulnerability20050425 MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerabilityhttp://dev.mysql.com/doc/maxdb/changes/changes_7.5.00.26.html#WebDAV20050425 MySQL MaxDB Webtool Remote Stack Overflow Vulnerability20050425 MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerability13368Multiple access validation errors in OutStart Participate Enterprise (PE) allow remote attackers to (1) browse arbitrary directory trees by modifying the rootFolder parameter to displaynavigator.jsp, (2) rename arbitrary directory objects by modifying the selectedObject parameter to renamepopup.jsp, (3) delete arbitrary directory objects by modifying the selectedObjectsCSV parameter to displaydeletenavigator.jsp, and conduct other unauthorized activities via the (4) showDeleteView, (5) showWebFolderView, (6) showLibraryView, (7) showMyLibraryView, (8) singleSelectObject, (9) processRadioSelection, (10) processCheckboxSelection, (11) singleSelectObject, (12) addToSelectedObjects, or (13) removeFromSelectedObjects commands.20050308 PE Multiple Remote Access Validation Vulnerabilities (Participate Systems Inc. / Outstart Inc.)http://security.honour.ca/outstartpsi.txt1275214542pe-access-validation-dos(19632)Integer overflow in mlterm 2.5.0 through 2.9.1, with gdk-pixbuf support enabled, allows remote attackers to execute arbitrary code via a large image file that is used as a background.GLSA-200503-13https://sourceforge.net/project/shownotes.php?release_id=310416Format string vulnerability in Hashcash 1.16 allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via format string specifiers in a reply address, which is not properly handled when printing the header.GLSA-200503-12http://bugs.gentoo.org/show_bug.cgi?id=8354114487Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016).20050305 Windows Server 2003 and XP SP2 LAND attack vulnerabilityMS05-019OVAL1288OVAL1685OVAL4978MS06-064ADV-2006-398322341HPSBST02161oval:org.mitre.oval:def:1288oval:org.mitre.oval:def:1685oval:org.mitre.oval:def:4978oval:org.mitre.oval:def:482includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter.20050307 Remote Command Execution20050308 Re: Remote Command Execution12738Gene6 FTP Server does not properly restrict access to the control console, which allows local users to modify the server configuration and gain privileges, as demonstrated by defining a SITE command.20050307 Gene6 FTP Server Local Privilege Escalation Vulnerabilityhttp://secway.org/Advisory/ad20050303.txt20050308 Re: Gene6 FTP Server Local Privilege Escalation Vulnerability1273914436PHP remote file inclusion vulnerability in article mode for modules.php in SocialMPN allows remote attackers to execute arbitrary PHP code by modifying the name parameter to reference a URL on a remote web server that contains the code.20050307 Remote Testing SocialMPN Remote File Inclusion by y3dipshttp://waraxe.us/ftopic-542-0-days0-orderasc-.htmlCross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript.20050306 PHP-FUSION 5.* XSS VULNERABILITY14492Buffer overflow in JoWood Chaser 1.50 and earlier allows remote attackers to cause a denial of service (client or server crash) and execute arbitrary code via a long nickname.http://aluigi.altervista.org/adv/chasercool-adv.txt12733Hosting Controller 6.1 Hotfix 1.7 and earlier stores log files under the web root, which allows remote attackers to obtain sensitive information via a direct request to HCDiskQuotaService.csv.20050307 Hosting Controller Multiple Unauthenticated information disclosehttp://isun.shabgard.org/hc2.txt14522The password recovery feature (forgotpassword.asp) in Hosting Controller 6.1 Hotfix 1.7 and earlier allows remote attackers to determine the owner's e-mail address by providing a portion of the domain name to the "login ID" field.20050307 Hosting Controller Multiple Unauthenticated information disclosehttp://isun.shabgard.org/hc2.txt14522Buffer overflow in ArGoSoft FTP Server 1.4.2.8 allows remote authenticated users to execute arbitrary code via a long DELE command. NOTE: this issue was later reported to also affect 1.4.3.5.20050308 ArGoSoft FTP Server 1.4.2.8 Buffer Overflow127551452620060225 ArGoSoft FTP server remote heap overflow20060225 ArGoSoft FTP server remote heap overflow1015681494SQL injection vulnerability in the process_picture function xp_publish.php in CopperExport 0.2.1 allows remote attackers to execute arbitrary SQL commands, possibly via the (1) title, (2) caption, or (3) keywords parameters.http://www.zzamboni.org/copperexport/14401PHP remote file inclusion vulnerability in PHPWebLog 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) G_PATH parameter to init.inc.php or the (2) PATH parameter to index.php to reference a URL on a remote web server that contains the code.20050307 phpWebLog <= 0.5.3 arbitrary file inclusion (VXSfx)12747Multiple buffer overflows in the dissect_a11_radius function in the CDMA A11 (3G-A11) dissector (packet-3g-a11.c) for Ethereal 0.10.9 and earlier allow remote attackers to execute arbitrary code via RADIUS authentication packets with large length values.20050308 Ethereal remote buffer overflowhttp://www.ethereal.com/appnotes/enpa-sa-00018.htmlGLSA-200503-16MDKSA-2005:053RHSA-2005:30612759FLSA-2006:15292220050309 RE: Ethereal remote buffer overflow - addon20050314 Ethereal 0.10.9 and below remote root exploitMDKSA-2005:053The export_index action in myadmin.php for Aztek Forum 4.0 allows remote attackers to obtain database files, possibly by setting the ATK_ADMIN cookie.http://www.frsirt.com/exploits/20050307.aztek.c.php12745Directory traversal vulnerability in Oracle Database Server 8i and 9i allows remote attackers to read or rename arbitrary files via "\\.\\.." (modified dot dot backslash) sequences to UTL_FILE functions such as (1) UTL_FILE.FOPEN or (2) UTL_FILE.frename.20050307 - Argeniss - Oracle Database Server Directory transversal20050307 - Argeniss - Oracle Database Server Directory transversalhttp://www.argeniss.com/research/ARGENISS-ADV-030501.txtSQL injection vulnerability in phpMyFAQ 1.4 and 1.5 allows remote attackers to add FAQ records to the database via the username field in forum messages.http://www.phpmyfaq.de/advisory_2005-03-06.php14516Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, has an "unauthenticated account," which allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-1179.http://www.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf14507Buffer overflow in the Etheric dissector in Ethereal 0.10.7 through 0.10.9 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code.http://www.ethereal.com/appnotes/enpa-sa-00018.htmlGLSA-200503-16MDKSA-2005:053RHSA-2005:306FLSA-2006:15292212762MDKSA-2005:053The GPRS-LLC dissector in Ethereal 0.10.7 through 0.10.9, with the "ignore cipher bit" option enabled. allows remote attackers to cause a denial of service (application crash).http://www.ethereal.com/appnotes/enpa-sa-00018.htmlGLSA-200503-16MDKSA-2005:053RHSA-2005:306FLSA-2006:15292212762MDKSA-2005:053Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected.http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714GLSA-200503-21RHSA-2005:30412770grip-cddb-bo(19648)FLSA:152919Buffer overflow in the IMAP daemon (IMAP4d32.exe) for Ipswitch Collaboration Suite (ICS) before 8.15 Hotfix 1 allows remote authenticated users to execute arbitrary code via a long EXAMINE command.20050310 Ipswitch Collaboration Suite IMAP EXAMINE Buffer Overflow Vulnerabilityhttp://securitytracker.com/id?10134101278014546ipswitch-imail-imapexamine-bo(19655)The sendfile system call in FreeBSD 4.8 through 4.11 and 5 through 5.4 can transfer portions of kernel memory if a file is truncated while it is being sent, which could allow remote attackers to obtain sensitive information.FreeBSD Kernel SendFile System Call Local Information Disclosure VulnerabilityESB-2005.0273 -- FreeBSD-SA-05:02.sendfile -- sendfile kernel memory disclosure MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit.20050310 Mysql CREATE FUNCTION libc arbitrary code execution.20050310 Mysql CREATE FUNCTION libc arbitrary code execution.DSA-707GLSA-200503-19MDKSA-2005:060RHSA-2005:334SUSE-SA:2005:0192005-000920050316 [USN-96-1] mySQL vulnerabilities1278120050310 Mysql CREATE FUNCTION libc arbitrary code execution.USN-96-1APPLE-SA-2005-08-15APPLE-SA-2005-08-17RHSA-2005:348101864MDKSA-2005:060MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to bypass library path restrictions and execute arbitrary libraries by using INSERT INTO to modify the mysql.func table, which is processed by the udf_init function.20050310 Mysql CREATE FUNCTION mysql.func table arbitrary library injection20050310 Mysql CREATE FUNCTION mysql.func table arbitrary library injectionDSA-707GLSA-200503-19MDKSA-2005:060RHSA-2005:334SUSE-SA:2005:0192005-000920050316 [USN-96-1] mySQL vulnerabilities12781mysql-udfinit-gain-access(19658)20050310 Mysql CREATE FUNCTION mysql.func table arbitrary library injectionUSN-96-1APPLE-SA-2005-08-15APPLE-SA-2005-08-17RHSA-2005:348101864MDKSA-2005:060MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack.20050310 Mysql insecure temporary file creation with CREATE TEMPORARY TABLE privilege escalationDSA-707GLSA-200503-19MDKSA-2005:060RHSA-2005:334SUSE-SA:2005:0192005-000920050316 [USN-96-1] mySQL vulnerabilities12781USN-96-1APPLE-SA-2005-08-15APPLE-SA-2005-08-17RHSA-2005:348101864MDKSA-2005:060Mac OS X before 10.3.8 users world-writable permissions for certain directories, which may allow local users to gain privileges, possibly via the receipt cache or ColorSync profiles.APPLE-SA-2005-03-21Apple Mac OS X Unsafe Directory Permissions May Let Local Users Gain Elevated PrivilegesThe Bluetooth Setup Assistant for Mac OS X before 10.3.8 can be launched without a keyboard or Bluetooth device, which allows local users to bypass access restrictions and gain privileges.APPLE-SA-2005-03-21** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0340. Reason: This candidate is a reservation duplicate of CVE-2005-0340. Notes: All CVE users should reference CVE-2005-0340 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.AFP Server in Mac OS X before 10.3.8 uses insecure permissions for "Drop Boxes," which allows local users to read the contents of a Drop Box.APPLE-SA-2005-03-21Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable.20050321 Mac OS X CF_CHARSET_PATH Buffer Overflow VulnerabilityAPPLE-SA-2005-03-2113224Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory.http://www.squid-cache.org/bugs/show_bug.cgi?id=1224http://www1.uk.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-postCLA-2005:93120050414 [USN-111-1] Squid vulnerabilityUSN-111-1RHSA-2005:415FLSA-2006:1528091316612508squid-put-post-dos(19919)RHSA-2005:489Unknown vulnerability in the systems message queue in HP Tru64 Unix 4.0F PK8 through 5.1B-2/PK4 allows local users to cause a denial of service (process crash) for processes such as nfsstat, pfstat, arp, ogated, rarpd, route, sendmail, srconfig, strsetup, trpt, netstat, and xntpd.HPSBTU011091276814549tru64-system-message-dos(19642)PHP remote file inclusion vulnerability in admin/header.php in PHP mcNews 1.3 allows remote attackers to execute arbitrary PHP code by modifying the skinfile parameter to reference a URL on a remote web server that contains the code.20050307 PHP mcNews <= 1.3 arbitrary file inclusion (VXSfx)14528mcnews-skinfile-file-include(19616)20070811 mcNews (skinfile) Remote File Include Vulnerability12776PHP remote file inclusion vulnerability in modules.php in eXPerience2 allows remote attackers to execute arbitrary PHP code by modifying the file parameter to reference a URL on a remote web server that contains the code.20050307 Multiples VulnerabilitieseXPerience2 allows remote attackers to obtain the full path for the web root via a direct request to modules.php without any parameters, which leaks the path in a PHP error message.20050307 Multiples VulnerabilitiesCross-site scripting (XSS) vulnerability in the jumpmenu function in functions.php for paFileDB 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameters, which is not properly cleansed in the $pageurl variable, as demonstrated using pafiledb.php.20050308 Multiple vulnerabilities in paFileDBpaFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via (1) an invalid str parameter to pafiledb.php, or a direct request to (2) viewall.php, (3) stats.php, (4) search.php, (5) rate.php, (6) main.php, (7) license.php, (8) category.php, (9) download.php, (10) file.php, (11) email.php, or (12) admin.php, which reveals the path in a PHP error message.20050308 Multiple vulnerabilities in paFileDBSQL injection vulnerability in the getAllbyArticle function in wfsfiles.php for WF-Sections (wfsections) 1.07 allows remote attackers to execute arbitrary SQL commands via the articleid parameter to article.php.20050308 Wfsection 1.07 vulnerabilitieswfsections-wfsfiles-sql-injection(19660)SQL injection vulnerability in editpost.php in UBB.threads 6.0 allows remote attackers to execute arbitrary SQL commands via the Number parameter.20050311 UBB.threads 6 SQL Injection** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0735. Reason: This candidate is a duplicate of CVE-2005-0735. Notes: All CVE users should reference CVE-2005-0727 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0736. Reason: This candidate is a duplicate of CVE-2005-0736. Notes: All CVE users should reference CVE-2005-0736 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Format string vulnerability in Xpand Rally 1.1.0.0 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a message.Xpand Rally Format String Vulnerability14545xpandrally-message-format-string(19649)PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service via a request to a file on the floppy drive, as demonstrated using A:\a.txt.20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServerhttp://secway.org/advisory/ad20050104.txt14553active-webcam-dos(19647)PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to Filelist.html.20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServerhttp://secway.org/advisory/ad20050104.txt14553active-webcam-filelist-dos(19650)PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to obtain the full path of the web server via a request for a non-existent filename, which leaks the full path in an error message.20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServerhttp://secway.org/advisory/ad20050104.txt14553active-webcam-path-disclosure(19652)PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to determine the existence of files via an HTTP request with a full pathname, which produces different messages whether the file exists or not.20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServerhttp://secway.org/advisory/ad20050104.txt14553active-webcam-file-disclosure(19654)PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service (memory exhaustion and process crash) via a large number of HTTP requests.20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServerhttp://secway.org/advisory/ad20050104.txt14553active-webcam-memory-dos(19653)newsscript.pl for NewsScript allows remote attachers to gain privileges by setting the mode parameter to admin.12761newsscript-script-security-bypass Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events.20050309 overwriting low kernel memoryhttp://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1dSUSE-SA:2005:01820050315 [USN-95-1] Linux kernel vulnerabilities12763USN-95-1RHSA-2005:293RHSA-2005:366Buffer overflow in Yahoo! Messenger allows remote attackers to execute arbitrary code via the offline mode.1275020050308 Yahoo! Messenger Offline Mode Status Remote Buffer Overflow VulnerabilityStack overflow in Microsoft Exchange Server 2003 SP1 allows users to cause a denial of service (hang) by deleting or moving a folder with deeply nested subfolders, which causes Microsoft Exchange Information Store service (Store.exe) to hang as a result of a large number of recursive calls.89150414543The IAPP dissector (packet-iapp.c) for Ethereal 0.9.1 to 0.10.9 does not properly use certain routines for formatting strings, which could leave it vulnerable to buffer overflows, as demonstrated using modified length values that are not properly handled by the the dissect_pdus and pduval_to_str functions.http://www.ethereal.com/appnotes/enpa-sa-00018.htmlDSA-718GLSA-200503-16MDKSA-2005:053RHSA-2005:306FLSA-2006:1529221276220050312 Ethereal remote buffer overflow #2MDKSA-2005:053The TCP stack (tcp_input.c) in OpenBSD 3.5 and 3.6 allows remote attackers to cause a denial of service (system panic) via crafted values in the TCP timestamp option, which causes invalid arguments to be used when calculating the retransmit timeout.20050111 027: RELIABILITY FIX: January 11, 2005http://securitytracker.com/id?10128611225013819Cross-site scripting (XSS) vulnerability in YaBB.pl for YaBB 2.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a usersrecentposts action.http://securitytracker.com/id?101342012756Cross-site scripting (XSS) vulnerability in Sun Java System Application Server 7 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.1277557742The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and earlier allows remote attackers to upload arbitrary PHP scripts, whose file extensions are not filtered.20050308 [SCAN Associates Security Advisory] xoops 2.0.9.2 and below weak file extension validationhttp://www.xoops.org/modules/news/article.php?storyid=21141275414520xoops-uploader-file-upload(19634)The web GUI for Novell iChain 2.2 and 2.3 SP2 and SP3 allows attackers to hijack sessions and gain administrator privileges by (1) sniffing the connection on TCP port 51100 and replaying the authentication information or (2) obtaining and replaying the PCZQX02 authentication cookie from the browser.http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htmhttp://securitytracker.com/id?101340614527ichain-gain-access(19646)UTStarcom iAN-02EX VoIP Analog Terminal Adaptor (ATA) allows local users to bypass ATA access restrictions by dialing "*#26845#" and causing a device reset.20050307 Re: Lingo VoIP ATA / UTStarcom iAN-02EX remote access vulnerability14544The Mini FTP server in Novell iChain 2.2 and 2.3 SP2 and earlier allows remote unauthenticated attackers to obtain the full path of the server via the PWD command.20050315 [ISR] - Novell iChain Mini FTP Server Unauthorized Remote Path Disclosure Vulnerabilityhttp://www.infobyte.com.ar/adv/ISR-03.htmlhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htmhttp://securitytracker.com/id?10134071276614537ichain-path-disclosure(19643)ApplyYourself i-Class allows remote attackers to obtain sensitive information about their own applications by reusing the hidden ID field, as demonstrated using the id parameter to ApplicantDecision.asp.http://securitytracker.com/id?1013400PHP remote file inclusion vulnerability in initdb.php for WEBInsta Mailing list manager 1.3d allows remote attackers to execute arbitrary PHP code by modifying the absolute_path parameter to reference a URL on a remote web server that contains the code.http://www.frsirt.com/english/advisories/2005/024812773101340914550webinsta-initdb-file-include(19651)The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer.20050401 [USN-103-1] Linux kernel vulnerabilitieshttp://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.614713kernel-loadelflibrary-dos(19867)FLSA:152532USN-103-1RHSA-2005:293RHSA-2005:366RHSA-2005:529RHSA-2005:55120060402-01-U19607The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value.20050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.520050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5kernel-bluezsockcreate-integer-underflow(19844)RHSA-2005:283RHSA-2005:284FLSA:152532RHSA-2005:293RHSA-2005:36612911** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none.The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote attackers to execute arbitrary code via a javascript: URL in the PLUGINSPAGE attribute of an EMBED tag.http://www.mozilla.org/security/announce/mfsa2005-34.htmlRHSA-2005:38314938OVAL100024oval:org.mitre.oval:def:100024 13228Buffer overflow in CVS before 1.11.20 allows remote attackers to execute arbitrary code.GLSA-200504-16SuSE-SA:2005:02414976cvs-bo(20148)RHSA-2005:38754352DSA-742Kommander in KDE 3.2 through KDE 3.4.0 executes data files without confirmation from the user, which allows remote attackers to execute arbitrary code.20050422 [KDE Security Advisory]: Kommander untrusted code executionhttp://www.kde.org/info/security/advisory-20050420-1.txtftp://ftp.kde.org/pub/kde/security_patches/post-3.4.0-kdewebdev-kommander.diff1506013313Heap-based buffer overflow in RealPlayer 10 and earlier, Helix Player before 10.0.4, and RealOne Player v1 and v2 allows remote attackers to execute arbitrary code via a long hostname in a RAM file.http://service.real.com/help/faq/security/050419_player/EN/RHSA-2005:363RHSA-2005:392RHSA-2005:39420050420 RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflowhttp://pb.specialised.info/all/adv/real-ram-adv.txtFEDORA-2005-32920050420 RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflowptrace in Linux kernel 2.6.8.1 does not properly verify addresses on the amd64 platform, which allows local users to cause a denial of service (kernel crash).USN-137-1DSA-922DSA-921138911805618059RHSA-2005:514RHSA-2005:663FLSA:157459-2FLSA:157459-31707317002ADV-2005-1878The xattr file system code, as backported in Red Hat Enterprise Linux 3 on 64-bit systems, does not properly handle certain offsets, which allows local users to cause a denial of service (system crash) via certain actions on an ext3 file system with extended attributes enabled.RHSA-2005:294DSA-922DSA-921136801805618059zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script.GLSA-200505-05http://bugs.gentoo.org/show_bug.cgi?id=90626OVAL1081OVAL1107FLSA:158801SCOSA-2005.5818100MDKSA-2006:026MDKSA-2006:027RHSA-2005:357USN-158-113582163711013928gzip-zgrep-file-installation(20539)RHSA-2005:47420060301-01-U19183SSA:2006-26222033oval:org.mitre.oval:def:1081oval:org.mitre.oval:def:1107OpenPKG-SA-2007.002APPLE-SA-2007-07-31MDKSA-2006:026MDKSA-2006:02725159ADV-2007-273226235ImageMagick before 6.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image with an invalid tag.RHSA-2005:070SUSE-SA:2005:01712875DSA-702http://securitytracker.com/id?1013550The TIFF decoder in ImageMagick before 6.0 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file.RHSA-2005:070SUSE-SA:2005:017http://securitytracker.com/id?1013550DSA-702Unknown vulnerability in ImageMagick before 6.1.8 allows remote attackers to cause a denial of service (application crash) via a crafted PSD file.RHSA-2005:070SuSE-SA:2005:01712876http://securitytracker.com/id?1013550Heap-based buffer overflow in the SGI parser in ImageMagick before 6.0 allows remote attackers to execute arbitrary code via a crafted SGI image file.RHSA-2005:070SuSE-SA:2005:017DSA-702http://securitytracker.com/id?1013550Buffer overflow in Midnight Commander (mc) 4.5.55 and earlier may allow attackers to execute arbitrary code.DSA-698RHSA-2005:512Buffer overflow in command.C for rxvt-unicode before 5.3 allows remote attackers to execute arbitrary code via a crafted file containing long escape sequences.GLSA-200503-23http://bugs.gentoo.org/show_bug.cgi?id=84680Unknown vulnerability in the JXTA dissector in Ethereal 0.10.9 allows remote attackers to cause a denial of service (application crash).http://www.ethereal.com/appnotes/enpa-sa-00018.htmlGLSA-200503-16MDKSA-2005:05312762MDKSA-2005:053Unknown vulnerability in the sFlow dissector in Ethereal 0.9.14 through 0.10.9 allows remote attackers to cause a denial of service (application crash).http://www.ethereal.com/appnotes/enpa-sa-00018.htmlGLSA-200503-16MDKSA-2005:05312762MDKSA-2005:053Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root.20050315 [USN-95-1] Linux kernel vulnerabilitiesCLA-2005:945USN-95-1RHSA-2005:366Buffer overflow in the administration web server for GoodTech Telnet Server 4.0 and 5.0, and possibly all versions before 5.0.7, allows remote attackers to execute arbitrary code via a long string to port 2380.20050315 GoodTech Telnet Server Buffer Overflow Vulnerabilityhttp://unsecure.altervista.org/security/goodtechtelnet.htmMultiple buffer overflows in OpenSLP before 1.1.5 allow remote attackers to have an unknown impact via malformed SLP packets.GLSA-200503-25MDKSA-2005:055SUSE-SA:2005:01520050317 [USN-98-1] OpenSLP vulnerabilities1279214561openslp-slp-bo(19683)USN-98-1HPSBUX02129ADV-2006-387922128MDKSA-2005:055Format string vulnerability in DataRescue Interactive Disassembler and Debugger (IDA) Pro 4.7.0.830 allows remote attackers or local users to cause a denial of service (CPU consumption or application crash) and possibly execute arbitrary code via format string specifiers in a dynamic link library (DLL) name.20050316 ADVISORY: DataRescue Interactive Disassembler Pro Debugger Format String Vulnerabilityhttp://pb.specialised.info/all/adv/ida-debugger-adv.txthttp://www.datarescue.com/cgi-local/ultimatebb.cgi?ubb=get_topic;f=2;t=000155;p=01461012819VERITAS Backup Exec Server (beserver.exe) 9.0 through 10.0 for Windows allows remote unauthenticated attackers to modify the registry by calling methods to the RPC interface on TCP port 6106.20050623 Veritas Backup Exec Server Remote Registry Access Vulnerabilityhttp://seer.support.veritas.com/docs/276605.htmhttp://seer.support.veritas.com/docs/277429.htmTA05-180AVU#58450510142731578920050623 Veritas Backup Exec Server Remote Registry Access VulnerabilityVERITAS Backup Exec 9.0 through 10.0 for Windows Servers, and 9.0.4019 through 9.1.307 for Netware, allows remote attackers to cause a denial of service (Remote Agent crash) via (1) a crafted packet in NDMLSRVR.DLL or (2) a request packet with an invalid (non-0) "Error Status" value, which triggers a null dereference.20050623 Veritas Backup Exec Remote Agent NDMLSRVR.DLL DoS Vulnerability20050623 Veritas Backup Exec Remote Agent NDMLSRVR.DLL DoS Vulnerability20050623 Veritas Backup Exec Agent Error Status Remote DoS Vulnerabilityhttp://seer.support.veritas.com/docs/276533.htmhttp://seer.support.veritas.com/docs/277485.htm101427315789Stack-based buffer overflow in VERITAS Backup Exec Remote Agent 9.0 through 10.0 for Windows, and 9.0.4019 through 9.1.307 for Netware allows remote attackers to execute arbitrary code via a CONNECT_CLIENT_AUTH request with authentication method type 3 (Windows credentials) and a long password argument.20050623 Veritas Backup Exec Agent CONNECT_CLIENT_AUTH Buffer Overflow Vulnerabilityhttp://seer.support.veritas.com/docs/276604.htmhttp://seer.support.veritas.com/docs/277429.htmTA05-180AVU#4921051402210142731578920050623 Veritas Backup Exec Agent CONNECT_CLIENT_AUTH Buffer Overflow Vulnerability17624SQL injection vulnerability in member.php and possibly other scripts in PhotoPost PHP 5.0 RC3 allows remote attackers to execute arbitrary SQL commands via the uid parameter.20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities1277914576photopost-uid-sql-injection(19675)The reportpost action in misc.php for PhotoPost PHP 5.0 RC3 does not limit the logging data that is sent to the admistrator, which allows remote attackers to send large amounts of email to the admistrator.20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities1277914576photopost-email-security-bypass(19676)adm-photo.php in PhotoPost PHP 5.0 RC3 does not properly verify administrative privileges before manipulating photos, which could allow remote attackers to manipulate other users' photos.20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities1277914576photopost-image-modification(19677)Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP 5.0 RC3 allow remote attackers to inject arbitrary web script or HTML via (1) the check_tags function or (2) the editbio field in the user profile.20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities1277914576photopost-editbio-xss(19678)PhotoPost PHP 5.0 RC3 does not fully verify that an uploaded file is an image file, which allows remote attackers to inject arbitrary Javascript by uploading non-image files with an image extension such as .gif.20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities1277914576photopost-file-upload(19679)PlatinumFTP 1.0.18, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) via multiple connection attempts with a \ (backslash) in the username.20050312 PlatinumFTP 1.0.18 remote DoS12790platinumftp-username-dos(19674)20070101 Re: PlatinumFTP 1.0.18 remote DoSpaFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) auth.php, (2) login.php, (3) category.php, (4) file.php, (5) team.php, (6) license.php, (7) custom.php, (8) admins.php, or (9) backupdb.php, which reveal the path in a PHP error message.20050312 [SECURITYREASON.COM] Mass Full Path Disclosure in paFileDBSQL injection vulnerability in (1) viewall.php and (2) category.php in paFileDB 3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter to pafiledb.php.20050312 [SECURITYREASON.COM] SQL injection and XSS in paFileDB12788pafiledb-viewall-category-sql-injection(19688)Cross-site scripting (XSS) vulnerability in (1) viewall.php and (2) category.php for paFileDB 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the start parameter to pafiledb.php.20050312 [SECURITYREASON.COM] SQL injection and XSS in paFileDB20050330 PaFileDB Version 3.1 and below are exploitable via a XSS and a SQL injection vulnerabilityhttp://digitalparadox.org/advisories/pafdb.txt12788pafiledb-viewall-category-xss(19690)Cross-site scripting (XSS) vulnerability in Phorum before 5.0.14a allows remote attackers to inject arbitrary web script or HTML via the filename of an attached file.20050313 3 XSS Vulnerabilities in Phorum <= 5.0.141280014554Multiple cross-site scripting (XSS) vulnerabilities in Phorum before 5.0.15 allow remote attackers to inject arbitrary web script or HTML via (1) the subject line to follow.php or (2) the subject line in the user's personal control panel.20050313 3 XSS Vulnerabilities in Phorum <= 5.0.141280014554Cross-site scripting (XSS) vulnerability in usersrecentposts in YaBB 2.0 rc1 allows remote attackers to inject arbitrary web script or HTML via the username parameter.20050313 YaBB2 rc1 XSShttp://www.securitytracker.com/alerts/2005/Mar/1013420.html12756yabb-usersrecentposts-xss(19671)1013420SQL injection vulnerability in gb_new.inc in SimpGB allows remote attackers to execute arbitrary SQL commands via the quote parameter to guestbook.php.20050313 SimpGB SQL Injection Vulnerability1280114583simpgb-gbnew-sql-injection(19694)Wine 20050211 and earlier creates temp files with world readable permissions and predictable file names, which allows local users to obtain sensitive information, such as passwords.20050314 [ZH2005-02SA] Insecure tmp file creation in Winehttp://bugs.winehq.org/show_bug.cgi?id=2715http://www.zone-h.org/advisories/read/id=7300127911013428wine-registry-information-disclosure(19697)LimeWire 4.1.2 through 4.5.6 allows remote attackers to read arbitrary files by specifying the full pathname in a Gnutella GET request.20050314 LimeWire Gnutella client two vulnerabilitiesGLSA-200503-3714555limewire-client-information-disclosure(19693)Directory traversal vulnerability in LimeWire 3.9.6 through 4.6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in a magnet request.20050314 LimeWire Gnutella client two vulnerabilitiesGLSA-200503-3714555limewire-magnet-directory-traversal(19695)phpAdsNew 2.0.4 allows remote attackers to obtain sensitive information via a direct request to (1) lib-xmlrpcs.inc.php, (2) maintenance-activation.php, (3) maintenance-cleantables.php, (4) maintenance-autotargeting.php, (5) maintenance-reports.php, (6) phpads.php, (7) remotehtmlview.php, (8) click.php, (9) adcontent.php, which reveal the path in a PHP error message.20050314 [SECURITYREASON.COM] phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9http://securityreason.com/adv/%5BphpAdsNew%202.0.4-pr1%20Multiple%20vulnerabilities%20cXIb8O3.9%5D.asc1013429Cross-site scripting (XSS) vulnerability in adframe.php in phpAdsNew 2.0.4-pr1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the refresh parameter.20050314 [SECURITYREASON.COM] phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9http://securityreason.com/adv/%5BphpAdsNew%202.0.4-pr1%20Multiple%20vulnerabilities%20cXIb8O3.9%5D.asc1280314592147871013429SQL injection vulnerability in ZPanel 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) uname parameter to index.php or (2) page parameter to zpanel.php.20050315 Few remote bugs in zPanel20050320 Re: Few remote bugs in zPanel1280914602zpanel-index-sql-injection(19709)PHP remote file inclusion vulnerability in zpanel.php in ZPanel allows remote attackers to (1) execute arbitrary PHP code in ZPanel 2.0 or (2) include local files in ZPanel 2.5 beta 10 and earlier by modifying the page parameter.20050315 Few remote bugs in zPanel20050320 Re: Few remote bugs in zPanel12809ZPanel 2.0 and 2.5 beta 10 does not remove or protect installation scripts after they have been used, which allows remote attackers to reinstall the software and possibly cause a denial of service via a direct request to install.php.20050315 Few remote bugs in zPanel20050320 Re: Few remote bugs in zPanel14602HolaCMS 1.4.9 does not restrict file access to the holaDB/votes directory, which allows remote attackers to overwrite arbitrary files via a modified vote_filename parameter.20050315 Virginity Security Advisory 2005-001 : Hola CMS - File destruction and System accesshttp://www.holacms.de/?content=changelog14566Directory traversal vulnerability in HolaCMS 1.4.9-1 allows remote attackers to overwrite arbitrary files via a "holaDB/votes" followed by a .. (dot dot) in the vote_filename parameter, which bypasses the check by HolaCMS to ensure that the file is in the holaDB/votes directory.http://www.holacms.de/?content=changelog1456620050315 Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System accessNovell iChain Mini FTP Server 2.3 displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks.20050315 [ISR] - Novell iChain Mini FTP Server Valid User Disclosure Vulnerabilityhttp://www.infobyte.com.ar/adv/ISR-04.html1281114607Novell iChain Mini FTP Server 2.3, and possibly earlier versions, does not limit the number of incorrect logins, which makes it easier for remote attackers to conduct brute force login attacks.20050315 [ISR] - Novell iChain Mini FTP Server Bruteforce Problemhttp://www.infobyte.com.ar/adv/ISR-05.htmlhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm14607146481013408MySQL 4.1.9, and possibly earlier versions, allows remote attackers with certain privileges to cause a denial of service (application crash) via a use command followed by an MS-DOS device name such as (1) LPT1 or (2) PRN.http://bugs.mysql.com/bug.php?id=91481456420050315 Denial of Service Vulnerability in MySQL Server for WindowsPHP remote file inclusion vulnerability in install.php in mcNews 1.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the l parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2005-0720.20050317 PHP mcNews arbitrary file inclusion1283514528mcnews-install-file-include(19726)20060906 mcNews v1.3 - Remote File IncludeDirectory traversal vulnerability in includer.cgi in The Includer allows remote attackers to read arbitrary files via (1) a .. (dot dot) or (2) a full pathname in the URL.20050317 Another includer.cgi problem?Cross-site scripting (XSS) vulnerability in search.asp in ACS Blog 0.8 through 1.1b allows remote attackers to execute arbitrary web script or HTML via the search parameter.12836101347014625acs-blog-search-xss(19728)1486120050317 XSS in ACS blogThe GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability."1283414631MS05-053OVAL1121OVAL1152OVAL1215OVAL1240OVAL6711015168VU#134756ADV-2005-234820580win-2000-gdi32dll-dos(19727)174611722320050317 Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API specially crafted EMF file DOS vulnerabilityoval:org.mitre.oval:def:1121oval:org.mitre.oval:def:1152oval:org.mitre.oval:def:1215oval:org.mitre.oval:def:1240oval:org.mitre.oval:def:671TA05-312AFormat string vulnerability in MailEnable 1.8 allows remote attackers to cause a denial of service (application crash) via format string specifiers in the mailto field.128331462720050317 See-security Advisory: Format string vulnerability in MailEnable 1.8SQL injection vulnerability in index.php in Subdreamer Light, when magic_quotes_gpc is enabled, allows remote attackers to execute arbitrary SQL commands via certain parameters that are used as global variables, as demonstrated using the imageid parameter, which is not properly handled by imagegallery.php.1283920050318 possible SQL injection in Subdreamer20060621 Re: possible SQL injection in SubdreamerEvolution 2.0.3 allows remote attackers to cause a denial of service (application crash or hang) via crafted messages, possibly involving charsets in attachment filenames.http://bugzilla.ximian.com/show_bug.cgi?id=72609MDKSA-2005:059RHSA-2005:397USN-166-1MDKSA-2005:059Multiple buffer overflows in Cain & Abel before 2.67 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via (1) an IKE packet with a large ID field that is not properly handled by the PSK sniffer filter, (2) the HTTP sniffer filter, or the (3) POP3, (4) SMTP, (5) IMAP, (6) NNTP, or (7) TDS sniffer filters.http://www.oxid.it/12840101347614630cain-abel-ikepsk-bo(19742)cain-abel-http-filter-bo(19744)20050318 Cain & Abel PSK Sniffer Heap overflowApache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007.http://www.kb.cert.org/vuls/id/JGEI-6A2LEFhttp://www.hitachi-support.com/security_e/vuls_e/HS05-006_e/index-e.htmlVU#20471012795tomcat-manager-ajp12-dos(19681)NotifyLink, when configured for client key retrieval, allows remote attackers to obtain AES keys via a direct request to /hwp/get.asp, then uses a weak encryption scheme (fixed byte reordering) to protect the key, which allows remote attackers to obtain the key via a brute force attack.VU#5810681284314617SQL injection vulnerability in NotifyLink before 3.0 allows remote attackers to execute arbitrary SQL commands via the URL.VU#2640971284314617The web interface in NotifyLink 3.0 does not properly restrict access to functions that have been disabled in the GUI, which allows remote authenticated users to bypass intended restrictions via a direct request to certain URLs.VU#1318281284314617The web interface in NotifyLink 3.0 displays passwords in cleartext on the administrative page, which could allow remote attackers or local users to obtain sensitive information.VU#7705321284314617Buffer overflow in Initial Redirect (ir) Squid Proxy Plug-In 0.1 and 0.2 may allow attackers to cause a denial of service and execute arbitrary code via unknown vectors.http://www.vanheusden.com/ir/128271367414832Unknown vulnerability in lshd in Lysator LSH 1.x and 2.x before 2.0.1 allows remote attackers to cause a denial of service via unknown vectors.[lsh-bugs] 20050316 ANNOUNCE: LSH-2.0.1, fix for denial of service bugDSA-71714609lsh-lshd-dos(19724)Multiple "range checking flaws" in the ISO9660 filesystem handler in Linux 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt memory via a crafted filesystem.20050317 Linux ISO9660 handling flawshttp://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.12-rc112837kernel-iso9660-filesystem(19741)FLSA:152532RHSA-2006:0190RHSA-2006:019118684RHSA-2005:366RHSA-2005:66317002MDKSA-2006:072ADV-2005-1878MDKSA-2006:072Buffer overflow in newgrp in Solaris 7 through 9 allows local users to gain root privileges.57710128381013462solaris-newgrp-bo(19729)Unknown vulnerability in the DNSd proxy, as used in Symantec Gateway Security 5400 2.x and 5300 1.x, Enterprise Firewall 7.0.x and 8.x, and VelociRaptor 1100/1200/1300 1.5, allows remote attackers to poison the DNS cache and redirect users to malicious sites.http://www.isc.sans.org/diary.php?date=2005-03-04http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html101345114595sef-dns-spoofing(16423)Cross-site scripting (XSS) vulnerability in PunBB 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) email or (2) Jabber parameters.1013446punbb-email-jabber-xss(19725)The xvesa code in Novell Netware 6.5 SP2 and SP3 allows remote attackers to redirect the xsession without authentication via a direct request to GUIMirror/Start.http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971038.htm128311013460Microsoft Office InfoPath 2003 SP1 includes sensitive information in the Manifest.xsf file in a custom .xsn form, which allows attackers to obtain printer and network information, obtain the database name, username, and password, or obtain the internal web server name.86744312824148821013454Unknown vulnerability in Citrix MetaFrame Conferencing Manager 3.0 allows conference members to bypass organizer restrictions to control the keyboard and mouse.http://support.citrix.com/kb/entry.jspa?externalID=CTX105574128211013457metaframe-conferencing-gain-access(19723)Citrix Metaframe Password Manager 2.5 and earlier stores a password in cleartext although it is obfuscated when presented to a user, which allows users to view their secondary passwords even if it is not allowed by policy.http://support.citrix.com/kb/entry.jspa?externalID=CTX105762http://support.citrix.com/kb/entry.jspa?entryID=5970&categoryID=254 24041 1018077ThePoolClub (1) iPool and (2) iSnooker 1.6.81 and earlier stores usernames and passwords in cleartext in the MyDetails.txt file, which allows local users to gain privileges.128301013458101345914629ipool-mydetails-plaintext-password(19717)isnooker-mydetails-plaintext-password(19718)The internal_dump function in Mathopd before 1.5p5, and 1.6x before 1.6b6 BETA, when Mathopd is running with the -n option, allows local users to overwrite arbitrary files via a symlink attack on dump files that are triggered by a SIGWINCH signal.14524http://www.mail-archive.com/mathopd%40mathopd.org/msg00272.htmlBuffer overflow in LTris before 1.0.10 allows local users to execute arbitrary code via a crafted highscores file.http://lgames.sourceforge.net/index.php?action=show_news&news_action=show_item&item_id=108GLSA 200503-24http://bugs.gentoo.org/show_bug.cgi?id=8577014635OllyDbg 1.10 and earlier allows remote attackers to cause a denial of service (application crash) via a dynamic link library (DLL) with a long filename.20050319 OllyDbg long process Module debug Vulnerability128501013478ollydbg-long-filename-do(19750)Viewcat.php in (1) RUNCMS 1.1A, (2) Ciamos 0.9.2 RC1, e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allow remote attackers to obtain sensitive information via an invalid parameter to the convertorderbytrans function, which reveals the path in a PHP error message.20050319 Ciamos Installation path(IHS)20050318 runcms installation pathhttp://www.ihsteam.com/download/sections/runcms%20advisory%20-%20eng.pdf14641ciamos-viewcat-path-disclosure(19755)highlight.php in (1) RUNCMS 1.1A, (2) CIAMOS 0.9.2 RC1, (3) e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allows remote attackers to read arbitrary PHP files by specifying the pathname in the file parameter, as demonstrated by reading database configuration information from mainfile.php.20050318 runcms highlight.php hole20050319 Ciamos Highlight.php Security Hole(IHS)http://www.ihsteam.com/download/sections/runcms%20advisory%20-%20eng.pdfhttp://www.ihsteam.com/download/advisory/Exoops%20highlight%20hole.txt128481464814641ciamos-file-information-disclosure(19754)148901013485Cross-site scripting (XSS) vulnerability in setuser.php of the Digitanium addon to PHP-Fusion 5.01 allows remote attackers to inject arbitrary web script or HTML via the (1) user_name or (2) user_pass parameters.20050319 [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection20050319 Fw: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability20050319 Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html InjectionMultiple buffer overflows in Xzabite DYNDNSUpdate 0.6.15 and earlier, including the ipcheck function in dyndnsupdate.c, allow remote attackers who spoof a dyndns.org server to execute arbitrary code via unknown vectors.GLSA-200503-27http://bugs.gentoo.org/show_bug.cgi?id=8465914663PHP-Post allows remote attackers to spoof the names of other users by registering with a username containing hex-encoded characters.20050318 PHP-Post Exploit12845Cross-site scripting (XSS) vulnerability in PHP-Post before 0.33 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://www.php-post.co.uk/index.php?s=content&p=download12845Belkin 54G (F5D7130) wireless router allows remote attackers to access restricted resources by sniffing URIs from UPNP datagrams, then accessing those URIs, which do not require authentication.12846Belkin 54G (F5D7130) wireless router enables SNMP by default in a manner that allows remote attackers to obtain sensitive information.12846The SNMP service in the Belkin 54G (F5D7130) wireless router allows remote attackers to cause a denial of service via unknown vectors.12846Argument injection vulnerability in Java Web Start for J2SE 1.4.2 up to 1.4.2_06 allows untrusted applications to gain privileges via the value parameter of a property tag in a JNLP file.20050318 Java Web Start argument injection vulnerabilityhttp://jouko.iki.fi/adv/ws.html57740GLSA-200503-281284714640SUSE-SA:2005:032IceCast 2.20 allows remote attackers to bypass the XSL parser and obtain the source for XSL files via a request for a .xsl file with a trailing . (dot).20050318 IceCast up to v2.20 multiple vulnerabilities12849101347514644icecast-get-bypass-security(19760)Multiple buffer overflows in the XSL parser for IceCast 2.20 may allow attackers to cause a denial of service and possibly execute arbitrary code via (1) a long test value in an xsl:when tag, (2) a long test value in an xsl:if tag, or (3) a long select value in an xsl:value-of tag.20050318 IceCast up to v2.20 multiple vulnerabilities128491013475icecast-xsl-gain-pivileges(19753)Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line discipline for a TTY, which allows local users to gain privileges by injecting mouse or keyboard events into other user sessions.[linux-kernel] 20050301 Re: Breakage from patch: Only root should be able to set the N_MOUSE line discipline.http://linux.bkbits.net:8080/linux-2.6/cset@41fa6464E1UuGu6zmketEYxm73KSyQRHSA-2005:366FLSA:157459-3** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0706. Reason: This candidate is a duplicate of CVE-2005-0706. Notes: All CVE users should reference CVE-2005-0706 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.SQL injection vulnerability in (1) people.php, (2) track.php, (3) edit.php, (4) document.php, (5) census.php, (6) passthru.php and possibly other php files in phpMyFamily 1.4.0 allows remote attackers to execute arbitrary SQL commands, as demonstrated via (1) the person parameter to people.php or (2) the Login field.20050321 phpMyFamily 1.4.0 SQL vulnerabilities10134931286014642phpmyfamily-multiple-scripts-sql-injection(19787)Cross-site scripting (XSS) vulnerability in index.php in Kayako eSupport 2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) _i or (2) _c parameter.20050322 Kayako eSupport Cross Site Scripting13563CRLF injection vulnerability in search.php in Phorum 5.0.14a allows remote attackers to perform HTTP Response Splitting attacks via the body parameter, which is included in the resulting Location header.20050322 [ Positive Technologies #SA] Phorum 14680Nortel VPN client 5.01 stores the cleartext password in the memory or the Extranet.exe process, which could allow local users to obtain sensitive information.20050322 Nortel VPN Client Issue: Clear-text password stored in memoryhttp://www.nta-monitor.com/news/vpn-flaws/nortel/nortel-client/1013512nortel-contivity-information-disclosure(19791)Directory traversal vulnerability in the Webmail interface in SurgeMail 2.2g3 allows remote authenticated users to write arbritrary files or directories via a .. (dot dot) in the attach_id parameter.20050323 [SIG^2 G-TEC] SurgeMail Webmail Attachment Upload and XSShttp://www.security.org.sg/vuln/surgemail22g3.htmlhttp://netwinsite.com/cgi/dnewsweb.cgi?cmd=article&group=netwin.surgemail&item=8814&utag=14658Multiple cross-site scripting (XSS) vulnerabilities in the email auto-reply message in SurgeMail 2.2g3 allow remote attackers to inject arbitrary web script or HTML via the (1) message subject or (2) message header field.20050323 [SIG^2 G-TEC] SurgeMail Webmail Attachment Upload and XSShttp://www.security.org.sg/vuln/surgemail22g3.htmlhttp://netwinsite.com/cgi/dnewsweb.cgi?cmd=article&group=netwin.surgemail&item=8814&utag=14658Code Ocean FTP server 1.0 allows remote attackers to cause a denial of service via a large number of connections.http://www.milw0rm.com/id.php?id=8931466212859ocean-ftp-connection-dos(19777) 893Multiple games developed by FUN labs, including 4X4 Off-road Adventure III, Big Game Hunter, Dangerous Hunts, Deer Hunt, Revolution, Secret Service, Shadow Force, and US Most Wanted, allow remote attackers to cause a denial of service via an empty UDP packet to the server, which cannot detect that a new packet has arrived using the socket ioctl.101349214638funlabs-games-upd-dos(19762)Multiple games developed by FUN labs, including 4X4 Off-road Adventure III, Big Game Hunter, Dangerous Hunts, Deer Hunt, Revolution, Secret Service, Shadow Force, and US Most Wanted, allow remote attackers to cause a denial of service (crash from invalid memory access) via a malformed join packet with values that cause the server to copy more memory than was actually provided in the packet.101349214638FileZilla FTP server before 0.9.6 allows remote attackers to cause a denial of service via a request for a filename containing an MS-DOS device name such as CON, NUL, COM1, LPT1, and others.http://sourceforge.net/project/shownotes.php?group_id=21558&release_id=31447312865FileZilla FTP server before 0.9.6, when using MODE Z (zlib compression), allows remote attackers to cause a denial of service (infinite loop) via certain file uploads or directory listings.http://sourceforge.net/project/shownotes.php?group_id=21558&release_id=31447312865Microsoft Windows XP SP1 allows local users to cause a denial of service (system crash) via an empty datagram to a raw IP over IP socket (IP protocol 4), as originally demonstrated using code in Python 2.3.20050322 Possible windows+python bug12870betaparticle blog (bp blog) stores the database under the web root, which allows remote attackers to obtain sensitive information via a direct request to (1) dbBlogMX.mdb for versions before 3.0, or (2) Blog.mdb for versions 3.0 and later.1286114668betaparticle-web-root-information-disclosure(19779)betaparticle blog (bp blog), posisbly before version 4, allows remote attackers to bypass authentication and (1) upload files via a direct request to upload.asp or (2) delete files via a direct request to myFiles.asp.1286114668betaparticle-blog-authentication-bypass(19781)CoolForum 0.8.1 beta and earlier allows remote attackers to obtain sensitive path information via direct requests to (1) entete.php, (2) profile_accueil.php, (3) profile_mdp.php, (4) profile_notify.php, (5) profile_options.php, (6) profile_perso.php, (7) profile_pm.php, or (8) readannonce.php, which leaks the full pathname in a PHP error message.1013474CoolForum 0.8.1 beta and earlier allows remote attackers to manipulate SQL commands via certain requests to (1) alert.php or (2) viewip.php, possibly due to a SQL injection vulnerability.1013474Cross-site scripting (XSS) vulnerability in avatar.php for CoolForum 0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the img parameter.128521013474coolforum-avatar-xss(19758)Multiple SQL injection vulnerabilities in CoolForum 0.8 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the pseudo parameter to entete.php or (2) the login parameter to register.php.128521013474coolforum-adminentete-sql-injection(19759)coolforum-register-sql-injection(19761)PHP remote file inclusion vulnerability in CzarNews 1.13b allows remote attackers to execute arbitrary PHP code via the tpath parameter to (1) headlines.php or (2) news.php. NOTE: some sources have reported the "dir" parameter as being affected; however, this is likely a cut-and-paste error from the wrong section of the original vulnerability report. Also, the news.php version was later reported to be in 1.12 through 1.14.12857101348614670czarnews-multiple-scripts-file-include(19765)149251492618411czarnews-news-config-file-include(27733)PHP remote file inclusion vulnerability in TRG News Script 3.0 allows remote attackers to execute arbitrary PHP code via the dir parameter to (1) article.php, (2) authorall.php, (3) comment.php, (4) display.php, or (5) displayall.php.12855101348714669Multiple buffer overflows in DeleGate before 8.11.1 may allow attackers to cause a denial of service or execute arbitrary code, possibly due to "overflows on arrays."http://www.delegate.org/mail-lists/delegate-en/284014649delegate-bo(19775)Multiple PHP remote file inclusion vulnerabilities in PHPOpenChat 3.0.1 and earlier allow remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter to (1) poc_loginform.php or (2) phpbb/poc.php, the poc_root_path parameter to (3) phpbb/poc.php, (4) phpnuke/ENGLISH_poc.php, (5) phpnuke/poc.php, or (6) yabbse/poc.php, or (7) the sourcedir parameter to yabbse/poc.php.http://www.zone-h.org/advisories/read/id=731012817101343414600phpopenchat-file-include(19721)148071480814809 20070410 PhpOpenChat <= 3.0.1 (poc.php) Multiple Remote File Include VulnerabilitiesCross-site scripting (XSS) vulnerability in PHPOpenChat v3.x allows remote attackers to inject arbitrary web script or HTML via (1) the chatter parameter to regulars.php or (2) the chatter, chatter1, chatter2, chatter3, or chatter4 parameters to register.php.1284114651phpopenchat-regulars-register-xss(19748)The Boa web server, as used in Samsung ADSL Modem SMDK8947v1.2 and possibly other products, allows remote attackers to read arbitrary files via a full pathname in the HTTP request.http://exploitlabs.com/files/advisories/EXPL-A-2005-002-samsung-adsl.txthttp://zone-h.org/en/advisories/read/id=7339/12864Samsung ADSL Modem SMDK8947v1.2 uses default passwords for the (1) root, (2) admin, or (3) user users, which allows remote attackers to gain privileges via Telnet or an HTTP request to adsl.cgi.http://exploitlabs.com/files/advisories/EXPL-A-2005-002-samsung-adsl.txthttp://zone-h.org/en/advisories/read/id=7339/128641013615cdrecord before 4:2.0, when DEBUG is enabled, allows local users to overwrite arbitrary files via a symlink attack on temporary files.20050324 [USN-100-1] cdrecord vulnerabilityhttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291376USN-100-1Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel memory by writing to a sysfs file.SuSE-SA:2005:018RHSA-2005:366FLSA:157459-3AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft, and possibly other emulations, allows malicious AS/400 servers to execute arbitrary commands via a STRPCO (Start PC Organizer) command followed by STRPCCMD (Start PC command), as demonstrated by creating a backdoor account using REXEC.20050323 Backdoors in AS/400 emulations allow the server to attack connected PC workstationshttp://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdfphpSysInfo 2.3 allows remote attackers to obtain sensitive information via a direct request to (1) class.OpenBSD.inc.php, (2) class.NetBSD.inc.php, (3) class.FreeBSD.inc.php, (4) class.Darwin.inc.php, (5) XPath.class.php, (6) system_header.php, or (7) system_footer.php, which reveal the path in a PHP error message.20050323 [SECURITYREASON.COM] phpSysInfo 2.3 Multiple vulnerabilities14690phpsysinfo-path-disclosure(19808)Multiple cross-site scripting (XSS) vulnerabilities in phpSysInfo 2.3, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) sensor_program parameter to index.php, (2) text[language], (3) text[template], or (4) hide_picklist parameter to system_footer.php.20050323 [SECURITYREASON.COM] phpSysInfo 2.3 Multiple vulnerabilities14690phpsysinfo-sensor-program-xss(19807)DSA-724DSA-89820051115 Advisory 22/2005: Multiple vulnerabilities in phpSysInfoDSA-899MDKSA-2005:21215414DSA-897176161764312887MDKSA-2005:212calendar_scheduler.php in Topic Calendar 1.0.1 module for phpBB, when running on a Microsoft IIS server, allows remote attackers to obtain sensitive information via invalid parameters, which reveal the path in an error message.20050324 Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBBhttp://www.securitytracker.com/alerts/2005/Mar/1013554.html14659topic-calendar-path-disclosure(19824)1013554Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter.http://www.securitytracker.com/alerts/2005/Mar/1013554.html14659topic-calendar-start-xss(19821)101355420050324 Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBBMultiple cross-site scripting (XSS) vulnerabilities in test.jsp in Oracle Reports Server 10g (9.0.4.3.3) allow remote attackers to inject arbitrary web script or HTML via the (1) desname or (2) repprod parameter.20050324 Oracle Reports Server 10g Vulnerable to XSS12892TA05-292AVU#2105241513417250Multiple buffer overflows in the (1) AIM, (2) MSN, (3) RSS, and other plug-ins for Trillian 2.0 allow remote web servers to cause a denial of service (application crash) via a long string in an HTTP 1.1 response header.20050324 LogicLibrary BugScan VSR,Trillian 2.0, 3.0 and 3.114689150041013557Multiple buffer overflows in the Yahoo plug-in for Trillian 2.0, 3.0, and 3.1 allow remote web servers to cause a denial of service (application crash) via a long string in an HTTP 1.1 response header.20050324 LogicLibrary BugScan VSR,Trillian 2.0, 3.0 and 3.114689Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers to execute arbitrary code via the DHCP lease file.http://www.thekelleys.org.uk/dnsmasq/CHANGELOG1289714691dnsmasq-dhcp-offbyone-bo(19825)Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq.http://www.thekelleys.org.uk/dnsmasq/CHANGELOG1289714691dnsmasq-dns-cache-poisoning(19826)Cross-site scripting (XSS) vulnerability in MercuryBoard before 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the title field of a PM (private message).1287214679mercuryboard-title-pm-xss(19797)PHP remote file include vulnerability in (1) content.php and (2) index.php for Vortex Portal allows remote attackers to execute arbitrary PHP code via a URL in the act parameter.20050323 Vortex Portal1287814707vortexportal-act-file-include(19809)14958149591013545content.php in Vortex Portal allows remote attackers to obtain sensitive information via an invalid act parameter, which leaks the full pathname in a PHP error message.20050323 Vortex Portalvortex-portal-path-disclosure(19811)Cross-site scripting (XSS) vulnerability in articles.newcomment for Interspire ArticleLive 2005 allows remote attackers to inject arbitrary web script or HTML via the Articleld parameter.20050323 Interspire ArticleLive 2005 (php version) is vulnerable to XSS1287914708articlelive-articleid-xss(19817)20050823 Re: Interspire ArticleLive 2005 (php version) is vulnerable to XSSSQL injection vulnerability in admincore.php in BirdBlog before 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) userid or (2) userpw parameters.http://birdblog.sourceforge.net/ChangeLoghttp://cvs.sourceforge.net/viewcvs.py/birdblog/birdblog/admin/admincore.php?r1=1.4&r2=1.5http://securitytracker.com/id?10135481288014676birdblog-admincore-sql-injection(19799)Multiple cross-site scripting (XSS) vulnerabilities in base.php for DigitalHive 2.0 allow remote attackers to inject arbitrary web script or HTML via (1) the mt parameter to the membres.php page or (2) the -afs-1- query string to the msg.php page.http://securitytracker.com/id?10135161288314702digitalhive-basephp-xss(19803)DigitalHive 2.0 allows remote attackers to re-install the product by directly accessing the install script.http://securitytracker.com/id?1013516digitalhive-reinstall(19802)Multiple cross-site scripting (XSS) vulnerabilities in XMB Forum 1.9.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Mood or (2) "Send To" fields.http://securitytracker.com/id?101351512886Cross-site scripting (XSS) vulnerability in Invision Power Board 2.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via an HTTP POST request.12888Eval injection vulnerability in Double Choco Latte before 0.9.4.3 allows remote attackers to execute arbitrary PHP code via the menuAction variable in (1) functions.inc.php or (2) main.php, which causes code to be injected into an eval statement.http://sourceforge.net/project/shownotes.php?release_id=315144http://securitytracker.com/id?101355914688dcl-file-include(19806)Multiple cross-site scripting (XSS) vulnerabilities in functions.inc.php for Double Choco Latte 0.9.4.3 allow remote attackers to inject arbitrary web script or HTML via the (1) class or (2) method name.http://sourceforge.net/project/shownotes.php?release_id=315160http://securitytracker.com/id?101355914688dcl-xss(19805)Cross-site scripting (XSS) vulnerability in index.php for Dream4 Koobi CMS 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the area parameter.http://securitytracker.com/id?101355812895SQL injection vulnerability in Dream4 Koobi CMS 4.2.3 allows remote attackers to execute arbitrary SQL commands via the area parameter.http://securitytracker.com/id?10135581289614696Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image.RHSA-2005:344FLSA-2005:155510MDKSA-2005:21417657RHSA-2005:343CLSA-2005:95812950MDKSA-2005:214Buffer overflow in smail 3.2.0.120 allows remote attackers or local users to execute arbitrary code via a long string in the MAIL FROM command and possibly other SMTP commands.20050325 smail remote and local root holesDSA-722modes.c in smail 3.2.0.120 implements signal handlers with certain unsafe library calls, which may allow attackers to execute arbitrary code via signal handler race conditions, possibly using xmalloc.20050325 smail remote and local root holesOpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp.20050325 RX250305 - OpenMosixView : Multiple Race conditions - advisory and exploit1290214693Netcomm 1300NB DSL Modem allows remote attackers to cause a denial of service (device hang) via a large number of ping packets.20050325 Netcomm 1300NB DSL Modem Denial of Service12901Multiple cross-site scripting (XSS) vulnerabilities in review.php in phpMyDirectory 10.1.3-rel allow remote attackers to inject arbitrary web script or HTML via the (1) subcat, (2) page, or (3) subsubcat parameter.20050325 phpMyDirectory 10.1.3-rel Cross site scripting1290014692PHP remote file inclusion vulnerability in catalog.php in E-Store Kit-2 PayPal Edition allows remote attackers to execute arbitrary PHP code by modifying the menu and main parameters to reference a URL on a remote web server that contains the code.20050325 File inclusion and XSS vulnerability in E-Store Kit-2 PayPal Edition12910Cross-site scripting (XSS) vulnerability in downloadform.php in E-Store Kit-2 PayPal Edition allows remote attackers to inject arbitrary web script or HTML via the txn_id parameter.20050325 File inclusion and XSS vulnerability in E-Store Kit-2 PayPal Edition12909AS/400 running OS400 5.2 installs and enables LDAP by default, which allows remote authenticated users to obtain OS/400 user profiles by performing a search.20050325 AS/400 LDAP user accounts disclosuremarks.php in NukeBookmarks 0.6 for PHP-Nuke allows remote attackers to obtain sensitive information via an invalid (1) file or (2) category parameter, which reveal the path in an error message.20050325 ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6http://zone-h.org/advisories/read/id=7356http://nukebookmarks.sourceforge.net/Multiple cross-site scripting (XSS) vulnerabilities in NukeBookmarks 0.6 for PHP-Nuke allow remote attackers to inject arbitrary web script or HTML via the (1) catname, (2) markname, (3) comment, or (4) category parameter.20050325 ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6http://zone-h.org/advisories/read/id=7356http://nukebookmarks.sourceforge.net/SQL injection vulnerability in marks.php in NukeBookmarks 0.6 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the category parameter.20050325 ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6http://zone-h.org/advisories/read/id=7356http://nukebookmarks.sourceforge.net/Buffer overflow in QuickTime PictureViewer 6.5.1 allows remote attackers to cause a denial of service (application crash) via a JPEG file with crafted Huffman Table (marker DHT) data.20050326 QuickTime malformed JPEG buffer overflow12905Remote Desktop in Windows XP SP1 does not verify the "Force shutdown from a remote system" setting, which allows remote attackers to shut down the system by executing TSShutdn.exe.http://securitytracker.com/id?1013552889323windows-desktop-tsshutdnexe-dos(19819)Maxthon 1.2.0 allows remote malicious web sites to obtain potentially sensitive data from the search bar via the m2_search_text property.http://www.raffon.net/advisories/maxthon/searchbarid.htmlhttp://forum.maxthon.com/forum/index.php?showtopic=18207128981471220050325 Maxthon browser search bar information disclosureBuffer overflow in a player logging function in the Tincat network library 2.x before 2.0.28, as used in games such as Sacred and The Settlers: Heritage of Kings, allows remote attackers to execute arbitrary code.20050328 Buffer-overflow in Tincat 2 minor than 2.0.28 (Sacred, Settlers 5 and others)129121476214767Multiple SQL injection vulnerabilities in Valdersoft Shopping Cart 3.0 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to category.php, (2) the id parameter to item.php, (3) the lang parameter to index.php, (4) the searchQuery parameter to search_result.php, (5) or the searchTopCategoryID parameter to search_result.php.http://securitytracker.com/id?101356520050327 Multiple sql injection, and xss vulnerabilities in Vladersoft Shopping Cart v.3.0Multiple cross-site scripting (XSS) vulnerabilities in Valdersoft Shopping Cart 3.0 allow remote attackers to inject arbitrary web script or HTML via (1) the lang parameter to index.php or (2) the searchTopCategoryID parameter to search_result.php.http://securitytracker.com/id?101356520050327 Multiple sql injection, and xss vulnerabilities in Vladersoft Shopping Cart v.3.0PHP remote file inclusion vulnerability in shoutact.php for TKai's Shoutbox allows remote attackers to execute arbitrary PHP code via the query parameter.20050328 THai's Shoutbox correction name12914Multiple cross-site scripting (XSS) vulnerabilities in exoops allow remote attackers to inject arbitrary web script or HTML via (1) the sortdays parameter to viewforum.php or (2) the viewcat parameter to index.php.http://securitytracker.com/id?1013566Multiple SQL injection vulnerabilities in exoops may allow remote attackers to execute arbitrary SQL commands via (1) the viewcat parameter to index.php or (2) the artid parameter in the viewarticle action for index.php.http://securitytracker.com/id?1013566Unknown vulnerabilities in deplate before 0.7.2 have unknown impact, possibly involving elements.rb.http://securitytracker.com/id?1013555http://sourceforge.net/project/shownotes.php?release_id=315034Unknown vulnerability in the regex_replace modifier (modifier.regex_replace.php) in Smarty before 2.6.8 allows attackers to execute arbitrary PHP code.http://news.php.net/php.smarty.dev/2673http://securitytracker.com/id?1013556GLSA-200503-351294114729smarty-regexreplace-security-bpass(19880)Multiple cross-site scripting (XSS) vulnerabilities in CPG Dragonfly 9.0.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) the profile parameter to index.php or (2) the cat parameter.http://security.talte.net/content/view/252/46/http://securitytracker.com/id?1013573Webmasters-Debutants WD Guestbook 2.8 allows remote attackers to bypass authentication and perform certain administrator actions via a direct HTTP POST request to (1) ajout_admin2.php or (2) suppr.php.http://securitytracker.com/id?1013570AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail.http://groups-beta.google.com/group/linux.kernel/browse_thread/thread/13b43bd5783842f6/7ce3c5a514a497ab?q=io_queue_init&rnum=3#7ce3c5a514a497abhttp://linux.bkbits.net:8080/linux-2.6/cset%404248c8c0es30_4YVdwa6vteKi7h_nw2005:05012987PHP remote file inclusion vulnerability in index_header.php for EncapsBB 0.3.2_fixed, and possibly other versions, allows remote attackers to execute arbitrary PHP code via the root parameter.http://securitytracker.com/id?10135691476115078The NPSVG3.dll ActiveX control for Adobe SVG Viewer 3.02 and earlier, when running on Internet Explorer, allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not.http://www.hyperdose.com/advisories/H2005-07.txthttp://www.adobe.com/support/techdocs/323585.html152551013890Adventia Chat 3.1 and Server Pro 3.0 allows remote attackers to inject arbitrary web script or HTML into the chat space, which leaves other users vulnerable to cross-site scripting (XSS) attacks.20050329 Adventia Chathttp://exploitlabs.com/files/advisories/EXPL-A-2005-003-adventiachat.txthttp://securitytracker.com/id?1013588129271294015156adventia-chat-field-xss(21317)Multiple SQL injection vulnerabilities in Bugtracker.NET 2.0.1 allow remote attackers to execute arbitrary SQL commands via unknown vectors.http://sourceforge.net/project/shownotes.php?release_id=31583012925Microsoft Outlook 2002 Connector for IBM Lotus Domino 2.0 allows local users to save passwords and login credentials locally, even when password caching is disabled by a group policy.89609312913Unknown vulnerability in the Auto-Protect module in Symantec Norton AntiVirus 2004 and 2005, as also used in Internet Security 2004/2005 and System Works 2004/2005, allows attackers to cause a denial of service (system hang or crash) by triggering a scan of a certain file type.http://securityresponse.symantec.com/avcenter/security/Content/2005.03.28.htmlhttp://securitytracker.com/id?1013585http://securitytracker.com/id?1013586http://securitytracker.com/id?101358714741VU#14602012923The SmartScan feature in the Auto-Protect module for Symantec Norton AntiVirus 2004 and 2005, as also used in Internet Security 2004/2005 and System Works 2004/2005, allows attackers to cause a denial of service (CPU consumption and system crash) by renaming a file on a network share.http://securityresponse.symantec.com/avcenter/security/Content/2005.03.28.htmlhttp://securitytracker.com/id?1013585http://securitytracker.com/id?1013586http://securitytracker.com/id?101358714741VU#71362012924Cross-site scripting (XSS) vulnerability in Adventia E-Data 2.0 allows remote attackers to inject arbitrary web script or HTML via a query keyword.20050329 E-Datahttp://exploitlabs.com/files/advisories/EXPL-A-2005-004-edata.txthttp://securitytracker.com/id?10135891473912927edata-new-user-xss(19889)Cross-site scripting (XSS) vulnerability in login.asp for Ublog Reload 1.0 through 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the msg parameter.1293120050329 [PersianHacker.NET 200503-11]Ublog reload 1.0.4 and priorhttp://www.persianhacker.net/news/news-2945.html10136031472515121Buffer overflow in Sylpheed before 1.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attachments with MIME-encoded file names.http://sylpheed.good-day.net/changelog.html.enSylpheed MIME attachment buffer overflowUnknown vulnerability in subs.pl for WebAPP 0.9.9 through 0.9.9.2 has unknown impact and attack vectors, probably involving shell metacharacters or .. sequences.http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=195http://sourceforge.net/project/shownotes.php?release_id=31603814716Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 5.x allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) password, (3) ppuser, (4) sort, or (5) si parameters to showgallery.php, the (6) ppuser, (7) sort, or (8) si parameters to showmembers.php, or (9) the photo parameter to slideshow.php.http://securitytracker.com/id?10135811474220050328 Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software.150961509715098SQL injection vulnerability in PhotoPost PHP Pro 5.x may allow remote attackers to execute arbitrary SQL commands via (1) the sl parameter to showmembers.php or (2) the photo parameter to showphoto.php.http://securitytracker.com/id?10135811474220050328 Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software.20050328 Re: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software.1509915100Cross-site scripting (XSS) vulnerability in message.php in Chatness 2.5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) the user field or (2) the message parameter to message.php.20050329 [PersianHacker.NET 200503-12]Chatness 2.5.1 and prior XSS Vulnerabilities12929http://www.persianhacker.net/news/news-2946.html1013604PHP remote file inclusion vulnerability in The Includer 1.0 and 1.1 allows remote attackers to execute arbitrary PHP code.12926Multiple SQL injection vulnerabilities in phpCOIN 1.2.1b and earlier allow remote attackers to execute arbitrary SQL commands (1) via the search engine, (2) the username or email fields in the "forgotten password" feature, or (3) the domain name in a package order.http://www.gulftech.org/?node=research&article_id=00065-0329200512917http://www.gulftech.org/?node=research&article_id=00065-03292005Directory traversal vulnerability in auxpage.php for phpCOIN 1.2.1b and earlier allows remote attackers to read arbitrary files via the page parameter.http://www.gulftech.org/?node=research&article_id=00065-0329200512917http://www.gulftech.org/?node=research&article_id=00065-03292005Multiple cross-site scripting (XSS) vulnerabilities in WackoWiki R4 allow remote attackers to inject arbitrary web script or HTML via unknown vectors.http://wackowiki.com/WackoDownload/InEnglish#h4828-414720Multiple SQL injection vulnerabilities in ESMI PayPal Storefront allow remote attackers to execute arbitrary SQL commands via the (1) idpages parameter to pages.php or the (2) id2 parameter to products1.php.http://www.hackerscenter.com/Archive/view.asp?id=1774http://securitytracker.com/id?1013563129031471120050330 Multiple sql injection, and xss vulnerabilities in Pay pal Storefront1505715058Cross-site scripting vulnerability in products1h.php in ESMI PayPal Storefront allows remote attackers to inject arbitrary web script or HTML via the id parameter.http://www.hackerscenter.com/Archive/view.asp?id=1774http://securitytracker.com/id?1013563129041471120050330 Multiple sql injection, and xss vulnerabilities in Pay pal Storefront15059Some futex functions in futex.c for Linux kernel 2.6.x perform get_user calls while holding the mmap_sem semaphore, which could allow local users to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions.http://lkml.org/lkml/2005/2/22/123http://linux.bkbits.net:8080/linux-2.6/cset@421cfc11zFsK9gxvSJ2t__FCmuUd3QFLSA:157459-3RHSA-2005:420Ublog Reload 1.0 through 1.0.4 stores ublogreload.mdb under the web root, which allows remote attackers to read usernames and hashed passwords via a direct request to ublogreload.mdb.20050329 [PersianHacker.NET 200503-11]Ublog reload 1.0.4 and priorhttp://securitytracker.com/id?101360314725** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0490. Reason: This candidate was inadvertently referenced in a vendor advisory due to a typo. Notes: All CVE users should reference CVE-2005-0490 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The StgCompObjStream::Load function in OpenOffice.org OpenOffice 1.1.4 and earlier allocates memory based on 16 bit length values, but process memory using 32 bit values, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a DOC document with certain length values, which leads to a heap-based buffer overflow.20050412 OpenOffice DOC document Heap Overflowhttp://www.openoffice.org/issues/show_bug.cgi?id=46388GLSA-200504-13RHSA-2005:37513092SUSE-SR:2005:02117027The XP Server process (xp_server) in Sybase Adaptive Server Enterprise (ASE) XP Server 12.x before 12.5.3 ESD#1 allows attackers to cause a denial of service (process crash) via malformed data sent to the XP Server TCP port.20041222 Sybase ASE 12.5.2 vulnerabilities20050321 Details of Sybase ASE bugs withheldhttp://www.sybase.com/detail?id=1034520http://www.sybase.com/detail?id=10347521208013632sybase-adaptive-server(19354)20050405 Sybase ASE Multiple Security Issues (#NISR05042005)http://www.ngssoftware.com/advisories/sybase-ase.txtCisco VPN 3000 series Concentrator running firmware 4.1.7.A and earlier allows remote attackers to cause a denial of service (device reload or drop user connection) via a crafted HTTPS packet.20050330 Cisco VPN 3000 Concentrator Vulnerable to Crafted SSL Attack1294814784cisco-vpn-3000-dos(19903)Unknown vulnerability in Microsoft Jet DB engine (msjet40.dll) 4.00.8618.0, related to insufficient data validation, allows remote attackers to execute arbitrary code via a crafted mdb file.20050331 [HV-HIGH] Microsoft Jet DB engine vulnerabilitieshttp://www.hexview.com/docs/20050331-1.txtVU#17638020060804 Will Microsoft patch remarkable old Msjet40.dll issue?20060808 Re: Will Microsoft patch remarkable old Msjet40.dll issue?Cross-site scripting (XSS) vulnerability in ACS Blog 1.1.1 allows remote attackers to inject arbitrary web script or HTML via onmouseover or onload events in (1) img, (2) link, or (3) mail tags.20050328 Multiple XSS vulnerabilities in ACS Bloghttp://www.securitytracker.com/alerts/2005/Mar/1013584.html14744acsblog-tags-xss(19864)1013584SQL injection vulnerability in phpCoin 1.2.1b and earlier allows remote attackers to execute arbitrary SQL commands via the (1) term/keywords field on the search page, (2) username or (3) e-mail field on the forgot password page, or (4) domain name on the ordering new package page.20050329 Multiple phpCoin Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00065-032920051291720050329 Multiple phpCoin Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00065-03292005Directory traversal vulnerability in auxpage.php in phpCoin 1.2.1b and earlier allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the page parameter.20050329 Multiple phpCoin Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00065-0329200512917phpcoin-auxpage-file-include(19896)20050329 Multiple phpCoin Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00065-03292005SQL injection vulnerability in ad_click.asp for PortalApp allows remote attackers to execute arbitrary SQL commands via the banner_id parameter.20050329 Multiple sql injection, and xss vulnerabilities in PortalApphttp://securitytracker.com/id?10135911293614749portalapp-adclick-sql-injection(19892)Multiple cross-site scripting (XSS) vulnerabilities in content.asp in Iatek PortalApp allow remote attackers to inject arbitrary web script or HTML via the (1) contenttype or (2) keywords parameter.20050329 Multiple sql injection, and xss vulnerabilities in PortalApp1293614749portalapp-contentasp-xss(19891)1013591Directory traversal vulnerability in FastStone 4in1 Browser 1.2 allows remote attackers to read arbitrary files via a (1) ... (triple dot) or (2) ..\ (dot dot backslash) in the URL.20050329 directory traversal in FastStone 4in1 Browser 1.2http://www.autistici.org/fdonato/advisory/FastStone4in1Browser1.2-adv.txthttp://www.securitytracker.com/alerts/2005/Mar/1013596.html1293714743faststone-dotdot-directory-traversal(19900)1013596** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: this candidate was created as a result of an analysis error for a researcher advisory for an issue that already existed. It stated an incorrect parameter, which was not part of the vulnerability at all. Notes: CVE users should not reference this candidate at all.Cross-site scripting vulnerability in pafiledb.php in PaFileDB 3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.20050330 PaFileDB Version 3.1 and below are exploitable via a XSS and a SQL injection vulnerability20061008 XSS IN paFileDB 3.1 pafiledb-action-xss(29394)Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete.20050330 bzip2 TOCTOU file-permissions vulnerability12954bzip2-toctou-symlink(19926)DSA-730OVAL1154FLSA:158801MDKSA-2006:026RHSA-2005:47420060301-01-U19183oval:org.mitre.oval:def:1154OpenPKG-SA-2007.002APPLE-SA-2007-11-14MDKSA-2006:026103118TA07-319A26444ADV-2007-3525ADV-2007-38682727427643200191NetBSD-SA2008-00429940Windows Explorer and Internet Explorer in Windows 2000 SP1 allows remote attackers to cause a denial of service (CPU consumption) via a malformed Windows Metafile (WMF) file.20050331 WindowsXP malformed .wmf files DoShttp://www.securiteam.com/windowsntfocus/5CP081FFFY.html9892winxp-explorer-wmf-dos(15507)SQL injection vulnerability in InterAKT MX Shop 1.1.1 allows remote attackers to execute arbitrary SQL commands via the id_ctg parameter.20050331 MX Shop 1.1.1 and MX Kart 1.1.2 are vulnerable to multiple SQL injection vulnerabilities1479312957Multiple SQL injection vulnerabilities in index.php in InterAKT MX Kart 1.1.2 allow remote attackers to execute arbitrary SQL commands via the (1) idp, (2) id_ctg, or (3) id_man parameter.20050331 MX Shop 1.1.1 and MX Kart 1.1.2 are vulnerable to multiple SQL injection vulnerabilities14793Bay Technical Associates RPC-3 Telnet Host 3.05 allows remote attackers to bypass authentication by pressing the escape and enter keys at the username prompt.20050331 Bay Technical Associates telnet server logon bypass12955rpc3-logon-bypass-authentication(19921)Format string vulnerability in the log_do function in log.c for YepYep mtftpd 0.0.3, when the statistics option is enabled, allows remote attackers to execute arbitrary code via the CWD command.http://unl0ck.org/files/papers/mtftpd.txthttp://www.securiteam.com/exploits/5KP0W0AF5K.htmlhttp://www.tripbit.org/advisories/TA-040305.txt12947Buffer overflow in the mt_do_dir function in YepYep mtftpd 0.0.3 may allow attackers to execute arbitrary code via a long path.12947Multiple vulnerabilities in the SACK functionality in (1) tcp_input.c and (2) tcp_usrreq.c OpenBSD 3.5 and 3.6 allow remote attackers to cause a denial of service (memory exhaustion or system crash).20050330 [3.6] 013: RELIABILITY FIX: March 30, 200520050330 [3.5] 030: RELIABILITY FIX: March 30, 2005http://securitytracker.com/id?101361112951Cross-site scripting (XSS) vulnerability in Horde 3.0.4 before 3.0.4-RC2 allows remote attackers to inject arbitrary web script or HTML via the parent frame title.http://lists.horde.org/archives/announce/2005/000176.htmlhttp://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.49&r2=1.515.2.93&ty=h14730SUSE-SR:2005:016SQL injection vulnerability in index.php for Lighthouse Squirrelcart allows remote attackers to execute arbitrary SQL commands via the (1) crn parameter in a show action or (2) rn parameter in a show_detail action.1294414770squirrelcart-index-sql-injection(19904)An error in the Toshiba ACPI BIOS 1.6 causes the BIOS to only examine the first slot in the Master Boot Record (MBR) table for an active partition, which prevents the system from booting even though the MBR is not malformed. NOTE: it has been debated as to whether or not this issue poses a security vulnerability, since administrative privileges would be required, and other DoS attacks are possible with such privileges.20050329 Portcullis Security Advisory 05-011 ACPI 1.6 BIOS20050331 Re: Portcullis Security Advisory 05-011 ACPI 1.6 BIOS20050331 RE: Portcullis Security Advisory 05-011 ACPI 1.6 BIOStoshiba-acpi-bios-dos(19895)Unknown vulnerability in Kerio Personal Firewall 4.1.2 and earlier allows local users to bypass firewall rules via a malicious process that impersonates a legitimate process that has fewer restrictions.http://www.kerio.com/security_advisory.html#0503http://securitytracker.com/id?10136071294614717kerio-firewall-rule-security-bypass(19893)The gaim_markup_strip_html function in Gaim 1.2.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a string that contains malformed HTML, which causes an out-of-bounds read.20050401 multiple remote denial of service vulnerabilities in Gaimhttp://gaim.sourceforge.net/security/index.php?id=13MDKSA-2005:07114815FLSA:158543RHSA-2005:36512999SUSE-SA:2005:036MDKSA-2005:071The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, allows (1) remote attackers to inject arbitrary Gaim markup via irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote attackers to inject arbitrary Pango markup and pop up empty dialog boxes via irc_msg_invite, or (3) malicious IRC servers to cause a denial of service (application crash) by injecting certain Pango markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown, irc_msg_nochan functions.20050401 multiple remote denial of service vulnerabilities in Gaimhttp://sourceforge.net/project/shownotes.php?group_id=235&release_id=317750gaim-irc-plugin-bo(19937)gaim-ircmsginvite-dos(19939)http://gaim.sourceforge.net/security/index.php?id=14MDKSA-2005:07114815FLSA:158543RHSA-2005:36513003SUSE-SA:2005:036MDKSA-2005:071Gaim 1.2.0 allows remote attackers to cause a denial of service (application crash) via a malformed file transfer request to a Jabber user, which leads to an out-of-bounds read.http://gaim.sourceforge.net/security/?id=15http://sourceforge.net/tracker/?func=detail&aid=1172115&group_id=235&atid=100235101364514815MDKSA-2005:071FLSA:158543RHSA-2005:36513004SUSE-SA:2005:036MDKSA-2005:071Computer Associates (CA) eTrust Intrusion Detection 3.0 allows remote attackers to cause a denial of service via large size values that are not properly validated before calling the CPImportKey function in the Crypto API.20050405 Computer Associates eTrust Intrusion Detection System CPImportKey DoS VulnerabilityHeap-based buffer overflow in the syscall emulation functionality in Mac OS X before 10.3.9 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via crafted parameters.APPLE-SA-2005-04-15Mac OS X 10.3.9 and earlier allows users to install, create, and execute setuid/setgid scripts, contrary to the the intended design, which may allow attackers to conduct unauthorized activities with escalated privileges via vulnerable scripts.APPLE-SA-2005-04-15Stack-based buffer overflow in the semop system call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments.APPLE-SA-2005-04-15VU#212190Integer overflow in the searchfs system call in Mac OS X 10.3.9 and earlier allows local users to execute arbitrary code via crafted parameters.APPLE-SA-2005-04-15VU#185702Unknown vulnerability in the setsockopt system call in Mac OS X 10.3.9 and earlier allows local users to cause a denial of service (memory exhaustion) via crafted arguments.APPLE-SA-2005-04-15Unknown vulnerability in the nfs_mount call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments.APPLE-SA-2005-04-15VU#713614APPLE-SA-2005-05-19Integer signedness error in the parse_machfile function in the mach-o loader (mach_loader.c) for the Darwin Kernel as used in Mac OS X 10.3.7, and other versions before 10.3.9, allows local users to cause a denial of service (CPU consumption) via a crafted mach-o header.20050119 Darwin Kernel Vulnerabilityhttp://felinemenace.org/advisories/macosx.txtAPPLE-SA-2005-04-15P-185http://www.frsirt.com/english/advisories/2005/0041123141012941101373513902macos-machloader-dos(18979)AppleWebKit (WebCore and WebKit), as used in multiple products such as Safari 1.2 and OmniGroup OmniWeb 5.1, allows remote attackers to read arbitrary files via the XMLHttpRequest Javascript component, as demonstrated using automatically mounted disk images and file:// URLs.http://remahl.se/david/vuln/001/APPLE-SA-2005-04-15The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel 2.6 does not properly verify the address argument, which allows local users to cause a denial of service (kernel crash) via an invalid address.20050401 [USN-103-1] Linux kernel vulnerabilitieshttp://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsghttp://lkml.org/lkml/2005/2/5/11112970USN-103-1RHSA-2005:366FLSA:157459-3Directory traversal vulnerability in the Object Push service in IVT BlueSoleil 1.4 allows remote attackers to upload arbitrary files via a .. (dot dot) in a PUSH command.20050401 DMA[2005-0401a] - 'IVT BlueSoleil Directory Transversal'http://www.digitalmunition.com/DMA%5B2005-0401a%5D.txt1296114790bluesoleil-object-push-directory-traversal(19930)Multiple buffer overflows in RUMBA 7.3 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted values in a profile file, as demonstrated using a long SysName field.20050401 Buffer Overflow within the RUMBA product12965rumba-profile-values-bo(19934)PHP remote file inclusion vulnerability in index.php in AlstraSoft EPay Pro 2.0 allows remote attackers to execute arbitrary PHP code by modifying the view parameter to reference a URL on a remote web server that contains the code.20050402 AlstraSoft EPay Pro v2.0 has file include and multiple xss1297314802Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft EPay Pro 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) payment or (2) send parameter.20050402 AlstraSoft EPay Pro v2.0 has file include and multiple xss1297414802Multiple cross-site scripting (XSS) vulnerabilities in Yet Another Forum.net 0.9.9 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) location, or (3) Subject field.20050402 Yet Another Forum.net XSS vulnerabilities1013632Quake 3 engine, as used in multiple games, allows remote attackers to cause a denial of service (client disconnect) via a long message, which is not properly truncated and causes the engine to process the remaining data as if it were network data.BUGFIX: Oversize server commands129761481120050402 In-game players kicking in the Quake 3 engineBuffer overflow in the G_Printf function in Star Wars Jedi Knight: Jedi Academy 1.011 and earlier allows remote attackers to execute arbitrary code via a long message using commands such as (1) say and (2) tell.129771480920050402 In-game server buffer-overflow in Jedi Academy 1.011Unspecified vulnerability in the Mac OS X kernel before 10.3.8 allows local users to cause a denial of service (temporary hang) via unspecified attack vectors related to the fan control unit (FCU) driver.NLSCCSTR.DLL in the web service in IBM Lotus Domino Server 6.5.1, 6.0.3, and possibly other versions allows remote attackers to cause a denial of service (deep recursion and nHTTP.exe process crash) via a long GET request containing UNICODE decimal value 430 characters, which causes the stack to be exhausted. NOTE: IBM has reported that it is unable to replicate this issue.20050406 IBM Lotus Domino Server Web Service DoS Vulnerabilityhttp://www-1.ibm.com/support/docview.wss?uid=swg21202446http://news.zdnet.co.uk/software/applications/0,39020384,39194293,00.htm14858ADV-2005-0322Unknown vulnerability in IRC Services NickServ LISTLINKS before 5.0.50 allows remote attackers to obtain the links of a nick.1013622http://www.ircservices.esper.net/Changes.txtRace condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete.20050404 gzip TOCTOU file-permissions vulnerability12996DSA-752OVAL1169SCOSA-2005.5818100RHSA-2005:357101816APPLE-SA-2006-08-0121253ADV-2006-31011548719289SSA:2006-26222033oval:org.mitre.oval:def:1169oval:org.mitre.oval:def:765TA06-214AThe find_replen function in jsstr.c in the the Javascript engine for Mozilla Suite 1.7.6, Firefox 1.0.1 and 1.0.2, and Netscape 7.2 allows remote attackers to read portions of heap memory in a Javascript string via the lambda replace method.https://bugzilla.mozilla.org/show_bug.cgi?id=2886881482014821http://www.mozilla.org/security/announce/mfsa2005-33.htmlGLSA-200504-18RHSA-2005:383RHSA-2005:38610136351013643OVAL100025SCOSA-2005.4915495RHSA-2005:384RHSA-2005:60112988SUSE-SA:2006:02219823oval:org.mitre.oval:def:100025unshar (unshar.c) in sharutils 4.2.1 allows local users to overwrite arbitrary files via a symlink attack on the unsh.X temporary file.20050404 [USN-104-1] unshar vulnerability302412: exploitable temporary file race in unshar8459RHSA-2005:377sharutils-temp-file-symlink(19957)USN-104-1RC.BOOT in IBM AIX 5.1, 5.2, and 5.3 does not "use a secure location for temporary files," which allows local users to have an unknown impact, probably by overwriting files.IY59205IY59206IY5920712992Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter.http://www.arrelnet.com/advisories/adv20050403.htmlhttp://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-31298214799phpmyadmin-convcharset-xss(19940)20050404 phpMyAdmin Cross-site Scripting VulnerabilityGLSA-200504-08Buffer overflow in nwprint in SCO OpenServer 5.0.7 allows local users to execute arbitrary code via a long command line argument.20050404 possible privilege escalation on Sco OpenServer 5.0.712986Multiple SQL injection vulnerabilities in ProductCart 2.7 allow remote attackers to execute arbitrary SQL commands via (1) the Category or resultCnt parameters to advSearch_h.asp, and possibly (2) the offset parameter to tarinasworld_butterflyjournal.asp. NOTE: it is possible that item (2) is the result of a typo or editing error from the original research report.12990148331526315265Multiple cross-site scripting (XSS) vulnerabilities in ProductCart 2.7 allow remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter to advSearch_h.asp, (2) the redirectUrl parameter to NewCust.asp, (3) the country parameter to storelocator_submit.asp, or (4) the error parameter to techErr.asp. NOTE: it has been reported that storelocator_submit.asp does not exist in ProductCart.1299014833152641526615268Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the email or url parameters in the Add function, (2) the min parameter in the viewsdownload function, or (3) the min parameter in the search function.20050403 [SECURITYREASON.COM] phpnuke 7.6 Multiple vulnerabilities in Downloads Module cXIb8O3.13Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the email or url parameters in the Add function, (2) the url parameter in the modifylinkrequestS function, (3) the orderby or min parameters in the viewlink function, (4) the orderby, min, or show parameters in the search function, or (5) the ratenum parameter in the MostPopular function.20050403 [SECURITYREASON.COM] phpnuke 7.6 Multiple vulnerabilities in Web_Links Module cXIb8O3.14The Web_Links module for PHP-Nuke 7.6 allows remote attackers to obtain sensitive information via an invalid show parameter, which triggers a division by zero PHP error that leaks the full pathname of the server.20050403 [SECURITYREASON.COM] phpnuke 7.6 Multiple vulnerabilities in Web_Links Module cXIb8O3.14SQL injection vulnerability in the Top module for PHP-Nuke 6.x through 7.6 allows remote attackers to execute arbitrary SQL commands via the querylang parameter.20050406 [waraxe-2005-SA#041] - Critical Sql Injection in PhpNuke 6.x-7.6http://www.waraxe.us/advisory-41.htmlMultiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the bid parameter to the EmailStats op in banners.pgp, (2) the ratenum parameter in the TopRated and MostPopular actions in the Web_Links module, (3) the ttitle parameter in the viewlinkdetails, viewlinkeditorial, viewlinkcomments, and ratelink actions in the Web_Links module, or (4) the username parameter in the Your_Account module.20050404 [SECURITYREASON.COM] PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12phpnuke-modulesphp-xss(19952)20050403 Full path disclosure and XSS in PHPNukePHP-Nuke 7.6 allows remote attackers to obtain sensitive information via direct requests to (1) the Surveys module with the file parameter set to comments or (2) 3D-Fantasy/theme.php, which leaks the full pathname of the web server in a PHP error message.:REFERENCEURL:http://archives.neohapsis.com/archives/bugtraq/2005-04/0037.html20050404 [SECURITYREASON.COM] PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12phpnuke-modulesphp-path-disclosure(19953)logwebftbs2000.exe in Logics Software File Transfer (LOG-FT) allows remote attackers to read arbitrary files via modified (1) VAR_FT_LANG and (2) VAR_FT_TMPL parameters.129981485120050405 Logics Software BS2000 Host to Web Client ALL PLATFORMSDirectory traversal vulnerability in index.php for ProfitCode PayProCart 3.0 allows remote attackers to include arbitrary PHP files via .. (dot dot) sequences in the modID parameter.20050404 Authenticaion bypass, Directory transversal and XSS101364014832payprocart-dotdot-directory-traversal(19954)Cross-site scripting (XSS) vulnerability in usrdetails.php in ProfitCode PayProCart 3.0 allows remote attackers to inject arbitrary web script or HTML via the sgnuptype parameter.20050404 Authenticaion bypass, Directory transversal and XSS101364014832Payprocart-usrdetails-xss(19955)ProfitCode PayProCart 3.0 allows remote attackers to bypass authentication and gain administrative privileges to the admin control panel, as demonstrated via a direct request to adminshop/index.php with hex-encoded .. sequences in the ftoedit parameter.20050404 Authenticaion bypass, Directory transversal and XSS101364014832payprocart-index-bypass-authentication(19956)Multiple cross-site scripting (XSS) vulnerabilities in SonicWALL SOHO 5.1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URL or (2) the user login name, which is not filtered when the administrator views the log file.20050404 SonicWALL SOHO/10 - XSS vulnerabilityhttp://www.oliverkarow.de/research/SonicWall.txt12984101363814823sonicwall-http-get-requests-xss(19958)sonicwall-username-code-execution(19960)1526115262Unknown vulnerability in the LIST functionality in CommuniGate Pro before 4.3c3 allows remote attackers to cause a denial of service (server crash) via certain multipart messages.http://www.stalker.com/CommuniGatePro/History.html1525714604communigatepro-list-dos(19961)Cross-site scripting (XSS) vulnerability in posts.asp for ASP-DEv XM Forum RC3 allows remote attackers to inject arbitrary web script or HTML via a "javascript:" URL in an IMG tag.129581013614Multiple buffer overflows in BakBone NetVault 6.x and 7.x allow (1) remote attackers to execute arbitrary code via a modified computer name and length that leads to a heap-based buffer overflow, or (2) local users to execute arbitrary code via a long Name entry in the configure.cfg file.20050401 [Hat-Squad Advisory] Bakbone NetVault Heap overflow Vulnerabilitieshttp://www.hat-squad.com/en/000164.htmlhttp://www.class101.org/netv-remhbof.pdfhttp://www.hat-squad.com/en/000165.htmlhttp://www.class101.org/netv-locsbof.pdf12967101362514814netvault-configurecfg-bo(19932)Cross-site scripting (XSS) vulnerability in Comersus Cart 6 allows remote attackers to inject arbitrary web script or HTML via the account username.13000101363414825comersus-username-xss(19962)SQL injection vulnerability in content.asp in SiteEnable allows remote attackers to execute arbitrary SQL commands via the sortby parameter.http://www.zone-h.com/en/advisories/read/id=7367/129851013631Cross-site scripting (XSS) vulnerability in Iatek SiteEnable allows remote attackers to inject arbitrary web script or HTML via (1) the contenttype parameter to content.asp, (2) the title, or (3) the description.http://www.zone-h.com/en/advisories/read/id=7367/1013631portalapp-contentasp-xss(19891)The SMTP service in MailEnable Enterprise 1.04 and earlier and Professional 1.54 and earlier allows remote attackers to cause a denial of service (server crash) via an EHLO command with a Unicode string.20050405 MailEnable Smtpd remote Dos [x0n3-h4ck]http://www.securiteam.com/windowsntfocus/5HP031PFFG.htmlhttp://www.mailenable.com/hotfix/12994101363714812mailenable-smtp-dos(19948)mailenable-ehlo-dos(19973)15232Buffer overflow in the IMAP service for MailEnable Enterprise 1.04 and earlier and Professional 1.54 allows remote attackers to execute arbitrary code via a long AUTHENTICATE command.20050405 MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]http://www.mailenable.com/hotfix/12995101363714812mailenable-imap-dos(19947)Buffer overflow in MailEnable Imapd (MEIMAP.exe) allows remote attackers to execute arbitrary code via a long LOGIN command.20050406 Re: MailEnable Imapd remote BoF + Exploit [x0n3-h4ck]Cross-site scripting (XSS) vulnerability in links_add_form.asp for MaxWebPortal 1.33 and earlier allows remote attackers to inject arbitrary web script or HTML via a Javascript URL in a banner URL.http://www.hackerscenter.com/archive/view.asp?id=180712968101361714752maxwebportal-linksaddform-xss(19929)SQL injection vulnerability in the Update_Events function in events_functions.asp in MaxWebPortal 1.33 and earlier allows remote attackers to execute abritrary SQL commands via the EVENT_ID parameter, as demonstrated using events.asp.http://www.hackerscenter.com/archive/view.asp?id=180712968101361714752maxwebportal-eventsfunctions-sql-injection(19928)Buffer overflow in the UniversalAgent for Computer Associates (CA) BrightStor ARCserve Backup allows remote authenticated users to cause a denial of service or execute arbitrary code via an agent request to TCP port 6050 with a large argument before the option field.20050411 Computer Associates BrightStor ARCserve Backup UniversalAgent Buffer Overflow20050414 Computer Associates BrightStor ARCserve Backup and BrightStor Enterprise Backup UniversalAgent buffer overflow vulnerabilityBuffer overflow in the getConfig function in Aeon 0.2a and earlier allows local users to gain privileges via a long HOME environment variable.20050404 Local buffer overflow on Aeon<=0.2ahttp://security-tmp.h14.ru/exploits/23laeon.c.txtaeon-getconfig-bo(19951)Secure Shell (SSH) 2 in Cisco IOS 12.0 through 12.3 allows remote attackers to cause a denial of service (device reload) (1) via a username that contains a domain name when using a TACACS+ server to authenticate, (2) when a new SSH session is in the login phase and a currently logged in user issues a send command, or (3) when IOS is logging messages and an SSH session is terminated while the server is sending data.20050406 Vulnerabilities in Cisco IOS Secure Shell Server13043101365514854cisco-ios-sshv2-tacacs-authentication-dos(19987)cisco-ios-authentication-send-dos(19989)cisco-ios-ssh-message-log-dos(19990)Memory leak in Secure Shell (SSH) in Cisco IOS 12.0 through 12.3, when authenticating against a TACACS+ server, allows remote attackers to cause a denial of service (memory consumption) via an incorrect username or password.20050406 Vulnerabilities in Cisco IOS Secure Shell Server13042101365514854cisco-ios-memory-leak-dos(19991)15303ColdFusion 6.1 Updater 1 places Java .class files under the web root in the /WEB-INF/cfclasses directory, which allows remote attackers to obtain sensitive information.http://www.macromedia.com/devnet/security/security_zone/mpsb05-02.html20050607 Macromedia Security Bulletin - ColdFusion MX 6.1Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x to 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) min parameter to the Search module, (2) the categories parameter to the FAQ module, or (3) the ltr parameter to the Encyclopedia module. NOTE: the bid parameter issue in banners.php is already an item in CVE-2005-1000.20050403 Full path disclosure and XSS in PHPNukehttp://www.securityreason.com/adv/PHPNuke%206.x-7.6-p1.txtphpnuke-modulesphp-xss(19952)modules.php in PHP-Nuke 6.x to 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) my_headlines, (2) userinfo, or (3) search, which reveals the path in a PHP error message.20050403 Full path disclosure and XSS in PHPNukehttp://www.securityreason.com/adv/PHPNuke%206.x-7.6-p1.txtphpnuke-modulesphp-path-disclosure(19953)The FTP server in AS/400 4.3, when running in IFS mode, allows remote attackers to obtain sensitive information via a symlink attack using RCMD and the ADDLNK utility, as demonstrated using the QSYS.LIB library.20050404 Disclosure of AS/400 user accounts via the FTP serverhttp://www.venera.com/downloads/AS400_user_accounts_ftp_disclosure.pdf15300Multiple SQL injection vulnerabilities in SnailSource phpBB 2.0.x mods allow remote attackers to execute arbitrary SQL commands via the (1) file_id parameter to dlman.php in DLMan Pro or (2) id parameter to links.php in Linkz Pro (aka LinksLinks Pro).20050404 SQL INJECTION in DLMan Pro. PHPBB Mod.20050404 SQL INJECTION in LinksLinks Pro. PHPBB Mod.1302813030http://www.snailsource.com/forum/dlman.php?func=file_info&file_id=77Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x through 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in the Your_Account module, (2) avatarcategory parameter in the Your_Account module, or (3) lid parameter in the Downloads module.20050404 [SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 320030511 PHPNuke "Your Account" XSS Vulnerability7570phpnuke-modules-xss(11994)PHP-Nuke 6.x through 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) index.php with the forum_admin parameter set, (2) the Surveys module, or (3) the Your_Account module, which reveals the path in a PHP error message.20050404 [SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 3Multiple SQL injection vulnerabilities in Active Auction House allow remote attackers to execute arbitrary SQL commands via the (1) catid, (2) SortDir, or (3) Sortby parameter to default.asp, (4) itemID parameter to ItemInfo.asp, or (5) Email field to sendpassword.asp.20050406 Active Auction House has multiple Sql injection, error and XSS130321303413035101364914839aah-multiple-scripts-sql-injection(19977)152811528215283Multiple cross-site scripting (XSS) vulnerabilities in Active Auction House allow remote attackers to inject arbitrary web script or HTML via the (1) ReturnURL, (2) password, (3) username parameter, (4) ReturnURL parameter to account.asp, (5) Table, (6) Title parameter to sendpassword.asp, or (7) itemid to watchthisitem.asp.20050406 Active Auction House has multiple Sql injection, error and XSS130361303813039101364914839aah-multiple-scripts-xss(19975)15284152851528615287RUNCMS 1.1A, and possibly other products based on e-Xoops (exoops), when "Allow custom avatar upload" is enabled, does not properly verify uploaded files, which allows remote attackers to upload arbitrary files.20050406 runcms/e-xoops 1.1A and below file upload vulnerabilityhttp://www.runcms.org/public/modules/news/1302714869exoops-runcms-upload-files(20001)** REJECT ** cart.php in LiteCommerce might allow remote attackers to obtain sensitive information via invalid (1) category_id or (2) product_id parameters. NOTE: this issue was originally claimed to be due to SQL injection, but the original researcher is known to be frequently inaccurate with respect to bug type and severity. The vendor has disputed this issue, saying "These reports are credited to malicious person we refused to hire. We have not taken legal action against him only because he is located in India. The vulnerabilites reported can not be reproduced, hence information you provide is contrary to fact." Further investigation by CVE personnel shows that an invalid SQL syntax error could be generated, but it only reveals portions of underlying database structure, which is already available in documentation from the vendor, and it does not appear to lead to path disclosure. Therefore, this issue is not a vulnerability or an exposure, and it probably should be REJECTED.20050406 LiteCommerce Sql injection and reveling errors vulnerability130441531414857litecommerce-cart-sql-injection(19998)CubeCart 2.0.6 allows remote attackers to obtain sensitive information via an invalid (1) language parameter to index.php, (2) PHPSESSID parameter to index.php, (3) product parameter to tellafriend.php, (4) add parameter to view_cart.php, or (5) product parameter to view_product.php, which reveals the path in a PHP error message.20050406 [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure101366014064SurgeFTP 2.2m1 allows remote attackers to cause a denial of service (application hang) via the LEAK command.20050407 [SIG^2 G-TEC] SurgeFTP LEAK Command Denial-Of-Service Vulnerabilityhttp://www.security.org.sg/vuln/surgeftp22m1.html13054101366414888surgeftp-leak-ftp-dos(20011)Multiple buffer overflows in Pavuk before 0.9.32 have unknown attack vectors and impact.http://sourceforge.net/project/shownotes.php?release_id=31343614571FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permission bitmap used to allow user access to certain hardware, which allows local users to bypass intended access restrictions to cause a denial of service, obtain sensitive information, and possibly gain privileges.FreeBSD-SA-05:03Unknown vulnerability in AIX 5.3.0, when configured as an NIS client, allows remote attackers to gain root privileges.IY68825http://www.niscc.gov.uk/niscc/docs/br-20050405-00278.html?lang=en14856crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235.20050406 crontab from vixie-cron allows read other users crontabs13024RHSA-2005:361RHSA-2006:011720060401-01-U19532 20666 SUSE-SR:2007:007 24995Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files.13053Multiple unknown vulnerabilities in netapplet in Novell Linux Desktop 9 allow local users to gain root privileges, related to "User input [being] passed to network scripts without verification."SUSE-SR:2005:010The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route.[bk-commits-head] 20050319 [PATCH] Fix crash while reading /proc/net/route13267SUSE-SA:2005:06817918RHSA-2005:366FLSA:157459-3Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code via an IFD tag that leads to a negative byte count.http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.33&r2=1.118.2.34&ty=uhttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154021GLSA-200504-15MDKSA-2005:072RHSA-2005:40520050414 [USN-112-1] PHP4 vulnerabilitiesRHSA-2005:406USN-112-1APPLE-SA-2005-06-08MDKSA-2005:072exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion.https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154025http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.29&r2=1.118.2.30&ty=uGLSA-200504-15MDKSA-2005:07220050414 [USN-112-1] PHP4 vulnerabilitiesRHSA-2005:406USN-112-1APPLE-SA-2005-06-08MDKSA-2005:072** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0941. Reason: This candidate is a duplicate of CVE-2005-0941. Notes: All CVE users should reference CVE-2005-0941 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.OpenText FirstClass 8.0 client does not properly sanitize strings before passing them to the Windows ShellExecute API, which allows remote attackers to execute arbitrary commands via a UNC path in a bookmark.20050408 OpenText FirstClass 8.0 Client Arbitrary File Execution1307914898firstclass-bookmark-command-execution(20032)101366515356Buffer overflow in the kimgio library for KDE 3.4.0 allows remote attackers to execute arbitrary code via a crafted PCX image file.SuSE-SA:2005:022http://bugs.kde.org/show_bug.cgi?id=10232814908DSA-714http://www.frsirt.com/english/advisories/2005/0331RHSA-2005:393FLSA:178606 13096103170ADV-2007-424128114201320Meilad File upload script (up.php) mod for phpBB 2.0.x does not properly limit the types of files that can be uploaded, which allows remote authenticated users to execute arbitrary commands by uploading PHP files, then directly requesting them from the uploads directory.20050408 phpBB Upload Script 1013671SQL injection vulnerability in modules.php in PostNuke 0.760 RC3 allows remote attackers to execute arbitrary SQL statements via the sid parameter. NOTE: the vendor reports that they could not reproduce the issues for 760 RC3, or for .750.20050408 Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC314868postnuke-sid-sql-injection(20019)http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2679153711013670Multiple cross-site scripting vulnerabilities in PostNuke 0.760-RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) module parameter to admin.php or (2) op parameter to user.php. NOTE: the vendor reports that certain issues could not be reproduced for 760 RC3, or for .750. However, the op/user.php issue exists when the pnAntiCracker setting is disabled.20050408 Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/user.php.diff?r1=1.18&r2=1.19130751307614868postnuke-adminphp-userphp-xss(20018)http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2679153701013670The modload op in the Reviews module for PostNuke 0.760-RC3 allows remote attackers to obtain sensitive information via an invalid id parameter, which reveals the path in a PHP error message.20050408 Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3postnuke-modules-full-path-disclosure(20020)1013670SQL injection vulnerability in profile.php in PunBB 1.2.4 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a change_email action.20050408 PunBB <= 1.2.4 - change email to become admin exploit130711488220050408 PunBB <= 1.2.4 - change email to become admin exploitMicrosoft Outlook 2003 and Outlook Web Access (OWA) 2003 do not properly display comma separated addresses in the From field in an e-mail message, which could allow remote attackers to spoof e-mail addresses.20050408 Microsoft Multiple E-Mail Client Address Spoofing Vulnerabilityowa-email-spoofing(20026)Multiple cross-site scripting (XSS) vulnerabilities in orderwiz.php in ModernBill 4.3.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) c_code or (2) aid parameters.20050410 Multiple ModernBill 4.3.0 And Earlier Vulnerabilities101367214890modernbill-orderwiz-xss(20035)15426PHP remote file inclusion vulnerability in news.php in ModernBill 4.3.0 and earlier allows remote attackers to execute arbitrary PHP code by modifying the DIR parameter to reference a URL on a remote web server that contains the code.20050410 Multiple ModernBill 4.3.0 And Earlier Vulnerabilities101367214890modernbill-news-file-include(20036)15427TowerBlog 0.6 and earlier stores the login data file under the web root, which allows remote attackers to obtain the MD5 checksums of the username and password via a direct request to the _dat/login file.20050410 TowerBlog <= 0.6 Admin Account View [x0n3-h4ck]101367514884towerblog-datlogin-information-disclosure(20039)15425Unknown vulnerability in HP OpenView Network Node Manager (NMM) 6.2 through 6.4, and 7.01 through 7.50, allows remote attackers to cause a denial of service.HPSBMA011251486513029153211013651openview-network-node-manager-dos(19993)Cisco IOS 12.2T, 12.3 and 12.3T, when using Easy VPN Server XAUTH version 6 authentication, allows remote attackers to bypass authentication via a "malformed packet."20050406 Vulnerabilities in the Internet Key Exchange Xauth ImplementationCisco IOS 12.2T, 12.3 and 12.3T, when processing an ISAKMP profile that specifies XAUTH authentication after Phase 1 negotiation, may not process certain attributes in the ISAKMP profile that specifies XAUTH, which allows remote attackers to bypass XAUTH and move to Phase 2 negotiations.20050406 Vulnerabilities in the Internet Key Exchange Xauth ImplementationLinksys WET11 1.5.4 allows remote attackers to change the password without providing the original password via the data parameter to changepw.html.20050407 Cisco Linksys WET11 Password Resetting Vulnerability1305114871linksys-wet11-security-bypass(20008)Unknown vulnerability in the TCP/IP functionality (TCPIP.NLM) in Novell Netware 6.x allows remote attackers to cause a denial of service (ABEND by Page Fault Processor Exception) via certain packets.1306714874novell-netware-tcpipnlm-dos(20024)The secure script in LogWatch before 2.6-2 allows attackers to prevent LogWatch from detecting malicious activity via certain strings in the secure file that are later used as part of a regular expression, which causes the parser to crash, aka "logwatch log processing regular expression DoS."RHSA-2005:364https://bugzilla.redhat.com/bugzilla-old/show_bug.cgi?id=137502The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to quickly obtain passwords that are 5 characters or less via brute force methods. http://research.tic.udc.es/scg/advisories/20050429-1.txt20050429 [CAN-2005-1062] Administration protocol abuse allows local/remote password crackinghttp://www.kerio.com/security_advisory.htmlThe administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to cause a denial of service (CPU consumption) via certain attacks that force the product to "compute unexpected conditions" and "perform cryptographic operations."20050429 [CAN-2005-1063] Administration protocol abuse leads to Service and System Denial of Servicehttp://www.kerio.com/security_advisory.htmlThe copy_symlink function in rsnapshot 1.2.0 and 1.1.x before 1.1.7 changes the ownership of files that a symlink points to rather than the symlink itself, which allows local users to obtain access to arbitrary files.20050410 rsnapshot Security Advisory 001http://www.rsnapshot.org/security/2005/001.html101367414878GLSA-200504-1215420tetex in Novell Linux Desktop 9 allows local users to determine the existence of arbitrary files via a symlink attack in the /var/cache/fonts directory.SUSE-SR:2005:01013072Race condition in rpdump in Pine 4.62 and earlier allows local users to overwrite arbitrary files via a symlink attack.20050411 rpdump TOCTOU file-permissions vulnerability1489915456Vulnerability in Access_user Class before 1.75 allows local users to gain access as other users via the password "new".http://freshmeat.net/projects/access_user/?branch_id=53852&release_id=1927701489715348Cross-site scripting (XSS) vulnerability in sCssBoard 1.11 and earlier allows remote attackers to execute arbitrary Javascript via [url] tags.http://sourceforge.net/project/shownotes.php?release_id=31834613041101365914694scssboard-url-tag-xss(20021)Unknown vulnerability in sCssBoard 1.11 and earlier has unknown impact, related to "an exploit on the Profile page."http://sourceforge.net/project/shownotes.php?release_id=318346101365914694scssboard-profile-unknown(20022)SQL injection vulnerability in index.php in Invision Power Board 1.3.1 Final and earlier allows remote attackers to execute arbitrary SQL commands via the st parameter.20050411 Invision board 1.3.1 and below are vulnerable to a sql injection vulnerability [PATCH INCLUDED]130971013676invision-memberlist-sql-injection(20059)SQL injection vulnerability in banner.inc.php in JPortal Web Portal 2.3.1 allows remote attackers to execute arbitrary SQL commands via the haslo parameter.1491920050412 Sql injection in jPortal version 2.3.1 (module banner)15476Cross-site scripting (XSS) vulnerability in PunBB before 1.2.5 allows remote attackers to inject arbitrary web script or HTML.http://www.punbb.org/14882Directory traversal vulnerability in index.php for RadScripts RadBids Gold 2 allows remote attackers to read arbitrary files via the read parameter.20050409 Directory transversal, sql injection and xss vulnerabilities in RadBids Gold v2130801542814906radbids-gold-php-xss(20038)SQL injection vulnerability in index.php for RadScripts RadBids Gold 2 allows remote attackers to execute arbitrary SQL commands via the mode parameter.20050409 Directory transversal, sql injection and xss vulnerabilities in RadBids Gold v2130801542914906radbids-gold-index-sql-injection(20040)Multiple cross-site scripting (XSS) vulnerabilities in RadScripts RadBids Gold 2 allow remote attackers to inject arbitrary web script or HTML via (1) the farea parameter to faq.php or the (2) cat, (3) order, or (4) area parameters to index.php.20050409 Directory transversal, sql injection and xss vulnerabilities in RadBids Gold v213080154301543114906radbids-gold-php-xss(20038)Cross-site scripting (XSS) vulnerability in the discussion board functionality for WebCT Campus Edition 4.1 allows remote attackers to inject arbitrary web script or HTML via the message field.20050411 WebCT 4.1 vulnerable to XSS attacks13101Multiple cross-site scripting (XSS) vulnerabilities in XAMPP 1.4.x allow remote attackers to inject arbitrary web script or HTML via (1) cds.php, (2) Guestbook-EN.pl, or (3) phonebook.php.20050412 XAMPP131261312713128XAMPP 1.4.x has multiple default or null passwords, which allows attackers to gain privileges.20050412 XAMPP13131SQL injection vulnerability in index.php for zOOm Media Gallery 2.1.2 allows remote attackers to execute arbitrary SQL commands via the catid parameter.http://www.securiteam.com/unixfocus/5LP0G0AFFY.html1492920050413 zOOM Media Gallery - Simple SQL Injection discoveryDirectory traversal vulnerability in the Java Archive Tool (Jar) utility in J2SE SDK 1.4.2, 1.5 allows remote attackersto write arbitrary files via a .. (dot dot) in filenames in a .jar file.http://www.securiteam.com/securitynews/5IP0C0AFGW.html1490220050412 7a69Adv#23 - Jar tool directory transversal vulnerabilityCross-site scripting (XSS) vulnerability in view.php in AzDGDatingPlatinum 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter.20050409 AzDGDatingPlatinum multiple vulnerabilities13082azdgdating-platinum-viewphp-xss(20052)Multiple SQL injection vulnerabilities in AzDGDatingPlatinum 1.1.0 allows remote attackers to execute arbitrary SQL commands via (1) the id parameter to view.php or (2) the from parameter to members/index.php.20050409 AzDGDatingPlatinum multiple vulnerabilities13082azdgdating-platinum-sql-injection(20051)1552520060628 AzDGDatingPlatinum<<--v1.1.0 "view.php" SQL Injection azdgdatingplatinum-view-sql-injection(27436)index.php in aeDating 3.2 allows remote attackers to include arbitrary files via the skin parameter.14913SQL injection vulnerability in sdating.php in aeDating 3.2 allows remote attackers to execute arbitrary SQL commands files via the event parameter.14913Cross-site scripting (XSS) vulnerability in the control panel in aeDating 3.2 allows remote attackers to inject arbitrary web script or HTML.14913Buffer overflow in the cmdIS.DLL plugin for AN HTTPD Server 1.42n allows remote attackers to execute arbitrary code via an HTTP request with a long User-Agent header.http://www.security.org.sg/vuln/anhttpd142n.html1306615361101366614861an-httpd-cmdisdll-bo(20029)CRLF injection vulnerability in the cmdIS.DLL plugin for AN HTTPD Server 1.42n allows remote attackers to spoof or hide entries in the logfile, and possibly read files using an injected type command, via CRLF sequences in an HTTP request.http://www.security.org.sg/vuln/anhttpd142n.html15362101366614861an-httpd-logfile-character-injection(20031)Unknown vulnerability in DameWare NT Utilities 4.8 and earlier, and Mini Remote Control 4.8 and earlier, allows local users to gain additional rights.http://www.dameware.com/support/security/bulletin.asp?ID=SB51302315275101365314829dameware-elevated-privileges(19997)18732Unknown vulnerability in DC++ before 0.674 allows attackers to append data to arbitrary files.http://dcplusplus.sourceforge.net/index.php?t=8&s=11488015433Directory traversal vulnerability in the readFile and writeFile API for Maxthon 1.2.0 and 1.2.1 allows remote attackers to read or write arbitrary files.http://www.raffon.net/advisories/maxthon/multvulns.html130741542314918maxthon-directory-traversal(20033)Maxthon 1.2.0 and 1.2.1 allows remote attackers to bypass the security ID and use restricted plugin API functions via script that includes the max.src file into the source page.http://www.raffon.net/advisories/maxthon/multvulns.html130731542414918Lightspeed DeluxeFTP 6.01 stores usernames and passwords in plaintext in sites.xml, which is world-readable, which allows local users to gain privileges.http://lostmon.blogspot.com/2005/04/deluxeftp-plain-text-passwords.html131051542114923Buffer overflow in the PopUp Plus 2.0.3.8 plugin for Miranda IM, with "Use SmileyAdd Setting" enabled, allows remote attackers to execute arbitrary code.http://sec.org.il/coverages.php?c=8913048154821013661popupplus-message-bo(20013)http://forums.miranda-im.org/showthread.php?t=1070http://forums.miranda-im.org/showthread.php?p=9624http://www.miranda-im.org/FTP Now 2.6.14 stores usernames and passwords in plaintext in sites.xml, which is world-readable, which allows local users to gain privileges.101365714889ftpnow-sites-information-disclosure(20025)15296Cross-site scripting (XSS) vulnerability in main.asp for Ocean12 Membership Manager Pro 1.x allows remote attackers to inject arbitrary web script or HTML via the page parameter.http://www.hackerscenter.com/archive/view.asp?id=18651304615306101366714864ocean12-membershipmgr-mainasp-xss(20014)SQL injection vulnerability in main.asp for Ocean12 Membership Manager Pro 1.x allows remote attackers to execute arbitrary SQL commands via the UserID parameter.http://www.hackerscenter.com/archive/view.asp?id=18651304915307101366714864ocean12-membershipmgr-mainasp-sql-injection(20015)Rebrand P2P Share Spy 2.2 stores the user password in plaintext in the txtPassword value in the registry, which allows local users to gain privileges.1013673GetDataBack for NTFS 2.31 stores the username and license key in plaintext in the Name value in the License registry key, which may allow local users to obtain sensitive information.152101013644getdataback-ntfs-information-disclosure(19967)Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.20050412 GLD (Greylisting daemon for Postfix) multiple vulnerabilities.GLSA-200504-1015492101367814941gld-serverc-bo(20066)20050413 Gld 1.5 released (security fix)http://www.gasmi.net/down/gld-historyFormat string vulnerability in the ErrorLog function in cnf.c in Greylisting daemon (GLD) 1.3 and 1.4 allows remote attackers to execute arbitrary code via format string specifiers in data that is passed directly to syslog.20050412 GLD (Greylisting daemon for Postfix) multiple vulnerabilities.GLSA-200504-1015493101367814941gld-cnfc-format-string(20067)Multiple buffer overflows in Lotus Domino Server 6.0.5 and 6.5.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via large amounts of data in certain (1) time or (2) date fields.20050412 Remote Buffer Overflow in Lotus Dominohttp://www.ngssoftware.com/advisories/lotus-01.txthttp://www-1.ibm.com/support/docview.wss?rs=463&uid=swg212024311536414879lotus-timedate-bo(20042)Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post.20050412 WordPress XSS and HTML injectionhttp://wordpress.org/support/topic.php?id=30721GLSA-200506-04http://bugs.gentoo.org/show_bug.cgi?id=88926Sygate Security Agent (SSA) in Sygate Secure Enterprise 3.5 through 4.1 does not prevent the security policy from being updated by unprivileged users, which allows local users to modify the policy by exporting the policy file, changing it, and importing it back into SSA.20050412 IRM 011: Sygate,Security Agent (Sygate Secure Enterprise) Fail OpenMultiple cross-site scripting (XSS) vulnerabilities in Centra 7 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name fields.20050412 Centra 7 XSS Exploit14930Directory traversal vulnerability in the MimeBodyPart.getFileName method in JavaMail 1.3.2 allows remote attackers to write arbitrary files via a .. (dot dot) in the filename in the Content-Disposition header.20050412 JavaMail allows directory traversal in attachmentsPictureViewer in QuickTime for Windows 6.5.2 allows remote attackers to cause a denial of service (application crash) via a GIF image with the maximum depth start value, possibly triggering an integer overflow.20050413 QuickTime for Windows malformed GIF DoSMcAfee Internet Security Suite 2005 uses insecure default ACLs for installed files, which allows local users to gain privileges or disable protection by modifying certain files.20050418 McAfee Internet Security Suite 2005 Insecure File Permission VulnerabilityThe ij_untrusted_url function in JunkBuster 2.0.2-r2, with single-threaded mode enabled, allows remote attackers to overwrite the referrer field via a crafted HTTP request.GLSA-200504-11http://bugs.gentoo.org/show_bug.cgi?id=88537131471550214932junkbuster-ijuntrustedurl-gain-access(20093)DSA-713The filtering of URLs in JunkBuster before 2.0.2-r3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via heap corruption.GLSA-200504-11http://bugs.gentoo.org/show_bug.cgi?id=88537131461550314932junkbuster-heap-corruption(20094)DSA-713Stack-based buffer overflow in the RespondeHTTPPendiente function in the HTTP server for SUMUS 0.2.2 allows remote attackers to execute arbitrary code via a large packet sent to TCP port 81.20050414 sumus[v0.2.2]: (httpd) remote buffer overflow exploit.1013717sumus-respondehttppendiente-bo(20110)Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete.20050413 cpio TOCTOU file-permissions vulnerability13159SCOSA-2005.32OVAL358USN-189-1DSA-846SCOSA-2006.218290FreeBSD-SA-06:031572518395RHSA-2005:8061712317532RHSA-2005:37816998SUSE-SR:2006:01020117oval:org.mitre.oval:def:358IBM WebSphere Application Server 6.0 and earlier, when sharing the document root of the web server, allows remote attackers to obtain the source code for Java Server Pages (.jsp) via an HTTP request with an invalid Host header, which causes the page to be processed by the web server instead of the JSP engine.20050413 IBM WebSphere Widespread configuration JSP disclosure14962ibm-websphere-information-disclosure(20099)10136971550113160Multiple cross-site scripting (XSS) vulnerabilities in PhpBB Plus 1.52 and earlier allow remote attackers to inject arbitrary web script or HTML via the bsid parameter to (1) groupcp.php, (2) index.php, (3) portal.php, (4) viewforum.php, or (5) viewtopic.php, (6) the c parameter to index.php, or (7) the article parameter to portal.php.20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modulesphpbb-multiple-modules-xss(20085)Multiple SQL injection vulnerabilities in album_search.php in Photo Album 2.0.53 for phpBB allow remote attackers to execute arbitrary SQL commands via the (1) mode or (2) search parameters.20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modulesphpbb-multiple-modules-sql-injection(20086)http://www.digitalparadox.org/advisories/phpbbp.txt1315515931Multiple cross-site scripting (XSS) vulnerabilities in Photo Album 2.0.53 module for phpBB allow remote attackers to inject arbitrary web script or HTML via the bsid parameter to (1) album_cat.php or (2) album_comment.php.20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modules1315713158Cross-site scripting (XSS) vulnerability in the Calendar module for phpBB allow remote attackers to inject arbitrary web script or HTML via the start parameter to calendar_scheduler.php.20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modulesPHP remote file inclusion vulnerability in index.php in All4WWW-Homepagecreator 1.0a allows remote attackers to execute arbitrary PHP code by modifying the site parameter to reference a URL on a remote web server that contains the code.20050414 All4WWW-Homepagecreator Remote Command Execution1316914972Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the RSA Authentication Agent for Web 5.2 allows remote attackers to inject arbitrary web script or HTML via the postdata parameter.http://www.oliverkarow.de/research/rsaxss.txt13168101372414954rsa-auth-postdata-xss(20098)VU#366372Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary files via a symlink attack on temporary files.13171Multiple cross-site scripting (XSS) vulnerabilities in IlohaMail 0.8.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the e-mail (1) body, (2) filename, or (3) MIME type.1317514957ilohamail-mail-attached-file-xss(20095)155061013701DSA-101019266Format string vulnerability in the my_xlog function in lib.c for Oops! Proxy Server 1.5.23 and earlier, as called by the auth functions in the passwd_mysql and passwd_pgsql modules, may allow attackers to execute arbitrary code via a URL.13172http://rst.void.ru/papers/advisory24.txtGLSA-200505-02oops-format-string(20191)DSA-726Format string vulnerability in cgi.c for Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request containing double-encoded format string specifiers (aka "double expansion error").GLSA-200504-14http://bugs.gentoo.org/show_bug.cgi?id=879161495315511Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service (memory corruption) via a request for a zero byte file.GLSA-200504-14http://bugs.gentoo.org/show_bug.cgi?id=879161495315512Unknown vulnerability in the libgss Generic Security Services Library in Solaris 7, 8, and 9 allows local users to gain privileges by loading their own GSS-API.577341551614971Race condition in libsafe 2.0.16 and earlier, when running in multi-threaded applications, allows attackers to bypass libsafe protection and exploit other vulnerabilities before the _libsafe_die function call is completed.20050415 [Overflow.pl] Libsafe - Safety Check Bypass Vulnerabilityhttp://www.overflow.pl/adv/libsafebypass.txt13190The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 and 5.x through 5.4 does not properly clear a buffer before using it, which allows local users to obtain portions of sensitive kernel memory.FreeBSD-SA-05:041551414959freebsd-ifconf-information-disclosure(20114)APPLE-SA-2005-10-3115252ADV-2005-225617368Format string vulnerability in the log function in Net::Server 0.87 and earlier, as used in Postfix Greylisting Policy Server (Postgrey) 1.18 and earlier, and possibly other products, allows remote attackers to cause a denial of service (crash) via format string specifiers that are not properly handled before being sent to syslog, as demonstrated using sender addresses to Postgrey.20050415 Use of function [postgrey] 20050414 Problem with crashing postgrey[postgrey] 20050414 Re: Problem with crashing postgrey[postgrey] 20050414 ANNOUNCE: Postgrey 1.21 (SECURITY)1551714958postgrey-logging-dos(20108)DSA-1121DSA-1122MDKSA-2006:131211642115221149GLSA-200608-181319321452MDKSA-2006:131Multiple SQL injection vulnerabilities in VHCS 2.4 and earlier allow remote attackers to execute arbitrary SQL commands via certain inputs from HTTP POST queries.155411013703eGroupWare 1.0.6 and earlier, when an e-mail is composed with an attachment but not sent, will send that attachment in the next e-mail, which may cause sensitive information to be sent to the wrong recipient.20050412 eGroupWare Leaks Files131371549914940egroupware-email-information-disclosure(20088)Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart allows remote attackers to inject arbitrary web script or HTML via the pg parameter.http://systemsecure.org/board/index.php?showtopic=8131381548514924pinnaclecart-index-xss(20092)Unknown vulnerability in Veritas i3 Focalpoint Server 7.1 and earlier has unknown attack vectors and unknown but "critical" impact.20040413 Patch available for critical Veritas i3 Server vulnerabilityhttp://seer.support.veritas.com/docs/276119.htm1314215498101369414934LG U8120 mobile phone allows remote attackers to cause a denial of service (device crash) via a malformed MIDI file.20050413 LG U8120 Mobile Phone Denial of Service131541013777lg-u8120-mobile-phone-dos(20091)The POP3 server in IBM iSeries AS/400 returns different error messages when the user exists or not, which allows remote attackers to determine valid user IDs on the server.1315620050414 Enumeration of AS/400 users and their status via POP3SQL injection vulnerability in exit.php for Serendipity 0.8 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) url_id or (2) entry_id parameters.20050413 serendipity SQL Injection vulnerabilityhttp://www.s9y.org/5.html13161serendipity-urlid-entryid-sql-injection(20119)http://www.s9y.org/63.html#A915542101369915145Cross-site scripting (XSS) vulnerability in search.php for Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter.http://echo.or.id/adv/adv12-y3dips-2005.txthttp://www.waraxe.us/ftopict-651.html1317020050415 [ECHO_ADV_12$2005] Vulnerabilities in sphpblogSimple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) config.txt files under the web document root, which allows remote attackers to obtain sensitive information and crack passwords via a direct request to these files.http://echo.or.id/adv/adv12-y3dips-2005.txthttp://www.waraxe.us/ftopict-651.html20050415 [ECHO_ADV_12$2005] Vulnerabilities in sphpblogSimple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to obtain sensitive information via a direct request to sb_functions.php, which leaks the full pathname in a PHP error message.http://echo.or.id/adv/adv12-y3dips-2005.txt20050415 [ECHO_ADV_12$2005] Vulnerabilities in sphpblogUnknown vulnerability in WebMail in Kerio MailServer before 6.0.9 allows remote attackers to cause a denial of service (CPU consumption) via certain e-mail messages.http://www.kerio.com/kms_history.html1013708Opera 8 Beta 3, when using first-generation vetted digital certificates, displays the Organizational information of an SSL certificate, which is easily spoofed and can facilitate phishing attacks.http://www.geotrust.com/resources/advisory/sslorg/sslorg-advisory.htmhttp://www.geotrust.com/resources/advisory/sslorg/index.htm13176SUSE-SA:2005:031opera-ssl-spoofing(40503)Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the comments.20050415 myBloggie 2.1.113192Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when using the netpbm library, allows remote attackers to execute arbitrary code via a PNM file with large width and height values, which leads to a heap-based buffer overflow.20050415 [Overflow.pl] GOCR - Multiple vulnerabilitieshttp://www.overflow.pl/adv/gocr.txtHeap-based buffer overflow in the readpgm function in pnm.c for GOCR 0.40, when it is not using netpbm, allows remote attackers to execute arbitrary code via a P3 format PNM file with more data than implied by its width and height values.20050415 [Overflow.pl] GOCR - Multiple vulnerabilitieshttp://www.overflow.pl/adv/gocr.txtCross-site scripting (XSS) vulnerability in index.php in EasyPHPCalendar before 6.2.8 allows remote attackers to inject arbitrary web script or HTML via the yr parameter.http://www.snkenjoi.com/secadv/secadv4.txt155441013704http://docs.easyphpcalendar.com/Change%20Log/changeLog.htmpopup.php in EasyPHPCalendar before 6.2.8 allows remote attackers to obtain sensitive information via an invalid ev parameter, which reveals the full pathname of the web server in a PHP error message.Version 6.2.8 and above are fixed.http://www.snkenjoi.com/secadv/secadv4.txt155451013704http://docs.easyphpcalendar.com/Change%20Log/changeLog.htm** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in calendar.pl in CalendarScript 3.20 allows remote attackers to inject arbitrary web script or HTML via the template parameter, a different vulnerability than CVE-2005-1146.http://www.snkenjoi.com/secadv/secadv3.txt155471013705** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in the login command in calendar.pl in CalendarScript 3.21 allows remote attackers to inject arbitrary web script or HTML via the username parameter, a different vulnerability than CVE-2005-1145.http://www.snkenjoi.com/secadv/secadv3.txt1013705calendarscript-calendarpl-xss(20103)calendar.pl in CalendarScript 3.20 allows remote attackers to obtain sensitive information via invalid (1) calendar or (2) template parameters, which leaks the full pathname and debug information.http://www.snkenjoi.com/secadv/secadv3.txt155461013705calendarscript-path-disclosure(20102)calendar.pl in CalendarScript 3.21 allows remote attackers to obtain sensitive information via invalid (1) year or (2) month parameters, which leaks the full pathname and debug information.http://www.snkenjoi.com/secadv/secadv3.txt1013705calendarscript-path-disclosure(20102)SQL injection vulnerability in admin/login.asp in aspclick.it ACNews 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters.13148101368115494Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlier, when running on Windows systems, allows attackers to cause a denial of service (hang).577601550414961qpopper 4.0.5 and earlier does not properly drop privileges before processing certain user-supplied files, which allows local users to overwrite or create arbitrary files as root.DSA-728GLSA-200505-17http://bugs.gentoo.org/show_bug.cgi?id=90622154751547815505popauth.c in qpopper 4.0.5 and earlier does not properly set the umask, which may cause qpopper to create files with group or world-writable permissions.DSA-728GLSA-200505-179062258329154751547815505Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option.http://www.mozilla.org/security/announce/mfsa2005-35.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=289204GLSA-200504-18RHSA-2005:383RHSA-2005:3861493814992OVAL100023SCOSA-2005.4915495RHSA-2005:384oval:org.mitre.oval:def:100023Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the user visits that domain, aka "Cross-site scripting through global scope pollution."http://www.mozilla.org/security/announce/mfsa2005-36.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=289675GLSA-200504-18RHSA-2005:383RHSA-2005:3861493814992OVAL100022SCOSA-2005.4915495RHSA-2005:384oval:org.mitre.oval:def:100022 13230The favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking."http://www.mikx.de/firelinking/http://www.mozilla.org/security/announce/mfsa2005-37.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=290036GLSA-200504-18RHSA-2005:383RHSA-2005:386VU#9733091493814992OVAL100021SCOSA-2005.4915495RHSA-2005:384oval:org.mitre.oval:def:100021 13216Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to execute arbitrary script and code via a new search plugin using sidebar.addSearchEngine, aka "Firesearching 1."http://www.mikx.de/firesearching/http://www.mozilla.org/security/announce/mfsa2005-38.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=290037GLSA-200504-18RHSA-2005:383RHSA-2005:386132111013745149381499214996mozilla-plugin-xss(20125)OVAL100020SCOSA-2005.4915495RHSA-2005:384oval:org.mitre.oval:def:100020Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to replace existing search plugins with malicious ones using sidebar.addSearchEngine and the same filename as the target engine, which may not be displayed in the GUI, which could then be used to execute malicious script, aka "Firesearching 2."http://www.mikx.de/firesearching/http://www.mozilla.org/security/announce/mfsa2005-38.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=290037RHSA-2005:383RHSA-2005:38613211149381499214996mozilla-plugin-xss(20125)SCOSA-2005.4915495RHSA-2005:384Multiple "missing security checks" in Firefox before 1.0.3 allow remote attackers to inject arbitrary Javascript into privileged pages using the _search target of the Firefox sidebar.http://www.mozilla.org/security/announce/mfsa2005-39.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=290079RHSA-2005:38314938OVAL100019oval:org.mitre.oval:def:100019 13231The native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which may allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code by passing objects of the wrong type.http://www.mozilla.org/security/announce/mfsa2005-40.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=290162GLSA-200504-18RHSA-2005:383RHSA-2005:38613232101374210137431493814992mozilla-installtrigger-command-execution(20123)OVAL100018SCOSA-2005.4915495RHSA-2005:384RHSA-2005:601SUSE-SA:2006:02219823oval:org.mitre.oval:def:100018The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object.http://www.mozilla.org/security/announce/mfsa2005-41.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=289074https://bugzilla.mozilla.org/show_bug.cgi?id=289083https://bugzilla.mozilla.org/show_bug.cgi?id=289961GLSA-200504-18RHSA-2005:383RHSA-2005:3861493814992OVAL100017SCOSA-2005.4915495RHSA-2005:384RHSA-2005:60113233SUSE-SA:2006:02219823oval:org.mitre.oval:def:100017Multiple SQL injection vulnerabilities in OneWorldStore allow remote attackers to execute arbitrary SQL commands via the idProduct parameter to (1) owAddItem.asp or (2) owProductDetail.asp, (3) idCategory parameter to owListProduct.asp, or (4) bSpecials parameter to owListProduct.asp.20050414 Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore131811318213183155181551915520101372014969oneworldstore-product-category-sql-injection(20097)http://www.oneworldstore.com/support_security_issue_updates.asp#April_15_2005_DCrabMultiple cross-site scripting (XSS) vulnerabilities in OneWorldStore allow remote attackers to inject arbitrary web script or HTML via the (1) sEmail parameter to owContactUs.asp, (2) bSub parameter to owListProduct.asp, or the (3) Name, (4) Email, or (5) Comment fields in owProductDetail.asp.20050414 Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore131841318513186155211552215523101372014969oneworldstore-xss(20096)http://www.oneworldstore.com/support_security_issue_updates.asp#April_15_2005_DCrabMultiple buffer overflows in Yager 5.24 and earlier allow remote attackers execute arbitrary code via (1) a crafted nickname or (2) a packet with a large amount of data.1317713178155071550814967yager-datablock-bo(20101)yager-nickname-bo(20100)20050414 Multiple vulnerabilities in Yager 5.24Yager 5.24 and earlier allows remote attackers to cause a denial of service (application hang) via a packet with a game header that provides less data than indicated by the length.131791550914967yager-freeze-datablock-dos(20104)20050414 Multiple vulnerabilities in Yager 5.24Yager 5.24 and earlier allows remote attackers to cause a denial of service (application crash) via certain malformed data.yager-corrupt-data-dos(20105)20050414 Multiple vulnerabilities in Yager 5.24The DNTUS26 process in Dameware NT Utilities and the DWRCS process in MiniRemote Control 4.9 and earlier stores the username and password in cleartext in memory, which could allow attackers to obtain sensitive information.20050415 Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerabilityhttp://www.shellsec.net/leer_advisory.php?id=7101372515275Musicmatch 10.00.2047 and earlier store log files in the Program Files directory instead of the user profile, which may allow local users to obtain sensitive information.20050415 Improper log file storage in Musicmatch softwarehttp://www.hyperdose.com/advisories/H2005-02.txtDiagCollectionControl.dll in Musicmatch 10.00.2047 and earlier allows remote attackers to overwrite arbitrary files via the bstrSavePath argument.20050415 Arbitrary file overwrite possible by Musicmatch ActiveX control13167Mafia Blog .4 BETA does not properly protect the admin directory, which allows remote attackers to execute arbitrary PHP code by using writeinfo.php to inject the code into info.php.20050415 Mafia Bloghttp://chrisnowak.org/projects/mafia/13194SQL injection vulnerability in mod.php in the datenbank module for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter.20050416 phpBB datenbank mod has XSS/SQL Injection in the id variableCross-site scripting (XSS) vulnerability in mod.php in the datenbank module for phpBB allows remote attackers to inject arbitrary web script or HTML via the id parameter.20050416 phpBB datenbank mod has XSS/SQL Injection in the id variable1321015812phpbb-modphp-xss(20146)Cross-site scripting (XSS) vulnerability in init.inc.php in Coppermine Photo Gallery 1.3.x allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For parameter.20050418 Vulnerability in Coppermine Photo Gallery 1.3.*http://coppermine.sourceforge.net/board/index.php?topic=171341321815004Buffer overflow in PMSoftware Simple Web Server 1.0 allows remote attackers to execute arbitrary code via a long GET request.20050418 ERNW Security Advisory 01/2005MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.20050712 MITKRB5-SA-2005-002: buffer overflow, heap corruption in KDCVU#259798http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txtDSA-757APPLE-SA-2005-08-15APPLE-SA-2005-08-1720050703-01-USuSE-SR:2005:017TLSA-2005-782005-0036USN-224-114240ADV-2005-106616041kerberos-kdc-krb5-tcp-connection-dos(21327)178991014460RHSA-2005:567101809IY85474ADV-2006-207420364oval:org.mitre.oval:def:397Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txtDSA-757VU#885830APPLE-SA-2005-08-15APPLE-SA-2005-08-1720050703-01-USuSE-SR:2005:017TLSA-2005-782005-0036USN-224-114236ADV-2005-106616041kerberos-kdc-krb5-udp-tcp-bo(21328)178991014460RHSA-2005:562RHSA-2005:5671713520050712 MITKRB5-SA-2005-002: buffer overflow, heap corruption in KDC101809IY85474ADV-2006-207420364oval:org.mitre.oval:def:736Race condition in JFS2 on AIX 5.2 and 5.3, when deleting a file while I/O is still occurring for that file, may write data to a different file, which could leak sensitive information.IY70032IY70034aix-jfs2-race-condition(20604)Unknown vulnerability in (1) Webmin and (2) Usermin before 1.200 causes Webmin to change permissions and ownership of configuration files, with unknown impact.http://www.webmin.com/changes.htmlhttp://www.webmin.com/uchanges.html1013723webmin-config-file-permissions(20607)SQL injection vulnerability in Oracle Forms 10g allows remote attackers to execute arbitrary SQL commands via the Query/Where feature.http://www.red-database-security.com/wp/sql_injection_forms_us.pdfhttp://www.securiteam.com/securitynews/5HP0I0UFFI.htmloracle-forms-query-where-popup-sql-injection(20080)Unknown vulnerability in Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, related to SNMP authentication, allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-0703.http://www.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf1450713196xerox-workcentre-snmp-auth-bypass(20192)HTTP Response Splitting vulnerability in the Surveys module in PHP-Nuke 7.6 allows remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences in the forwarder parameter.http://www.digitalparadox.org/advisories/pnuke.txt1564714965php-nuke-http-response-splitting(20116)20050415 Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below** DISPUTED ** NOTE: this issue has been disputed by the vendor. PHP remote code injection vulnerability in loader.php for Ariadne CMS 2.4 allows remote attackers to execute arbitrary PHP code by modifying the ariadne parameter to reference a URL on a remote web server that contains the code. NOTE: the vendor has disputed this issue, saying that loader.php first requires the "ariadne.inc" file, which defines the $ariadne variable, and thus it cannot be modified by an attacker. In addition, CVE personnel have partially verified the dispute via source code inspection of Ariadne 2.4 as available on July 5, 2005.155491013721ariadne-loaderphp-file-include(20611)Unknown vulnerability in Incoming Remote Command (iSeries Access for Windows Remote Command service) in IBM OS/400 R510, R520, and R530 allows attackers to cause a denial of service (IRC shutdown) via certain inputs.http://www-1.ibm.com/support/docview.wss?uid=nas29afd3991f5f290b086256fdb0053b29314970ibm-irc-dos(20612)Cross-site scripting (XSS) vulnerability in mvnForum 1.0 RC4 allows remote attackers to inject arbitrary web script or HTML via the Search parameter.1321315760mvnforum-search-xss(20613)The TCP/IP stack in multiple operating systems allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the correct sequence number but the wrong Acknowledgement number, which generates a large number of "keep alive" packets. NOTE: some followups indicate that this issue could not be replicated.20050416 TCP/IP Stack Vulnerability20050418 Re: TCP/IP Stack Vulnerability20050418 Re: TCP/IP Stack Vulnerability13215multiple-tcpip-dos(40502)Unquoted Windows search path vulnerability in Musicmatch Jukebox 10.00.2047 and earlier allows local users to gain privileges via a malicious C:\program.exe file, which is run by MMFWLaunch.exe when it attempts to execute launch.exe.http://www.hyperdose.com/advisories/H2005-05.txt1013718jukebox-mmfwlaunch-gain-privileges(20129)20050414 Trojan file issue in Musicmatch softwareMusicmatch Jukebox 10.00.2047 and earlier adds the musicmatch.com domain to the Trusted Sites zone in Internet Explorer, which allows systems in the domain to conduct unauthorized activities, as demonstrated using cross-site scripting (XSS) attacks.20050414 Trusted Site Cross Site Scripting Elevation of Privilege in Musicmatchhttp://www.hyperdose.com/advisories/H2005-04.txt1013718jukebox-mmfwlaunch-gain-privileges(20129)Heap-based buffer overflow in WinHex 12.05 SR-14, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. NOTE: since this overflow is in the command line of an unprivileged program, it is highly likely that this is not a vulnerability.http://www.unl0ck.org/files/papers/winhex.txt1013727winhex-filename-bo(20139)Cross-site scripting (XSS) vulnerability in comersus_searchItem.asp in Comersus 3.90 to 4.51 allows remote attackers to inject arbitrary web script or HTML via the curPage parameter.http://lostmon.blogspot.com/2005/04/comersus-asp-shopping-cart-variable.html13125155391013747comersus-comersussearchitem-xss(20147)Cross-site scripting (XSS) vulnerability in WebcamXP PRO v2.16.468 and earlier allows remote attackers to inject arbitrary web script or HTML via the chat name, as demonstrated by using an IFRAME to redirect users to other sites.The vulnerability has reportedly been fixed in the beta version 2.16.478.101375314999webcamxp-chat-xss(20166)WebcamXP PRO v2.16.468 and earlier allows remote attackers to cause a denial of service via a long chat name, which takes up too much display space and prevents the chat frame from being properly rendered.1013753webcamxp-chatname-dos(20615)The Web View DLL (webvw.dll), as used in Windows Explorer on Windows 2000 systems, does not properly filter an apostrophe ("'") in the author name in a document, which allows attackers to execute arbitrary script via extra attributes when Web View constructs a mailto: link for the preview pane when the user selects the file.20050419 File Selection May Lead to Command Execution (GM#015-IE)http://security.greymagic.com/security/advisories/gm015-ie13248MS05-024ADV-2005-0509windows-web-view-command-execution(20380)OVAL3585oval:org.mitre.oval:def:3585Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060.HPSBUX01137HP Security Bulletin HPSBUX01137 -- SSRT5954 rev.0 HP-UX TCP/IP Remote Denial of Service (DoS) 13367oval:org.mitre.oval:def:1407oval:org.mitre.oval:def:1533oval:org.mitre.oval:def:1552oval:org.mitre.oval:def:1607oval:org.mitre.oval:def:935262The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome:, or (6) script: URI scheme, as demonstrated using the URL tag.20050507 phpbb 2.0.15 released - patches high critical vuln20050508 phpbb 2.0.15 released - patches high critical vulnhttp://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194VU#1131961354516439101391815298phpbb-url-bbcode-file-include(20574)http://castlecops.com/t123194-.html1014117Stack-based buffer overflow in the ieee_putascii function for nasm 0.98 and earlier allows attackers to execute arbitrary code via a crafted asm file, a different vulnerability than CVE-2004-1287.RHSA-2005:381Multiple heap-based buffer overflows in the code used to handle (1) MMS over TCP (MMST) streams or (2) RealMedia RTSP streams in xine-lib before 1.0, and other products that use xine-lib such as MPlayer 1.0pre6 and earlier, allow remote malicious servers to execute arbitrary code.http://www.mplayerhq.hu/homepage/design7/news.html#vuln10http://www.mplayerhq.hu/homepage/design7/news.html#vuln11GLSA-200504-19157111571215014mplayer-mmst-stream-bo(20175)mplayer-rtsp-stream-bo(20171)20050421 xine security announcement: multiple heap overflows in MMS and Real RTSP streaming clients1013771SQL injection vulnerability in kb.php in the Knowledge Base module for phpBB allows remote attackers to obtain sensitive information and execute SQL commands via the cat parameter.20050418 phpBB - Knowledge Base MOD - SQL-Injection and Full Path DisclosureSQL injection vulnerability in the SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CHANGE_SET procedure in Oracle Database Server 10g allows remote attackers to execute arbitrary SQL commands via the CHANGE_SET_NAME parameter.http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdfTA05-117AVU#94848620050418 [AppSecInc Team SHATTER Security Advisory] SQL Injection in CREATE_SCN_CHANGE_SET procedureDirectory traversal vulnerability in apexec.pl for Anaconda Foundation Directory allows remote attackers to read arbitrary files via hex-encoded null characters (%00) in the middle of ".." sequences in the template parameter.20050419 Directoy Traversal Attack in apexec.pl (.%00./-Bug)SQL injection vulnerability in printthread.php in UBB.Threads allows remote attackers to execute arbitrary SQL commands via the main parameter.13253156981502420050419 UBB Thread printthread.php SQL InjectionPHP remote file inclusion vulnerability in main_index.php in AZ Bulletin Board (AZbb) 1.0.07a through 1.0.07c allows remote attackers to execute arbitrary PHP code by modifying the (1) dir_src or (2) abs_layer parameter to reference a URL on a remote web server that contains the code.http://azbb.cyaccess.com/azbb.php?109177854815013az-bulletin-board-file-include(20181)20050420 Multiple Security Issues Found In AZBBMultiple directory traversal vulnerabilities in AZ Bulletin board (AZbb) before 1.0.08 allow (1) remote authenticated users with administrative privileges to delete arbitrary files via a .. (dot dot) in the URL to admin_avatar.php or admin_attachment.php or (2) remote attackers to enumerate files via a .. (dot dot) in the attachment parameter to attachment.php, which displays a different message when a file exists or does not exist.http://azbb.cyaccess.com/azbb.php?109177854815013az-bulletin-board-file-modification(20180)az-bulletin-board-file-existence(20183)157011570220050420 Multiple Security Issues Found In AZBBMultiple cross-site scripting (XSS) vulnerabilities in eGroupware before 1.0.0.007 allow remote attackers to inject arbitrary web script or HTML via the (1) ab_id, (2) page, (3) type, or (4) lang parameter to index.php or (5) category_id parameter.http://sourceforge.net/project/shownotes.php?release_id=3207681321214982GLSA-200504-241575120050420 Multiple eGroupware VulnerabilitiesMultiple SQL injection vulnerabilities in index.php in eGroupware before 1.0.0.007 allow remote attackers to execute arbitrary SQL commands via the (1) filter or (2) cats_app parameter.http://sourceforge.net/project/shownotes.php?release_id=3207681321214982GLSA-200504-241575320050420 Multiple eGroupware VulnerabilitiesDesktop Rover 3.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a crafted packet to TCP port 61427, which causes an invalid memory access.http://www.evilpacket.net/advisories/EP-000-0003.html1503220050420 Neslo Desktop Rover Remote DoS VulnerabilityThe Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.20050614 Multiple Vendor Telnet Client Information Disclosure VulnerabilityMS05-033VU#80082915690OVAL1132OVAL605OVAL784101420313940oval:org.mitre.oval:def:1132oval:org.mitre.oval:def:605oval:org.mitre.oval:def:784Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability."MS05-027TA05-165AVU#48939715694OVAL1142OVAL259OVAL467oval:org.mitre.oval:def:1142oval:org.mitre.oval:def:259oval:org.mitre.oval:def:467Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters.MS05-02815696OVAL1255OVAL721oval:org.mitre.oval:def:1255oval:org.mitre.oval:def:721Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer.20050614 eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer OverflowMS05-026TA05-165AVU#8518691568313953OVAL1057OVAL381OVAL463oval:org.mitre.oval:def:1057oval:org.mitre.oval:def:381oval:org.mitre.oval:def:463Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file.MS05-025TA05-165AVU#189754OVAL1115OVAL1239OVAL258OVAL770OVAL782139411014201oval:org.mitre.oval:def:1115oval:org.mitre.oval:def:1239oval:org.mitre.oval:def:258oval:org.mitre.oval:def:770oval:org.mitre.oval:def:782Buffer overflow in Microsoft Step-by-Step Interactive Training (orun32.exe) allows remote attackers to execute arbitrary code via a bookmark link file (.cbo, cbl, or .cbm extension) with a long User field.20050614 Microsoft Windows Interactive Training Buffer Overflow VulnerabilityMS05-0311566920050614 Microsoft Windows Interactive Training Buffer Overflow VulnerabilityOVAL1224139441014194oval:org.mitre.oval:def:1224Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field.20050614 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow VulnerabilityMS05-030OVAL1088OVAL167OVAL989VU#130614101420013951oval:org.mitre.oval:def:1088oval:org.mitre.oval:def:167oval:org.mitre.oval:def:989Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page.MS05-03215689OVAL1194OVAL682OVAL90613948oval:org.mitre.oval:def:1194oval:org.mitre.oval:def:682oval:org.mitre.oval:def:906Microsoft ISA Server 2000 allows remote attackers to poison the ISA cache or bypass content restriction policies via a malformed HTTP request packet containing multiple Content-Length headers.MS05-03415693OVAL1145139561014193oval:org.mitre.oval:def:1145Microsoft ISA Server 2000 allows remote attackers to connect to services utilizing the NetBIOS protocol via a NetBIOS connection with an ISA Server that uses the NetBIOS (all) predefined packet filter.MS05-03415693VU#367077OVAL468139541014193oval:org.mitre.oval:def:468The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests.http://security-protocols.com/modules.php?name=News&file=article&sid=2783[Dailydave] 20050714 SPIKE actually scores.20050715 Any info on potential 0day RDP vuln?MS05-041TA05-221Ahttp://www.microsoft.com/technet/security/advisory/904797.mspx14259VU#490628OVAL100092oval:org.mitre.oval:def:100092oval:org.mitre.oval:def:180oval:org.mitre.oval:def:346oval:org.mitre.oval:def:376oval:org.mitre.oval:def:609oval:org.mitre.oval:def:618Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags.MS05-03616004TA05-193AVU#720742OVAL330OVAL440OVAL769OVAL1125OVAL128014214oval:org.mitre.oval:def:330oval:org.mitre.oval:def:440oval:org.mitre.oval:def:769oval:org.mitre.oval:def:1125oval:org.mitre.oval:def:1280Shoutbox SCRIPT 3.0.2 and earlier allows remote attackers to obtain sensitive information via a direct request to db/settings.dat, which displays usernames and password hashes.1569515015knusperleicht-settings-info-disclosure(20177)20050419 Shoutbox SCRIPT <= 3.0.2 Administrative MD5 Username and Password Retrieval [x0n3-h4ck]SQL injection vulnerability in login.asp for Ecommerce-Carts EcommPro 3.0 allows remote attackers to execute arbitrary SQL commands via the password field.http://www.ihssecurity.com/download/advisory/ecomerce-cart.txtecomm-pro-sql-injection(20200)20050419 Ecommerce-Carts SQL injection vulnerability ( IHSTeam )cat_for_gen.php in Annuaire Netref 4.2 allows remote attackers to execute arbitrary PHP code by setting the ad_direct parameter to reference cat_for_gen.php, then including the code in the m_for_racine parameter, which is then written to cat_for_gen.php.1571715040netref-catforgen-code-execution(20198)20050419 Annuaire Netref v4.2 [ fwrite php ] vulnerabilityMultiple SQL injection vulnerabilities in Ocean12 Calendar manager 1.01 allow remote attackers to execute arbitrary SQL commands via the Admin_id field.101376215026ocean12-calendar-manager-sql-injection(20174)20050420 [HSC Security Group] Ocean12 Calendar manager 1.01 SQL injectionMultiple SQL injection vulnerabilities in DUware DUportal Pro 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) nChannel parameter to default.asp, cat.asp, or detail.asp, (2) the iChannel parameter to search.asp, default.asp, result.asp, cat.asp, or detail.asp (3) the iCat parameter to cat.asp or detail.asp, (4) the iData parameter to detail.asp or result.asp, the (5) POL_ID, (6) POL_PARENT, (7) POL_CATEGORY, (8) CHA_NAME, or (9) CHA_ID parameters to inc_vote.asp, or the (10) tfm_order or (11) tfm_orderby parameters to toppages.asp, a different set of vulnerabilities than CVE-2005-1236.http://www.digitalparadox.org/advisories/dup.txt15044duportal-multiple-sql-injection(20197)http://www.securiteam.com/windowsntfocus/5TP0O0AFFQ.html1503120050420 DUportal Pro 3.4 has MANY Sql injection and Sql Errors.20061202 [Aria-Security Team] DuWare DuPortal SQL Injection Vuln13285duportal-default-cat-sql-injection(30671)SQL injection vulnerability in Coppermine Photo Gallery 1.3.2 allows remote attackers to execute arbitrary SQL commands via the favs parameter to (1) init.inc.php or (2) zipdownload.php.http://www.waraxe.us/advisory-42.html15004coppermine-initincphp-sql-injection(20205)20050420 [waraxe-2005-SA#042] - Multiple vulnerabilities in Coppermine Photo Gallery 1.3.2Coppermine Photo Gallery 1.3.2 stores passwords in plaintext, which allows remote attackers to obtain sensitive information.http://www.waraxe.us/advisory-42.htmlcoppermine-password-plaintext(20206)20050420 [waraxe-2005-SA#042] - Multiple vulnerabilities in Coppermine Photo Gallery 1.3.2Cross-site scripting (XSS) vulnerability in PHProjekt 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the chatroom text submission form.1572015039phprojekt-url-tag-xss(20212)20050420 Secure Science Corporation Application Software Advisory 055Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file.http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=30525515047gzip-n-directory-traversal(20199)DSA-752OVAL382SCOSA-2005.5818100RHSA-2005:35720050420 gzip directory traversal vulnerability101816APPLE-SA-2006-08-0121253ADV-2006-31011572119289SSA:2006-26222033oval:org.mitre.oval:def:382oval:org.mitre.oval:def:170 TA06-214ADirectory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file.cpio-directory-traversal(20204)SCOSA-2005.32USN-189-1DSA-846SCOSA-2006.218290FreeBSD-SA-06:03132911793918395171231699820050420 cpio directory traversal vulnerabilitySUSE-SR:2006:01020117MDKSA-2007:23327857Directory traversal vulnerability in Yawcam 0.2.5 allows remote attackers to read arbitrary files via "..\" (dot dot backslash) sequences in a GET request.http://www.autistici.org/fdonato/advisory/Yawcam0.2.5-adv.txt1573215052N/A20050421 directory traversal in Yawcam 0.2.5Cross-site scripting (XSS) vulnerability in the NewTerm function in GlossaryModel.php in JAWS 0.4 allows remote attackers to inject arbitrary web script or HTML via the (1) term or (2) description.20050418 XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2))http://www.securiteam.com/unixfocus/5RP0M0AFFS.html13254Buffer overflow in Sun Java System Web Proxy Server (aka Sun ONE Proxy Server) 3.6 SP6 allows remote attackers to execute arbitrary code via unknown vectors.57763Cross-site scripting (XSS) vulnerability in index.php in PHP Labs proFile allows remote attackers to inject arbitrary web script or HTML via the (1) dir or (2) file parameters.http://www.snkenjoi.com/secadv/secadv7.txthttp://www.frsirt.com/english/advisories/2005/0370132761328215697101375615027profile-indexphp-xss(20169)Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via the (1) u parameter to auction_rating.php or (2) ar parameter to action_offer.php.http://www.snkenjoi.com/secadv/secadv9.txthttp://www.phpbb-auction.com/sutra5600.html13283132841570415705101377915029phpbb-auction-sql-injection(20203)20060725 PHP-Auction SQL injectionauction_my_auctions.php in phpbb-Auction 1.2m and earlier allows remote attackers to obtain sensitive information via an invalid mode parameter, which leaks the full path in a PHP error message.Fixed updated version on http://www.phpbb-auction.com/http://www.snkenjoi.com/secadv/secadv9.txthttp://www.phpbb-auction.com/sutra5600.html15706101377915029Multiple SQL injection vulnerabilities in DUware DUportal 3.1.2 and 3.1.2 SQL allow remote attackers to execute arbitrary SQL commands via the (1) iChannel parameter to channel.asp or search.asp, (2) iData parameter to detail.asp or inc_rating.asp, (3) iCat parameter to detail.asp or type.asp, (4) DAT_PARENT parameter to inc_poll_voting.asp, or (5) iRate parameter to inc_rating.asp, a different set of vulnerabilities than CVE-2005-1224.http://www.digitalparadox.org/advisories/dup.txt1328815044SQL injection vulnerability in news.php in FlexPHPNews 0.0.3 allows remote attackers to execute arbitrary SQL commands via the newsid parameter.http://www.frsirt.com/english/advisories/2005/0373132971571514905flexphpnews-newsphp-sql-injection(20214) 3631 20070411 Rediscovery: Flexphpnews news.php/newsid SQL injection 23247 flexphpnew-news-sql-injection(33362)By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request.20050420 Canonicalization and directory traversal in iSeries FTP security productshttp://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdfmultiple-vendor-security-bypass(20260)Directory traversal vulnerability in the third party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.Fix is available on http://www.razlee.com/20050420 Canonicalization and directory traversal in iSeries FTP security productshttp://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf13310multiple-vendor-security-bypass(20260)Directory traversal vulnerability in the third party tool from Castlehill, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.20050420 Canonicalization and directory traversal in iSeries FTP security productshttp://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdfCastlehill Secure/Net May Let Remote Users Bypass AS/400 FTP Access Controlsmultiple-vendor-security-bypass(20260)Directory traversal vulnerability in the third party tool from Powertech, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.20050420 Canonicalization and directory traversal in iSeries FTP security productshttp://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf13312multiple-vendor-security-bypass(20260)Directory traversal vulnerability in the third party tool from Bsafe, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.20050420 Canonicalization and directory traversal in iSeries FTP security productshttp://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdfmultiple-vendor-security-bypass(20260)Directory traversal vulnerability in the third party tool from SafeStone, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request.20050420 Canonicalization and directory traversal in iSeries FTP security productshttp://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdfmultiple-vendor-security-bypass(20260)** DISPUTED ** Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. NOTE: the vendor has disputed this issue, saying that "neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."20050420 Canonicalization and directory traversal in iSeries FTP security productshttp://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf157911013810multiple-vendor-security-bypass(20260)Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, when using HTML Tidy ($wgUseTidy), allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://sourceforge.net/project/shownotes.php?release_id=322146133011571914993mediawiki-unknown-xss(20210)Format string vulnerability in the snmppd_log function in snmppd_util.c for snmppd 0.4.5 and earlier may allow remote attackers to cause a denial of service or execute arbitrary code via format string specifiers that are not properly handled in a syslog call.20050425 [INetCop Security Advisory] Snmppd potentially format string vulnerability.http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2005-0x82-027-SNMPPD.txt15120webadmin.exe in Novell Nsure Audit 1.0.1 allows remote attackers to cause a denial of service via malformed ASN.1 packets in corrupt client certificates to an SSL server, as demonstrated using an exploit for the OpenSSL ASN.1 parsing vulnerability.20050424 [CIRT.DK - Advisory] Novell Nsure Audit 1.0.1 Denial of Servicehttp://www.cirt.dk/advisories/cirt-31-advisory.pdfhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/10097379.htm20040115 OpenSSL ASN.1 parsing bugs PoC / brute forcerBuffer overflow in Apple iTunes before 4.8 allows remote attackers to execute arbitrary code via a crafted MPEG4 file.APPLE-SA-2005-05-091356516243101392715310apple-itunes-mpeg4-bo(20498)http://www.ngssoftware.com/advisories/itunes.txthttp://docs.info.apple.com/article.html?artnum=301596ADV-2005-0504The IMAP daemon (IMAPD32.EXE) in Ipswitch Collaboration Suite (ICS) allows remote attackers to cause a denial of service (CPU consumption) via an LSUB command with a large number of null characters, which causes an infinite loop.20050524 Ipswitch IMail IMAP LSUB DoS Vulnerabilityhttp://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html1014047SQL injection vulnerability in the logon screen of the web front end (NmConsole/Login.asp) for IpSwitch WhatsUp Professional 2005 SP1 allows remote attackers to execute arbitrary SQL commands via the (1) User Name field (sUserName parameter) or (2) Password (sPassword parameter).20050622 IpSwitch WhatsUp Professional 2005 (SP1) SQL Injection Vulnerabilityhttp://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699http://secunia.com/secunia_research/2005-13/advisory/http://www.corsaire.com/advisories/c050323-001.txtDirectory traversal vulnerability in the Web Calendaring server in Ipswitch Imail 8.13, and other versions before IMail Server 8.2 Hotfix 2, allows remote attackers to read arbitrary files via "..\" (dot dot backslash) sequences in the query string argument in a GET request to a non-existent .jsp file.20050524 Ipswitch IMail Web Calendaring Arbitrary File Read Vulnerabilityhttp://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html1014047Stack-based buffer overflow in the IMAP server for Ipswitch IMail 8.12 and 8.13, and other versions before IMail Server 8.2 Hotfix 2, allows remote authenticated users to cause a denial of service (crash) via a SELECT command with a large argument.20050524 Ipswitch IMail IMAP SELECT Command DoS Vulnerabilityhttp://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html1014047Multiple stack-based buffer overflows in the IMAP server in IMail 8.12 and 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allow remote attackers to execute arbitrary code via a LOGIN command with (1) a long username argument or (2) a long username argument that begins with a special character.20050524 Ipswitch IMail IMAP LOGIN Remote Buffer Overflow Vulnerabilitieshttp://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html1014047Stack-based buffer overflow in the IMAP daemon (IMAPD32.EXE) in IMail 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allows remote authenticated users to execute arbitrary code via a STATUS command with a long mailbox name.20050524 Ipswitch IMail IMAP STATUS Remote Buffer Overflow Vulnerabilityhttp://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html1014047bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb").20050517 [USN-127-1] bzip2 vulnerabilitiesDSA-741USN-127-1OVAL749FLSA:158801RHSA-2005:47420060301-01-U1365719183oval:org.mitre.oval:def:749APPLE-SA-2007-11-14103118TA07-319A26444ADV-2007-3525ADV-2007-3868154472727427643200191Stack-based buffer overflow in the URL parsing function in Gaim before 1.3.0 allows remote attackers to execute arbitrary code via an instant message (IM) with a large URL.RHSA-2005:432ADV-2005-0519FLSA:15854313590http://gaim.sourceforge.net/security/index.php?id=16RHSA-2005:429Gaim 1.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed MSN message.http://gaim.sourceforge.net/security/index.php?id=17RHSA-2005:429ADV-2005-0519FLSA:15854313591SUSE-SA:2005:036The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow.http://www.isec.pl/vulnerabilities/isec-0023-coredump.txtADV-2005-052420050511 Linux kernel ELF core dump privilege elevationOVAL1122RHSA-2005:472RHSA-2005:529RHSA-2005:551FLSA:157459-1FLSA:157459-2FLSA:157459-319185oval:org.mitre.oval:def:1122 20060402-01-U 19607Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589.[linux-kernel] 20050517 [PATCH] Fix root hole in raw device20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability20050517 Re: Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerabilityhttp://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10ADV-2005-055713651RHSA-2005:420FLSA:157459-3The mmap function in the Linux Kernel 2.6.10 can be used to create memory maps with a start address beyond the end address, which allows local users to cause a denial of service (kernel crash).USN-137-1DSA-92213893180561014152RHSA-2005:514FLSA:157459-317073Apache SpamAssassin 3.0.1, 3.0.2, and 3.0.3 allows remote attackers to cause a denial of service (CPU consumption and slowdown) via a message with a long Content-Type header without any boundaries.http://www.vuxml.org/freebsd/cc4ce06b-e01c-11d9-a8bd-000cf18bbe54.htmlGLSA-200506-17http://bugs.gentoo.org/show_bug.cgi?id=94722[spamassassin-announce] 20050615 Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3DSA-736MDKSA-2005:106RHSA-2005:498 13978The bgp_update_print function in tcpdump 3.x does not properly handle a -1 return value from the decode_prefix4 function, which allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet.https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159208FEDORA-2005-4062005-002815634DSA-85417118RHSA-2005:505FLSA:156139 13906Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte.https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163013MDKSA-2005:129RHSA-2005:582DSA-805TSLSA-2005-0059OVAL134614366102198ADV-2006-078919072HPSBUX0207419185SUSE-SA:2005:046SUSE-SR:2005:018oval:org.mitre.oval:def:1346oval:org.mitre.oval:def:1714oval:org.mitre.oval:def:1747604Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name.http://gaim.sourceforge.net/security/?id=18USN-139-1GLSA-200506-11MDKSA-2005:09913931DSA-734OVAL744FLSA:158543RHSA-2005:518SUSE-SA:2005:036oval:org.mitre.oval:def:744MDKSA-2005:099The (1) check_update.sh and (2) rkhunter script in Rootkit Hunter before 1.2.3-r1 create temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack.GLSA-200504-25133991586115127rootkit-hunter-checkupdate-symlink(20279)** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1343. Reason: This candidate is a reservation duplicate of CVE-2005-1343. Notes: All CVE users should reference CVE-2005-1343 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Stack-based buffer overflow in the Backup Agent for Microsoft SQL Server in BrightStor ARCserve Backup Agent for SQL Server 11.0 allows remote attackers to execute arbitrary code via a long string sent to port (1) 6070 or (2) 6050.http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239VU#27977414453brightstor-enterprise-backup-bo(21656)20050803 CA BrightStor ARCserve Backup Agent for MS SQL Server Buffer OverflowStack-based buffer overflow in the getIfHeader function in the WebDAV functionality in MySQL MaxDB before 7.5.00.26 allows remote attackers to execute arbitrary code via an HTTP unlock request and a long "If" parameter.20050426 MySQL MaxDB Webtool Remote 'If' Stack Overflow VulnerabilityHeap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value.20050424 [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflowhttp://www.overflow.pl/adv/imheapoverflow.txthttp://bugs.gentoo.org/show_bug.cgi?id=90423http://www.imagemagick.org/script/changelog.php13351MDKSA-2005:107OVAL711RHSA-2005:413oval:org.mitre.oval:def:711** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1766. Reason: This candidate is a duplicate of CVE-2005-1766. Notes: This duplicate occurred due to insufficient coordination across three separate parties. All CVE users should reference CVE-2005-1766 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet.20050426 tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits.RHSA-2005:417RHSA-2005:421SCOSA-2005.601814615125FLSA:156139 13392tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted (1) BGP packet, which is not properly handled by RT_ROUTING_INFO, or (2) LDP packet, which is not properly handled by the ldp_print function.20050426 tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits.RHSA-2005:417RHSA-2005:421DSA-850SCOSA-2005.60181461512517101FLSA:156139 13389The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4.20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS.RHSA-2005:417RHSA-2005:421SCOSA-2005.601814615125FLSA:156139 13390Ethereal 0.10.10 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4.20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS.Ethereal RSVP Decoding Routines Denial Of Service VulnerabilityMultiple cross-site scripting (XSS) vulnerabilities in Argosoft Mail Server Pro 1.8.7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the src parameter in an IMG tag, (2) User settings, or (3) Address book input boxes in the webmail interface.1332615100argosoft-mail-server-html-tag-filter-xss(20225)20050422 Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6Multiple directory traversal vulnerabilities in Argosoft Mail Server Pro 1.8.7.6 allow remote authenticated users to (1) read arbitrary files via the UIDL parameter to the msg script or (2) copy or move the user's .eml file to arbitrary locations via the delete script, a different vulnerability than CVE-2005-0367.1582115823argosoft-mail-server-dir-traversal(20229)argosoft-mail-server-eml-files-dir-traversal(20226)20050422 Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6The addnew script in Argosoft Mail Server Pro 1.8.7.6 allows remote attackers to create arbitrary accounts, even if "Allow Creation of Accounts From the Web Interface" is disabled, via a direct HTTP POST request.1332315822argosoft-mail-server-add-new-mail-account(20228)20050422 Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6Cross-site scripting (XSS) vulnerability in thread.php in WoltLab Burning Board 2.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the hilight parameter.15058101379020050422 [SePro Bugtraq] WBB - WoltLab Burning Board <= 2.3.1 - XSS13325Unquoted Windows search path vulnerability in BitDefender 8 allows local users to prevent BitDefender from starting by creating a malicious C:\program.exe, possibly due to the lack of quoting of the full pathname when executing a process.158181507620050422 BitDefender 8 - Race condition vulnerabilityMultiple SQL injection vulnerabilities in BK Forum 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to member.asp, (2) forum parameter to forum.asp, or (3) various parameters in register.asp.http://www.digitalparadox.org/advisories/bkdev.txt15072101379315784157851578620050423 Multiple Sql injection vulnerabilities in BK Forum v.420060421 BK Forum <<--V.4.0 SQL Injection20060423 BK Forum <= 4.0 Remote SQL Injectioninc_login_check.asp ACS Blog 0.8 through 1.1.3 allows remote attackers to gain administrator privileges via the "in" value in a cookie.1510510137951578720050423 ACSblog bugindex.cgi in E-Cart 2004 1.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and possibly (2) cat parameters.15054101378020050423 E-Cart v1.1 Remote Command ExecutionMultiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight parameter to viewtopic.php, or (3) forumname or forumdesc parameters to admin_forums.php.http://neosecurityteam.net/Advisories/Advisory-14.txt20050423 -==phpBB 2.0.14 Multiple Vulnerabilities==-Multiple SQL injection vulnerabilities in CartWIZ ASP Cart allow remote attackers to execute arbitrary SQL commands via the idProduct parameter to (1) addToCart.asp or (2) productDetails.asp, the (3) priceFrom, (4) idCategory, or (5) priceTo parameter to searchResults.asp, or (6) the idParentCategory parameter to productCatalogSubCats.asp.15055cartwiz-multiple-sql-injection(20246)10137921577115772157731577420050423 Multiple Sql injection and XSS in CartWIZ ASP CartMultiple cross-site scripting (XSS) vulnerabilities in CartWIZ ASP Cart allow remote attackers to inject arbitrary web script or HTML via the idProduct parameter to (1) tellAFriend.asp or (2) addToWishlist.asp, redirect parameter to (3) access.asp or (4) login.asp, message parameter to (5) login.asp or (6) error.asp, or (7) sku or (8) name parameter to searchResults.asp.15055cartwiz-multiple-script-xss(20249)1013792157751577615777157781578020050423 Multiple Sql injection and XSS in CartWIZ ASP CartMultiple SQL injection vulnerabilities in default.asp in StorePortal 2.63 allow remote attackers to execute arbitrary SQL commands via the (1) language, (2) bpic, (3) idcategory, (4) content, (5) keyword, or (6) idproduct parameter.http://digitalparadox.org/advisories/storeportal.txt1507120050424 Multiple SQL Injections in StorePortal 2.63The affix_sock_register in the Affix Bluetooth Protocol Stack for Linux might allow local users to gain privileges via a socket call with a negative protocol value, which is used as an array index.http://www.digitalmunition.com/DMA%5B2005-0423a%5D.txthttp://affix.sourceforge.net/patch_hci_3_2_020050424 DMA[2005-0423a] - 'Nokia Affix Bluetooth Integer Underflow'include.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument.20050425 remote command execution in include.cgi scriptinclude.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.20050425 remote command execution in include.cgi scriptCross-site scripting (XSS) vulnerability in the include.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument.20050425 remote command execution in include.cgi scriptThe inserter.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument.inserter.cgi File Inclusion and Command Execution Vulnerabilities20050425 remote command execution in inserter.cgi scriptThe inserter.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.inserter.cgi File Inclusion and Command Execution Vulnerabilities20050425 remote command execution in inserter.cgi scriptCross-site scripting (XSS) vulnerability in the inserter.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument.inserter.cgi File Inclusion and Command Execution Vulnerabilities20050425 remote command execution in inserter.cgi scriptnProtect:Netizen 2005.3.17.1 does not properly verify that the update module is downloaded from an authorized site, which allows remote malicious web sites to write arbitrary files.http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/80_e.htmlhttp://jvn.jp/jp/JVN%23AF02FB4B/index.html157881510120050425 [SNS Advisory No.80] nProtect:Netizen Arbitrary File Download VulnerabilitySQL injection vulnerability in Confixx 3.08 and earlier allows remote attackers to execute arbitrary SQL commands via the "change user" field.15815151211335520050425 Sql Injection in Confixx 3.06 & 3.08 & 3.?? ?694The citat.pl script allows remote attackers to read arbitrary files via a full pathname in the argument.20050424 remote command execution in citat.pl scriptThe citat.pl script allows remote attackers to execute arbitrary files via shell metacharacters in the argument.20050424 remote command execution in citat.pl scriptThe hyper.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument.20050424 hyper.cgi script file show bugThe Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability."http://www.adobe.com/support/techdocs/331710.html13962The (1) stopserver.sh and (2) startserver.sh scripts in Adobe Version Cue on Mac OS X uses the current working directory to find and execute the productname.sh script, which allows local users to execute arbitrary code by copying and calling the scripts from a user-controlled directory.http://www.securiteam.com/exploits/5EP0D20FQC.html20050516 Mac OS X - Adobe Version Cue local root exploit [c version exploit]20041206 Local root exploit on Mac OS X with Adobe Version Cue118331229712298101244613399version-cue-gain-privileges(18445)SqWebMail allows remote attackers to inject arbitrary web script or HTML via CRLF sequences in the redirect parameter followed by the desired script or HTML.1337415119Cross-site scripting (XSS) vulnerability in bBlog 0.7.4 allows remote attackers to inject arbitrary web script or HTML via the (1) entry title field or (2) comment body text.15754157551013811SQL injection vulnerability in bBlog 0.7.4 allows remote attackers to execute arbitrary SQL commands via the postid parameter.157561013811Cross-site scripting (XSS) vulnerability in Yappa-NG before 2.3.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://sourceforge.net/project/shownotes.php?release_id=323206133721582815107PHP remote file inclusion vulnerability in Yappa-NG before 2.3.2 allows remote attackers to execute arbitrary PHP code via unknown vectors.http://sourceforge.net/project/shownotes.php?release_id=323206133711582915107Cross-site scripting (XSS) vulnerability in Horde Passwd module before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[sork] 20050422 Passwd 2.2.2 (final)15075Cross-site scripting (XSS) vulnerability in Horde Kronolith module before 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[kronolith] 20050422 Kronolith 1.1.4 (final)15080Cross-site scripting (XSS) vulnerability in Horde Turba module before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[turba] 20050422 Turba 1.2.5 (final)15074Cross-site scripting (XSS) vulnerability in Horde Accounts module before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[sork] 20050422 Accounts 2.1.2 (final)15081Cross-site scripting (XSS) vulnerability in Horde Chora module before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.20050422 Chora 1.2.3 (final)15083Cross-site scripting (XSS) vulnerability in Horde Forwards E-Mail Forwarding Manager before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[sork] 20050422 Forwards 2.2.2 (final)15082Cross-site scripting (XSS) vulnerability in Horde IMP Webmail client before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[imp] 20050422 IMP 3.2.8 (final)15080Cross-site scripting (XSS) vulnerability in Horde Mnemo Note Manager before 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[mnemo] 20050422 Mnemo 1.1.4 (final)15078Cross-site scripting (XSS) vulnerability in Horde Vacation module before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[sork] 20050422 Vacation 2.2.2 (final)15073Cross-site scripting (XSS) vulnerability in Horde Nag Task List Manager before 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title.[nag] 20050422 Nag 1.1.3 (final)15079Buffer overflow in NetFtpd for NetTerm 5.1.1 and earlier allows remote attackers to execute arbitrary code via a long USER command.20050426 ADV: NetTerms NetFtpd 4.2.2 Buffer Overflow + PoC Exploithttp://www.securenetterm.com/html/what_s_new.html13396ADV-2005-04071586515140netterm-netftpd-user-bo(20285)Multiple cross-site scripting (XSS) vulnerabilities in index.php for phpMyVisites allow remote attackers to inject arbitrary web script or HTML via the (1) part, (2) per, or (3) site parameters.http://www.frsirt.com/english/advisories/2005/03781578915084phpmyvisites-index-xss(20255)set_lang.php in phpMyVisites 1.3 allows remote attackers to read and include arbitrary files via the mylang parameter.1337020050426 [exploits] phpMyVisites 1.3 local file retrievalBuffer overflow in VooDoo cIRCle BOTNET before 1.0.33 allows remote authenticated attackers to cause a denial of service (client crash) via a crafted packet.http://sourceforge.net/project/shownotes.php?release_id=3232541583015110Cross-site scripting (XSS) vulnerability in pms.php for Woltlab Burning Board 2.3.1 PL2 and earlier allows remote attackers to inject arbitrary web script or HTML via the folderid parameter.20050424 WoltLab Burning Board 2.3.113353OneWorldStore allows remote attackers to cause a denial of service (application crash) via a direct request to owConnections/chksettings.asp.http://lostmon.blogspot.com/2005/04/oneworldstore-critical-failure.htmlhttp://www.oneworldstore.com/support_security_issue_updates.asp#April_20_2005_Lostmon1332215724101378215057owOfflineCC.asp in OneWorldStore allows remote attackers to obtain sensitive information by modifying the idOrder parameter.http://lostmon.blogspot.com/2005/04/oneworldstore-user-information.htmlhttp://www.oneworldstore.com/support_security_issue_updates.asp#April_24_2005_Lostmon1336115781101379615104AppKit in Mac OS X 10.3.9 allows attackers to cause a denial of service (Cocoa application crash) via a malformed TIFF image that causes the NXSeek to use an incorrect offset, leading to an unhandled exception.APPLE-SA-2005-05-03The AppleScript Editor in Mac OS X 10.3.9 does not properly display script code for an applescript: URI, which can result in code that is different than the actual code that would be run, which could allow remote attackers to trick users into executing malicious code via certain URI characters such as NULL, control characters, and homographs.http://remahl.se/david/vuln/010/APPLE-SA-2005-05-0313480ADV-2005-045515227Bluetooth-enabled systems in Mac OS X 10.3.9 enables the Bluetooth file exchange service by default, which allows remote attackers to access files without the user being notified, and local users to access files via the default directory.APPLE-SA-2005-05-03http://docs.info.apple.com/article.html?artnum=301381TA05-136AVU#258390Directory traversal vulnerability in the Bluetooth file and object exchange (OBEX) services in Mac OS X 10.3.9 allows remote attackers to read arbitrary files.APPLE-SA-2005-05-03APPLE-SA-2005-06-0813491** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1579. Reason: This candidate is a duplicate of CVE-2005-1579. Notes: All CVE users should reference CVE-2005-1579 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Unknown vulnerability in Mac OS X 10.3.9 allows local users to gain privileges via (1) chfn, (2) chpass, and (3) chsh, which "use external helper programs in an insecure manner."APPLE-SA-2005-05-03TA05-136AVU#331694Buffer overflow in the Foundation framework for Mac OS X 10.3.9 allows local users to execute arbitrary code via a long environment variable.APPLE-SA-2005-05-03TA05-136AVU#582934Apple Help Viewer 2.0.7 and 3.0.0 in Mac OS X 10.3.9 allows remote attackers to read and execute arbitrary scrpts with less restrictive privileges via a help:// URI.http://remahl.se/david/vuln/004/APPLE-SA-2005-05-03Mac OS X 10.3.9, when using an LDAP server that does not use ldap_extended_operation, may store initial LDAP passwords for new accounts in plaintext.APPLE-SA-2005-05-03lukemftpd in Mac OS X 10.3.9 allows remote authenticated users to escape the chroot environment by logging in with their full name.APPLE-SA-2005-05-03The HTTP proxy service in Server Admin for Mac OS X 10.3.9 does not restrict access when it is enabled, which allows remote attackers to use the proxy.APPLE-SA-2005-05-03Apple Terminal 1.4.4 allows attackers to execute arbitrary commands via terminal escape sequences.http://remahl.se/david/vuln/012/APPLE-SA-2005-05-03VU#99451013480ADV-2005-045516083101388215227The x-man-page: URI handler for Apple Terminal 1.4.4 in Mac OS X 10.3.9 does not cleanse terminal escape sequences, which allows remote attackers to execute arbitrary commands.http://remahl.se/david/vuln/011/APPLE-SA-2005-05-03VU#35607013480ADV-2005-04551608415227TA05-136AStack-based buffer overflow in the VPN daemon (vpnd) for Mac OS X before 10.3.9 allows local users to execute arbitrary code via a long -i (Server_id) argument.APPLE-SA-2005-05-03APPLE-SA-2005-06-08TA05-136AVU#706838Buffer overflow in htdigest in Apache 2.0.52 may allow attackers to execute arbitrary code via a long realm argument. NOTE: since htdigest is normally only locally accessible and not setuid or setgid, there are few attack vectors which would lead to an escalation of privileges, unless htdigest is executed from a CGI program. Therefore this may not be a vulnerability.http://www.lucaercoli.it/advs/htdigest.txthttp://www.securiteam.com/unixfocus/5EP061FEKC.html12848APPLE-SA-2005-05-03APPLE-SA-2005-08-15APPLE-SA-2005-08-1713537APPLE-SA-2005-08-15Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_errorhttp://www.squid-cache.org/bugs/show_bug.cgi?id=1255CLA-2005:948DSA-721RHSA-2005:415FLSA-2006:152809Multiple Symantec AntiVirus products, including Norton AntiVirus 2005 11.0.0, Web Security Web Security 3.0.1.72, Mail Security for SMTP 4.0.5.66, AntiVirus Scan Engine 4.3.7.27, SAV/Filter for Domino NT 3.1.1.87, and Mail Security for Exchange 4.5.4.743, when running on Windows, allows remote attackers to cause a denial of service (component crash) and avoid detection via a crafted RAR file.http://securityresponse.symantec.com/avcenter/security/Content/2005.04.27.html** UNVERIFIABLE ** NOTE: this issue describes a problem that can not be independently verified as of 20050421. Adobe Acrobat reader (AcroRd32.exe) 6.0 and earlier allows remote attackers to cause a denial of service ("Invalid-ID-Handle-Error" error) and modify memory beginning at a particular address, possibly allowing the execution of arbitrary code, via a crafted PDF file. NOTE: the vendor has stated that the reporter refused to provide sufficient details to confirm the issue. In addition, due to the lack of details in the original advisory, an independent verification is not possible. Finally, the reliability of the original reporter is unknown. This item has only been assigned a CVE identifier for tracking purposes, and to serve as a concrete example of the newly defined UNVERIFIABLE and PRERELEASE content decisions in CVE, which must be discussed by the Editorial Board. Without additional details or independent verification by reliable sources, it is highly likely that this item will be REJECTED.http://www.alphahackers.com/advisories/acrobat6.txt158501013774acrobat-reader-invalid-id-handle-bo(20216)Buffer overflow in HTTPMail in MailEnable Enterprise 1.04 and earlier and Professional 1.54 and earlier allows remote attackers to execute arbitrary code via a long HTTP Authorization header.20050424 MailEnable HTTPS Buffer Overflow [x0n3-h4ck]157371013786Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows remote attackers to execute arbitrary code via a malformed parameter to a read operation.GLSA-200504-2615130convert-uulib-bo(20275)MDKSA-2006:02213401MDKSA-2006:022The ad.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument.20050424 remote command execution in ad.cgi scriptThe ad.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.20050424 remote command execution in ad.cgi scriptCross-site scripting (XSS) vulnerability in the ad.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument.20050424 remote command execution in ad.cgi scriptThe forum.pl script allows remote attackers to read arbitrary files via a full pathname in the argument.20050424 remote command execution in forum.pl scriptThe forum.pl script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.20050424 remote command execution in forum.pl scriptincluder.cgi in The Includer allows remote attackers to read arbitrary files via a full pathname in the argument, a similar vulnerability to CVE-2005-0801.20050424 remote command execution in includer.cgi scriptCross-site scripting (XSS) vulnerability in includer.cgi script in The Includer allows remote attackers to inject arbitrary web script or HTML via the argument.20050424 remote command execution in includer.cgi scripttext.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument.20050425 remote command execution in text.cgi scripttext.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.20050425 remote command execution in text.cgi scriptCross-site scripting (XSS) vulnerability in text.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument.20050425 remote command execution in text.cgi scriptPHP remote file inclusion vulnerability in error.php in GrayCMS 1.1 allows remote attackers to execute arbitrary PHP code by modifying the path_prefix parameter to reference a URL on a remote web server that contains the code.133811586015133graycms-pathprefix-error-include(20278)20050426 GrayCMS php code injectionMultiple SQL injection vulnerabilities in MetaCart e-Shop 8.0 allow remote attackers to execute arbitrary SQL commands via the (1) intProdID parameter in product.asp or (2) strCatalog_NAME parameter to productsByCategory.asp.1337613377metacart-eshop-sql-injection(20283)20050426 Multiple SQL Injections in MetaCart e-Shop V-8Multiple SQL injection vulnerabilities in MetaCart 2.0 for Paypal allow remote attackers to execute arbitrary SQL commands via the (1) intProdID parameter to product.asp, (2) intCatalogID or (3) strSubCatalogID parameters to productsByCategory.asp, (4) chkText, (5) strText, (6) chkPrice, (7) intPrice, (8) chkCat, or (9) strCat parameters to searchAction.asp.1337720050426 Multiple SQL Injections in MetaCart2 for SQL Server Special Edition U.KMultiple SQL injection vulnerabilities in MetaCart 2.0 for PayFlow allow remote attackers to execute arbitrary commands via (1) intCatalogID, (2) strSubCatalogID, or (3) strSubCatalog_NAME parameter to productsByCategory.asp, (4) curCatalogID, (5) strSubCatalog_NAME, (6) intCatalogID, or (7) page parameter to productsByCategory.asp or (8) intProdID parameter to product.asp.1337720050426 MetaCart2 for PayFlow Multiple Sql Injection VulnerabilitiesMultiple SQL injection vulnerabilities in MetaBid Auctions allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password fields in logIn.asp, or (3) intAuctionID parameter to item.asp.http://digitalparadox.org/advisories/metabid.txt13395158681586915136metabid-item-login-sql-injection(20286)20050426 Multiple SQL Injections in MetaBid AuctionsPico Server (pServ) 3.2 and earlier allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences.20050516 Advisory: Pico Server (pServ) Remote Command Injectionhttp://sourceforge.net/project/shownotes.php?release_id=32770813642http://www.redteam-pentesting.de/advisories/rt-sa-2005-010.txtPico Server (pServ) 3.2 and earlier allows remote attackers to obtain the source code for CGI scripts via "dirname/../cgi-bin" in a URL.20050516 Pico Server (pServ) Information Disclosure Of CGI Sourceshttp://sourceforge.net/project/shownotes.php?release_id=32770813638http://www.redteam-pentesting.de/advisories/rt-sa-2005-011.txtPico Server (pServ) 3.2 and earlier allows local users to read arbitrary files as the pServ user via a symlink to a file outside of the web document root.20050516 Pico Server (pServ) Local Information Disclosurehttp://www.redteam-pentesting.de/advisories/rt-sa-2005-012.txtThe key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow attackers to cause a denial of service (oops) via SMP.http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8http://linux.bkbits.net:8080/linux-2.6/cset%40423078fafVa6mAyny23YZ87hDipmTwFLSA:157459-3The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8, and 2.6.12 before 2.6.12-rc2, create the sysfs "alarms" file with write permissions, which allows local users to cause a denial of service (CPU consumption) by attempting to write to the file, which does not have an associated store function.http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8http://lkml.org/lkml/2005/4/20/159FLSA:157459-3Unknown vulnerability in Radia Management Agent (RMA) in HP OpenView Radia Management Portal (RMP) 1.x and 2.x allows remote attackers to execute arbitrary commands via unknown vectors.HPSBMA011381341415960101382915089hp-openview-radia-gain-access(20307)20050428 High risk flaw in HP OpenView Radia Management AgentBPFTPServer service in BulletProof FTP Server 2.4.0.31 does not properly drop privileges before opening files through the Help menu, which allows local users to gain privileges.13410ADV-2005-04191515215898bpftp-gain-privilege(20301)20050427 Privilege escalation in BulletProof FTP Server v2.4.0.31nvstatsmngr.exe process in BakBone NetVault 7.1 does not properly drop privileges before opening files, which allows local users to gain privileges via the Help menu.13408ADV-2005-04201590015158bakbone-netvault-gain-privileges(20302)20050427 Privilege escalation in BakBone NetVault 7.1Multiple SQL injection vulnerabilities in index.php in Dream4 Koobi CMS 4.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) q or (2) p parameters.134121341314696koobi-parameter-search-sql-injection(20293)1599720050427 SQL-injections in koobi-cmsMultiple cross-site scripting (XSS) vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to inject arbitrary web script or HTML via (1) exercise_result.php, (2) exercice_submit.php, (3) agenda.php, (4) learningPathList.php, (5) learningPathAdmin.php, (6) learningPath.php, (7) userLog.php, (8) tool parameter to toolaccess_details.php, (9) data parameter to user_access_details.php, or (10) coursePath parameter to myagenda.php.http://www.claroline.net/news.php#8513407101382215161claroline-multiple-scripts-xss(20295)1572520050427 ZRCSA-200501 - Multiple vulnerabilities in ClarolineMultiple SQL injection vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary SQL commands via (1) learningPath.php, (2) learningPathAdmin.php, (3) learnPath_details.php, (4) modules_pool.php, (5) module.php, (6) uInfo parameter in userInfo.php, or (7) exo_id parameter to exercises_details.php.http://www.claroline.net/news.php#8513407101382215161claroline-multiple-sql-injection(20298)20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline15725Multiple directory traversal vulnerabilities in (1) document.php or (2) insertMyDoc.php in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote project administrators to upload arbitrary files.http://www.claroline.net/news.php#8513407101382215161claroline-document-directory-traversal(20287)20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline15725Multiple PHP remote file inclusion vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary PHP code via unknown vectors.http://www.claroline.net/news.php#8513407101382215161claroline-file-include(20300)20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline15725SQL injection vulnerability in posting_notes.php in the notes module for phpBB allows remote attackers to execute arbitrary SQL commands via the p parameter, which is used in the $post_id variable, and other attack vectors.13417ADV-2005-041615899101382715154phpbb-notes-module-sql-injection(20303)20050427 phpBB Notes Mod SQL Injection VulnerabilityThe LAM runtime environment package (lam-runtime-7.0.6-2mdk) on Mandrake Linux installs the mpi user without a password, which allows local users to gain privileges.1343120050428 insecure user account lam-runtime-7.0.6-2mdk rpmCross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allows remote attackers to execute arbitrary web script or HTML via the server parameter to a JndiFramesetAction action.http://www.red-database-security.com/advisory/bea_css_in_admin_console.html1340015895101381715128weblogic-jndiframesetaction-xss(20276)20050428 Cross Site Scripting in BEA Admin ConsoleMultiple cross-site scripting (XSS) vulnerabilities in Oracle Webcache 9i allow remote attackers to inject arbitrary web script or HTML via the (1) cache_dump_file or (2) PartialPageErrorPage parameter.http://www.red-database-security.com/advisory/oracle_webcache_CSS_vulnerabilities.html13421134221591015143oracle9ias-application-cache-xss(20309)20050428 Cross Site Scripting in Oracle Webcache 9i Adminstrator ApplicationThe webcacheadmin module in Oracle Webcache 9i allows remote attackers to corrupt arbitrary files via a full pathname in the cache_dump_file parameter.http://www.red-database-security.com/advisory/oracle_webcache_append_file_vulnerabilitiy.html134201590915143oracle9ias-application-cache-file-corruption(20310)20050428 File appending vulnerability in Oracle Webcache 9iThe OHS component 1.0.2 through 10.x, when UseWebcacheIP is disabled, in Oracle Application Server allows remote attackers to bypass HTTP Server mod_access restrictions via a request to the webcache TCP port 7778.http://www.red-database-security.com/advisory/oracle_webcache_bypass.html134181590815143oracle9ias-application-cache-url-bypass(20311)20050428 Webcache Client Requests Bypass OHS mod_access RestrictionsMultiple SQL injection vulnerabilities in phpCoin 1.2.2 allow remote attackers to execute arbitrary SQL commands via the (1) search parameter to index.php, (2) phpcoinsessid parameter to login.php, (3) id, (4) dtopic_id, or (5) dcat_id to mod.php.http://digitalparadox.org/viewadvisories.ah?view=3613433ADV-2005-04231013834phpcoin-multiple-sql-injection(20308)20050428 Multiple Sql injections in phpCoin v1.2.2 and belowSafari 1.3 allows remote attackers to cause a denial of service (application crash) via a long https URL that triggers a NULL pointer dereference.16006101383520050428 Safari HTTPS Overflow20050429 Re: Safari HTTPS Overflow20050429 Re: Safari HTTPS OverflowPHP-Nuke 7.6 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) ipban.php, (2) db.php, (3) lang-norwegian.php, (4) lang-indonesian.php, (5) lang-greek.php, (6) a request to Web_Links with the portuguese language (lang-portuguese.php), (7) a request to Web_Links with the indonesian language (lang-indonesian.php), (8) a request to the survey module with the indonesian language (lang-indonesian.php), (9) a request to the Reviews module with the portuguese language, or (10) a request to the Journal module with the portuguese language, which reveal the path in an error message.20050429 Multiples Full Path Disclosure in php-nuke 7.6 (and below)Cocktail 3.5.4 and possibly earlier in Mac OS X passes the administrative password on the command line to sudo in cleartext, which allows local users to gain sensitive information by running listing processes.13449160461520120050429 Mac OS X Cocktail 3.5.4 admin password disclosureCross-site scripting (XSS) vulnerability in SURVIVOR before 0.9.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://www.columbia.edu/acis/dev/projects/survivor/doc/todo.html#changelog1590513415** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0175. Reason: This candidate is a duplicate of CVE-2005-0175. Notes: All CVE users should reference CVE-2005-0175 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0174. Reason: This candidate is a duplicate of CVE-2005-0174. Notes: All CVE users should reference CVE-2005-0174 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Buffer overflow in the add_port function in APSIS Pound 1.8.2 and earlier allows remote attackers to execute arbitrary code via a long Host HTTP header.20050426 remote buffer overflow in pound 1.8.2 + question abotu Host headerGLSA-200504-2913436ADV-2005-043715963101382415142pound-addport-bo(20316)DSA-934152021567918381The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions, which allows local users to obtain the initial database password by reading the script.GLSA-200504-30ADV-2005-043616053Multiple buffer overflows in ArcGIS for ESRI ArcInfo Workstation 9.0 allow local users to execute arbitrary code via long command line arguments to (1) asmaster, (2) asuser, (3) asutility, (4) se, or (5) asrecovery.http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt10138521519620050430 DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilitiesFormat string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr.http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt10138521519620050430 DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilitiesBuffer overflow in Ce/Ceterm (aka ARPUS/Ce) 2.5.4 and earlier may allow local users to gain privileges via a long (1) XAPPLRESLANGPATH or (2) XAPPLRESDIR environment variable, or (3) command line argument.20050501 DMA[2005-0501a] - ARPUS/Ce setuid buffer overflow and file overwritehttp://www.digitalmunition.com/DMA[2005-0501a].txt101385515197Race condition in Ce/Ceterm (aka ARPUS/Ce) 2.5.4 and earlier allows local users to write to arbitrary files via a symlink attack on the ce_edit_log temporary file.Upgrade to version 2.620050501 DMA[2005-0501a] - ARPUS/Ce setuid buffer overflow and file overwritehttp://www.digitalmunition.com/DMA[2005-0501a].txt16050101385515197SQL injection vulnerability in search.php for PHP-Calendar before 0.10.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors.http://sourceforge.net/project/shownotes.php?release_id=32348313405ADV-2005-04181586615116php-calendar-searchphp-sql-injection(20297)phpcart.php in PHPCart 3.2 allows remote attackers to change product price information by modifying the (1) price or (2) postage parameters.http://lostmon.blogspot.com/2005/04/phpcart-price-manipulation.html134061585915147FreeBSD 4.6 to 4.11 and 5.x to 5.4 uses insecure default permissions for the /dev/iir device, which allows local users to execute restricted ioctl calls to read or modify data on hardware that is controlled by the iir driver.FreeBSD-SA-05:06The i386_get_ldt system call in FreeBSD 4.7 to 4.11 and 5.x to 5.4 allows local users to access sensitive kernel memory via arguments with negative or very large values.07Format string vulnerability in the client for Mtp-Target 1.2.2 and earlier allows remote attackers to execute arbitrary code via game messages or other text.20050501 Clients format string and server crash in Mtp-Target 1.2.2Integer signedness error in certain older versions of the NeL library, as used in Mtp-Target 1.2.2 and earlier, and possibly other products, allows remote attackers to cause a denial of service (memory consumption or server crash) via a negative value in a STLport call, which is not caught by a signed comparison.20050501 Clients format string and server crash in Mtp-Target 1.2.2Multiple cross-site scripting (XSS) vulnerabilities in JustWilliam's Amazon Webstore 04050100 allow remote attackers to inject arbitrary web script or HTML via the (1) image parameter to closeup.php, the (2) currentIsExpanded or (3) searchFor parameters to index.php, (4) the currentNumber parameter to software_CAD_Technical_60002_uk.htm, or (5) a cookie.http://lostmon.blogspot.com/2005/04/amazon-webstore-script-injection-and.html134271589410138361515515892MyPHP Forum 1.0 allows remote attackers to spoof the username by modifying the (1) nbuser parameter to post.php or (2) sender parameter to privmsg.php.20050426 myPHP Forum v3 (possible v1 & 2 also) Identification spoof13430159021590315166HTTP response splitting vulnerability in the @SetHTTPHeader function in Lotus Domino 6.5.x before 6.5.4 and 6.0.x before 6.0.5 allows attackers to poison the web cache via malicious applications.15365101383914879lotus-sethttpheader-injection(20045)The kernel in FreeBSD 4.x to 4.11 and 5.x to 5.4 does not properly clear certain fixed-length buffers when copying variable-length data for use by applications, which could allow those applications to read previously used sensitive memory.FreeBSD-SA-05:08APPLE-SA-2005-10-3115252ADV-2005-22561736813526Skype for Windows 1.2.0.0 to 1.2.0.46 allows local users to bypass the identity check for an authorized application, then call arbitrary Skype API functions by modifying or replacing that application.http://www.skype.com/security/ssa-2005-01.htmlApple Keynote 2.0 and 2.0.1 allows remote attackers to read arbitrary files via the keynote: URI handler in a crafted Keynote presentation.http://remahl.se/david/vuln/016/APPLE-SA-2005-05-25Demonstration of exploit101405315508PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability."http://www.postgresql.org/about/news.315[pgsql-announce] 20050502 IMPORTANT: two new PostgreSQL security problems foundADV-2005-0453OVAL676RHSA-2005:43313476SUSE-SA:2005:036oval:org.mitre.oval:def:676 FLSA-2006:157366The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments.http://www.postgresql.org/about/news.315[pgsql-announce] 20050502 IMPORTANT: two new PostgreSQL security problems foundADV-2005-0453bid13475OVAL1086RHSA-2005:433SUSE-SA:2005:036oval:org.mitre.oval:def:1086 FLSA-2006:157366Cybration ICUII 7.0 stores passwords in plaintext in the world-readable icuii.ini file, which allows local users to gain privileges.http://osvdb.org/ref/14/14688-icuii.txt1344114688101382815171icuii-password-disclosure(20321)SQL injection vulnerability in verify.asp for Ecomm Professional Guestbook 3.x allows remote attackers to execute arbitrary SQL commands via the AdminPWD parameter.1596715190Multiple SQL injection vulnerabilities in enVivo!CMS allow remote attackers to execute arbitrary SQL commands and gain privileges via the (1) username or (2) password parameters to admin_login.asp, or the (3) searchstring and possibly (4) ID parameters to default.asp.http://digitalparadox.org/viewadvisories.ah?view=371343713439134401596515966151731013843envivo-username-password-sql-injection(20313)1596420070711 durito: enVivo!CMS SQL injection24860ExoticSoft FilePocket 1.2 stores sensitive proxy information, including proxy passwords, in plaintext in the registry, which allows local users to gain privileges.13445146851013823 filepocket-registry-plaintext-password(26187)Buffer overflow in GlobalSCAPE Secure FTP Server 3.0.2 allows remote authenticated users to execute arbitrary code via a long FTP command.20050501 Remote buffer overflow in GlobalScape Secure FTP server 3.0.2http://www.cuteftp.com/gsftps/history.asp13454Directory traversal vulnerability in 04WebServer 1.81 allows remote attackers to read files outside of the web root but within the installation folder.ADV-2005-04481606715230Multiple SQL injection vulnerabilities in MaxWebPortal 2.x, 1.35, and other versions allow remote attackers to execute arbitrary SQL commands via (1) article_popular.asp, (2) arguments to dl_popular.asp, (3) arguments to links_popular.asp, (4) arguments to pic_popular.asp, (5) article_rate.asp, (6) dl_rate.asp, (7) links_rate.asp, (8) pic_rates.asp, (9) article_toprated.asp, (10) dl_toprated.asp, (11) links_toprated.asp, (12) arguments to pic_toprated.asp, or (13) the TOPIC_ID or Forum_ID parameters to custom_link.asp.The vulnerabilities have been partially fixed in versions 1.3.5 and 2.0. The remaining vulnerabilities will reportedly be fixed in the upcoming 2.1 version.http://www.maxwebportal.info/downloads/mwp_security_fixes.zip13466101384515214NetLeaf Limited NotJustBrowsing 1.0.3 stores the View Lock Password in plaintext in the notjustbrowsing.prf file, which allows local users to gain privileges.1344214687101382615184notjustbrowsing-password-disclosure(20319)SQL injection vulnerability in the admin login panel for Ocean12 Mailing List Manager 1.06 allows remote attackers to execute arbitrary SQL commands via the Admin_id parameter.20050428 [HSC Security Group] Ocean12 Mailing List Manager Pro SQL injection15959101383315178Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to determine the full pathname of the server via a request for an invalid page, as demonstrated using "%20" (hex-encoded space).http://www.autistici.org/fdonato/advisory/VideoCamServer1.0.0-adv.txt1013860Directory traversal vulnerability in Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to read arbitrary files via ".." (dot dot) sequences in an HTTP request.http://www.autistici.org/fdonato/advisory/VideoCamServer1.0.0-adv.txt1013860Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to conduct administrator operations and cause a denial of service (server or camera shutdown) via a direct request to admin.html.http://www.autistici.org/fdonato/advisory/VideoCamServer1.0.0-adv.txt1013860Directory traversal vulnerability in the mail program in 602LAN SUITE 2004.0.05.0413 allows remote attackers to cause a denial of service and determine the presence of arbitrary files via .. sequences in the A parameter.1606915231StumbleInside GoText 1.01 stores sensitive username, mail address,and phone number information in plaintext in the GoText.bin file, which allows local users to obtain that information.13443146861013825gotext-user-information-disclosure(20315)Uapplication Uguestbook stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to guestbook.mdb.159951013830uapplication-information-disclosure(20314)20070107 Uguestbook Remote Password Disclosure VulnerabilityUapplication Ublog Reload stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to blog.msb.159961013830uapplication-information-disclosure(20314)Uapplication Uphotogallery stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to uphotogallery.mdb.159941013830uapplication-information-disclosure(20314)edit_image.asp in Uapplication Uphotogallery allows remote attackers to upload arbitrary files.1013830uapplication-information-disclosure(20314)SQL injection vulnerability in login.asp in WWWguestbook 1.1 allows remote attackers to execute arbitrary SQL commands via the password parameter.13404101383715968Mac OS X 10.3.x and earlier uses insecure permissions for a pseudo terminal tty (pty) that is managed by a non-setuid program, which allows local users to read or modify sessions of other users.20050501 Insecure pty permissions in OS X < 10.413467The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c.[gnutls-dev] 20050428 GnuTLS 1.2.3 and 1.0.25 16054101386115193gnutls-record-parsing-dos(20328)RHSA-2005:430Multiple unknown vulnjerabilities HP OpenView Event Correlation Services (OV ECS) 3.32 and 3.33 allow attackers to cause a denial of service or execute arbitrary code.HPSBMA0114115226Multiple unknown vulnerabilities in OpenView Network Node Manager (OV NNM) 6.2, 6.4, 7.01, and 7.50 allow attackers to cause a denial of service or execute arbitrary code.HPSBMA0114015223Open WebMail (OWM) before 2.51 20050430 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename.http://sourceforge.net/forum/message.php?msg_id=3128678101385915225Multiple cross-site scripting (XSS) vulnerabilities in osTicket allow remote attackers to inject arbitrary web script or HTML via (1) the t parameter to view.php, (2) the osticket_title parameter to header.php, (3) the em parameter to admin_login.php, (4) the e parameter to user_login.php, (5) the err parameter to open_submit.php, or (6) the name and subject fields when adding a ticket.http://www.gulftech.org/?node=research&article_id=00071-0502200515216Downloads1627016271162721627316274Multiple SQL injection vulnerabilities in osTicket allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to admin.php or (2) cat parameter to view.php.http://www.gulftech.org/?node=research&article_id=00071-050220051521616277PHP remote file inclusion vulnerability in main.php in osTicket allows remote attackers to execute arbitrary PHP code via the include_dir parameter.http://www.gulftech.org/?node=research&article_id=00071-050220051521616278Directory traversal vulnerability in attachments.php in osTicket allows remote attackers to read arbitrary files via .. sequences in the file parameter.http://www.gulftech.org/?node=research&article_id=00071-050220051521616279Multiple cross-site scripting (XSS) vulnerabilities in ViArt Shop Enterprise 2.1.6 allow remote attackers to inject arbitrary web script or HTML via (1) various parameters to basket.php, (2) the nickname, email, topic, and message fields in forum.php, as demonstrated using forum_new_thread.php and forum_thread.php, (3) the page parameter to page.php, (4) category_id and item_id parameters to reviews.php, (5) the category_id parameter to product_details.php, (6) the category_id or search_string parameters to products.php, or (7) the rp or page parameters to news_view.php.http://lostmon.blogspot.com/2005/04/viart-shop-enterprise-multiple.html134621595115952159531595415955159561595715958101385315181Format string vulnerability in Lotus Domino 6.0.x before 6.0.5 and 6.5.x before 6.5.4 allows remote attackers to cause a denial of service via the Notes protocol (NRPC).http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg212025251344615366101384214879lotus-nrpc-format-string(20043)Buffer overflow in the Lotus Notes client for Domino 6.5 before 6.5.4 and 6.0 before 6.0.5 allows local users to cause a denial of service (client crash) and possibly execute arbitrary code via the NOTES.INI file.http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg2120252613447153671013841lotus-notesini-bo(20044)Multiple cross-site scripting (XSS) vulnerabilities in index.php for Invision Power Board (IPB) 2.0.3 and 2.1 Alpha 2 allows remote attackers to inject arbitrary web script or HTML via the (1) act, (2) Members, (3) calendar, or (4) HID parameters.1013863Multiple cross-site scripting (XSS) vulnerabilities in SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to inject arbitrary web script or HTML via (1) the v, show, or sec_name parameters to main.php, (2) the inadmin, newsev, or postid parameters to 5.php, or (3) the id parameter to 0.php.http://www.gulftech.org/?node=research&article_id=00072-05032005http://forum.sitepanel2.com/index.php?showtopic=27115213162621626316264Multiple directory traversal vulnerabilities in SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to (1) delete arbitrary files via the id parameter in a rmattach action to 5.php, or (2) read arbitrary files via the lang parameter to index.php.http://www.gulftech.org/?node=research&article_id=00072-05032005http://forum.sitepanel2.com/index.php?showtopic=2711521316266SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to upload and execute arbitrary files such as PHP scripts via an attachment to a trouble ticket.http://www.gulftech.org/?node=research&article_id=00072-05032005http://forum.sitepanel2.com/index.php?showtopic=27115213PHP remote file inclusion vulnerability in main.php in SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to execute arbitrary PHP code via the p parameter.http://www.gulftech.org/?node=research&article_id=00072-05032005http://forum.sitepanel2.com/index.php?showtopic=2711521316268Cross-site scripting (XSS) vulnerability in the BBCode plugin for Serendipity before 0.8 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://www.s9y.org/63.html#A9134111587615145Unknown vulnerability in serendipity_config_local.inc.php for Serendipity before 0.8 has unknown impact.http://www.s9y.org/63.html#A915145Unknown vulnerability in "the function used to validate path-names for uploading media" in Serendipity before 0.8 has unknown impact.http://www.s9y.org/63.html#A91587715145The media manager in Serendipity before 0.8 allows remote attackers to upload and execute arbitrary (1) .php or (2) .shtml files.http://www.s9y.org/63.html#A91587815145Serendipity before 0.8 allows Chief users to "hide plugins installed by other users."http://www.s9y.org/63.html#A915145fetchnews in leafnode 1.9.48 to 1.11.1 allows remote NNTP servers to cause a denial of service (crash) by closing the connection while fetchnews is reading (1) an article header or (2) an article body, which also prevents fetchnews from querying other servers.http://leafnode.sourceforge.net/leafnode-SA-2005-01.txtADV-2005-046815252SQL injection vulnerability in the radius_xlat function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via (1) group_membership_query, (2) simul_count_query, or (3) simul_verify_query configuration entries.GLSA-200505-13135401013909freeradius-xlat-sql-injection(20449)SUSE-SR:2005:01420050520 ERRATA: [ GLSA 200505-13 ] FreeRADIUS: SQL injection and Denial of Service vulnerabilityhttp://www.freeradius.org/security.htmlRHSA-2005:524Buffer overflow in the sql_escape_func function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote attackers to cause a denial of service (crash).GLSA-200505-13135411013909freeradius-sqlescapefunc-bo(20450)SUSE-SR:2005:01420050520 ERRATA: [ GLSA 200505-13 ] FreeRADIUS: SQL injection and Denial of Service vulnerabilityhttp://www.freeradius.org/security.htmlRHSA-2005:524Multiple unknown vulnerabilities in the (1) DHCP and (2) Telnet dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (abort).http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple unknown vulnerabilities in the (1) AIM, (2) LDAP, (3) FibreChannel, (4) GSM_MAP, (5) SRVLOC, and (6) NTLMSSP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash).http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple unknown "other problems" in the KINK dissector in Ethereal before 0.10.11 have unknown impact and attack vectors.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple unknown vulnerabilities in the (1) WSP, (2) BER, (3) SMB, (4) NDPS, (5) IAX2, (6) RADIUS, (7) TCAP, (8) MRDISC, (9) 802.3 Slow, (10) SMBMailslot, or (11) SMB PIPE dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error).http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple unknown dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error) via an invalid protocol tree item length.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, (5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11) FCELS, (12) Q.931, (13) NCP, (14) TCAP, (15) ISUP, (16) MEGACO, (17) PKIX1Explitit, (18) PKIX_Qualified, (19) Presentation dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Double free vulnerability in the ICEP dissector in Ethereal before 0.10.11 may allow remote attackers to execute arbitrary code.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple format string vulnerabilities in the (1) DHCP and (2) ANSI A dissectors in Ethereal before 0.10.11 may allow remote attackers to execute arbitrary code.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP, (4) EIGRP, (5) DLSw, (6) MEGACO, (7) LMP, and (8) RSVP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (infinite loop).http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Unknown vulnerability in the NCP dissector in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (long loop).http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Unknown vulnerability in the DICOM dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (large memory allocation) via unknown vectors.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Unknown vulnerability in the NDPS dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (memory exhaustion) via unknown vectors.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple unknown vulnerabilities in the (1) WSP, (2) Q.931, (3) H.245, (4) KINK, (5) MGCP, (6) RPC, (7) SMBMailslot, and (8) SMB NETLOGON dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) via unknown vectors that lead to a null dereference.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Unknown vulnerability in the GSM dissector in Ethereal before 0.10.11 allows remote attackers to cause the dissector to access an invalid pointer.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3) ISUP, (4) SMB, or (5) Bittorrent dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (segmentation fault) via unknown vectors.http://www.ethereal.com/appnotes/enpa-sa-00019.htmlhttp://www.ethereal.com/news/item_20050504_01.htmlFLSA-2006:152922RHSA-2005:42713504CLSA-2005:963Heap-based buffer overflow in RSA SecurID Web Agent 5, 5.2, and 5.3 allows remote attackers to execute arbitrary code via crafted chunked-encoding data.1522220050506 [SEC-1 LTD] RSA SecurID Web Agent Heap OverflowCertain system calls in Apple Mac OS X 10.4.1 do not properly enforce the permissions of certain directories without the POSIX read bit set, but with the execute bits set for group or other, which allows local users to list files in otherwise restricted directories.APPLE-SA-2005-05-19SecurityAgent in Apple Mac OS X 10.4.1 allows attackers with physical access to bypass the locked screensaver and launch background applications by opening a URL from a text input field.APPLE-SA-2005-05-19Dashboard in Apple Mac OS X 10.4.1 allows remote attackers to install widgets via Safari without prompting the user, a different vulnerability than CVE-2005-1933.APPLE-SA-2005-05-1913694The XMLHttpRequest object in Opera 8.0 Final Build 1095 allows remote attackers to bypass access restrictions and perform unauthorized actions on other domains via a redirect.http://secunia.com/secunia_research/2005-4/advisory/15008 13970Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477.http://greyhatsecurity.org/firefox.htmhttp://greyhatsecurity.org/vulntests/ffrc.htmhttp://www.mozilla.org/security/announce/mfsa2005-42.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=293302https://bugzilla.mozilla.org/show_bug.cgi?id=292691ADV-2005-049315292VU#534710135441013913mozilla-javascript-code-execution(20443)OVAL100002SCOSA-2005.491549520050508 Firefox Remote Compromise Leaked20050508 Firefox Remote Compromise Technical DetailsRHSA-2005:434RHSA-2005:435oval:org.mitre.oval:def:100002The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site.http://greyhatsecurity.org/firefox.htmhttp://greyhatsecurity.org/vulntests/ffrc.htmhttp://www.mozilla.org/security/announce/mfsa2005-42.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=293302https://bugzilla.mozilla.org/show_bug.cgi?id=292691ADV-2005-049315292VU#648758135441013913mozilla-javascript-code-execution(20443)OVAL100001SCOSA-2005.491549520050508 Firefox Remote Compromise Leaked20050508 Firefox Remote Compromise Technical DetailsRHSA-2005:434RHSA-2005:435oval:org.mitre.oval:def:100001Format string vulnerability in dSMTP (dsmtp.exe) in DMail 3.1a allows remote attackers to execute arbitrary code via format string specifiers in the xtellmail command.http://www.security.org.sg/vuln/dmail31a.html13505101388515242dmail-dsmtpexe-format-string(20414)20050505 dSMTP - SMTP Mail Server 3.1b Linux Remote Root Format String ExploitSQL injection vulnerability in jgs_portal.php in JGS-Portal 3.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter.13451101386615219jgsportal-sql-injection(20371)20050430 JGS-Portal 3.0.1 SQL-Injection20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)Directory traversal vulnerability in RaidenFTPD before 2.4.2241 allows remote attackers to read arbitrary files via a "..\\" (dot dot backslash) in the urlget site command.1329215037raidenftpd-directory-traversal(20368)1571320050502 Directory Traversal Vuln - RaidenFTPD 2.4 < Build 2241Multiple SQL injection vulnerabilities in Aaron Outpost ASP Inline Corporate Calendar allow remote attackers to execute arbitrary SQL commands via the Event_ID parameter to (1) defer.asp or (2) details.asp.15239asp-inline-corporate-calendar-sql-injection(20416)1013884161921619320050503 [HSC Security Group] ASP Inline Corporate Calendar SQL injectionArticleLive 2005 allows remote attackers to gain privileges by modifying the (1) auth and (2) userId fields in a cookie.http://www.digitalparadox.org/advisories/inal.txt13493101389515250articlelive-bypass-security(20431)20050503 Authentication bypass, sql injections and xss in ArticleLive 2005Multiple cross-site scripting (XSS) vulnerabilities in ArticleLive 2005 allow remote attackers to inject arbitrary web script or HTML via the (1) Query, (2) Username, (3) LastName, (4) Biography, or (5) BlogId parameter.13493101389515250articlelive-multiple-xss(20430)1618320050503 Authentication bypass, sql injections and xss in ArticleLive 2005Directory traversal vulnerability in Golden FTP server pro 2.52 allows remote attackers to read arbitrary files via a "\.." (forward slash dot dot) with a leading '"' (double quote) in the GET command.1347915175goldenftp-dotdot-directory-traversal(20668)20050504 Golden Ftp Server Pro - Directory Traversal VulnGolden FTP Server Pro allows 2.52 allows remote attackers to obtain sensitive information via a GET request for a file that does not exist, which reveals the absolute path of the FTP server in the resulting FTP error message.15175goldenftp-information-disclosure(20674)20050504 Golden Ftp Server Pro - Directory Traversal VulnMultiple cross-site scripting vulnerabilities in FishCart 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) trackingnum, (2) reqagree, or (3) m parameter to upstracking.php or (4) nlst parameter to display.php. NOTE: the vendor was not able to reproduce some of the reported vectors but believes that they have been addressed. The original researcher is known to be unreliable.http://www.digitalparadox.org/advisories/fishc.txt1349915232fishcart-multiple-xss(20384)162801628120050504 Multiple SQL injections and XSS in FishCart 3.120070123 Re: Multiple SQL injections and XSS in FishCart 3.1[fishcart] 20050521 Re: Concerned about security** DISPUTED ** Multiple SQL injection vulnerabilities in FishCart 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) cartid parameter to upstnt.php or (2) psku parameter to display.php. NOTE: the vendor disputes this report, saying that they are forced SQL errors. The original researcher is known to be unreliable.http://www.digitalparadox.org/advisories/fishc.txt1349915232fishcart-multiple-sql-injection(20386)162821628320050504 Multiple SQL injections and XSS in FishCart 3.120070123 Re: Multiple SQL injections and XSS in FishCart 3.1Multiple cross-site scripting (XSS) vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) the E-mail address, Note, or Public Certificate fields to address.html, (2) addressaction.html, (3) the Signature field to settings.html, or (4) the Shared calendars to calendarsettings.html.merak-icewarp-script-xss(20467)20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2Unknown vulnerability in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allows remote authenticated users to obtain the full path of the server via certain requests to (1) calendar_addevent.html, (2) calendar_event.html, or (3) calendar_task.html.15249merak-icewarp-script-path-disclosure(20469)20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2, when the mailbox.dat file does not exist, allows remote authenticated users to determine if a file exists via the folder parameter to attachment.html.15249merak-icewarp-file-existence(20472)20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allows remote authenticated users to (1) move their home directory via viewaction.html or (2) move arbitrary files via the importfile parameter to importaction.html.15249merak-icewarp-directory-relocation(20471)20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2Cross-site scripting (XSS) vulnerability in user.cgi in Gossamer Threads Links SQL 2.x and 3.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter.http://gossamer-threads.com/perl/gforum/gforum.cgi?post=281029;http://www.gossamer-threads.com/forum/Gossamer_Links_3.0.1_Released_P280986/1348416189101389115253links-usercgi-addcgi-xss(20415)20050504 Gossamer Threads Links SQL login XSS VulnerabilityDirectory traversal vulnerability in SimpleCam 1.2 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the URL.http://www.autistici.org/fdonato/advisory/SimpleCam1.2-adv.txt134951013888simplecam-dotdot-directory-traversal(20411)20050504 directory traversal in SimpleCam 1.2Multiple cross-site scripting (XSS) vulnerabilities in admin.cgi in MegaBook 2.0 and 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) entryid or (2) password parameter.20050508 Re: MegaBook V2.0 - Cross Site Scripting Exploit13522megabook-admincgi-xss(20669)20050505 MegaBook V2.0 - Cross Site Scripting ExploitOracle Database 9i and 10g disables Fine Grained Audit (FGA) after the SYS user executes a SELECT statement on an FGA object, which makes it easier for attackers to escape detection.Applying patchset 10.1.0.4 is fixing this issue for Oracle 10g. Oracle 9i is still vulnerable.http://www.red-database-security.com/advisory/oracle-fine-grained-auditing-issue.htmlVU#777773oracle-audit-data-manipulation(20407)20050505 Oracle 9i / 10g Fine Grained Auditing IssueThe DBMS_Scheduler in Oracle 10g allows remote attackers with CREATE JOB privileges to gain additional privileges by changing SESSION_USER to the SYS user.Applying patchset 10.1.0.4 is fixing this issue.http://www.red-database-security.com/exploits/oracle_exploit_dbms_scheduler_select_user.html13509oracle10g-gain-privileges(20410)20050505 Oracle 10g DBMS_SCHEDULER SESSION_USER issueindex.php in myBloggie 2.1.1 allows remote attackers to obtain sensitive information via an invalid post_id parameter, which reveals the path in an error message.http://mywebland.com/forums/viewtopic.php?t=180mybloggie-postid-path-disclosure(20433)http://mywebland.com/forums/viewtopic.php?t=18020050505 Multiple vulnerabilities in myBloggie 2.1.1Multiple cross-site scripting (XSS) vulnerabilities in myBloggie 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) year parameter in viewmode.php, or the (2) cat_id, (3) month_no, or (4) post_id parameter in index.php, which are not properly sanitized before they are displayed in an error message. NOTE: issues 2, 3, and 4 may be due to a problem in associated products rather than myBloggie itself.Download newest myBloggie from http://mywebland.com/13507mybloggie-viewmodephp-xss(20434)mybloggie-script-injection(20436)20050505 Multiple vulnerabilities in myBloggie 2.1.1delcomment.php in myBloggie 2.1.1 allows remote attackers to delete arbitrary comments by modifying the comment_id parameter.1350714980mybloggie-delcomment-bypass-security(20437)20050505 Multiple vulnerabilities in myBloggie 2.1.1Multiple SQL injection vulnerabilities in myBloggie 2.1.1 allow remote attackers to execute arbitrary SQL commands via (1) the keyword parameter in search.php; or (2) the date_no parameter in viewdate mode, (3) the cat_id parameter in viewcat mode, the (4) month_no or (5) year parameter in viewmonth mode, or (6) post_id parameter in viewid mode to index.php. NOTE: item (1) was discovered to affect 2.1.3 as well.1350714980mybloggie-sql-injection(20439)1501720050505 Multiple vulnerabilities in myBloggie 2.1.120050527 SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2MidiCart PHP Shopping Cart allows remote attackers to obtain sensitive information via a direct request to (1) search_list.php, (2) item_list.php, or (3) item_show.php, which reveal the path in a PHP error message.http://www.hackgen.org/advisories/hackgen-2005-004.txt16172midicart-path-disclosure(20425)20050505 [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping CartCross-site scripting (XSS) vulnerability in MidiCart PHP Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) searchstring parameter to search_list.php or the (2) secondgroup or (3) maingroup parameters to item_list.php.http://www.hackgen.org/advisories/hackgen-2005-004.txt135161351713518161731617415269midicart-xss(20427)20050505 [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping CartMultiple SQL injection vulnerabilities in MidiCart PHP Shopping Cart allow remote attackers to execute arbitrary SQL commands via the (1) searchstring parameter to search_list.php, the (2) maingroup or (3) secondgroup parameters to item_list.php, or (4) code_no parameter to item_show.php.http://www.hackgen.org/advisories/hackgen-2005-004.txt1351213513135141351516175161761617715269midicart-sql-injection(20428)20050505 [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping CartGameSpy SDK CD-Key Validation Toolkit, as used by many online games, allows remote attackers to bypass the CD key validation by sending a spoofed \disc\ command, which tells the server the CD key is no longer in use.15254gamespy-sdk-cdkey-gain-access(20422)20050504 Gamespy cd-key validation system: Cd-key never in useThe new account wizard in Mail.app 2.0 in Mac OS 10.4, when configuring an IMAP mail account and checking the credentials, does not prompt the user to use SSL until after the password has already been sent, which causes the password to be sent in plaintext.mailapp-account-wizard-plaintext-password(20670)20050504 Mac OS 10.4: new-account-wizzard in Mail 2.0 sends clear-text passwordsSQL injection vulnerability in out.php in CJ Ultra (CJUltra) Plus 1.0.3 and 1.0.4 allows remote attackers to execute arbitrary SQL commands via the perm parameter.1528120050505 Sql Injection in CJ Ultra Plus v1.0.3-1.0.4Buffer overflow in the Tomcat plugin in 4d WebSTAR 5.33 and 5.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL.1353816154152784d-webstar-plugin-bo(20478)20050506 4d WebSTAR 5.x Web Server Mac OS X Buffer OverflowMultiple cross-site scripting (XSS) vulnerabilities in PwsPHP 1.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) month or (2) annee parameters to the news module, (3) nbractif or (4) annee parameters to the stats module, (5) id parameter to profil.php, (6) mb_lettre or (7) lettre parameter to memberlist.php, or (8) chaine_search, or (9) auteur_search parameter to the recherche module.162281622916230162311623215315ADV-2005-0503pwsphp-mulitple-scripts-xss(20500)20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilitiesSQL injection vulnerability in profil.php in PwsPHP 1.2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter.1623315315pwsphp-id-sql-injection(20501)1356320050507 PwsPHP v1.2.2 Final - Multiples vulnerabilitiesPwsPHP 1.2.2 allows remote attackers to obtain sensitive information via a direct request to the admin directory, which reveals the path in an error message.162341531520050507 PwsPHP v1.2.2 Final - Multiples vulnerabilitiesPwsPHP 1.2.2 allows remote attackers to bypass authentication and post arbitrary comments via the Pseudo cookie.1623515315pwsphp-cookie-spoof-identity(20503)20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilitiesThe Admin panel in PwsPHP 1.2.2 does not properly verify uploaded picture files, which allows remote attackers to upload and possibly execute arbitrary files.1623615315pwsphp-admin-panel-file-upload(20508)20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilitiesInteger overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request.20050506 64 bit qmail funhttp://www.guninski.com/where_do_you_want_billg_to_go_today_4.html1013911commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without a space character, which causes an array to be referenced with a negative index.20050506 64 bit qmail funhttp://www.guninski.com/where_do_you_want_billg_to_go_today_4.html1013911Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of SMTP RCPT TO commands.20050506 64 bit qmail funhttp://www.guninski.com/where_do_you_want_billg_to_go_today_4.html1013911DList (dlist.exe) in DMail 3.1a allows remote attackers to bypass authentication, read log files, and shutdown the system via a sendlog command with an incorrect password hash, which is not properly handled by the _cmd_sendlog function.http://www.security.org.sg/vuln/dmail31a.html1349715242dmail-dlist-bypass-authentication(20412)Unknown vulnerability in Cisco Firewall Services Module (FWSM) 2.3.1 and earlier, when using URL, FTP, or HTTPS filtering exceptions, allows certain TCP packets to bypass access control lists (ACLs).20050511 FWSM URL Filtering Solution TCP ACL Bypass VulnerabilityADV-2005-0527Unknown vulnerability in Solaris 7 through 9, when using Federated Naming Services (FNS), autofs, and FNS X.500 configuration, allows local users to cause a denial of service (automountd crash) when "accessing" /xfn/_x500.57786ADV-2005-0517Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups.http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_queryADV-2005-052115294FEDORA-2005-373DSA-751FLSA-2006:15280913592RHSA-2005:489Buffer overflow in the header_get_field_name function in header.c for GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via a crafted e-mail.20050525 GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow Vulnerability1376615442DSA-7321014052Integer overflow in the fetch_io function of the imap4d server in GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via a partial message request with a large value in the END parameter, which leads to a heap-based buffer overflow.20050525 GNU Mailutils 0.6 imap4d fetch_io Heap overflow Vulnerability1376315442DSA-7321014052The imap4d server for GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows authenticated remote users to cause a denial of service (CPU consumption) via a large range value in the FETCH command.20050525 GNU Mailutils 0.6 imap4d FETCH Commad Resource Consumption DoS Vulnerability1376515442DSA-7321014052Format string vulnerability in imap4d server in GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via format string specifiers in the command tag for IMAP commands.20050525 GNU Mailutils 0.6 imap4d Format String Vulnerability1376415442DSA-7321014052PHP file inclusion vulnerability in top_graph_header.php in Cacti 0.8.6d and possibly earlier versions allows remote attackers to execute arbitrary PHP code via the config[library_path] parameter.20050622 Multiple Vendor Cacti Remote File Inclusion Vulnerabilityhttp://www.cacti.net/release_notes_0_8_6e.phpGLSA-200506-20CLSA-2005:978DSA-764174261014252154901593116136cacti-topgraphheader-file-include(21118)SQL injection vulnerability in config_settings.php for Cacti before 0.8.6e allows remote attackers to execute arbitrary SQL commands via the id parameter.20050622 Multiple Vendor Cacti Multiple SQL Injection Vulnerabilitieshttp://www.cacti.net/release_notes_0_8_6e.phpGLSA-200506-2017424cacti-configsettings-sql-injection(21120)CLSA-2005:978DSA-7641402710142521549015931PHP remote file inclusion vulnerability in config_settings.php in Cacti before 0.8.6e allows remote attackers to execute arbitrary PHP code via the config[include_path] parameter.20050622 Multiple Vendor Cacti config_settings.php Remote Code Execution Vulnerabilityhttp://www.cacti.net/release_notes_0_8_6e.phpGLSA-200506-20CLSA-2005:978DSA-764140281742510142521549015931cacti-configsettings-file-include(21119)Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call.USN-167-1http://www.securiteam.com/unixfocus/5DP0J00GKE.html1452518696101463616412awstats-eval-execute-commands(21769)DSA-8921746320050809 AWStats ShowInfoURL Remote Command Execution VulnerabilitySUSE-SR:2005:019Untrusted search path vulnerability in the crttrap command in QNX Neutrino RTOS 6.2.1 allows local users to load arbitrary libraries via a LD_LIBRARY_PATH environment variable that references a malicious library.20060207 QNX Neutrino RTOS crttrap Arbitrary Library Loading VulnerabilityADV-2006-0474187501015599qnx-crttrap-privilege-elevation(24560)16539Sophos Anti-Virus 5.0.1, with "Scan inside archive files" enabled, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a Bzip2 archive with a large 'Extra field length' value.20050714 Sophos Anti-Virus Zip File Handling DoS Vulnerability14270sophos-bzip2-dos(21373)1014488Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript: URLs, as demonstrated using (1) a javascript: URL in a view-source: URL, (2) a javascript: URL in a jar: URL, or (3) "a nested variant."http://www.mozilla.org/security/announce/mfsa2005-43.htmlADV-2005-053010139621013963OVAL100015SCOSA-2005.4915495RHSA-2005:434RHSA-2005:435oval:org.mitre.oval:def:100015 13641Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160.http://www.mozilla.org/security/announce/mfsa2005-44.htmlADV-2005-053010139651013964OVAL100014SCOSA-2005.4915495RHSA-2005:601SUSE-SA:2006:0221982313645RHSA-2005:434RHSA-2005:435oval:org.mitre.oval:def:100014Multiple stack-based and heap-based buffer overflows in Remote Management authentication (zenrem32.exe) on Novell ZENworks 6.5 Desktop and Server Management, ZENworks for Desktops 4.x, ZENworks for Servers 3.x, and Remote Management allows remote attackers to execute arbitrary code via (1) unspecified vectors, (2) type 1 authentication requests, and (3) type 2 authentication requests.20050518 NOVELL ZENWORKS MULTIPLE =?utf-8?Q?REM=C3=98TE?= STACK & HEAP OVERFLOWShttp://www.rem0te.com/public/images/zen.pdfhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm13678ADV-2005-0571101400515433novell-zenwork-remote-management-1-bo(20644)novell-zenwork-remote-management-bo(20639)novell-zenwork-remote-management-2-bo(20645)Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag.http://bugzilla.remotesensing.org/show_bug.cgi?id=843GLSA-200505-07http://bugs.gentoo.org/show_bug.cgi?id=9158415320libtiff-bitspersample-bo(20533)SCOSA-2005.3416872MDKSA-2006:04218943DSA-755USN-130-113585163501013944SCOSA-2006.318289MDKSA-2006:042Integer overflow in the ELF parser in HT Editor before 0.8.0 allows remote attackers to execute arbitrary code via a crafted ELF file, which leads to a heap-based buffer overflow.GLSA-200505-08HT Editor ELF Parser Unspecified Remote Heap Overflow VulnerabilityHT Editor ELF and PE Parser VulnerabilitiesDSA-743Buffer overflow in the PE parser in HT Editor before 0.8.0 allows remote attackers to execute arbitrary code via a crafted PE file.GLSA-200505-08HT Editor ELF and PE Parser VulnerabilitiesHT Editor PE Parser Unspecified Remote Buffer Overflow VulnerabilityDSA-743Heap-based buffer overflow in the demo version of Bakbone Netvault, and possibly other versions, allows remote attackers to execute arbitrary commands via a large packet to port 20031.20050512 Netvault Remote Heap Overflow (another one)BakBone NetVault Buffer Overflow VulnerabilitiesSQL injection vulnerability in index.php in Advanced Guestbook 2.3.1 allows remote attackers to execute arbitrary SQL commands via the entry parameter.20050508 Advanced Guestbook 2.3.113548Directory traversal vulnerability in easymsgb.pl in Easy Message Board allows remote attackers to read arbitrary files via a .. (dot dot) in the print parameter.20050508 Easy Message Board Directory Traversal and Remote Commandhttp://www.soulblack.com.ar/repo/papers/easymsgb_advisory.txt1355116162easymsgb.pl in Easy Message Board allows remote attackers to execute arbitrary commands via shell metacharacters in the print parameter.20050508 Easy Message Board Directory Traversal and Remote Commandhttp://www.soulblack.com.ar/repo/papers/easymsgb_advisory.txt135551616315295Sophos Anti-Virus 3.93 does not check downloaded files for viruses when they have only been written, which creates a race condition and may allow remote attackers to bypass virus protection if the file is executed before the antivirus starts on system reboot.20050509 Viruses can evade Sophos Anti-Virussophos-download-virus-undetected(20519)GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0, when set to create JPEG images, does not properly protect an image even when a password and username is assigned, which may allow remote attackers to gain sensitive information via a direct request to the image.20050510 Esqo advisory: GeoVision Digital Video Surveillance System - Multiple authentication issueshttp://www.esqo.com/research/advisories/2005/100505-1.txt135711634015330geovision-authentication(20537)GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0 uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via sniffing.20050510 Esqo advisory: GeoVision Digital Video Surveillance System - Multiple authentication issueshttp://www.esqo.com/research/advisories/2005/100505-1.txt16341geovision-authentication-plaintext(20538)SQL injection vulnerability in view_user.php in WowBB 1.6, 1.61, and 1.62 allows remote attackers to execute arbitrary SQL commands via the sort_by parameter.20050510 WowBB view_user.php SQL Injection Vulnerability135691654312843wowbb-viewuser-sql-injection(20565)Cross-site scripting (XSS) vulnerability in the JRun Web Server in ColdFusion MX 7.0 allows remote attackers to inject arbitrary script or HTML via the URL, which is not properly quoted in the resulting default 404 error page.http://www.macromedia.com/devnet/security/security_zone/mpsb05-03.html20050510 New Macromedia Security Zone Bulletin Postedcoldfusion-mx7-default-page-xss(20550)Gamespy cd-key validation system allows remote attackers to cause a denial of service (cd-key already in use) by capturing and replaying a cd-key authorization session.20050504 Gamespy cd-key validation system: 15254gamespy-sdk-cdkey-mult-games-dos(20417)20050510 Gamespy cd-key validation system: "Cd-key in use" DoS versus many gamesMultiple cross-site scripting (XSS) vulnerabilities in WebApp Guestbook PRO 3.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) content of a message.20050511 Guesbook Pro XSS & HTML Injectionhttp://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt135931634915290webapp-php-guestbook-pro-xss(20544)1013940The web module in Neteyes Nexusway allows remote attackers to bypass authentication and gain administrator privileges by setting the cyclone500_auth cookie.20050511 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability20050510 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability1644615150nexusway-configuration-modification(20554)The web module in Neteyes Nexusway allows remote attackers to execute arbitrary commands via hex-encoded shell metacharacters in the ip parameter for (1) nslookup.cgi or (2) ping.cgi.20050511 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability20050510 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability164481644915150nexusway-web-command-execution(20557)The SSH module in Neteyes Nexusway allows remote attackers to execute arbitrary commands via shell metacharacters in arguments to certain commands, as demonstrated using ping and traceroute.20050511 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability20050510 [Full-disclosure] [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability1644715150nexusway-ssh-command-execution(20555)Multiple cross-site scripting (XSS) vulnerabilities in post.asp in MaxWebPortal 1.3.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) mod, (2) M, or (3) type parameter.20050511 [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSShttp://www.hackerscenter.com/archive/view.asp?id=25421360115329maxwebportal-postasp-xss(20560)16501Multiple SQL injection vulnerabilities in MaxWebPortal 1.3.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fpassword parameter to inc_functions.asp, (2) txtAddress, (3) message, or (4) subject parameter to post_info.asp, (5) andor parameter to search.asp, (6) verkey parameter to pop_profile.asp, or (7) Remove or (8) Delete parameter to pm_delete2.asp.20050511 [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSShttp://www.hackerscenter.com/archive/view.asp?id=25421360115329maxwebportal-postasp-sql-injection(20562)1650216503165041650616510Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 displays a different error message depending on whether a product exists or not, which allows remote attackers to determine hidden products.20050512 Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8http://www.bugzilla.org/security/2.16.8/https://bugzilla.mozilla.org/show_bug.cgi?id=287109ADV-2005-0533164251533813606CLSA-2005:1040post_bug.cgi in Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 allows remote authenticated users to "enter bugs into products that are closed for bug entry" by modifying the URL to specify the name of the product.20050512 Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8http://www.bugzilla.org/security/2.16.8/https://bugzilla.mozilla.org/show_bug.cgi?id=2871091642615338bugzilla-postbug-weak-security(42797)Bugzilla 2.17.1 through 2.18, 2.19.1, and 2.19.2, when a user is prompted to log in while attempting to view a chart, displays the password in the URL, which may allow local users to gain sensitive information from web logs or browser history.20050512 Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8https://bugzilla.mozilla.org/show_bug.cgi?id=287436ADV-2005-0533164271533813605CLSA-2005:1040Acrowave AAP-3100AR wireless router allows remote attackers to bypass authentication by pressing CTRL-C at the username or password prompt in a telnet session, which causes the shell to crash and restart, then leave the user in the new shell.20050512 Acrowave AAP-3100AR authetication bypass1644515343SQL injection vulnerability in topic.php in DirectTopics 2.1 and 2.2 allows remote attackers to execute arbitrary SQL commands via the topic parameter.20050512 Directtopics Multiple Vulnerabilities (Security Advisory)topic.php in DirectTopics 2.1 and 2.2 allows remote attackers to obtain sensitive information via an invalid topic parameter, which reveals the path in an error message.20050512 Directtopics Multiple Vulnerabilities (Security Advisory)Cross-site scripting (XSS) vulnerability in DirectTopics 2.1 and 2.2 allows remote attackers to inject arbitrary web script via a javascript: URL in (1) a thread or (2) an IMG tag.20050512 Directtopics Multiple Vulnerabilities (Security Advisory)forum.asp in bttlxeForum 2.0 allows remote attackers to obtain full path information via a certain hex-encoded argument to the page parameter, possibly due to a SQL injection vulnerability.1013934Multiple directory traversal vulnerabilities in ShowOff! 1.5.4 allow remote attackers to read arbitrary files via ".." sequences in arguments to the (1) ShowAlbum, (2) ShowVideo, or (3) ShowGraphic scripts.1633215300ShowOff! 1.5.4 allows remote attackers to cause a denial of service (server crash) via a malformed request to port 8083.1633315300SQL injection vulnerability in admin_login.asp for ASP Virtual News Manager allows remote attackers to execute arbitrary SQL commands via the password parameter.http://www.under9round.com/avn13.txt1013933Windows Media Player 9 and 10, in certain cases, allows content protected by Windows Media Digital Rights Management (WMDRM) to redirect the user to a web site to obtain a license, even when the "Acquire licenses automatically for protected content" setting is not enabled.892313The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows allows remote attackers to hide the real file types of downloaded files via the Content-Type HTTP header and a filename containing whitespace, dots, or ASCII byte 160.http://secunia.com/secunia_research/2004-11/advisory/1643112979The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows uses the Content-Type HTTP header to determine the file type, but saves the original file extension when "Save to Disk" is selected, which allows remote attackers to hide the real file types of downloaded files.http://secunia.com/secunia_research/2004-11/advisory/1643212979APG Technology ClassMaster does not properly restrict access to sensitive folders, which allows remote attackers to access folders via a network share.http://www.securiteam.com/windowsntfocus/5SP0D0AFPQ.html13604EnCase Forensic Edition 4.18a does not support Device Configuration Overlays (DCO), which allows attackers to hide information without detection.15340Apple QuickTime Player 7.0 on Mac OS X 10.4 allows remote attackers to obtain sensitive information via a .mov file with a Quartz Composer composition (.qtz) file that uses certain patches to read local information, then other patches to send the information to the attacker.20050511 [DR018] Quartz Composer / QuickTime 7 information leakagehttp://remahl.se/david/vuln/018[quartzcomposer-dev] 20050510 Quartz Quicktime embedded in remote webpages...[quartzcomposer-dev] 20050511 Re: Quartz Quicktime embedded in remote webpages...1360316376101396115307APPLE-SA-2005-05-31ADV-2005-0531users.ini.php in BoastMachine 3.0 does not properly restrict the types of files that can be uploaded, which allows remote attackers to execute arbitrary code.http://www.kernelpanik.org/docs/kernelpanik/bmachines.txt136001633415312Cross-site scripting (XSS) vulnerability in Bug Report 1.0 allows remote attackers to inject arbitrary web script or HTML via various fields to bug_report.php, which are not filtered or quoted when processed by bug_list.php or admin/index.php.1013957Cross-site scripting (XSS) vulnerability in index.php for 1Two News 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) nom, (2) email, (3) siteweb, or (4) commentaire variables.10139601Two News 1.0 allows remote attackers to (1) delete images for new stories via a direct request to admin/delete.php or (2) upload arbitrary images via a direct request to admin/upload.php.1013960Cross-site scripting (XSS) vulnerability in index.php for Quick.Forum 2.1.6 allows remote attackers to inject arbitrary web script or HTML via the topic field in a NewTopic action.http://lostmon.blogspot.com/2005/05/quickforum-topic-field-xss-and-page.html136021632715200Multiple SQL injection vulnerabilities in Quick.Forum 2.1.6 allow remote attackers to execute arbitrary SQL commands via the (1) iCategory or (2) page parameter to index.php, or (3) iCategory parameter in the query string to the forum directory.http://lostmon.blogspot.com/2005/05/quickforum-topic-field-xss-and-page.html1632615200Quick.Forum 2.1.6 stores potentially sensitive information such as usernames, banned IP addresses, censored words, and backups under the web document root, which allows remote attackers to obtain that information via a direct request to (1) db/users.txt, (2) db/banList.txt, (3) db/censureWords.txt, or (4) backup files.http://lostmon.blogspot.com/2005/05/quickforum-topic-field-xss-and-page.html163281632915200Cross-site scripting (XSS) vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to inject arbitrary web script or HTML via the sWord parameter.http://lostmon.blogspot.com/2005/05/quickcart-sword-variable-xss-and.html135991633015297** DISPUTED ** SQL injection vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to execute arbitrary SQL commands via the iCategory parameter. NOTE: the vendor has privately disputed this issue, saying that Quick.cart does not even use SQL and therefore can not be vulnerable to SQL injection.http://lostmon.blogspot.com/2005/05/quickcart-sword-variable-xss-and.html16331The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local users to cause a denial of service and possibly execute arbitrary code, a similar vulnerability to CVE-2005-1264.[linux-kernel] 20050517 [PATCH] Fix root hole in pktcdvd20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability20050517 Re: Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability20050517 Linux kernel pktcdvd ioctl break user space limit vulnerability [corrected]http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10ADV-2005-0557MDKSA-2005:2191365117826MDKSA-2005:219The Altiris Client Service for Windows (ACLIENT.EXE) 6.0.88 allows local users to disable password protection and access the administrative interface by finding and showing the "Altiris Client Service" hidden window, disabling the password protection, disabling the "Hide client tray icon box" option, then opening the AClient tray icon and using the View Log File option, a different vulnerability than CVE-2004-2070.20050427 Privilege escalation and password protection bypass in Altiris Client Service for Windows (Version 6.0.88)1589715159Unknown vulnerability in NIS+ on Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (rpc.nisd disabled and NIS+ unavailable) via unknown vectors.57780ADV-2005-0492Multiple "javascript vulerabilities in BB code" in BirdBlog before 1.3.1 allow remote attackers to inject arbitrary Javascript.http://sourceforge.net/project/shownotes.php?release_id=32478815206Cross-site scripting (XSS) vulnerability in catalog.php for CodeThat ShoppingCart 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter.http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html1356016155152511013924SQL injection vulnerability in catalog.php for CodeThat ShoppingCart 1.3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter.http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html1356016156152511013924CodeThat ShoppingCart 1.3.1 stores config.ini under the web root, which allows remote attackers to obtain sensitive information via a direct request.http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html1356016157152511013924index.php in Fusion SBX 1.2 and earlier does not properly use the extract function, which allows remote attackers to bypass authentication by setting the is_logged parameter or execute arbitrary code via the maxname2 parameter.http://www.securiteam.com/exploits/5OP042KFPU.htmlhttp://www.exploits.co.in/Article1134.htmlADV-2005-0508162161621715257fusion-islogged-authentication-bypass(20531)Cross-site scripting (XSS) vulnerability in (1) search.php and (2) topics.php for Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the highlite parameter.http://www.gulftech.org/?node=research&article_id=00073-05052005http://forums.invisionpower.com/index.php?showtopic=16801613534ADV-2005-048716298101390715265invision-powerboard-highlite-xss(20445)20050506 Multiple Vulnerabilities In Invision Power BoardSQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable.http://www.gulftech.org/?node=research&article_id=00073-05052005http://forums.invisionpower.com/index.php?showtopic=16801613529162971013907101449915265invision-powerboard-login-sql-injection(20446)20050506 Multiple Vulnerabilities In Invision Power Board20050526 Invision Power Board 1.* and 2.* Exploit (BID 13529) 1013Cross-site scripting (XSS) vulnerability in Kryloff Technologies Subject Search Server (SSServer) 1.1 allows remote attackers to inject arbitrary web script or HTML via the "Search For" field.13574101393815288ssserver-searchfor-xss(20558)A "mathematical flaw" in the implementation of the El Gamal signature algorithm for LibTomCrypt 1.0 to 1.0.2 allows attackers to generate valid signatures without having the private key.20050503 Secure Science Corporation Advisory CSA-056http://www.securiteam.com/unixfocus/5JP092AFPG.html134731618815233libtomcrypt-signature-security-bypass(20455)MRO Maximo Self Service 4 and 5 stores certain information under the web document root using file extensions that are not processed by Tomcat, which allows remote attackers to obtain sensitive information via a direct request for the file, such as MXServer.properties.20050505 MRO Maximo v4 & v5135081616115176maximo-information-disclosure(20452)SQL injection vulnerability in login.asp for Net56 Browser Based File Manager 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the password field.20050508 Browser Based File Manager Administration Vulnerability1354716544browser-based-file-mgr-sql-injection(20504)NiteEnterprises Remote File Manager 1.0 allows remote attackers to cause a denial of service (crash) via a crafted string to TCP port 7080.20050508 Server Remote File Manager DOS Exploit13550ADV-2005-05011615815299PHP Advanced Transfer Manager (phpATM) 1.21 allows remote attackers to upload arbitrary files via filenames containing multiple file extensions, as demonstrated using a filename ending in "php.ns", which allows execution of arbitrary PHP code.20050506 PHP Advanced Transfer Manager v1.2113542161601527920051029 uplod phpshell in PHP Advanced Transfer Manager20051030 Re: uplod phpshell in PHP Advanced Transfer ManagerCross-site scripting (XSS) vulnerability in the guestbook for SiteStudio 1.6 allows remote attackers to inject arbitrary web script or HTML via the name field to (1) psoft.guestbook.GuestBookServ in Standalone Site Studio or (2) E-Guest_sign.pl in Integrated Site Studio with H-Sphere.20050509 SiteStudiohttp://exploitlabs.com/files/advisories/EXPL-A-2005-008-sitestudio.txthttp://www.psoft.net/SS/ss_16_security_update_guestbook.htmlhttp://www.psoft.net/misc/hsphere_winbox_security_update_guestbook.html135541624015286sitestudio-guestbook-xss(20496)H-Sphere Winbox 2.4.2 and 2.4.3 RC1 stores sensitive information such as username and password in plaintext in world-readable log files, which allows local users to gain privileges.http://exploitlabs.com/files/advisories/EXPL-A-2005-007-hsphere.txthttp://www.psoft.net/misc/hsphere_winbox_security_update_passwd.html135591623915287hsphere-information-disclosure(20522)Cross-site scripting (XSS) vulnerability in shop.cgi in Remote Cart allows remote attackers to inject arbitrary web script or HTML via the (1) merchant or (2) demo parameters.http://www.governmentsecurity.org/forum/lofiversion/index.php/t14715.html164541013903Multiple unknown vulnerabilities in the Blocks module in Spidean AutoTheme 1.7 and AT-Lite for PostNuke have unknown impact.http://news.postnuke.com/Article2687.html1353916346101390815289autotheme-pnadminphp-gain-access(20490)Unknown vulnerability in Sun StorEdge 6130 Arrays (SE6130) with serial numbers between 0451AWF00G and 0513AWF00J allows local users and remote attackers to delete data.57771VU#8124381356616325101392115306storedge-6130-array-bypass-security(20542)ADV-2005-0491Cross-site scripting (XSS) vulnerability in security.php for Tru-Zone NukeET 3.0 and 3.1 allows remote attackers to inject arbitrary web script or HTML via a base64 encoded Codigo parameter.http://lostmon.blogspot.com/2005/05/nukeet-codigo-variable-cross-site.html1357016214153321013936nukeet-securityphp-xss(20540)Cross-site scripting (XSS) vulnerability in WebX in Web Crossing 5.x allows remote attackers to inject arbitrary web script or HTML via a URL with an "@" followed by the desired script.http://osvdb.org/ref/16/16070-webcrossing.txt134821607015218web-crossing-webx-xss(20381)SQL injection vulnerability in read.php in Open Bulletin Board (OpenBB) 1.0.8 allows remote attackers to execute arbitrary SQL commands via the TID parameter.20050513 OpenBB SQL Injection & Cross-site Scripting Vulnerability13624Cross-site scripting (XSS) vulnerability in member.php in Open Bulletin Board (OpenBB) 1.0.8 allows remote attackers to inject arbitrary web script or HTML via the reverse parameter in a list action.20050513 OpenBB SQL Injection & Cross-site Scripting Vulnerability13625Cross-site scripting (XSS) vulnerability in viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 allows remote attackers to inject arbitrary web script or HTML via the postorder parameter.20050513 Ultimate PHP Board (UPB) Security Advisory13621viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 may allow remote attackers to read sensitive data via the postorder parameter, which is not properly handled by textdb.inc.php, possibly due to a SQL injection vulnerability.20050513 Ultimate PHP Board (UPB) Security Advisory13622viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 allows remote attackers to obtain sensitive information via an invalid (1) id or possibly (2) postorder parameter, which reveals the path in an error message when a file can not be opened.20050513 Ultimate PHP Board (UPB) Security AdvisoryWillings WebCam and WebCam Lite 2.8 and earlier stores the password in memory in plaintext, which allows local users to gain sensitive information.20050513 Willings WebCam - Password Disclosure IssueThe YMSGR URL handler in Yahoo! Messenger 5.x through 6.0 allows remote attackers to cause a denial of service (disconnect) via a room login or a room join request packet with a third : (colon) and an & (ampersand), which causes Messenger to send a corrupted packet to the server, which triggers a disconnect from the server.20050513 Yahoo! Messenger URL Handler Remote DoS Vulnerability1362616816Multiple cross-site scripting (XSS) vulnerabilities in (1) start_page.css.php3 (aka start-page.css.php3) or (2) style.css.php3 in PHPMyChat 0.14.5 allow remote attackers to inject arbitrary web script or HTML commands via the FontName parameter. NOTE: it was later reported that 0.14.5 is also affected.20050513 PHPHeaven PHPMyChat Cross-site Scripting Vulnerablitiy20071204 RFI and Multiple XSS in PhpMyChat1362713628Cross-site scripting (XSS) vulnerability in Skull-Splitter Guestbook 1.0, 2.0 and 2.2 allows remote attackers to inject arbitrary web script or HTML via the (1) title or (2) content of a message.20050514 Skull-Splitters Guestbook Multiple XXS/HTML injectionSkull-Splitter critical updateDirectory traversal vulnerability in the pnModFunc function in pnMod.php for PostNuke 0.750 through 0.760rc4 allows remote attackers to read arbitrary files via a .. (dot dot) in the func parameter to index.php.20050516 Postnuke 0.750 - 0.760rc4 local file inclusionhttp://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnMod.php.diff?r1=1.47&r2=1.48http://news.postnuke.com/Article2690.htmlADV-2005-0553Cross-site scripting (XSS) vulnerability in productsByCategory.asp in MetaCart e-Shop allows remote attackers to inject arbitrary web script or HTML via the strCatalog_NAME parameter.20050516 Multiple Vulnerabilities in MetaCart e-Shophttp://echo.or.id/adv/adv13-theday-2005.txtMetaCart e-Shop Multiple VulnerabilitiesStack-based buffer overflow in the UnixAppOpenFilePerform function in Adobe Reader 5.0.9 and 5.0.10 for Unix allows remote attackers to execute arbitrary code via a PDF document with a long /Filespec tag.20050705 iDEFENSE Security Advisory 07.05.05: Adobe Acrobat Reader UnixAppOpenFilePerform() Buffer Overflow Vulnerabilityhttp://www.adobe.com/support/techdocs/329083.htmlRHSA-2005:575SUSE-SA:2005:042Multiple buffer overflows in handlers.c for Pico Server (pServ) before 3.3 may allow attackers to execute arbitrary code.13648http://sourceforge.net/project/shownotes.php?release_id=327708Unknown vulnerability in Viewglob before 2.0.1, related to "a potential security issue with the Viewglob display and ssh X forwarding," has unknown impact.http://sourceforge.net/project/shownotes.php?release_id=32557416170101393715293viewglob-connection-information-disclosure(20559)apage.cgi in WebAPP 0.9.9.2.1, and possibly earlier versions, allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter.13637WebAPP apage.cgi Remote Command Execution Vulnerability20061023 Application orders Linux in WebAPP v0.9.9.2.120061024 Re: Application orders Linux in WebAPP v0.9.9.2.1SQL injection vulnerability in member.php for Photopost PHP Pro allows remote attackers to execute arbitrary SQL commands via the verifykey parameter.20050513 PhotoPost Arbitrary Data Exploit13620Unknown vulnerability in Attachment Mod before 2.3.13, related to a "serious issue with realnames," has unknown impact and attack vectors.http://sourceforge.net/project/shownotes.php?release_id=32640815327booby.php in Booby 1.0.0 and earlier allows remote attackers to view private bookmarks by guessing item IDs.http://sourceforge.net/project/shownotes.php?release_id=3268261362315305booby-bookmarks-information-disclosure(20605)Cheetah 0.9.15 and 0.9.16 searches the /tmp directory for modules before using the paths in the PYTHONPATH variable, which allows local users to execute arbitrary code via a malicious module in /tmp/.http://sourceforge.net/mailarchive/forum.php?thread_id=7070332&forum_id=15421662215386Multiple SQL injection vulnerabilities in JGS-XA JGS-Portal 3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) anzahl_beitraege parameter to jgs_portal.php, 2) year parameter to (jgs_portal_statistik.php, 3) year parameter to (jgs_portal_beitraggraf.php, 4) tag parameter to (jgs_portal_viewsgraf.php, 5) year parameter to (jgs_portal_themengraf.php, 6) year parameter to (jgs_portal_mitgraf.php, 7) id parameter to jgs_portal_sponsor.php, or (8) the Accept-Language header to jgs_portal_log.php.20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)Multiple cross-site scripting (XSS) vulnerabilities in JGS-XA JGS-Portal 3.0.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) anzahl_beitraege parameter to jgs_portal.php, (2) year parameter to jgs_portal_statistik.php, (3) year parameter to jgs_portal_beitraggraf.php, (4) tag parameter to jgs_portal_viewsgraf.php, (5) year parameter to jgs_portal_themengraf.php, (6) year parameter to jgs_portal_mitgraf.php, (7) id parameter to jgs_portal_sponsor.php, or (8) the Accept-Language header to jgs_portal_log.php. NOTE: this issue may stem from the same core problem as CVE-2005-1633.20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)JGS-XA JGS-Portal 3.0.2 and earlier allows remote attackers to obtain the full server path via direct requests to (1) jgs_portal_ref.php, (2) jgs_portal_land.php, (3) jgs_portal_log.php, (4) jgs_portal_global_sponsor.php, (5) jgs_portal_global.php, (6) jgs_portal_system.php, (7) jgs_portal_views.php; or multiple files in the jgs_portal_include directory, including (8) jgs_portal_boardmenue.php, (9) jgs_portal_forenliste.php, (10) jgs_portal_geburtstag.php, (11) jgs_portal_guckloch.php, (12) jgs_portal_kalender.php, (13) jgs_portal_letztethemen.php, (14) jgs_portal_links.php, (15) jgs_portal_neustemember.php, (16) jgs_portal_newsboard.php, (17) jgs_portal_online.php, (18) jgs_portal_pn.php, (19) jgs_portal_portalmenue.php, (20) jgs_portal_styles.php, (21) jgs_portal_suchen.php, (22) jgs_portal_team.php, (23) jgs_portal_topforen.php, (24) jgs_portal_topposter.php, (25) jgs_portal_umfrage.php, (26) jgs_portal_useravatar.php, (27) jgs_portal_waronline.php, (28) jgs_portal_woonline.php, or (29) jgs_portal_zufallsavatar.php.20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05)mysql_install_db in MySQL 4.1.x before 4.1.12 and 5.x up to 5.0.4 creates the mysql_install_db.X file with a predictable filename and insecure permissions, which allows local users to execute arbitrary SQL commands by modifying the file's contents.20050517 MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmphttp://www.zataz.net/adviso/mysql-05172005.txt1366020050517 MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmphttps://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=15868815369RHSA-2005:68517080MDKSA-2006:045MDKSA-2006:045Multiple SQL injection vulnerabilities in NPDS 4.8 and 5.0 allow remote attackers to execute arbitrary SQL commands via the thold parameter to (1) comments.php or (2) pollcomments.php.http://www.npds.org/article.php?sid=12581013973The _writeAttrs function in SafeHTML before 1.3.2 does not properly handle quotes in attribute values, which could allow remote attackers to exploit cross-site scripting (XSS) vulnerabilities in applications that rely on SafeHTML for protection.http://pixel-apes.com/safehtml/feed1661215371SQL injection vulnerability in Sigmaweb.DLL in Sigma ISP Manager 6.6 allows remote attackers to execute arbitrary SQL commands via the (1) username, (2) password, or (3) domain fields.http://www.under9round.com/sigma.txt1662015379mod_channel.bas in The Ignition Project ignitionServer 0.3.0 to 0.3.6, and possibly earlier versions, does not properly verify whether a host has the owner privileges required to delete IRC channel access entries, which allows remote attackers to bypass intended restrictions.http://www.ignition-project.com/security/20050414-hosts-delete-owner-access-entries15388mod_channel in The Ignition Project ignitionServer 0.3.0 to 0.3.6, and possibly earlier versions, does not allow protected operators to access channels that have been locked out by a key, which allows IRC users to cause a denial of service.http://www.ignition-project.com/security/20050515-protected-opers-cannot-join-channel-with-key15388SQL injection vulnerability in the verify_email function in Woltlab Burning Board 2.x and earlier allows remote attackers to execute arbitrary SQL commands via the $email variable.20050516 Woltlab Burning Board SQL Injection Vulnerability20050516 Re: Woltlab Burning Board SQL Injection Vulnerability (fwd)1657515395ADV-2005-0558The ZCom_BitStream::Deserialize function in Zoidcom 1.0 beta 4 and earlier allows remote attackers to cause a denial of service via a crafted UDP packet with a large size value, which causes a memory allocation error or an out-of-bounds read.20050510 Crash in Zoidcom 1.0 beta 4http://www.zoidcom.com/download/changelog.txt164951013939zoidcom-deserialize-dos(20511)Cross-site scripting (XSS) vulnerability in guestbook.php for 1Two Livre d'Or 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) livreornom, (2) livreoremail, or (3) livreormessage parameters.136311013971167171two-livere-dor-guestbook-xss(20589)Keyvan1 ImageGallery stores the image.mdb database under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information.13630101397015362imagegallery-information-disclosure(20592)The default installation of Fastream NETFile FTP/Web Server 7.4.6, which supports FXP, does not require that the IP address in a PORT command be the same as the IP of the logged in user, which allows remote attackers to conduct FTP Bounce attacks to bypass firewall rules or cause a denial of service.http://www.security.org.sg/vuln/netfileftp746port.htmlADV-2005-055615394Gurgens (GASoft) Guest Book 2.1 stores the db/Genid.dat database file under the web document root with insufficient access control, which allows remote attackers to obtain and decrypt usernames and passwords.20050515 Gurgens Guest Book Password Database Vulnerability101397615373Gurgens (GASoft) Ultimate Forum 1.0 stores the db/Genid.dat database file under the web document root with insufficient access control, which allows remote attackers to obtain and decrypt usernames and passwords.20050515 Ultimate Forum Password Database Vulnerability101397415374The IpV6 support in Windows XP SP2, 2003 Server SP1, and Longhorn, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, a variant of CVE-2005-0688 and a reoccurrence of the "Land" vulnerability (CVE-1999-0016).20050516 Windows (XP, 2k3, Longhorn) is vulnerable to IpV6 Land attack.13658ADV-2005-0559The web mail service in Woppoware PostMaster 4.2.2 (build 3.2.5) generates different error messages depending on whether a user exists or not, which allows remote attackers to determine valid usernames.1359715268Directory traversal vulnerability in message.htm for Woppoware PostMaster 4.2.2 (build 3.2.5) allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in the wmm parameter.1359715268message.htm for Woppoware PostMaster 4.2.2 (build 3.2.5) allows remote attackers to bypass authentication by modifying the email parameter.1359715268Cross-site scripting (XSS) vulnerability in message.htm for Woppoware PostMaster 4.2.2 (build 3.2.5) allows remote attackers to inject arbitrary web script or HTML via the email parameter.1359715268Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set.http://isun.shabgard.org/hc3.txt15271AOL Instant Messenger 5.5.x and earlier allows remote attackers to cause a denial of service (client crash) via an invalid smiley icon location in the sml parameter of a font tag.13553Mercur Messaging 2005 SP2 allows remote attackers to read the source code of .ctml files via a URL with a trailing hex-encoded space ("%20").1621815234Multiple directory traversal vulnerabilities in Mercur Messaging 2005 SP2 allow remote attackers to perform unauthorized file operations via the Folder.Id parameter to (1) deletefolder.ctml, (2) deletemessage.ctml, (3) origmessage.ctml, or (4) readmessage.ctml, the Message.Id parameter to editmessage.ctml, or the (5) Message.Command parameter to messages.ctml.16220162211622216223162241622515234Directory traversal vulnerability in filemanager.cpp in MyServer 0.8 allows remote attackers to list the parent directory of the web root via a URL with a "..." (triple dot).15274http://cvs.sourceforge.net/viewcvs.py/myserverweb/myserverweb/source/filemanager.cpp?rev=1.116&view=logCross-site scripting (XSS) vulnerability in filemanager.cpp in MyServer 0.8 allows remote attackers to inject arbitrary Javascript via a URL with a "..." (triple dot) followed by an onmouseover event.15274http://cvs.sourceforge.net/viewcvs.py/myserverweb/myserverweb/source/filemanager.cpp?rev=1.116&view=logHTMLJunction EZGuestbook stores the guestbook.mdb file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the administrative password.164441013912htmljunction-database-disclosure(20487)Jeuce Personal Webserver 2.13 allows remote attackers to cause a denial of service (server crash) via a long GET request, possibly triggering a buffer overflow.http://users.pandora.be/bratax/advisories/b005.html16453101390213732Directory traversal vulnerability in Jeuce Personal Web Server 2.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.http://www.securiteam.com/windowsntfocus/5JP011PEKY.html1218312718137321012791jeuce-dotdot-directory-traversal(18787)Jeuce Personal Web Server 2.13 allows remote attackers to cause a denial of service (server crash) via a GET request beginning with "://".http://www.securiteam.com/windowsntfocus/5JP011PEKY.html1218312719137321012791jeuce-url-dos(18791)The __VIEWSTATE functionality in Microsoft ASP.NET 1.x allows remote attackers to conduct replay attacks to (1) apply a ViewState generated from one view to a different view, (2) reuse ViewState information after the application's state has changed, or (3) use the ViewState to conduct attacks or expose content to third parties.20050503 ASP.NET __VIEWSTATE crypto validation prone to replay attacks20050505 Re: ASP.NET __VIEWSTATE crypto validation prone to replay attackshttp://scottonwriting.net/sowblog/posts/3747.aspx1619615241ms-aspnet-viewstate-replay(20409)The __VIEWSTATE functionality in Microsoft ASP.NET 1.x, when not cryptographically signed, allows remote attackers to cause a denial of service (CPU consumption) via deeply nested markup.20050503 ASP.NET __VIEWSTATE crypto validation prone to replay attackshttp://scottonwriting.net/sowblog/posts/3747.aspx1619515241ms-aspnet-viewstate-dos(20408)Multiple buffer overflows in Orenosv HTTP/FTP Server 0.8.1 allow remote authenticated users to cause a denial of service (server crash) and possibly execute arbitrary code via long arguments to FTP commands such as MKD, RMD, or DELE, which are processed by the (1) ftp_xlate_path, (2) ftp_is_canonical, or (3) os_fn_nativize functions, or (4) a long SSI command that is processed by the parse_cmd function in cgissi.exe.http://www.security.org.sg/vuln/orenosv081.htmlhttp://www.securiteam.com/windowsntfocus/5FP0H00FPS.htmlhttp://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html1354613549ADV-2005-04991616516166101392315302orenosv-http-ftp-commands-bo(20510)orenosv-http-ftp-cgissi-bo(20512)DataTrac Activity Console 1.1 allows remote attackers to cause a denial of service via a long HTTP GET request.http://www.milw0rm.com/id.php?id=983http://www.securiteam.com/windowsntfocus/5FP052AFPA.html135581616815291 983YusASP Web Asset Manager 1.0 allows remote attackers to gain privileges via a direct request to assetmanager.asp.http://www.securiteam.com/windowsntfocus/5OP0115FPQ.html1350116198Cross-site scripting (XSS) vulnerability in Opera 8.0 Final Build 1095 allows remote attackers to inject arbitrary web script or HTML via "javascript:" URLs when a new window or frame is opened, which allows remote attackers to bypass access restrictions and perform unauthorized actions on other domains.http://secunia.com/secunia_research/2005-5/advisory/15411Unknown vulnerability in Extreme BlackDiamond 10808 and 8800 switches running ExtremeWare XOS 11.1 before 11.1.3.3, 11.0 before 11.0.2.4, and 10.x allows remote authenticated users to execute arbitrary commands.http://www.extremenetworks.com/services/documentation/FieldNotices_FN0215-Security_Alert_EXOS.aspVU#937838ADV-2005-057215438The Logfile feature in Yahoo! Messenger 5.x through 6.0 can be activated by a YMSGR: URL and writes all output to a single ypager.log file, even when there are multiple users, and does not properly warn later users that the feature has been enabled, which allows local users to obtain sensitive information from other users.20050518 Yahoo Messenger may be storing all session data Unencoded on the local machineMultiple cross-site scripting (XSS) vulnerabilities in Help Center Live allow remote attackers to inject arbitrary web script or HTML via the (1) find parameter to index.php, (2) name or (3) message field of a chat request, or (4) the message body when opening a trouble ticket.20050517 Help Center Live VulnerabilitiesMultiple SQL injection vulnerabilities in Help Center Live allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to index.php, (2) tid parameter to view.php, fid parameter to (3) download.php or (4) chat_download.php, (5) status parameter to icon.php, TICKET_tid parameter to (6) index.php or (7) view.php.20050517 Help Center Live VulnerabilitiesCross-Site Request Forgery (CSRF) vulnerability in Help Center Live allows remote attackers to perform actions as the administrator via a link or IMG tag to view.php.20050517 Help Center Live VulnerabilitiesGroove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 installs the client installation directories with insecure EVERYBODY permissions, which allows local users to gain sensitive information.http://www.kb.cert.org/vuls/id/JGEI-6BCRBXVU#44337015421Multiple cross-site scripting (XSS) vulnerabilities in Groove Mobile Workspace in Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 allow remote attackers to inject arbitrary web script or HTML via the (1) picture columns embedded within SharePoint lists or (2) drop-down menus in a SharePoint list.http://www.kb.cert.org/vuls/id/JGEI-6BCRCCVU#372618VU#51438615421Unknown vulnerability in Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 allows remote attackers to bypass restrictions on COM objects.http://www.kb.cert.org/vuls/id/JGEI-6BCRCMVU#15561015421Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 does not properly display file extensions on attached or embedded files in a compound document, which may allow remote attackers to trick users into executing malicious code.http://www.kb.cert.org/vuls/id/JGEI-6BCRD6VU#23223215421Stack-based buffer overflow in the error directive in picasm 1.12b and earlier allows attackers to execute arbitrary code via a long error message.20050520 picasm error handling stack overflow vulnerabilityhttp://www.co.jyu.fi/~trossi/pic/13698D-Link DSL-502T, DSL-504T, DSL-562T, and DSL-G604T, when /cgi-bin/firmwarecfg is executed, allows remote attackers to bypass authentication (1) if their IP address already exists in /var/tmp/fw_ip or (2) if their request is the first, which causes /var/tmp/fw_ip to be created and contain their IP address.20050519 D-Link DSL routers authentication bypassADV-2005-0573PHP remote file inclusion vulnerability in common.php in phpATM 1.21, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via a URL in the include_location parameter to index.php.20050519 phpATM arbitrary PHP code inclusion15420166921014008** DISPUTED ** JavaMail API, as used by Solstice Internet Mail Server POP3 2.0, does not properly validate the message number in the MimeMessage constructor in javax.mail.internet.InternetHeaders, which allows remote authenticated users to read other users' e-mail messages by modifying the msgno parameter. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products."20050519 JavaMail Information Disclosure (msgno)ADV-2005-0574Buffer overflow in winword.exe 10.2627.6714 and earlier in Microsoft Word for the Macintosh, before SP3 for Word 2002, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted mcw file.20050519 UNICODE BUFFER OVERFLOW IN MS-WORD20050521 [UPDATE] UNICODE BUFFER OVERFLOW IN MS-WORD13687Cross-site scripting (XSS) vulnerability in default.asp for episodex guestbook allows remote attackers to inject arbitrary web script or HTML via the Name field and other fields.20050520 episodex guestbook security bypass & html injectionepisodex guestbook allows remote attackers to bypass authentication and edit scripts via a direct request to admin.asp.20050520 episodex guestbook security bypass & html injectionFormat string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries.20050520 pst.advisory: gedit fun. opensource is god .lol windowsGLSA-200506-09RHSA-2005:499USN-138-1DSA-753OVAL1245SUSE-SA:2005:036oval:org.mitre.oval:def:1245SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter.20050520 [BuHa Security] Wordpress SQL-InjectionGLSA-200506-04http://bugs.gentoo.org/show_bug.cgi?id=88926Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message.20050520 [BuHa Security] Wordpress SQL-InjectionDouble free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.DSA-757GLSA-200507-11VU#623332APPLE-SA-2005-08-15APPLE-SA-2005-08-1720050703-01-USuSE-SR:2005:017TLSA-2005-782005-0036USN-224-114239ADV-2005-106616041kerberos-kdc-krb5recvauth-execute-code(21055)178991014461RHSA-2005:562RHSA-2005:5671713520050712 MITKRB5-SA-2005-003: double-free in krb5_recvauthCLA-2005:993101810HPSBUX02152ADV-2006-377622090** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1250. Reason: This candidate is a duplicate of CVE-2005-1250. Notes: this duplicate occurred as a result of multiple independent discoveries and insufficient coordination by the vendor and CNA. All CVE users should reference CVE-2005-1250 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Directory traversal vulnerability in Internet Graphics Server in SAP before 6.40 Patch 11 allows remote attackers to read arbitrary files via ".." sequences in an HTTP GET request.http://www.corsaire.com/advisories/c050503-001.txtFormat string vulnerability in gxine 0.4.1 through 0.4.4, and other versions down to 0.3, allows remote attackers to execute arbitrary code via a ram file with a URL whose hostname contains format string specifiers.20050521 pst.advisory 2005-21: gxine remote exploitable . opensource is god .lol windows1370715451http://www.0xbadexworm.org/adv/gxinefmt.txtGLSA-200505-19ADV-2005-062616747Integer overflow in Computer Associates Vet Antivirus library, as used by CA InoculateIT 6.0, eTrust Antivirus r6.0 through 7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, BrightStor ARCserve Backup (BAB) r11.1, Vet Antivirus, Zonelabs ZoneAlarm Security Suite, and ZoneAlarm Antivirus, allows remote attackers to gain privileges via a compressed VBA directory with a project name length of -1, which leads to a heap-based buffer overflow.20050523 Computer Associates Vet Antivirus Library Remote Heap Overflowhttp://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1588http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=3289613710http://www.rem0te.com/public/images/vet.pdf10140501547015479Multiple SQL injection vulnerabilities in Xanthia.php in the Xanthia module in PostNuke 0.750 allow remote attackers to execute arbitrary SQL commands via the (1) name or (2) module parameter.20050521 [SECURITYREASON.COM] PostNuke SQL Injection 0.750=>xhttp://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2691Multiple cross-site scripting (XSS) vulnerabilities in the RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) rss_url parameter to magpie_slashbox.php, or the url parameter to (2) magpie_simple.php or (3) magpie_debug.php.20050521 [SECURITYREASON.COM] PostNuke XSS 0.760{RC2,RC3}20050521 [SECURITYREASON.COM] PostNuke XSS and Full path disclosurehttp://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2691Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.750 and 0.760RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) skin or (2) paletteid parameter to demo.php in the Xanthia module, or (3) the serverName parameter to config.php in the Multisites (aka NS-Multisites) module.20050521 [SECURITYREASON.COM] PostNuke XSS and Full path disclosurehttp://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2691The RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allows remote attackers to obtain sensitive information via a direct request to simple_smarty.php, which reveals the path in an error message.20050521 [SECURITYREASON.COM] PostNuke XSS 0.760{RC2,RC3}PostNuke 0.750 and 0.760RC3 allows remote attackers to obtain sensitive information via a direct request to (1) theme.php or (2) Xanthia.php in the Xanthia module, (3) user.php, (4) thelang.php, (5) text.php, (6) html.php, (7) menu.php, (8) finclude.php, or (9) button.php in the pnblocks directory in the Blocks module, (10) config.php in the NS-Multisites (aka Multisites) module, or (11) xmlrpc.php, which reveals the path in an error message.20050521 [SECURITYREASON.COM] PostNuke XSS and Full path disclosure20050521 [SECURITYREASON.COM] PostNuke XSS and Full path disclosureDirectory traversal vulnerability in pnadminapi.php in the Xanthia module in PostNuke 0.760-RC3 allows remote administrators to read arbitrary files via a .. (dot dot) in the skin parameter.20050521 [SECURITYREASON.COM] PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.1020050521 [SECURITYREASON.COM] PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10SQL injection vulnerability in pnadmin.php in the Xanthia module in PostNuke 0.760-RC3 allows remote administrators to execute arbitrary SQL commands via the riga[0] parameter.20050521 [SECURITYREASON.COM] PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.1020050521 [SECURITYREASON.COM] PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10SQL injection vulnerability in PortailPHP 1.3 allows remote attackers to execute arbitrary SQL commands via the id parameter to the (1) News, (2) File, (3) Liens, or (4) Faq modules.20050521 SQL injections in PortailPHP137081014036Format string vulnerability in Warrior Kings: Battles 1.23 and earlier and Warrior Kings 1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a nickname.13711101404010140411548220050523 Format string and crash in Warrior Kings 1.3 and Battles 1.23Warrior Kings: Battles 1.23 and earlier allows remote attackers to cause a denial of service (server crash) via a partial join packet that triggers a NULL pointer dereference.13712101404010140411548220050523 Format string and crash in Warrior Kings 1.3 and Battles 1.23Integer overflow in the Binary File Descriptor (BFD) library for gdb before 6.3, binutils, elfutils, and possibly other packages, allows user-assisted attackers to execute arbitrary code via a crafted object file that specifies a large number of section headers, leading to a heap-based buffer overflow.http://bugs.gentoo.org/show_bug.cgi?id=91398GLSA-200505-15GLSA-200506-01MDKSA-2005:0952005-0025USN-136-1RHSA-2005:763RHSA-2005:801MDKSA-2005:215155271771816757RHSA-2005:659RHSA-2005:673RHSA-2005:7091707217135172571735617001CLA-2006:10601369718506RHSA-2006:0368101654421122RHSA-2006:035420060703-01-P2126221717 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates ADV-2007-1267 24788MDKSA-2005:215gdb before 6.3 searches the current working directory to load the .gdbinit configuration file, which allows local users to execute arbitrary commands as the user running gdb.http://bugs.gentoo.org/show_bug.cgi?id=88398GLSA-200505-15MDKSA-2005:095RHSA-2005:801RHSA-2005:709170721735618506Unknown vulnerability in MailScanner 4.41.3 and earlier, related to "incomplete reporting of viruses in zip files," allows remote attackers to bypass virus detection.The vendor has released a fixed version (4.42.2)http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog1014024The fn_show_postinst function in Gentoo webapp-config before 1.10-r14 allows local users to overwrite arbitrary files via a symlink attack on the postinst.txt temporary file.http://www.zataz.net/adviso/webapp-config-05182005.txt16746101402715445http://bugs.gentoo.org/show_bug.cgi?id=91785GLSA-200506-1313780ADV-2005-0809templates.admin.users.user_form_processing in Blue Coat Reporter before 7.1.2 allows authenticated users to gain administrator privileges via an HTTP POST that sets volatile.user.administrator to true.http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.htmlADV-2005-058916763154521372320050524 Blue Coat Reporter multiple remote vulnerabilitiesUnknown vulnerability in Blue Coat Reporter before 7.1.2 allows remote unauthenticated attackers to add a license.http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.htmlADV-2005-0589167641545213725Multiple cross-site scripting (XSS) vulnerabilities in Blue Coat Reporter before 7.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) the username in an Add User window or (2) the license key (volatile.license_to_add parameter) in the Licensing page.http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.htmlADV-2005-058916765167661545220050524 Blue Coat Reporter multiple remote vulnerabilitiesGibraltar Firewall 2.2 and earlier, when using the ClamAV update to 0.81 for Squid, uses a defunct ClamAV method to scan memory for viruses, which does not return an error code and prevents viruses from being detected.1014030Unknown vulnerability in Serendipity 0.8, when used with multiple authors, allows unprivileged authors to upload arbitrary media files.http://sourceforge.net/project/shownotes.php?release_id=3280921665915405Multiple cross-site scripting (XSS) vulnerabilities in Serendipity 0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) templatedropdown and (2) shoutbox plugins.http://sourceforge.net/project/shownotes.php?release_id=328092166601666115405Cross-site scripting (XSS) vulnerability in NetWin SurgeMail 3.0c2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.ADV-2005-057615425Cross-site scripting (XSS) vulnerability in index.php for TOPo 2.2 (2.2.178) allows remote attackers to inject arbitrary web script or HTML via the (1) m, (2) s, (3) ID, or (4) t parameters, or the (5) field name, (6) Your Web field, or (7) email field in the comments section.http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html137001370116699101401615325TOPo 2.2 (2.2.178) stores data files in the data directory under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as client IP addresses.http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html16700101401615325ZyXEL Prestige 650R-31 router running ZyNOS FW v3.40(KO.1) allows remote attackers to cause a denial of service (CPU consumption and network loss) via crafted fragmented IP packets.http://www.infobyte.com.ar/adv/ISR-10.html137031677915463Buffer overflow in LS Games War Times 1.03 and earlier allows remote attackers to cause a denial of service (server crash) via a long nickname.16619101398115363Unknown vulnerability in ALWIL avast! antivirus 4 (4.6.6230) and earlier, when running on Windows NT 4.0, does not properly detect certain viruses.http://www.avast.com/eng/av4_revision_history.html1013991AFP Server for Mac OS X 10.4.1, when using an ACL enabled volume, does not properly remove an ACL when a file is copied to a directory that does not use ACLs, which will override the POSIX file permissions for that ACL.APPLE-SA-2005-06-08Buffer overflow in the legacy client support for AFP Server for Mac OS X 10.4.1 allows attackers to execute arbitrary code.APPLE-SA-2005-06-081014138Unknown vulnerability in the CoreGraphics Window Server for Mac OS X 10.4.x up to 10.4.1 allows local users to inject arbitrary commands into root sessions.APPLE-SA-2005-06-08LaunchServices in Apple Mac OS X 10.4.x up to 10.4.1 does not properly mark file extensions and MIME types as unsafe if an Apple Uniform Type Identifier (UTI) is not created when the type is added to the database of unsafe types, which could allow attackers to bypass intended restrictions.APPLE-SA-2005-06-081014141NFS on Apple Mac OS X 10.4.x up to 10.4.1 does not properly obey the -network or -mask flags for a filesystem and exports it to everyone, which allows remote attackers to bypass intended access restrictions.APPLE-SA-2005-06-081014142launchd 106 in Apple Mac OS X 10.4.x up to 10.4.1 allows local users to overwrite arbitrary files via a symlink attack on the socket file in an insecure temporary directory.20050608 [ Suresec Advisories ] - Mac OS X 10.4 - launchd local root vulnerabilityhttp://www.suresec.org/advisories/adv3.pdfAPPLE-SA-2005-06-08The CoreGraphics Window Server in Mac OS X 10.4.1 allows local users with console access to gain privileges by "launching commands into root sessions."APPLE-SA-2005-06-08Apple Mac OS X 10.4.x up to 10.4.1 sets insecure world- and group-writable permissions for the (1) system cache folder and (2) Dashboard system widgets, which allows local users to conduct unauthorized file operations via "file race conditions."APPLE-SA-2005-06-08MCX Client for Apple Mac OS X 10.4.x up to 10.4.1 insecurely logs Portable Home Directory credentials, which allows local users to obtain the credentials.APPLE-SA-2005-06-081014148Novell eDirectory 8.7.3 allows remote attackers to cause a denial of service (application crash) via a URL containing an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1.20050612 [CIRT.DK - Advisory] Novell eDirectory 8.7.3 DOS Device name Denial of Servicehttp://www.cirt.dk/advisories/cirt-33-advisory.pdf101417715676Multiple vulnerabilities in the OpenSSL ASN.1 parser, as used in Novell iManager 2.0.2, allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted packets, as demonstrated by "OpenSSL ASN.1 brute forcer." NOTE: this issue might overlap CVE-2004-0079, CVE-2004-0081, or CVE-2004-0112.ADV-2005-0744 8732Cookie Cart allows remote attackers to read the Order Notification list via the testmycgi and path parameters to testmy.cgi.20050521 Cookie Cart Default Installation Multiple Vulnerabilitieshttp://www.soulblack.com.ar/repo/papers/cookiec_advisory.txt101402615448Cookie Cart stores the password file under the web document root with insufficient access control, which allows remote attackers to obtain usernames and encrypted passwords via a direct request to passwd.txt.http://www.soulblack.com.ar/repo/papers/cookiec_advisory.txt1014026Multiple SQL injection vulnerabilities in PROMS before 0.11 allow remote attackers to execute arbitrary SQL commands via unknown vectors.http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91http://projects.electricmonk.nl//files/PROMS/proms-0.11.tar.gz1013992Multiple cross-site scripting (XSS) vulnerabilities in PROMS before 0.11 allow remote attackers to inject arbitrary web script or HTML via unknown vectors.http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91http://projects.electricmonk.nl//files/PROMS/proms-0.11.tar.gz1013992PROMS 0.11 does not properly handle "certain combinations of rights," which gives more rights to users than intended.http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91http://projects.electricmonk.nl//files/PROMS/proms-0.11.tar.gzMultiple unknown vulnerabilities in PROMS 0.11 allow "non-authorized users" to (1) view or modify the project member list or (2) modify the todos list.1013992Summary of Security Items from May 18 through May 24, 2005Format string vulnerability in the logPrintBadfile function in delbadfiles.c Iron Bars SHell (ibsh) before 0.3d allows users to "access files outside the home directory" and possibly execute arbitrary code via certain inputs that are not properly handled in a syslog call.Fixed in version 0.3 dhttp://sourceforge.net/project/shownotes.php?release_id=3293401372015473The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask.GLSA-200505-16http://bugs.gentoo.org/show_bug.cgi?id=90423USN-132-11370516774167751542915446MDKSA-2005:107OVAL96015453RHSA-2005:480oval:org.mitre.oval:def:960fixproc in Net-snmp 5.x before 5.2.1-r1 creates temporary files insecurely, which allows local users to modify the contents of those files to execute arbitrary commands, or overwrite arbitrary files via a symlink attack.http://www.zataz.net/adviso/net-snmp-05182005.txtGLSA-200505-18ADV-2005-059816778154711014039MDKSA-2006:0251371518635RHSA-2005:373RHSA-2005:3951713516999MDKSA-2006:025Gearbox Software Halo: Combat Evolved 1.6 allows remote attackers to cause a denial of service (infinite loop) via malformed data.13728ADV-2005-0616101406715501BEA WebLogic Server and WebLogic Express 8.1 SP2 and SP3 allows users with the Monitor security role to "shrink or reset JDBC connection pools."http://dev2dev.bea.com/pub/advisory/12513717ADV-2005-0602154861014049BEA WebLogic Server and WebLogic Express 8.1 through Service Pack 3 and 7.0 through Service Pack 5 does not properly handle when a security provider throws an exception, which may cause WebLogic to use incorrect identity for the thread, or to fail to audit security exceptions.http://dev2dev.bea.com/pub/advisory/12613717ADV-2005-0603154861014049BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security constraints or role mappings.http://dev2dev.bea.com/pub/advisory/12713717ADV-2005-0604154861014049The UserLogin control in BEA WebLogic Portal 8.1 through Service Pack 3 prints the password to standard output when an incorrect login attempt is made, which could make it easier for attackers to guess the correct password.http://dev2dev.bea.com/pub/advisory/12813717ADV-2005-0605154861014049The cluster cookie parsing code in BEA WebLogic Server 7.0 through Service Pack 5 attempts to contact any host or port specified in a cookie, even when it is not in the cluster, which allows remote attackers to cause a denial of service (cluster slowdown) via modified cookies.http://dev2dev.bea.com/pub/advisory/12913717ADV-2005-0606154861014049Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 6, allow remote attackers to inject arbitrary web script or HTML, and possibly gain administrative privileges, via the (1) j_username or (2) j_password parameters in the login page (LoginForm.jsp), (3) parameters to the error page in the Administration Console, (4) unknown vectors in the Server Console while the administrator has an active session to obtain the ADMINCONSOLESESSION cookie, or (5) an alternate vector in the Server Console that does not require an active session but also leaks the username and password.http://dev2dev.bea.com/pub/advisory/13013717ADV-2005-060715486http://www.acrossecurity.com/aspr/ASPR-2005-05-24-1-PUB.txthttp://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txthttp://www.appsecinc.com/resources/alerts/general/BEA-001.htmlhttp://www.appsecinc.com/resources/alerts/general/BEA-002.html101404920050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (1)20050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (2)20050527 [AppSecInc Advisory BEA05-V0100] BEA WebLogic Administration Console error page cross-site scripting vulnerability20050527 [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerabilityThe embedded LDAP server in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 5, allows remote anonymous binds, which may allow remote attackers to view user entries or cause a denial of service.http://dev2dev.bea.com/pub/advisory/13113717ADV-2005-0608154861014049Buffer overflow in BEA WebLogic Server and WebLogic Express 6.1 Service Pack 4 allows remote attackers to cause a denial of service (CPU consumption from thread looping).http://dev2dev.bea.com/pub/advisory/13213717ADV-2005-060915486SQL injection vulnerability in login.asp in ezdwc NewsletterEz 3.0 allows remote attackers to execute arbitrary SQL commands via the password parameter.http://www.under9round.com/nez.txt13730154691014038Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759.http://www.zataz.net/adviso/shtool-05252005.txthttp://bugs.gentoo.org/show_bug.cgi?id=93782101405915496GLSA-200506-08OVAL345DSA-7891376715668RHSA-2005:564OpenPKG-SA-2005.011oval:org.mitre.oval:def:345viewFile.php in the scm component of Gforge before 4.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file_name parameter.20050524 Gforge - viewFile.php security flaw1371613845** DISPUTED ** ReadMessage.jsp in JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to view other users' e-mail attachments via a direct request to /mailboxesdir/username@domainname. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products."20050524 Javamail Multiple Information Disclosure Vulnerabilities** DISPUTED ** JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products."20050524 Javamail Multiple Information Disclosure Vulnerabilities13753PHP remote file inclusion vulnerability in poll_vote.php in PHP Poll Creator 1.01 allows remote attackers to execute arbitrary PHP code via the relativer_pfad parameter.20050525 PHP Injection in PHP Poll Creator16846101406115510Cross-site scripting (XSS) vulnerability in the ModWeb agent for Novell NetMail 3.52 before 3.52C allows remote attackers to inject arbitrary web script or HTML via calendar display fields.http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971588.htmhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/2971590.htmhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/2971591.htm1564413926ADV-2005-072717240Buffer overflow in the Modweb agent for Novell NetMail 3.52 before 3.52C, when renaming folders, may allow attackers to execute arbitrary code.http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971588.htmhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/2971590.htmhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/2971591.htm1564413926ADV-2005-072717241Buffer overflow in the IMAP command continuation function in Novell NetMail 3.52 before 3.52C may allow remote attackers to execute arbitrary code.http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971588.htmhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/2971590.htmhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/2971591.htm156441392614718ADV-2005-072717239Race condition in shtool 2.0.1 and earlier allows local users to modify or create arbitrary files via a symlink attack on temporary files after they have been created, a different vulnerability than CVE-2005-1751.20050623 [OpenPKG-SA-2005.011] OpenPKG Security Advisory (shtool)http://bugs.gentoo.org/show_bug.cgi?id=93782GLSA-200506-081376715668sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges.RHSA-2005:502OVAL62313936101418115675oval:org.mitre.oval:def:623Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users to cause a denial of service (kernel crash) via ptrace and the restore_sigcontext function.SuSE-SA:2005:044DSA-92214051180561014275RHSA-2005:514RHSA-2005:551RHSA-2005:663FLSA:157459-317073DSA-10181936917002ADV-2005-1878The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform allows local users to cause a denial of service (kernel crash) via a "non-canonical" address.SuSE-SA:2005:029USN-143-115786DSA-922DSA-921139041805618059RHSA-2005:514RHSA-2005:663FLSA:157459-2FLSA:157459-31707317002ADV-2005-1878Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures allows local users to write bytes into kernel memory.SuSE-SA:2005:029DSA-9221390318056RHSA-2005:514FLSA:157459-317073Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug, which allows local users to cause a denial of service.SUSE-SA:2005:029MDKSA-2005:22013904MDKSA-2005:220linux-kernel-guardpage-dos(43324)syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when running in 32-bit compatibility mode, allows local users to cause a denial of service (kernel hang) via crafted arguments.SuSE-SA:2005:029USN-143-1DSA-9221390418056Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5 6.0.12.1056 on Windows, and 10, 10.0.1.436, and other versions before 10.0.5 on Linux, allows remote attackers to execute arbitrary code via a RealMedia file with a long RealText string, such as an SMIL file.RHSA-2005:523Bugzilla Bug 159871 - CAN-2005-1766 HelixPlayer heap overflow20050623 RealNetworks RealPlayer RealText Parsing Heap Overflow Vulnerabilityhttp://service.real.com/help/faq/security/050623_player/EN/20050623 RealNetworks RealPlayer RealText Parsing Heap Overflow VulnerabilitySUSE-SA:2005:037DSA-82616981RHSA-2005:517traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment faults on an exception stack, which allows local users to cause a denial of service (oops and stack fault exception).SuSE-SA:2005:044USN-187-1DSA-92214467DSA-9211805618059MDKSA-2006:04418977RHSA-2005:66317002ADV-2005-1878Race condition in the ia32 compatibility code for the execve system call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via a concurrent thread that increments a pointer count after the nargs function has counted the pointers, but before the count is copied from user space to kernel space, which leads to a buffer overflow.20050711 [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64)http://www.suresec.org/advisories/adv4.pdfSUSE-SA:2005:04414205DSA-92118059101444215980RHSA-2005:551RHSA-2005:6631700219185ADV-2005-1878 20060402-01-U 19607Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message.20050616 [SM-ANNOUNCE] Patch fixes SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769]http://www.squirrelmail.org/security/issue/2005-06-15DSA-756MDKSA-2005:108APPLE-SA-2005-08-15APPLE-SA-2005-08-17FLSA:163047RHSA-2005:595SUSE-SR:2005:018MDKSA-2005:108Buffer overflow in the Aavmker4 device driver in Avast! Antivirus 4.6 and possibly other versions allows local users to cause a denial of service (system crash) and possibly execute arbitrary code via certain signals combined with crafted input.20050526 Alwil Software Avast Antivirus Device Driver Memory Overwrite Vulnerabilityhttp://pb.specialised.info/all/adv/avast-adv.txtUnknown vulnerability in HP-UX trusted systems B.11.00 through B.11.23 allows remote attackers to gain unauthorized access, possibly involving remshd and/or telnet -t.HPSBUX011651014060Buffer overflow in the client cd-key hash in Terminator 3: War of the Machines 1.16 and earlier allows remote attackers to cause a denial of service (application crash) via a long client cd-key hash value, a different vulnerability than CVE-2005-1556.1552020050526 Buffer-overflow and crash in Terminator 3: War of the Machines 1.16Multiple unknown vulnerabilities in L-Soft LISTSERV 14.3, 1.8e, and 1.8d allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: this candidate may be SPLIT in the future when more precise technical details become available.20050525 High Risk Vulnerability in L-Soft's LISTSERV Server13768154981014051WEB-DAV Linux File System (davfs2) 0.2.3 does not properly enforce Unix permissions, which allows local users to write arbitrary files on a davfs2 mounted filesystem.20050525 davfs2 does not honour Unix permissionshttp://bugs.debian.org/cgi-bin/bugreport.cgi?bug=31075715497Terminator 3: War of the Machines 1.16 and earlier allows remote attackers to cause a denial of service (application crash) via a large nickname.20050526 Buffer-overflow and crash in Terminator 3: War of the Machines 1.1615520Buffer overflow in the READ_TCP_STRING function in game_message_functions.cpp in the network plugin for C'Nedra 0.4.0 and earlier allows remote attackers to execute arbitrary code via a long text string.1551920050526 Buffer-overflow in C'Nedra 0.4.0SQL injection vulnerability in readpmsg.php in PostNuke 0.750 allows remote attackers to execute arbitrary SQL commands via the start parameter.20050527 PostNuke Critical SQL Injection and XSS 0.750=>xhttp://news.postnuke.com/Article2691.html20050527 PostNuke Critical SQL Injection and XSS 0.750=>x1014066Cross-site scripting (XSS) vulnerability in readpmsg.php in PostNuke 0.750 allows remote attackers to inject arbitrary web script or HTML via the start parameter.20050527 PostNuke Critical SQL Injection and XSS 0.750=>xhttp://news.postnuke.com/Article2691.html20050527 PostNuke Critical SQL Injection and XSS 0.750=>xSQL injection vulnerability in password.asp in MaxWebPortal 1.35, 1.36, 2.0, and 20050418 Next allows remote attackers to execute arbitrary SQL commands via the memKey parameter.101404815511SQL injection vulnerability in admin/login.asp in Active News Manager allows remote attackers to execute arbitrary SQL commands via the password.http://www.under9round.com/anm.txt154931014057Unknown vulnerability in SMTP authentication for MailEnable allows remote attackers to cause a denial of service (crash).15487Multiple cross-site scripting (XSS) vulnerabilities in BookReview beta 1.0 allow remote attackers to inject arbitrary web script or HTML via the node parameter to (1) add_review.htm, (2) suggest_review.htm, (3) suggest_category.htm, (4) add_booklist.htm, or (5) add_url.htm, the isbn parameter to (6) add_review.htm, (7) add_contents.htm, (8) add_classification.htm, the (9) chapters parameter to the add_contents page in index.php (aka add_contents.htm), (10) the user parameter to contact.htm, or (11) the submit[string] parameter to search.htm. NOTE: it is not clear whether BookReview is available to the public. If not, then it should not be included in CVE.http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html137831687116872168731687416875168761687716878168791014058BookReview beta 1.0 allows remote attackers to obtain the path of the web server via certain parameters to search.htm, possibly due to a search[string] parameter with a missing value or an incorrect submit[type] value, which reveals the path in the resulting error message. NOTE: it is not clear whether BookReview is available to the public. If not, then it should not be included in CVE.http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html1688116880Hosting Controller 6.1 HotFix 2.0 and earlier allows remote attackers to steal passwords and gain privileges via a modified emailaddress parameter in an updateprofile action for UserProfile.asp.1014062SQL injection vulnerability in ad/login.asp in ZonGG 1.2 allows remote attackers to execute arbitrary SQL commands via the password parameter.http://www.under9round.com/zongg.txt13787ADV-2005-0636101406315515SQL injection vulnerability in admin.asp in FunkyASP AD System 1.1 allows remote attackers to execute arbitrary SQL commands and gain privileges via the password parameter.http://www.under9round.com/funky-asp.txthttp://www.funkyasp.co.uk/product.asp?prod=1&currency=USD154941014056setup.php in phpStat 1.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the $check variable.20050527 PHP Stat Administrative User Authentication Bypasshttp://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txthttp://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt101406415516SQL injection vulnerability in resellerresources.asp in Hosting Controller 6.1 Hotfix 2.0 allows remote attackers to execute arbitrary SQL commands via the jresourceid parameter.101407115540SQL injection vulnerability in SignIn.asp in India Software Solution shopping cart allows remote attackers to execute arbitrary SQL commands via the password.http://ir-hackers.com/indsc.txt1014074Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability."20050528 Microsoft Internet Explorer - Crash on JavaScript 20050530 Re: Microsoft Internet Explorer - Crash on JavaScript 1554620051121 Computer Terrorism Security Advisory (Reclassification) - Microsoft Internet Explorer JavaScript Window() VulnerabilityADV-2005-25091015251MS05-054TA05-347AVU#88786113799ADV-2005-286715368ADV-2005-290918064OVAL1091OVAL1299OVAL1303OVAL1489OVAL1508OVAL72218311oval:org.mitre.oval:def:1091oval:org.mitre.oval:def:1299oval:org.mitre.oval:def:1303oval:org.mitre.oval:def:1489oval:org.mitre.oval:def:1508oval:org.mitre.oval:def:722Microsoft Internet Explorer 6 SP2 (6.0.2900.2180) crashes when the user attempts to add a URI to the restricted zone, in which the full domain name of the URI begins with numeric sequences similar to an IP address. NOTE: if there is not an exploit scenario in which an attacker can trigger this behavior, then perhaps this issue should not be included in CVE.20050531 Microsoft Internet Explorer - Crash on adding sites to restricted zone (05/28/2005)13798Memory leak in Windows Management Instrumentation (WMI) service allows attackers to cause a denial of service (memory consumption and crash) by creating security contexts more quickly than they can be cleared from the RPC cache.http://www.networksecurity.fi/advisories/windows-wmi-rpc.html8901961380113020User32.DLL in Microsoft Windows 98SE, and possibly other operating systems, allows local and remote attackers to cause a denial of service (crash) via an icon (.ico) bitmap file with large width and height values.User32.dll Icon Size CrashMicrosoft Terminal Server using Remote Desktop Protocol (RDP) 5.2 stores an RSA private key in mstlsapi.dll and uses it to sign a certificate, which allows remote attackers to spoof public keys of legitimate servers and conduct man-in-the-middle attacks.http://www.oxid.it/downloads/rdp-gbu.pdf1381815605The filecopy function in misc.c in Clam AntiVirus (ClamAV) before 0.85, on Mac OS, allows remote attackers to execute arbitrary code via a virus in a a filename that contains shell metacharacters, which are not properly handled when HFS permissions prevent the file from being deleted and ditto is invoked.http://www.sentinelchicken.com/advisories/clamav1014070Format string vulnerability in the curses_msg function in the Ncurses interface (ec_curses.c) for Ettercap before 0.7.3 allows remote attackers to execute arbitrary code.http://ettercap.sourceforge.net/history.php1553513820ADV-2005-06701014084DSA-749GLSA-200506-071566416000The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations.http://cr.yp.to/antiforgery/cachetiming-20050414.pdf13785Directory traversal vulnerability in ServersCheck Monitoring Software 5.9.0 to 5.10.0 allows remote attackers to read arbitrary files via .. (dot dot) sequences in an HTTP request.http://www.rgod.altervista.org/hacking/news/serverscheck.html1014075Cross-site scripting (XSS) vulnerability in FreeStyle Wiki 3.5.7 and WikiLite (FSWikiLite) .10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.1553813824Cross-site scripting (XSS) vulnerability in Jaws Glossary gadget 0.4 to 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the term parameter in a view or ViewTerm action to index.php.20050529 XSS Bug in Jaws Glossary Action: ViewTerm ( v 0.4 - 0.5.1 (latest version))1379513796The vCard viewer in Nokia 9500 allows attackers to cause a denial of service (crash) via a vCard with a long Name field, which causes the crash when the user views it.http://www.securityfocus.com/infocus/183413784http://www.securityfocus.com/infocus/1836Nortel VPN Router (aka Contivity) allows remote attackers to cause a denial of service (crash) via an IPsec IKE packet with a malformed ISAKMP header.20050531 Nortel VPN Router Malformed Packet DoS Vulnerability13792http://www.nta-monitor.com/news/vpn-flaws/nortel/vpn-router-dos/1014068Multiple cross-site scripting (XSS) vulnerabilities in Net Portal Dynamic System (NPDS) 5.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) admin.php, or (2) powerpack_f.php, (3) the sitename parameter to sdv_infos.php, (4) the categories parameter to faq.php, (5) the lettre parameter to the glossaire module, (6) the title parameter to reviews.php, or (7) the image_subject parameter to reply.php.http://www.npds.org/download.php?op=geninfo&did=11510140731646416922Multiple SQL injection vulnerabilities in Net Portal Dynamic System (NPDS) 5.0 allow remote attackers to execute arbitrary SQL commands via the (1) terme parameter in the glossaire module (glossaire.php) or (2) query parameter to links.php.http://www.npds.org/download.php?op=geninfo&did=1151014073SQL injection vulnerability in login.asp in an unknown product by Online Solutions for Educators (OS4E) allows remote attackers to execute arbitrary SQL commands via the password.http://www.under9round.com/os4e.txt13804ADV-2005-06451014072Format string vulnerability in PeerCast 0.1211 and earlier allows remote attackers to execute arbitrary code via format strings in the URL.20050528 Format String Vulnerability In Peercast 0.1211 And Earlierhttp://www.gulftech.org/?node=research&article_id=00077-05282005http://www.peercast.org/forum/viewtopic.php?p=11596ADV-2005-065115536GLSA-200506-1515753The Data function in class.smtp.php in PHPMailer 1.7.2 and earlier allows remote attackers to cause a denial of service (infinite loop leading to memory and CPU consumption) via a long header field.http://www.cybsec.com/vuln/PHPMailer-DOS.pdf10140691554313805ADV-2006-044818732ADV-2007-224225726Firefly Studios Stronghold 2 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large size value for the nickname, which causes a memory allocation failure and generates an exception.20050530 Crash in Stronghold 2 1.215556Sony Ericsson P900 Beamer allows remote attackers to cause a denial of service (panic) via an obexftp session with a long filename in an OBEX File Transfer or OBEX Object Push.http://www.securityfocus.com/infocus/183413872http://www.securityfocus.com/infocus/1836SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php.http://wordpress.org/development/2005/05/security-update/1690515517GLSA-200506-04http://bugs.gentoo.org/show_bug.cgi?id=945121380920050607 SQL Injection Exploit for WordPress <= 1.5.1.1Cross-site scripting (XSS) vulnerability in usercp.php for MyBulletinBoard (MyBB) allows remote attackers to inject arbitrary web script or HTML via the website field in a user profile.20050530 MyBB 1.0 RC4 XSS Bug15552138191014081Multiple stack-based buffer overflows in FutureSoft TFTP Server Evaluation Version 1.0.0.1 allow remote attackers to execute arbitrary code via a long (1) filename or (2) transfer mode string in a Read Request (RRQ) or Write Request (WRQ) packet.http://www.security.org.sg/vuln/tftp2000-1001.html13821101407915539Directory traversal vulnerability in FutureSoft TFTP Server Evaluation Version 1.0.0.1 allows remote attackers to read arbitrary files via a TFTP GET request containing (1) "../" (dot dot slash) or (2) "..\" (dot dot backslash) sequences.http://www.security.org.sg/vuln/tftp2000-1001.html13821101407915539Stack-based buffer overflow in PicoWebServer 1.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long URL.20050528 PicoWebServer Remote Unicode Stack Overflow1380715541Multiple buffer overflows in Hummingbird Connectivity inetD 10.0.0.1 and 9.0.0.4 allows attackers to cause a denial of service and possibly execute arbitrary code via (1) an FTP command with a long argument to FTPD (ftpdw.exe) or (2) a large amount of data to LPD (Lpdw.exe).http://connectivity.hummingbird.com/support/nc/exceed/ftpd_advisory.html?cks=yhttp://connectivity.hummingbird.com/support/nc/exceed/lpdw_advisory.html137881379015557Invision Power Board (IPB) 1.0 through 2.0.4 allows non-root admins to add themselves or other users to the root admin group via the "Move users in this group to" screen.20050528 Invision Power Board 1.x and 2.x Privilege Escalation Vulnerability1379715545Invision Power Board (IPB) 1.0 through 1.3 allows remote attackers to edit arbitrary forum posts via a direct request to index.php with modified parameters.13802Multiple SQL injection vulnerabilities in NewLife Blogger before 3.3.1 allow remote attackers to execute arbitrary SQL commands via unknown attack vectors.http://www.sevengraff.com/index.php1381515523Cross-site scripting (XSS) vulnerability in NikoSoft WebMail before 0.11.0 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://www.nikosoft.net/nswm/15518zboard.php in Zeroboard version 4.1pl2 to 4.1pl5 allows remote attackers to execute arbitrary PHP code via improper quoting when using the preg_replace function.http://pandora.sapzil.info/text/notify/20050123.zb41advisory.phphttp://www.securiteam.com/exploits/5KP0V0AFPA.html13823PHP remote file inclusion vulnerability in pdl_header.inc.php in PowerDownload 3.0.2 and 3.0.3 allows remote attackers to execute arbitrary PHP code via the incdir parameter to downloads.php.http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt1382210140781553720050531 PowerDownload Remote File InclusionMultiple SQL injection vulnerabilities in Qualiteam X-Cart 4.0.8 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) printable parameter to home.php, (3) productid or (4) mode parameter to product.php, (5) id parameter to error_message.php, (6) section parameter to help.php, (7) mode parameter to orders.php, (8) mode parameter to register.php, (9) mode parameter to search.php, or the (10) gcid or (11) gcindex parameter to giftcert.php.20050530 Multiple vulnerabilities in x-cart Gold101407715555xcart-multiple-parameters-sql-injection(20773)13817Multiple cross-site scripting (XSS) vulnerabilities in Qualiteam X-Cart 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) cat or (2) printable parameter to home.php, (3) productid or (4) mode parameter to product.php, (5) id parameter to error_message.php, (6) section parameter to help.php, (7) mode parameter to orders.php, (8) mode parameter to register.php, (9) mode parameter to search.php, or the (10) gcid or (11) gcindex parameter to giftcert.php.20050530 Multiple vulnerabilities in x-cart Gold101407715555xcart-multiple-scripts-xss(20774)13817The sql_escape_string function in auth/sql.c for the mailutils SQL authentication module does not properly quote the "\" (backslash) character, which is used as an escape character and makes the module vulnerable to SQL injection attacks.http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308031GLSA-200506-02Multiple stack-based buffer overflows in the nvd_exec function in HP Radia Notify Daemon 3.1.2.0 (formerly by Novadigm), and other versions including 2.x, 3.x, and 4.x, allows remote attackers to execute arbitrary code via a command with crafted parameters to a RADEXECD process.20050601 HP Radia Notify Daemon: Multiple Buffer Overflow Vulnerabilitieshttp://www.grok.org.uk/advisories/radexecd.htmlHPSBMA01143ADV-2005-0681101408915567Buffer overflow in HP Radia Notify Daemon 3.1.0.0 (formerly by Novadigm), and other versions including 2.x, 3.x, and 4.x, allows remote attackers to execute arbitrary code via a long file extension.20050601 HP Radia Notify Daemon: Multiple Buffer Overflow Vulnerabilitieshttp://www.grok.org.uk/advisories/radexecd.htmlHPSBMA01143ADV-2005-0681101408915567D-Link DSL-504T allows remote attackers to bypass authentication and gain privileges, such as upgrade firmware, restart the router or restore a saved configuration, via a direct request to firmwarecfg.20050526 DSL-504T (and maybe many other) remote access without password bug1367915422D-Link DSL-504T stores usernames and passwords in cleartext in the router configuration file, which allows remote attackers to obtain sensitive information.20050526 DSL-504T (and maybe many other) remote access without password bugMicrosoft Internet Explorer 6 SP2 allows remote attackers to cause a denial of service (infinite loop and application crash) via two embedded files that call each other.20050528 Microsoft Internet Explorer - Crash on processing embedded files with endless loop (05/28/2005)The DbgMsg.sys driver in Compuware SoftICE DriverStudio 3.1 and 3.2 allows remote attackers to cause a denial of service (application crash) via an invalid Debug Message pointer.20050529 Compuware Softice (DbgMsg driver) Local Denial Of Servicehttp://pb.specialised.info/all/adv/sice-adv.txt15522** DISPUTED ** Sudo 1.6.8p7 on SuSE Linux 9.3, and possibly other Linux distributions, allows local users to gain privileges by using sudo to call su, then entering a blank password and hitting CTRL-C. NOTE: SuSE and multiple third-party researchers have not been able to replicate this issue, stating "Sudo catches SIGINT and returns an empty string for the password so I don't see how this could happen unless the user's actual password was empty."20050531 [XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.320050531 RE: [securitysuse.de] [XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.320050531 Re: [securitysuse.de] [XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.320417Multiple cross-site scripting (XSS) vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 and earlier allow remote attackers to execute arbitrary web script or HTML via the (1) forums, (2) version, or (3) limit parameter to misc.php, (4) page or (5) datecut parameter to forumdisplay.php, (6) username, (7) email, or (8) email2 parameter to member.php, (9) page or (10) usersearch parameter to memberlist.php, (11) pid or (12) tid parameter to showthread.php, or (13) tid parameter to printthread.php.20050531 Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4http://www.mybboard.com/community/showthread.php?tid=255915552Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to calendar.php, (2) idsql parameter to online.php, (3) usersearch parameter to memberlist.php, (4) pid parameter to editpost.php, (5) fid parameter to forumdisplay.php, (6) tid parameter to newreply.php, (7) sid parameter to search.php, (8) tid or (9) pid parameter to showthread.php, (10) tid parameter to usercp2.php, (11) tid parameter to printthread.php, or (12) pid parameter to reputation.php.20050531 Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4http://www.mybboard.com/community/showthread.php?tid=25591555217024SQL injection vulnerability in login.asp in NEXTWEB (i)Site allows remote attackers to execute arbitrary SQL commands and bypass authentication via the password field.20050601 [ZH2005-13SA] NEXTWEB (i)Site website management multiple155601014085NEXTWEB (i)Site stores databases under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to databases/Users.mdb.20050601 [ZH2005-13SA] NEXTWEB (i)Site website management multiple155601014085NEXTWEB (i)Site allows remote attackers to cause a denial of service (error 500) via a crafted HTTP request, possibly involving wildcard requests for .jsp files.20050601 [ZH2005-13SA] NEXTWEB (i)Site website management multiple15560Fortinet firewall running FortiOS 2.x contains a hardcoded uername with the password set to the serial number, which allows local users with console access to gain privileges.20050601 Backdoor in =?ISO-8859-1?Q?Fortinet=B4s_firewall_Fortigate?=Multiple cross-site scripting vulnerabilities in castnewPost.asp in Liberum Help Desk 0.97.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Email, (2) Title, or (3) Description fields.20050602 [ECHO_ADV_14$2005] Multiple Vulnerabilities in Liberum Help Deskhttp://echo.or.id/adv/adv14-theday-2005.txtMultiple SQL injection vulnerabilities in Doug Luxem Liberum Help Desk 0.97.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.asp or (2) print.asp or (3) edit parameter to register.asp.20050602 [ECHO_ADV_14$2005] Multiple Vulnerabilities in Liberum Help Deskhttp://echo.or.id/adv/adv14-theday-2005.txt15593Directory traversal vulnerability in class.layout_phpcms.php in phpCMS 1.2.x before 1.2.1pl2 allows remote attackers to read or include arbitrary files, as demonstrated using a .. (dot dot) in the language parameter to parser.php.20050602 SEC-CONSULT SA20050602-1 :: Arbitrary File Inclusion in phpCMS 1.2.xhttp://www.phpcms.de/download/index.en.htmlhttp://cvs.sourceforge.net/viewcvs.py/phpcms/phpcms/parser/include/class.layout_phpcms.php?rev=1.12.2.37&view=markup15586The control for Adobe Reader 5.0.9 and 5.0.10 on Linux, Solaris, HP-UX, and AIX creates temporary files with the permissions as specified in a user's umask, which could allow local users to read PDF documents of that user if the umask allows it.http://secunia.com/secunia_research/2005-6/advisory/http://www.adobe.com/support/techdocs/329121.html14457RHSA-2005:575VCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suite 1.0 and 1.3, and when running on Mac OS X with Version Cue Workspace, creates temporary log files with predictable names, which allows local users to modify arbitrary files via a symlink attack.1654114638101477620050829 Adobe Version Cue VCNative Arbitrary File Overwrite VulnerabilityVCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suite 1.0 and 1.3, and when running on Mac OS X with Version Cue Workspace, allows local users to load arbitrary libraries and execute arbitrary code via the -lib command line argument.1654114638101477620050829 Adobe Version Cue VCNative Arbitrary Library Loading VulnerabilityMultiple directory traversal vulnerabilities in YaMT before 0.5_2 allow attackers to overwrite arbitrary files via the (1) rename or (2) sort options.http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.htmlhttp://www.vuxml.org/freebsd/99b5cfa5-d3d2-11d9-8ffb-00061bc2ad93.htmlMultiple buffer overflows in YaMT before 0.5_2 allow attackers to execute arbitrary code via the (1) rename or (2) sort options.http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.htmlhttp://www.vuxml.org/freebsd/99b5cfa5-d3d2-11d9-8ffb-00061bc2ad93.htmlThe dhcpcd DHCP client before 1.3.22 allows remote attackers to cause a denial of service (daemon crash) via unknown vectors that cause an out-of-bounds memory read.DSA-750RHSA-2005:603inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced.DSA-763http://security.debian.org/pool/updates/main/z/zlib/zlib_1.2.2-4.sarge.2.diff.gzAPPLE-SA-2005-08-15APPLE-SA-2005-08-17FLSA:162680GLSA-200509-18DSA-797USN-151-31434018141101454016137zlib-codetable-dos(21456)SCOSA-2006.618377RHSA-2005:584MDKSA-2005:1961732617516DSA-102619550GLSA-200603-1819334MDKSA-2006:070SUSE-SA:2005:043 19597 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates ADV-2007-1267 24788MDKSA-2005:196MDKSA-2006:070Certain contributed scripts for ekg Gadu Gadu client 1.5 and earlier create temporary files insecurely, with unknown impact and attack vectors, a different vulnerability than CVE-2005-1916.DSA-76020050721 Multiple vulnerabilities in libgadu and ekg packageA certain contributed script for ekg Gadu Gadu client 1.5 and earlier allows attackers to execute shell commands via unknown attack vectors.DSA-76020050721 Multiple vulnerabilities in libgadu and ekg packageMultiple integer overflows in libgadu, as used in Kopete in KDE 3.2.3 to 3.4.1, ekg before 1.6rc3, GNU Gadu, CenterICQ, Kadu, and other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an incoming message.20050721 Multiple vulnerabilities in libgadu and ekg packagehttp://www.kde.org/info/security/advisory-20050721-1.txtFEDORA-2005-624GLSA-200507-2314345 GLSA-200507-2616140161551621116242RHSA-2005:639SUSE-SR:2005:019gopher.c in the Gopher client 3.0.5 does not properly create temporary files, which allows local users to gain privileges.DSA-7701014599Unknown vulnerability in apt-cacher in Debian 3.1, related to "missing input sanitising," allows remote attackers to execute arbitrary commands on the caching server.DSA-7721445916327aptcacher-command-execution(21664)Backup Manager (backup-manager) before 0.5.8 creates backup files with world-readable default permissions, which allows local users to obtain sensitive information.DSA-78713892101412415615The CD-burning feature in backup-manager 0.5.8 and earlier uses a fixed filename in a world-writable directory for logging, which allows local users to overwrite files via a symlink attack.DSA-787Format string vulnerability in simpleproxy before 3.4 allows remote malicious HTTP proxies to execute arbitrary code via format string specifiers in a reply.DSA-7861466616567simpleproxy-reply-format-string(22016)VU#139421FUSE 2.x before 2.3.0 does not properly clear previously used memory from unfilled pages when the filesystem returns a short byte count to a read request, which may allow local users to obtain sensitive information.http://www.sven-tantau.de/public_files/fuse/fuse_20050603.txthttp://sourceforge.net/project/shownotes.php?release_id=331884http://bugs.debian.org/311634170421556113857DSA-744101410716024Unknown vulnerability in arshell in the Array Service (arrayd) for SGI ProPack 3 with SP 5 and 6, and SGI ProPack 4, allows local users to execute arbitrary shells as root on other hosts in the cluster or array.20050701-01-P1014454PHP remote file inclusion vulnerability in cal_admintop.php in Calendarix Advanced 1.5 allows remote attackers to execute arbitrary PHP code via the calpath parameter.20050531 multiple vulnerability Calendarix Advanced1014083Multiple SQL injection vulnerabilities in Calendarix Advanced 1.5 allow remote attackers to execute arbitrary SQL commands via the catview parameter to (1) cal_week.php, (2) cal_cat.php, or (3) cal_day.php, or (4) id parameter to cal_pophols.php.20050531 multiple vulnerability Calendarix Advanced16971169721697416975101408315569Cross-site scripting (XSS) vulnerability in calendar.php in Calendarix Advanced 1.5 allows remote attackers to inject arbitrary web script or HTML via the year parameter.20050531 multiple vulnerability Calendarix Advanced169731014083Symantec Brightmail AntiSpam before 6.0.2 has a hard-coded database administrator password, which allows remote attackers to gain privileges.http://securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.htmlADV-2005-067115562brightmail-static-database-security-bypass(20804)1014088I-Man 0.9, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by uploading a file attachment with a .php extension.http://sourceforge.net/project/shownotes.php?release_id=33142215558iman-file-upload(20857)PHP remote file inclusion vulnerability in start_lobby.php in MWChat 6.x allows remote attackers to execute arbitrary PHP code via the CONFIG[MWCHAT_Libs] parameter.http://www.defacers.com.mx/advisories/4.txthttp://www.appindex.net17087101409015596PHP remote file inclusion vulnerability in childwindow.inc.php in Popper 1.41-r2 and earlier allows remote attackers to execute arbitrary PHP code via the form parameter.http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07170851558420050604 LSS.hr false positives.20050606 Popper webmail remote code execution vulnerability - advisory fix101411620050605 Re: LSS.hr false positives. (correction)Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly."20050603 [DRUPAL-SA-2005-001] New Drupal release fixes critical security issue20050603 [DRUPAL-SA-2005-001] New Drupal release fixes critical security issue1702815372Buffer overflow in the administrative console in IBM WebSphere Application Server 5.x, when the global security option is enabled, allows remote attackers to execute arbitrary code.20050607 [AppSecInc Advisory WEBSP05-V0098] Remote Buffer overflow in WebSphere Application Server Administrative Consolehttp://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.htmlhttp://www-1.ibm.com/support/docview.wss?rs=180&uid=swg240097751704115598Multiple buffer overflows in Crob FTP 3.6.1, and possibly earlier versions, allow remote attackers to execute arbitrary code via (1) an FTP command with a large string followed by the RMD command with a long string or (2) a globbing ("*") character followed by a long string.20050606 Crob FTP Server remote buffer overflowsCrob FTP Server Buffer Overflow Vulnerabilities 15585Directory traversal vulnerability in Dzip before 2.9 allows remote attackers to create arbitrary files via a filename containing a .. (dot dot) in a .dz archive.http://bugs.gentoo.org/show_bug.cgi?id=93079GLSA-200506-03ADV-2005-06921559915614Multiple SQL injection vulnerabilities in list.php in Exhibit Engine (EE) 1.22 allow remote attackers to execute arbitrary SQL commands via the (1) search_row, (2) sort_row, (3) order or (4) perpage parameter.20050602 SEC-CONSULT SA20050602-2 :: Exhibit Engine Blind SQL Injectionhttp://photography-on-the.net/forum/showthread.php?p=579692138441700615583Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file.20050602 PHP Execution Vulnerability in CuteNews1703015594Cross-site scripting (XSS) vulnerability in view_ticket.php in Lpanel 1.59 and earlier allows remote attackers to inject arbitrary web script or HTML and obtain sensitive information via the pid parameter.20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection.1386915589GIPTables Firewall 1.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on the temp.ip.addresses temporary file.20050606 GIPTables Firewall <= v1.1 insecure temporary file creationhttp://www.zataz.net/adviso/giptables-05222005.txt156041014109LutelWall 0.97 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file created by a system call to wget.20050606 LutelWall <= 0.97 insecure temporary file creationhttp://www.zataz.net/adviso/lutelwall-05222005.txt138631014112http://firewall.lutel.pl/download/0.98/ChangeLogGLSA-200506-101564715665everybuddy 0.4.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file created by a system call to wget.20050606 everybuddy <= 0.4.3 insecure temporary file creationhttp://www.zataz.net/adviso/everybuddy-06062005.txthttp://bugs.gentoo.org/show_bug.cgi?id=94473138651014110upload.php in YaPiG 0.92b, 0.93u and 0.94u does not properly restrict the file extension for uploaded image files, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code.http://secwatch.org/advisories/secwatch/20050530_yapig.txt17115156001014103PHP remote file inclusion vulnerability in last_gallery.php in YaPiG 0.93u and 0.94u allows remote attackers to execute arbitrary PHP code via the YAPIG_PATH parameter.http://secwatch.org/advisories/secwatch/20050530_yapig.txt17117156001014103global.php in YaPiG 0.92b allows remote attackers to include arbitrary local files via the BASE_DIR parameter.http://secwatch.org/advisories/secwatch/20050530_yapig.txt17116156001014103Directory traversal vulnerability in the (1) rmdir or (2) mkdir commands in upload.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to create or delete arbitrary directories via a .. (dot dot) in the dir parameter.http://secwatch.org/advisories/secwatch/20050530_yapig.txt1387717120156001014103view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to obtain sensitive information via a phid parameter that is not an integer, which reveals the path in an error message.http://secwatch.org/advisories/secwatch/20050530_yapig.txt17119156001014103Cross-site scripting (XSS) vulnerability in view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to inject arbitrary web script or HTML via (1) the phid parameter or (2) unknown parameters when posting a new comment.http://secwatch.org/advisories/secwatch/20050530_yapig.txt138751387617118156001014103Unknown vulnerability in the Sun Solaris C library (libc and libproject) in Solaris 10 allows local users to gain privileges.101740ADV-2005-06901709915613solaris-clibrary-libproject-gain-privileges(20874)Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 allows remote attackers to inject arbitrary web script via HTML attributes in page templates.http://sourceforge.net/project/shownotes.php?release_id=33223113861SUSE-SR:2005:019Unknown vulnerability in Sun ONE Application Server 6.5 SP1 Maintenance Update 6 and earlier allows attackers to read files.101690ADV-2005-0695Unknown vulnerability in Mortiforo before 0.9.1 allows users to access private forums via unknown attack vectors.http://sourceforge.net/project/shownotes.php?release_id=3328071014120The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable.20050607 AOL AIM Instant Messenger Buddy Icon 20050607 Re: AOL AIM Instant Messenger Buddy Icon 138801014145FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message.http://secwatch.org/advisories/secwatch/20050604_flatnuke.txthttp://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256ADV-2005-0697156031014114FlatNuke 2.5.3 allows remote attackers to obtain sensitive information via invalid parameters to certain scripts, which leaks the web document root in an error message.http://secwatch.org/advisories/secwatch/20050604_flatnuke.txthttp://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256ADV-2005-0697156031014114Direct code injection vulnerability in FlatNuke 2.5.3 allows remote attackers to execute arbitrary PHP code by placing the code into the Referer header of an HTTP request, which causes the code to be injected into referer.php, which can then be accessed by the attacker.1014114http://secwatch.org/advisories/secwatch/20050604_flatnuke.txthttp://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256ADV-2005-069715603Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the border or back parameters to (1) help.php or (2) footer.php.http://secwatch.org/advisories/secwatch/20050604_flatnuke.txthttp://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256ADV-2005-0697156031014114Directory traversal vulnerability in thumb.php in FlatNuke 2.5.3 allows remote attackers to read arbitrary images or obtain the installation path via the image parameter.http://secwatch.org/advisories/secwatch/20050604_flatnuke.txthttp://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256ADV-2005-0697156031014114Unknown vulnerability in FlexCast Audio Video Streaming Server before 2.0 has unknown impact and attack vectors.15441The passthrough functionality in phpThumb.php in phpThumb() before 1.5.4 allows remote attackers to read files that are not images.http://sourceforge.net/project/shownotes.php?release_id=3304691384215534Rakkarsoft RakNet network library 2.33 and earlier, when released before 30 May 2005, and as used in multiple products including nFusion Elite Warriors: Vietnam, allows remote attackers to cause a denial of service (infinite loop) via a zero-byte UDP packet.1386210141111559720050605 Server termination in Raknet 2.33 (before 30 May 2005)Sawmill before 7.1.6 allows remote attackers to bypass authentication and (1) gain administrative privileges or (2) add a license.http://www.sawmill.net/version_history7.html171001710115499sawmill-unknown-gain-access(20879)sawmill-unknown-add-license(20880)http://www.networksecurity.fi/advisories/sawmill-admin.html1014106Multiple cross-site scripting (XSS) vulnerabilities in Sawmill before 7.1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the username in the Add User window or (2) the license key in the Licensing page.http://www.sawmill.net/version_history7.html171021710315499sawmill-add-user-xss(20881)http://www.networksecurity.fi/advisories/sawmill-admin.html1014106Directory traversal vulnerability in the IMAP service for SPA-PRO Mail @Solomon 4.00 allows remote authenticated users to read other users' mail and perform operations on arbitrary directories via .. sequences in the (1) SELECT, (2) CREATE, (3) DELETE, and (4) RENAME commands.http://www.security.org.sg/vuln/spa-promail4.htmlADV-2005-06801698915573spa-pro-imap-diectory-traversal(20860)1014095Buffer overflow in the IMAP service for SPA-PRO Mail @Solomon 4.00 allows remote authenticated users to execute arbitrary code via a long CREATE command.http://www.security.org.sg/vuln/spa-promail4.htmlADV-2005-06801699015573spa-pro-create-bo(20862)1014095SQL injection vulnerability in login.asp in JiRo's Upload System (JUS) 1 allows remote attackers to execute arbitrary SQL commands via the password parameter.http://www.under9round.com/jus.txt16969155641014086The klif.sys driver in Kaspersky Labs Anti-Virus 5.0.227, 5.0.228, and 5.0.335 on Windows 2000 allows local users to gain privileges by modifying certain critical code addresses that are later accessed by privileged programs.20050607 Kaspersky AntiVirus 1387820050607 Kaspersky AntiVirus 'klif.sys' Privilege Escalation Vulnerability20050607 Kaspersky AntiVirus 'klif.sys' Privilege Escalation VulnerabilitySQL injection vulnerability in login.asp in livingmailing 1.3 allows remote attackers to execute arbitrary SQL commands via the password. NOTE: there is little public information about this product and its vendor, and the original researcher announcement is no longer available.ADV-2005-06781014087The ISA Firewall service in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (Wspsrv.exe crash) via a large amount of SecureNAT network traffic.894864http://www.networksecurity.fi/advisories/windows-isa-firewall.htmlhttp://www.niscc.gov.uk/niscc/docs/br-20050602-00456.html?lang=en13846170311014113Perception LiteWeb allows remote attackers to bypass access controls for files via an extra leading / (slash) or leading \ (backslash) in the URL.17084101409615592The web server control panel in 602LAN SUITE 2004 allows remote attackers to make it more difficult for the administrator to read portions of log files via a "</pre><!-" sequence in an HTTP GET request in the logon, possibly due to a cross-site scripting (XSS) vulnerability.http://rgod.altervista.org/602_en.html1014105SQL injection vulnerability in login.asp for WWWeb Concepts Events System 1.0 allows remote attackers to execute arbitrary SQL commands via the password.http://www.under9round.com/wecs.txt101410415595The fetchnews NNTP client in leafnode 1.11.2 and earlier can hang while waiting for input that never arrives, which allows remote NNTP servers to cause a denial of service (news loss).http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1841. Reason: This candidate is a duplicate of CVE-2005-1841. Notes: this duplicate occurred as a result of separate assignments by multiple CNAs, one to the researcher and one to the vendor. All CVE users should reference CVE-2005-1841 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist.USN-178-11405415786kernel-subthread-dos(21138)CenterICQ 4.20.0 and earlier creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack on the gg.token.PID temporary file.http://www.zataz.net/adviso/centericq-06152005.txtDSA-75414144The log4sh_readProperties function in log4sh 1.2.5 and earlier allows local users to overwrite arbitrary files via a symlink attack on predictable log4sh.$$ filenames.14140ADV-2005-09571589920050704 log4sh insecure temporary file creation20050705 log4sh insecure temporary file creationlinki.py in ekg 2005-06-05 and earlier allows local users to overwrite or create arbitrary files via a symlink attack on temporary files.20050705 ekg insecure temporary file creation and arbitrary code executionhttp://www.zataz.net/adviso/ekg-06062005.txtDSA-76020050721 Multiple vulnerabilities in libgadu and ekg packagekpopper 1.0 and earlier allows local users to create and overwrite arbitrary files via a symlink attack on the .popper-new temporary file.http://www.zataz.net/adviso/kpopper-06152005.txtThe original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/".RHSA-2006:0195583410156551898820060301-01-USUSE-SR:2006:0051913019183FLSA:183571-120397** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.The (1) Kate and (2) Kwrite applications in KDE KDE 3.2.x through 3.4.0 do not properly set the same permissions on the backup file as were set on the original file, which could allow local users and possibly remote attackers to obtain sensitive information.20050718 [KDE Security Advisory]: Kate backup file permission leakhttp://www.kde.org/info/security/advisory-20050718-1.txtDSA-80414297101451216099RHSA-2005:612FLSA:178606SUSE-SR:2005:018GLSA-200611-2123099Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement.20050629 Advisory 02/2005: Remote code execution in Serendipityhttp://pear.php.net/package/XML_RPC/download/1.3.1http://www.gulftech.org/?node=research&article_id=00087-07012005http://www.hardened-php.net/advisory-022005.phpMDKSA-2005:109http://sourceforge.net/project/shownotes.php?release_id=338803DSA-745DSA-747GLSA-200507-01GLSA-200507-06GLSA-200507-07http://www.drupal.org/security/drupal-sa-2005-003/advisory.txthttp://sourceforge.net/project/showfiles.php?group_id=87163http://www.ampache.org/announce/3_3_1_2.php158521587215944159471595716001OVAL350DSA-789HPSBTU0208314088101533618003158101585515861158831588415895159031590415916159171592216339166931744017674ADV-2005-2827DSA-746RHSA-2005:564SUSE-SA:2005:05120050629 [DRUPAL-SA-2005-003] Drupal 4.6.2 / 4.5.4 fixes critical XML-RPC issueSUSE-SA:2005:041SUSE-SA:2005:049SUSE-SR:2005:018oval:org.mitre.oval:def:350The MS-Expand file handling in Clam AntiVirus (ClamAV) before 0.86 allows remote attackers to cause a denial of service (file descriptor and memory consumption) via a crafted file that causes repeated errors in the cli_msexpand function.20050629 Clam AntiVirus ClamAV MS-Expand File Handling DoS Vulnerabilityhttp://sourceforge.net/project/shownotes.php?release_id=336462DSA-737The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) 0.83, and other versions vefore 0.86, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff, which causes a zero-length read.20050629 Clam AntiVirus ClamAV Cabinet File Handling DoS VulnerabilityDSA-737The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636.20070711 SquirrelMail G/PGP Plugin deleteKey() Command Injection Vulnerability20070711 SquirrelMail G/PGP Plugin gpg_recv_key() Command Injection Vulnerability20070711 SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability417320070711 True: SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln24874ADV-2007-251326035GLSA-200708-0826424squirrelmail-gpgp-keyring-command-execution(35355)squirrelmail-gpgp-keyfunc-command-execution(35364)Multiple directory traversal vulnerabilities in Tikiwiki before 1.9.1 allow remote attackers to read arbitrary files and execute commands via (1) the suck_url parameter to tiki-editpage.php or (2) language parameter to tiki-user_preferences.php.20051110 Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability20051110 Tikiwiki tiki-user_preferences Command Injection Vulnerability10151901539015392tikiwiki-tikieditpage-directory-traversal(23095)tikiwiki-tikiuserpreferences-dir-traversal(23099)Trend Micro ServerProtect EarthAgent for Windows Management Console 5.58 and possibly earlier versions, when running with Trend Micro Control Manager 2.5 and 3.0, and Damage Cleanup Server 1.1, allows remote attackers to cause a denial of service (CPU consumption) via a flood of crafted packets with a certain "magic value" to port 5005, which also leads to a memory leak.20051214 Trend Micro ServerProtect EarthAgent Remote DoS Vulnerability15868ADV-2005-290710153581803821773259Multiple heap-based buffer overflows in (1) isaNVWRequest.dll and (2) relay.dll in Trend Micro ServerProtect Management Console 5.58 and earlier, as used in Control Manager 2.5 and 3.0 and Damage Cleanup Server 1.1, allow remote attackers to execute arbitrary code via "wrapped" length values in Chunked transfer requests. NOTE: the original report suggests that the relay.dll issue is related to a problem in which a Microsoft Foundation Classes (MFC) static library returns invalid values under heavy load. As such, this might not be a vulnerability in Trend Micro's product.20051214 Trend Micro ServerProtect isaNVWRequest.dll Chunked Overflow158651586620051214 Re: iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability20051214 Re: iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow VulnerabilityADV-2005-29071015358180382177121772256257Directory traversal vulnerability in the Crystal Report component (rptserver.asp) in Trend Micro ServerProtect Management Console 5.58, as used in Control Manager 2.5 and 3.0 and Damage Cleanup Server 1.1, and possibly earlier versions, allows remote attackers to read arbitrary files via the IMAGE parameter.20051214 Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure15867ADV-2005-290710153581803821770258GoodTech SMTP Server 5.14 allows remote attackers to cause a denial of service (application crash) via a RCPT TO command with an invalid argument, as demonstrated using an "A" character.20050607 Denial of Service vulnerability in GoodTech SMTP Server for Windows NT/2000/XP version 5.1415623Lpanel 1.59 and earlier, and other versions before 1.597, allows remote authenticated users to modify certain critical variables and (1) modify DNS settings for arbitrary domains via the domain parameter to diagnose.php, (2) close, open, or respond to arbitrary support tickets via the close, open, or pid parameter to view_ticket.php, (3) obtain sensitive information on arbitrary invoices via the inv parameter to viewreceipt.php, or (4) modify domain information for arbitrary domains via the editdomain parameter to domains.php.20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to close any support ticket within the system.20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to open any support ticket within the system.20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to reset the DNS information of any domain name managed by the system.20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to the unauthorized viewing of client invoice information.20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to unauthorized domain management access.20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to respond to any support ticket on the system.http://www.lpanel.net/changelog.php1386915589Dashboard in Apple Mac OS X Tiger 10.4 allows attackers to execute arbitrary commands by overriding the behavior of system widgets via a user widget with the same bundle identifier (CFBundleIdentifier), a different vulnerability than CVE-2005-1474.http://www1.cs.columbia.edu/~aaron/files/widgets/VU#983429Gaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error.http://sourceforge.net/tracker/index.php?func=detail&aid=1205290&group_id=235&atid=100235GLSA-200506-11MDKSA-2005:099DSA-734OVAL263FLSA:158543RHSA-2005:51813932SUSE-SA:2005:036oval:org.mitre.oval:def:263MDKSA-2005:099Heap-based buffer overflow in the BERDecBitString function in Microsoft ASN.1 library (MSASN1.DLL) allows remote attackers to execute arbitrary code via nested constructed bit strings, which leads to a realloc of a non-null pointer and causes the function to overwrite previously freed memory, as demonstrated using a SPNEGO token with a constructed bit string during HTTP authentication, and a different vulnerability than CVE-2003-0818. NOTE: the researcher has claimed that MS:MS04-007 fixes this issue.http://www.phreedom.org/solar/exploits/msasn1-bitstring/asn1-constructed-heap-overflow(20870)Unknown vulnerability in the web server for the ESS/ Network Controller for Xerox Document Centre 240 through 555 running System Software 27.18.017 and earlier allows attackers to "gain unauthorized access."http://www.xerox.com/downloads/usa/en/c/cert_XRX05_003.pdf12783ADV-2005-02551465914556xerox-document-security-bypass(19661)A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718.Mozilla / Mozilla Firefox Frame Injection Vulnerabilityhttp://secunia.com/multiple_browsers_frame_injection_vulnerability_test/https://bugzilla.mozilla.org/show_bug.cgi?id=296850http://www.mozilla.org/security/announce/mfsa2005-51.html14242ADV-2005-107515601DSA-777DSA-810FLSA:160202OVAL637OVAL759OVAL100007RHSA-2005:586RHSA-2005:587101952SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:637oval:org.mitre.oval:def:759oval:org.mitre.oval:def:100007** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1250. Reason: This candidate is a duplicate of CVE-2005-1250. Notes: this duplicate occurred as a result of multiple independent discoveries and insufficient coordination by the vendor and CNA. All CVE users should reference CVE-2005-1250 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Directory traversal vulnerability in Ipswitch WhatsUp Small Business 2004 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in a request to the Report service (TCP 8022).1529115500155001015141whatsup-smallbusiness-dotdot-traversal(22969)SilverCity before 0.9.5-r1 installs (1) cgi-styler-form.py, (2) cgi-styler.py, and (3) source2html.py with read and write world permissions, which allows local users to execute arbitrary code.GLSA-200506-05http://bugs.gentoo.org/show_bug.cgi?id=93558101415315632Cisco switches that support 802.1x security allow remote attackers to bypass port security and gain access to the VLAN via spoofed Cisco Discovery Protocol (CDP) messages.20050610 Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces Vulnerability Discovery: FishNet Securityhttp://www.fishnetsecurity.com/csirt/disclosure/cisco/Cisco+802.1x+Advisory.pdf20050608 Cisco 802.1x Voice-Enabled Interfaces Allow Anonymous Voice VLAN Access1014135cisco-callmanager-voice-gain-access(20939)20050608 Cisco 802.1x Voice-Enabled Interfaces Allow Anonymous Voice VLAN AccessMultiple SQL injection vulnerabilities in Loki download manager 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) password field to default.asp or (2) cat parameter to catinfo.asp.20050608 2 SQL injection in Loki download manager v2.01389813900101414715633xmysqladmin 1.0 and earlier allows local users to delete arbitrary files via a symlink attack on a database backup file in /tmp.20050609 xmysqladmin insecure temporary file creationhttp://bugs.gentoo.org/show_bug.cgi?id=93792156351014172Cross-site scripting (XSS) vulnerability in the convert_highlite_words function in Invision Blog before 1.1.2 Final allows remote attackers to inject arbitrary web script or HTML via double hex encoded highlight data.20050609 Invision Community Blog Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00078-0607200515626Multiple SQL injection vulnerabilities in Invision Blog before 1.1.2 Final allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to an editentry, replyentry, or editcomment action, or (2) the mid parameter to an aboutme action.20050609 Invision Community Blog Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00078-0607200515626Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions.20050609 Invision Gallery Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00079-06092005Multiple SQL injection vulnerabilities in Invision Gallery before 1.3.1 allow remote attackers to execute arbitrary SQL commands via (1) the comment parameter in an editcomment action or (2) the rating parameter when voting on a photo.20050609 Invision Gallery Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00079-0609200513907The eping_validaddr function in functions.php for the ePing plugin for e107 portal allows remote attackers to execute arbitrary commands via shell metacharacters after a valid argument to the eping_host parameter.20050609 Arbitrary code execution in eping plugin20050610 Re: Arbitrary code execution in eping pluginhttp://e107plugins.co.uk/news.php15678hints.pl in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument.20050609 Webhints v1.03 Remote Command Execution13930101417315652Multiple HTTP Response Splitting vulnerabilities in osCommerce 2.2 Milestone 2 and earlier allow remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences in the (1) products_id or (2) pid parameter to index.php or (3) goto parameter to banner.php.20050610 osCommere HTTP Response Splitting139791567020050616 RE: osCommere HTTP Response Splitting (Solution)Directory traversal vulnerability in Pico Server (pServ) 3.3 allows remote attackers to read arbitrary files and execute arbitrary commands via a /./ (slash dot slash) before each .. (dot dot) sequence in the URL, which results in an incorrect directory depth count.20050611 Multiple vulnerabilities in Pico Server (pServ) v3.3http://sourceforge.net/project/shownotes.php?group_id=59378&release_id=33403615663Heap-based buffer overflow in the CGI extension for Pico Server (pServ) 3.3 allows remote attackers to execute arbitrary code via a long HTTP request.20050611 Multiple vulnerabilities in Pico Server (pServ) v3.3http://sourceforge.net/project/shownotes.php?group_id=59378&release_id=33403615663singapore 0.9.11 allows remote attackers to obtain sensitive information via a direct request to (1) admin.class.php, (2) any .tpl.php file in templates/admin_default/, or (3) any .tpl.php file in templates/default/, which reveal the path in an error message.20050612 singapore v0.9.11 cross site scripting and path disclosure1014186Cross-site scripting (XSS) vulnerability in index.php in singapore 0.9.11 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter.20050612 singapore v0.9.11 cross site scripting and path disclosure139381014186File Upload Manager allows remote attackers to upload arbitrary files by modifying the test variable to contain a value of '~~~~~~' (six tildes), which bypasses the file extension checks.20050612 File Upload Manager Sploits20257mtnpeak.net File Upload Manager does not properly check user authentication for certain actions, which allows remote attackers to provide a modified base64-encoded file parameter and (1) read arbitrary files via the "view" action or (2) delete arbitrary files via the del action.20050612 File Upload Manager Sploits20050612 File Upload Manager Sploits2025820050615 Re: File Upload Manager Sploits17435** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1855. Reason: This candidate is a duplicate of CVE-2005-1855. Notes: All CVE users should reference CVE-2005-1855 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.jammail.pl in jamchen JamMail 1.8 allows remote attackers to execute arbitrary commands via shell metacharacters in the mail parameter.101417513937The getemails function in C.J. Steele Tattle allows remote attackers to execute arbitrary commands via shell metacharacters in certain log entries, as demonstrated using shell metacharacters in an FTP username.20050607 remote command execution in 'tattle'15582Unknown vulnerability in ObjectWeb Consortium C-JDBC before 1.3.1 allows local users to bypass intended access restrictions and obtain the cache results from another user.101411815627Cross-site scripting (XSS) vulnerability in Cerberus Helpdesk 0.97.3 allows remote attackers to inject arbitrary web script or HTML via the (1) errorcode parameter to index.php or (2) certain fields to clients.php.http://echo.or.id/adv/adv15-theday-2005.txthttp://forum.cerberusweb.com/showthread.php?threadid=5162&goto=newpost101412815641Cerberus Helpdesk 0.97.3 allows remote attackers to obtain sensitive information via certain requests to (1) reports.php, (2) knowledgebase.php, or (3) configuration.php, which leaks the information in a PHP error message.http://echo.or.id/adv/adv15-theday-2005.txthttp://forum.cerberusweb.com/showthread.php?threadid=5162&goto=newpost101412815641PHP remote file inclusion vulnerability in utilit.php for Ovidentia Portal allows remote attackers to execute arbitrary PHP code via the babInstallPath parameter.101414915658PHP remote file inclusion vulnerability in siteframe.php for Broadpool Siteframe allows remote attackers to execute arbitrary code via a URL in the LOCAL_PATH parameter.1392817246101415015657[Siteframe-Announce] 20060621 WARNING: Security Vulnerability identified in Siteframe 3.xsiteframe-localpath-file-include(20973)The eTrace_validaddr function in eTrace plugin for e107 portal allows remote attackers to execute arbitrary commands via shell metacharacters after a valid argument to the etrace_host parameter.20050610 Re: Arbitrary code execution in eping plugin13934Multiple SQL injection vulnerabilities in ProductCart Ecommerce before 2.7 allow remote attackers to execute arbitrary SQL commands via the (1) idcategory parameter to viewPrd.asp, (2) lid parameter to editCategories.asp, (3) icd parameter to modCustomCardPaymentOpt.asp, or (4) idccr parameter to OptionFieldsEdit.asp.http://echo.or.id/adv/adv16-theday-2005.txt1014129Cross-site scripting (XSS) vulnerability in ProductCart Ecommerce before 2.7 allows remote attackers to inject arbitrary web script or HTML via the error parameter to techErr.asp.http://echo.or.id/adv/adv16-theday-2005.txt1014129Cross-site scripting (XSS) vulnerability in Pragma Systems Telnetserver 6.0 allows remote attackers to inject arbitrary web script or HTML, and hide activities in log files, via a "<!--" (HTML comment) in a session.http://www.rgod.altervista.org/pragma.html101412715642Symantec pcAnywhere 10.5x and 11.x before 11.5, with "Launch with Windows" enabled, allows local users with physical access to execute arbitrary commands via the Caller Properties feature.http://securityresponse.symantec.com/avcenter/security/Content/2005.06.10.html13933101417815673Directory traversal vulnerability in InteractivePHP FusionBB .11 Beta and earlier allows remote attackers to include arbitrary local files via ".." sequences in the language parameter.http://www.gulftech.org/?node=research&article_id=00081-06132005http://www.interactivephp.com/misc/CHANGELOG.htmlMultiple SQL injection vulnerabilities in InteractivePHP FusionBB .11 Beta and earlier allow remote attackers to execute arbitrary SQL commands via (1) the username, which is not properly handled by the insertUser function, or (2) the bb_session_id value in a cookie.http://www.gulftech.org/?node=research&article_id=00081-06132005http://www.interactivephp.com/misc/CHANGELOG.htmlJava Web Start in Java 2 Platform Standard Edition (J2SE) 5.0 and 5.0 Update 1 allows applications to assign permissions to themselves and gain privileges.10174813958HPSBUX012141394561Unspecified vulnerability in Java 2 Platform, Standard Edition (J2SE) 5.0 and 5.0 Update 1 and J2SE 1.4.2 up to 1.4.2_07, as used in multiple products and platforms including (1) HP-UX and (2) APC PowerChute, allows applications to assign permissions to themselves and gain privileges.101749ADV-2005-215017272139581015643HPSBUX01215HPSBMA01234101799SUSE-SA:2005:03256Multiple cross-site scripting (XSS) vulnerabilities in Annuaire 1Two 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter to index.php, or the (2) site_id, (3) nom, (4) email, or (5) commentaire parameters in commentaires.php.1014187http://www.hackisknowledge.org/Advisories/Annuaire%201Two%20v1.0/Annuaire%201Two%20v1.0.html13960136121396115708Novell NetMail 3.5.2a, 3.5.2b, and 3.5.2c, when running on Linux, sets the owner and group ID to 500 for certain files, which could allow users or groups with that ID to execute arbitrary code or cause a denial of service by modifying those files.1400517456101425115763COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code.MS05-051TA05-284AVU#950516OVAL1261OVAL1269OVAL1466OVAL1499OVAL576OVAL8161505717161171721722317509oval:org.mitre.oval:def:1261oval:org.mitre.oval:def:1269oval:org.mitre.oval:def:1466oval:org.mitre.oval:def:1499oval:org.mitre.oval:def:576oval:org.mitre.oval:def:816Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality.20051011 Microsoft Distributed Transaction Controller TIP DoS VulnerabilityMS05-051OVAL1134OVAL1283OVAL1338OVAL1513OVAL1550OVAL68615058101503717161171721722317509oval:org.mitre.oval:def:1134oval:org.mitre.oval:def:1283oval:org.mitre.oval:def:1338oval:org.mitre.oval:def:1513oval:org.mitre.oval:def:1550oval:org.mitre.oval:def:686Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability."20051011 Microsoft Distributed Transaction Controller Packet Relay DoS VulnerabilityMS05-051OVAL1136OVAL1182OVAL1203OVAL1253OVAL1325OVAL141315059101503717161171721722317509oval:org.mitre.oval:def:1136oval:org.mitre.oval:def:1182oval:org.mitre.oval:def:1203oval:org.mitre.oval:def:1253oval:org.mitre.oval:def:1325oval:org.mitre.oval:def:1413Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message.MS05-042TA05-221A16368OVAL100095OVAL100097OVAL100099OVAL100101OVAL100103OVAL100105VU#6101331014642oval:org.mitre.oval:def:100095oval:org.mitre.oval:def:100097oval:org.mitre.oval:def:100099oval:org.mitre.oval:def:100101oval:org.mitre.oval:def:100103oval:org.mitre.oval:def:100105Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used.MS05-042TA05-221A16368OVAL100096OVAL100098OVAL100100OVAL100102OVAL100104OVAL100106VU#477341145201014642oval:org.mitre.oval:def:100096oval:org.mitre.oval:def:100098oval:org.mitre.oval:def:100100oval:org.mitre.oval:def:100102oval:org.mitre.oval:def:100104oval:org.mitre.oval:def:100106Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm.MS05-039TA05-221A20050809 Windows Plug and Play Remote CompromiseVU#998653P-266http://www.securiteam.com/windowsntfocus/5YP0E00GKW.htmlhttp://www.frsirt.com/english/alerts/20050814.ZotobA.php20050811 Windows 2000 universal exploit for MS05-03914513ADV-2005-135416372101464018605win-plugandplay-bo(21602)http://www.hsc.fr/ressources/presentations/null_sessions/OVAL100073oval:org.mitre.oval:def:100073oval:org.mitre.oval:def:160oval:org.mitre.oval:def:267oval:org.mitre.oval:def:474oval:org.mitre.oval:def:497oval:org.mitre.oval:def:783Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message.MS05-043TA05-221A16356VU#220821OVAL100077OVAL1045OVAL1405145141014638oval:org.mitre.oval:def:100077oval:org.mitre.oval:def:1045oval:org.mitre.oval:def:1405oval:org.mitre.oval:def:256The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages.MS05-046OVAL1106OVAL1210OVAL1536OVAL1544OVAL9101015041150661716519922win-csnw-bo(21700)oval:org.mitre.oval:def:1106oval:org.mitre.oval:def:1210oval:org.mitre.oval:def:1536oval:org.mitre.oval:def:1544oval:org.mitre.oval:def:910Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string.MS05-048TA05-284AVU#88346020051012 [SEC-1 Advisory] Collaboration Data Objects Buffer Overflow VulnerabilityOVAL1130OVAL1201OVAL1406OVAL1420OVAL1515OVAL581OVAL84810150381015039150671716720051012 [SEC-1 Advisory] Collaboration Data Objects Buffer Overflow VulnerabilityQ90724519905win-cdo-bo(22495)oval:org.mitre.oval:def:1130oval:org.mitre.oval:def:1201oval:org.mitre.oval:def:1406oval:org.mitre.oval:def:1420oval:org.mitre.oval:def:1515oval:org.mitre.oval:def:581oval:org.mitre.oval:def:848Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability".MS05-038TA05-221AVU#96520616373ADV-2005-1353OVAL1140OVAL1216OVAL1335OVAL390oval:org.mitre.oval:def:1140oval:org.mitre.oval:def:1216oval:org.mitre.oval:def:1335oval:org.mitre.oval:def:390Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability".MS05-038TA05-221A16373ADV-2005-1353OVAL100081OVAL100082OVAL1319OVAL697OVAL790OVAL88814512oval:org.mitre.oval:def:100081oval:org.mitre.oval:def:100082oval:org.mitre.oval:def:1319oval:org.mitre.oval:def:697oval:org.mitre.oval:def:790oval:org.mitre.oval:def:888Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087.MS05-038TA05-221A16373VU#959049ADV-2005-1353OVAL1061OVAL1221OVAL1235OVAL1337145111014643oval:org.mitre.oval:def:1061oval:org.mitre.oval:def:1221oval:org.mitre.oval:def:1235oval:org.mitre.oval:def:1337oval:org.mitre.oval:def:100082The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands.http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064DSA-748APPLE-SA-2005-09-22ESB-2005.0732P-31216920VU#684913RHSA-2005:543SUSE-SR:2005:018Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack.20050620 Sudo version 1.6.8p9 now available, fixes security issue.https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=16111613993http://www.sudo.ws/sudo/alerts/path_race.htmlDSA-735RHSA-2005:535OVAL1242APPLE-SA-2005-11-29156471574417813ADV-2005-0821ADV-2005-265917396sudo-pathname-race-condition(21080)FLSA:162750SUSE-SA:2005:036oval:org.mitre.oval:def:1242Finjan SurfinGate 7.0SP2 and SP3 allows remote attackers to download blocked files via hex-encoded characters in a filename, as demonstrated using "%2e".20050614 URL-Encoding Problem in Finjan SurfinGateADV-2005-07781732415711finjan-surfingate-security-bypass(21010)Bitrix Site Manager 4.0.x allows remote attackers to obtain sensitive information via direct request to (1) subscr_form.php or (2) dbquery_error.php, which reveals the path in an error message.20050615 Vulnerability: Bitrix Web Server Paths1734817376bitrix-site-path-disclosure(21019)PHP remote file inclusion vulnerability in start.php in Bitrix Site Manager 4.0.x allows remote attackers to execute arbitrary PHP code via the _SERVER[DOCUMENT_ROOT] parameter.20050615 Vulnerability: Bitrix Php inclusionhttp://www.bitrixsoft.com/support/forum/read.php?FID=10&TID=1872http://www.bitrixsoft.com/sitemanager/versions.php?module=mainADV-2005-07791734115726bitrix-serverdocumentroot-file-include(21018)13965show.php in McGallery 1.1 allows remote attackers to connect to arbitrary databases, or gain sensitive information by triggering an error, via a modified host parameter.20050615 Vulnerability: McGallery v 1.1 Mysql DB including17344157271014215Directory traversal vulnerability in admin.php in McGallery 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter.20050615 Vulnerability: McGallery v 1.1 files reading on disk1734315727139631014215Multiple cross-site scripting (XSS) vulnerabilities in pafiledb.php in paFileDB 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sortby or (2) filelist parameters to the category action (category.php), or (3) pages parameter in the viewall action (viewall.php).20050615 Multiple paFileDB Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00082-06142005http://www.phparena.net/http://www.phparena.net/pafiledb_patch/Multiple SQL injection vulnerabilities in paFileDB 3.1 and earlier allow remote attackers to execute arbitrary SQL commands via the formname parameter (1) in the login form, (2) in the team login form, or (3) to auth.php, (4) select, (5) id, or (6) query parameter to pafiledb.php, or (7) string parameter to search.php.20050615 Multiple paFileDB Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00082-06142005http://www.phparena.net/http://www.phparena.net/pafiledb_patch/Directory traversal vulnerability in pafiledb.php in paFileDB 3.1 and earlier allows remote attackers to include arbitrary files via a .. (dot dot) in the action parameter.20050615 Multiple paFileDB Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00082-06142005http://www.phparena.net/http://www.phparena.net/pafiledb_patch/SQL injection vulnerability in content.php in Mambo 4.5.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user_rating parameter.20050615 Mambo 4.5.2.2 SQL Injection in UPDATE statementhttp://mamboforge.net/frs/download.php/6153/CHANGELOG1732315710139661014222Ultimate PHP Board (UPB) 1.9.6 GOLD allows remote attackers to obtain sensitive information via an invalid (zero) id parameter to (1) viewtopic.php, (2) profile.php, or (3) newpost.php, which reveals the path in an error message.20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD15732Multiple cross-site scripting vulnerabilities in Ultimate PHP Board (UPB) 1.9.6 GOLD and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ref parameter to login.php, (2) id or (3) page parameter to viewtopic.php, id parameter to (4) profile.php, (5) newpost.php, (6) email.php, (7) icq.php, or (8) aol.php, (9) t_id parameter to newpost.php, (10) ref parameter to getpass.php, or (11) sText parameter to search.php.20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD15732Ultimate PHP Board (UPB) 1.9.6 GOLD and earlier stores the users.dat file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information on registered users via a direct request to db/users.dat.20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD15732JBOSS 3.2.2 through 3.2.7 and 4.0.2 allows remote attackers to obtain sensitive information via a GET request (1) with a "%." (percent dot), which reveals the installation path or (2) with a % (percent) before a filename, which reveals the contents of the file.20050617 JBOSS 3.2.2-3.2.7 / 4.0.2 installation path disclosure / config disclosure / version fingerprintingADV-2005-08151574617559HPSBMA0209613985ADV-2006-049710156051878920060720 Cisco MARS < 4.2.1 remote compromise20060720 Cisco MARS < 4.2.1 remote compromise439Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in the id parameter to the (1) upload or (2) attachment scripts.20050619 Advisory 01/2005: Fileupload/download vulnerability in Trachttp://www.hardened-php.net/advisory-012005.phphttp://svn.edgewall.com/repos/trac/tags/trac-0.8.4/ChangeLog15752Yaws Webserver 1.55 and earlier allows remote attackers to obtain the source code for yaws scripts via a request to a yaw script with a trailing %00 (null).20050617 Source Code Disclosure in Yaws Webserver <1.56http://yaws.hyber.org/yaws-1.55_to_1.56.patch1737515740Multiple SQL injection vulnerabilities in Ublog Reload 1.0.5 allow remote attackers to execute arbitrary SQL commands via the (1) ci, (2) d, or (3) m parameter to index.asp, or the (4) bi parameter to blog_comment.asp.20050620 [ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5http://echo.or.id/adv/adv18-theday-2005.txtADV-2005-0818Cross-site scripting (XSS) vulnerability in trackback.asp in Ublog Reload 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the btitle parameter.20050620 [ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5http://echo.or.id/adv/adv18-theday-2005.txtADV-2005-081813994Multiple cross-site scripting (XSS) vulnerabilities in paFAQ 1.0 Beta 4 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the id parameter in a Question action.20050620 paFaq Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00083-06202005Multiple SQL injection vulnerabilities in login in paFAQ 1.0 Beta 4 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username or (2) id parameters.20050620 paFaq Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00083-06202005paFAQ 1.0 Beta 4 allows remote attackers to obtain sensitive information via a direct request to admin/backup.php, which contains a backup of the database including usernames and passwords.20050620 paFaq Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00083-06202005The "upload a language pack" feature in paFAQ 1.0 Beta 4 allows remote authenticated administrators to execute arbitrary PHP commands by uploading a malicious language pack.20050620 paFaq Multiple VulnerabilitiesSymantec AntiVirus 9 Corporate Edition allows local users to gain privileges via the "Scan for viruses" option, which launches a help window with raised privileges, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2002-1540.20050829 Symantec AntiVirus 9 Corporate Edition Local Privilege Escalation VulnerabilitySYM05-012 ipfw in FreeBSD 5.4, when running on Symmetric Multi-Processor (SMP) or Uni Processor (UP) systems with the PREEMPTION kernel option enabled, does not sufficiently lock certain resources while performing table lookups, which can cause the cache results to be corrupted during multiple concurrent lookups, allowing remote attackers to bypass intended access restrictions.FreeBSD-SA-05:13Directory traversal vulnerability in the web server for 3Com Network Supervisor 5.0.2 allows remote attackers to read arbitrary files via ".." sequences in the URL to TCP port 21700.20050902 3Com Network Supervisor Directory Traversal VulnerabilityADV-2005-1611101483616639Cross-site scripting (XSS) vulnerability in cPanel 9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the user parameter in the login page.13996Unknown vulnerability in Webmail in iPlanet Messaging Server 5.2 Patch 1 and Sun ONE Messaging Server 6.2 allows remote attackers to execute arbitrary Javascript, possibly due to a cross-site scripting (XSS) vulnerability.101770ADV-2005-0816The send_pinentry_environment function in asshelp.c in gpg2 on SUSE Linux 9.3 does not properly handle certain options, which can prevent pinentry from being found and causes S/MIME signing to fail.SUSE-SR:2005:016GnuPG S/MIME Signing Unspecified Vulnerability[gpa-dev] 20050531 S/MIME signing fails on a SUSE 9.3 system[gpa-dev] 20050603 Re: S/MIME signing fails on a SUSE 9.3 systemVipul Razor Agents (razor-agents) before 2.70 allows remote attackers to cause a denial of service via (1) certain "unusual HTML messages" or (2) "certain malformed headers" such as Content-Type.http://sourceforge.net/mailarchive/forum.php?thread_id=7520323&forum_id=4259http://bugs.gentoo.org/show_bug.cgi?id=95492GLSA-200506-1713984DSA-738SUSE-SA:2005:035Cisco VPN 3000 Concentrator before 4.1.7.F allows remote attackers to determine valid groupnames by sending an IKE Aggressive Mode packet with the groupname in the ID field, which generates a response if the groupname is valid, but does not generate a response for an invalid groupname.http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm13992ADV-2005-0822Enterasys Vertical Horizon VH-2402S before firmware 2.05.05.09 has a hard-coded account and password for debugging, which allows remote attackers to gain privileges.http://www.enterasys.com/support/relnotes/VH-4802-2050509-patch-rel.pdf15757Enterasys Vertical Horizon VH-2402S before firmware 2.05.05.09 does not properly restrict certain debugging commands to the ADMIN account, which could allow attackers to obtain sensitive information or modify the registry.http://www.enterasys.com/support/relnotes/VH-4802-2050509-patch-rel.pdf15757SQL injection vulnerability in index.php for MercuryBoard 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header.20050621 MercuryBoard 1.1.4 SQL Injection14015amaroK Web Frontend 1.3 stores the globals.inc file under the web root without a .php extension and insufficient access control, which allows remote attackers to obtain the database username and password via a direct request to the file.http://sourceforge.net/project/shownotes.php?release_id=33571915736Ultimate PHP Board (UPB) 1.9.6 GOLD uses weak encryption for passwords in the users.dat file, which allows attackers to easily decrypt the passwords and gain privileges, possibly after exploiting CVE-2005-2005 to obtain users.dat.20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD13975Multiple SQL injection vulnerabilities in socialMPN allow remote attackers to execute arbitrary SQL commands via (1) the sid parameter to article.php, (2) uname parameter to user.php, (3) siteid parameter to viewforum.php, (4) username parameter to newtopic.php, the (5) secid or (6) artid parameter to sections.php, (7) siteid parameter to index.php, or (8) sid parameter to friend.php.1014214Unknown vulnerability in lpadmin on Sun Solaris 7, 8, and 9 allows local users to overwrite arbitrary files.10176815723139681014218Directory traversal vulnerability in folderview.asp for Blue-Collar Productions i-Gallery 3.3 allows remote attackers to read arbitrary files and directories via the folder parameter.20050620 [Hat-Squad] i-Gallery directory traversal14000ADV-2005-0825Cross-site scripting (XSS) vulnerability in folderview.asp for BlueCollar iGallery 3.3 allows remote attackers to inject arbitrary web script or HTML via the folder parameter.20050620 [Hat-Squad] i-Gallery directory traversal14000ADV-2005-0825SQL injection vulnerability in login.asp for Cool Cafe (Cool Caf&#xe9;) Chat 1.2.1 allows remote attackers to execute arbitrary SQL commands via the password.20050616 CoolCafe Chat SQL injectionhttp://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt101422117349modifyUser.asp in Cool Cafe (Cool Caf&#xe9;) Chat 1.2.1 allows remote attackers to obtain the administrator password and email address via a modified nickname value.20050616 CoolCafe Chat SQL injectionhttp://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt17350Multiple SQL injection vulnerabilities in Fortibus CMS 4.0.0 allow remote attackers to execute arbitrary SQL commands via (1) the username or password to logon.asp, (2) WeeklyNotesDisplay.asp, or (3) the Search page.ADV-2005-0827101424215762Fortibus CMS 4.0.0 allows remote attackers to modify information of other users, including Admin, via the "My info" page.1014242Unknown vulnerability in "various plugins" for NanoBlogger 3.2.1 and earlier allows remote attackers to execute arbitrary commands.http://nanoblogger.sourceforge.net/downloads/nanoblogger-3.2.3.tar.gz1739215754Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5 may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2005-0468 and CVE-2005-0469.http://www.pdc.kth.se/heimdal/advisory/2005-06-20/15718DSA-758GLSA-200506-24SUSE-SA:2005:040Buffer overflow in addschup in HAURI ViRobot 2.0, and possibly other products, allows remote attackers to execute arbitrary code via a long ViRobot_ID cookie (HTTP_COOKIE).http://www.securiteam.com/exploits/5TP0C1FG1I.htmlhttp://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt1570020050615 DMA[2005-0614a] - 'Global Hauri ViRobot Server cookie overflow'1296417320virobot-addschup-bo(21000)Cross-site scripting (XSS) vulnerability in ajax-spell before 1.8 allows remote attackers to inject arbitrary web script or HTML via onmouseover or other events in HTML tags.http://sourceforge.net/project/shownotes.php?release_id=335556http://www.broken-notebook.com/spell_checker/index.php1398615737Directory traversal vulnerability in XAMPP before 1.4.14 allows remote attackers to inject arbitrary HTML and PHP code via lang.php.http://sourceforge.net/project/shownotes.php?release_id=3357101398315735Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter to inbox/send_message.php, the (5) search, (6) words, (7) include, (8) find_in, (9) display_as, or (10) search parameter to search.php, the (11) submit, (12) query, or (13) field parameter to tile.php, the (14) us parameter to forum/subscribe_forum.php, or the (15) roles[], (16) status, (17) submit, or (18) reset_filter parameters to directory.php.http://lostmon.blogspot.com/2005/06/atutor-multiple-variable-cross-site.html139721735117352173531735417355173561735717358173591014216Multiple SQL injection vulnerabilities in DUware DUportal PRO 3.4.3 allow remote attackers to execute arbitrary SQL commands via the (1) iChannel parameter to default.asp, (2) iData parameter to detail.asp, (3) iMem parameter to members.asp, (4) iCat parameter to cat.asp, (5) offset parameter to members_listing_approval.asp, or (6) iChannel parameter to channels_edit.asp.20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Productshttp://echo.or.id/adv/adv19-theday-2005.txt175971759817599Multiple SQL injection vulnerabilities in DUware DUamazon Pro 3.0 and 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) iCat parameter to cat.asp, (2) iSub parameter to sub.asp, (3) iSub parameter to detail.asp, (4) iPro parameter to review.asp, iCat parameter to (5) catEdit.asp, (6) catDelete.asp, (7) productEdit.asp, or (8) productDelete.asp, or (9) iType parameter to type.asp.20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Productshttp://echo.or.id/adv/adv19-theday-2005.txtMultiple SQL injection vulnerabilities in DUware DUpaypal Pro 3.0 allow remote attackers to execute arbitrary SQL commands via the (1) iCat parameter to cat.asp, (2) iPro parameter to detail.asp, (3) iSub parameter to sub.asp, (4) iCat parameter to catEdit.asp.20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Productshttp://echo.or.id/adv/adv19-theday-2005.txtMultiple SQL injection vulnerabilities in DUware DUforum 3.1, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via the (1) iMsg parameter to messages.asp, iFor parameter to (2) post.asp or (3) forums.asp, or (4) id parameter to userEdit.asp. NOTE: vectors 1 and 3 were later reported to affect version 3.0.20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Productshttp://echo.or.id/adv/adv19-theday-2005.txt20061202 [Aria-Security Team] DuWare DuForum SQL Injection Vulnduforum-messages-forums-sql-injection(30668)Multiple SQL injection vulnerabilities in DUware DUclassmate 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) iState parameter to default.asp or (2) iPro parameter to edit.asp.20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Productshttp://echo.or.id/adv/adv19-theday-2005.txt14036Unknown vulnerability in Tor before 0.1.0.10 allows remote attackers to read arbitrary memory and possibly key information from the exit server's process space.Security bug in 0.0.9.x Tor servers96320GLSA-200506-1815764tor-information-disclosure(21093)Buffer overflow in the VERITAS Backup Exec Web Administration Console (BEWAC) 9.0 4367 through 10.0 rev. 5484 allows remote attackers to execute arbitrary code.http://seer.support.veritas.com/docs/276606.htm20050623 Buffer overflow vulnerability in VERITAS Software Backup Exec Web Administration Console (BEWAC)15789P-23214025Heap-based buffer overflow in vidplin.dll in RealPlayer 10 and 10.5 (6.0.12.1040 through 1069), RealOne Player v1 and v2, RealPlayer 8 and RealPlayer Enterprise allows remote attackers to execute arbitrary code via an .avi file with a modified strf structure value.20050623 eEye Advisory - EEYEB-200505 - RealPlayer AVI Processing Overflowhttp://service.real.com/help/faq/security/050623_player/EN/20050623 eEye Advisory - EEYEB-200505 - RealPlayer AVI Processing OverflowJust another flat file (JAF) CMS before 3.0 Final allows remote attackers to obtain sensitive information via (1) an * (asterisk) in the id parameter, (2) a blank id parameter, or (3) an * (asterisk) in the disp parameter to index.php, which reveals the path in an error message. NOTE: a followup suggests that this may be a directory traversal or file inclusion vulnerability.20050623 [ECHO_ADV_20$2005] Full path disclosure JAF CMShttp://echo.or.id/adv/adv20-theday-2005.txt20050626 Re: [ECHO_ADV_20$2005] Full path disclosure JAF CMSUnknown vulnerability in RealPlayer 10 and 10.5 (6.0.12.1040-1069) and RealOne Player v1 and v2 allows remote attackers to overwrite arbitrary files or execute arbitrary ActiveX controls via a crafted MP3 file.http://service.real.com/help/faq/security/050623_player/EN/RealPlayer 8, 10, 10.5 (6.0.12.1040-1069), and Enterprise and RealOne Player v1 and v2 allows remote malicious web server to create an arbitrary HTML file that executes an RM file via "default settings of earlier Internet Explorer browsers".http://service.real.com/help/faq/security/050623_player/EN/The Quantum archive decompressor in Clam AntiVirus (ClamAV) before 0.86.1 allows remote attackers to cause a denial of service (application crash) via a crafted Quantum archive.http://sourceforge.net/project/shownotes.php?release_id=337279GLSA-200506-2315811DSA-737SUSE-SA:2005:038Multiple cross-site scripting (XSS) vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to inject arbitrary web script or HTML via the (1) Searchpage parameter to dosearch.php, (2) Number, (3) what, or (4) page parameter to newreply.php, (5) Number, (6) Board, or (7) what parameter to showprofile.php, (8) fpart or (9) page parameter to showflat.php, or (10) like parameter to showmembers.php.20050624 Infopop UBB Threads Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00084-06232005http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351Multiple SQL injection vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to execute arbitrary SQL commands via the Number parameter to (1) download.php, (2) modifypost.php, (3) mailthread.php, or (4) notifymod.php, (5) month or (6) year parameter to calendar.php, (7) message parameter to viewmessage.php, (8) main parameter to addfav.php, or (9) posted parameter to grabnext.php.20050624 Infopop UBB Threads Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00084-06232005http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag.20050624 Infopop UBB Threads Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00084-06232005http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351Multiple HTTP Response Splitting vulnerabilities in (1) toggleshow.php, (2) togglecats.php, and (3) showprofile.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to spoof web content and poison web caches via CRLF ("%0d%0a") sequences in the Cat parameter.20050624 Infopop UBB Threads Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00084-06232005http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351Infopop UBB.Threads before 6.5.2 Beta allows remote attackers to include arbitrary files via the language parameter in a cookie followed by a null (%00) byte.20050624 Infopop UBB Threads Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00084-06232005http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351Multiple SQL injection vulnerabilities in ActiveBuyAndSell 6.2 allow remote attackers to execute arbitrary SQL commands via the catid parameter to (1) default.asp or (2) buyersend.asp, (3) Administrator ID field in admin.asp, E-mail field in (4) advertiserstart.asp or (5) buyer.asp, or Keyword field in search.asp.20050624 [ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSell 3550 23110 ADV-2007-1096 activebuyandsell-buyersend-sql-injection(33183)Multiple cross-site scripting (XSS) vulnerabilities in ActiveBuyAndSell 6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Title parameter to sendpassword.asp or (2) Keyword field in search.asp.20050624 [ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSellMultiple cross-site scripting vulnerabilities in ASP Nuke 0.80 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to forgot_password.asp, or the (2) FirstName, (3) LastName, (4) Username, (5) Password, (6) Address1, (7) Address2, (8) City, (9) ZipCode, (10) Email parameter to register.asp.20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.8014062HTTP response splitting vulnerability in language_select.asp in ASP Nuke 0.80 allows remote attackers to spoof web content and poison web caches via CRLF ("%0d%0a") sequences in the LangCode parameter.20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.8014063SQL injection vulnerability in comment_post.asp in ASP Nuke 0.80 allows remote attackers to execute arbitrary SQL statements via the TaskID parameter.20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.801406420050627 SQL Injection Exploit for ASPNuke <= 0.80SQL injection vulnerability in article.asp in unknown versions of aspnuke allows remote attackers to execute arbitrary SQL commands via the articleid parameter.20050627 aspnuke is vulnerable to sql injection18215FreeBSD 4.x through 4.11 and 5.x through 5.4 allows remote attackers to modify certain TCP options via a TCP packet with the SYN flag set for an already established session.FreeBSD-SA-05:15pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password.http://www.openldap.org/its/index.cgi/Incoming?id=3791http://bugzilla.padl.com/show_bug.cgi?id=210https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990http://bugzilla.padl.com/show_bug.cgi?id=211http://bugs.gentoo.org/show_bug.cgi?id=96767RHSA-2005:751RHSA-2005:7671723320050704 pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setupGLSA-2005-07-13MDKSA-2005:121USN-152-1141251412617692ldap-tls-information-disclosure(21245)1784521520The ClamAV Mail fILTER (clamav-milter) 0.84 through 0.85d, when used in Sendmail using long timeouts, allows remote attackers to cause a denial of service by keeping an open connection, which prevents ClamAV from reloading.20050623 long sendmail timeouts let attacker prevent milter quiesce14047DSA-737SUSE-SA:2005:038traceroute in Sun Solaris 10 on x86 systems allows local users to execute arbitrary code with PRIV_NET_RAWACCESS privileges via (1) a large number of -g arguments or (2) a malformed -s argument with a trailing . (dot).20050624 Solaris 10 /usr/sbin/traceroute vulnerabilities20050624 Re: Solaris 10 /usr/sbin/traceroute vulnerabilities20050624 Re: [Full-disclosure] Solaris 10 /usr/sbin/traceroute vulnerabilities14049102060101526117708ADV-2005-2564The runtime linker (ld.so) in Solaris 8, 9, and 10 trusts the LD_AUDIT environment variable in setuid or setgid programs, which allows local users to gain privileges by (1) modifying LD_AUDIT to reference malicious code and possibly (2) using a long value for LD_AUDIT.20050628 Solaris 9/10 ld.so fun20050628 Solaris 9/10 ld.so fun20050628 Solaris 9/10 ld.so fun14074101794ADV-2005-0908101453715841Unknown vulnerability in IBM DB2 8.1.4 through 8.1.9 and 8.2.0 through 8.2.2 allows local users with SELECT privileges to conduct unauthorized activities and insert, update or delete table contents.IY73104Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows remote attackers to inject arbitrary web script or HTML via a news or article post, possibly involving the (1) news_body, (2) article_description, or (3) article_body parameters to submit.php.http://dark-assassins.com/forum/viewtopic.php?t=14514066ADV-2005-088815830PHP-Fusion 5.0 and 6.0 stores the database file with a predictable filename under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to the filename in the administration/db_backups directory in PHP-Fusion 6.0 or the fusion_admin/db_backups directory in 5.0.http://dark-assassins.com/forum/viewtopic.php?t=142ADV-2005-088815830HP Version Control Repository Manager (VCRM) before 2.1.1.730 does not properly handle the "@" character in a proxy password, which could allow attackers with physical access to obtain portions of the password when it is displayed to the screen.HPSBMA0116614032101426715790Cross-site scripting (XSS) vulnerability in error.asp for Hosting Controller allows remote attackers to inject arbitrary web script or HTML via the error parameter.1408020051215 Bug in HC20050628 Cross-Site Scripting (CSS) in Hosting Controller All Version and hot fix it hehe ;)1016456BisonFTP Server V4R1 allows remote authenticated users to cause a denial of service via an invalid command with a long argument.14079Heap-based buffer overflow in the Admin Plus Pack Option for VERITAS Backup Exec 9.0 through 10.0 for Windows Servers allows remote attackers to execute arbitrary code.http://seer.support.veritas.com/docs/276607.htmhttp://seer.support.veritas.com/docs/277429.htmTA05-180AVU#3526251578914023Unknown vulnerability in Remote Agent for Windows Servers (RAWS) in VERITAS Backup Exec 9.0 through 10.0 for Windows, and 9.0.4019 through 9.1.307 for NetWare, allows remote attackers to gain privileges by copying the handle for the server.http://seer.support.veritas.com/docs/276608.htmhttp://seer.support.veritas.com/docs/277429.htm1578914026Stack-based buffer overflow in the function that parses commands in Asterisk 1.0.7, when the 'write = command' option is enabled, allows remote attackers to execute arbitrary code via a command that has two double quotes followed by a tab character.20050622 Portcullis Security Advisory 05-013 - VoIP - Asterisk Stack Overflowhttp://www.portcullis-security.com/advisory/advisory-05-013.txtasterisk-manager-interface-bo(21115)im_trbbs.cgi in imTRSET 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the df parameter.20050629 Original imTRBBS(ver1.02) and prior remote command executionhttp://www.cgi-club.com/imTRBBS/Format string vulnerability in IMAP4 in IA eMailServer Corporate Edition 5.2.2 build 1051 allows remote attackers to cause a denial of service (application crash) via a LIST command with format string specifiers as the second argument.20050627 Denial of Service Vulnerability in True North Software, Inc. IA eMailServer Corporate Edition Version: 5.2.2. Build: 10511014301emailserver-list-dos(21169)Cross-site scripting (XSS) vulnerability in SearchResults.aspx in Community Forum allows remote attackers to inject arbitrary web script or HTML via the q parameter.20050627 XSS IN Community forumBuffer overflow in Inframail Advantage Server Edition 6.0 through 6.7 allows remote attackers to cause a denial of service (process crash) via a long (1) SMTP FROM field or possibly (2) FTP NLST command.20050628 Multiple buffer overflows exist in Infradig Systems Inframail Advantage Server Edition 6.0PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code.20050628 Security Advisory - phpBB 2.0.15 PHP-code injection bughttp://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem.20050629 SEC-CONSULT SA-20050629-0http://www.microsoft.com/technet/security/advisory/903144.mspxMS05-037ESB-2005.0489VU#93960514087ADV-2005-093517680101432915891ie-javaprxydll-execute-code(21193)TA05-193AOVAL1326OVAL1506OVAL1518OVAL79320050702 Microsoft Internet Explorer oval:org.mitre.oval:def:1326oval:org.mitre.oval:def:1506oval:org.mitre.oval:def:1518oval:org.mitre.oval:def:793 VU#959049The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."20050606 A new whitepaper by Watchfire - HTTP Request Smugglinghttp://www.watchfire.com/resources/HTTP-Request-Smuggling.pdfhttp://www.securiteam.com/securityreviews/5GP0220G0U.html1014323DSA-803DSA-805USN-160-2TSLSA-2005-0059APPLE-SA-2005-11-291564717813OVAL840145301748714106ADV-2005-2140ADV-2005-2659102197102198ADV-2006-07891907219073RHSA-2005:582HPSBUX02074HPSBUX02101ADV-2006-10181931717319[apache-httpd-announce] 20051014 Apache HTTP Server 2.0.55 ReleasedPK13959PK16139SSA:2005-310-0419185SUSE-SA:2005:046SUSE-SR:2005:018oval:org.mitre.oval:def:840oval:org.mitre.oval:def:1526oval:org.mitre.oval:def:162923074ADV-2006-4680 MDKSA-2005:130MDKSA-2005:130oval:org.mitre.oval:def:1237604Microsoft IIS 5.0 and 6.0 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes IIS to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."20050606 A new whitepaper by Watchfire - HTTP Request Smugglinghttp://www.watchfire.com/resources/HTTP-Request-Smuggling.pdfhttp://www.securiteam.com/securityreviews/5GP0220G0U.htmlmicrosoft-iis-hrs(42899)Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."20050606 A new whitepaper by Watchfire - HTTP Request Smugglinghttp://www.watchfire.com/resources/HTTP-Request-Smuggling.pdfhttp://www.securiteam.com/securityreviews/5GP0220G0U.html1014365 RHSA-2007:0327APPLE-SA-2007-07-31HPSBUX02262RHSA-2007:03602515913873ADV-2007-2732ADV-2007-3087ADV-2007-3386262352666027037[Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1ADV-2008-00652836520080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1SUSE-SR:2008:00529242RHSA-2008:0261239312ADV-2008-19793090830899IBM WebSphere 5.1 and WebSphere 5.0 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebSphere to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."20050606 A new whitepaper by Watchfire - HTTP Request Smugglinghttp://www.watchfire.com/resources/HTTP-Request-Smuggling.pdfhttp://www.securiteam.com/securityreviews/5GP0220G0U.html1014367ibm-websphere-hrs(42898)BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebLogic to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."20050606 A new whitepaper by Watchfire - HTTP Request Smugglinghttp://www.watchfire.com/resources/HTTP-Request-Smuggling.pdfhttp://www.securiteam.com/securityreviews/5GP0220G0U.html1014366bea-weblogic-hrs(42901)Oracle 9i Application Server (Oracle9iAS) 9.0.2 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Application Server to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."20050606 A new whitepaper by Watchfire - HTTP Request Smugglinghttp://www.watchfire.com/resources/HTTP-Request-Smuggling.pdfhttp://www.securiteam.com/securityreviews/5GP0220G0U.htmloracle-applicationserver-hrs(42902)Sun SunONE web server 6.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes SunONE to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."20050606 A new whitepaper by Watchfire - HTTP Request Smugglinghttp://www.watchfire.com/resources/HTTP-Request-Smuggling.pdfhttp://www.securiteam.com/securityreviews/5GP0220G0U.html1014369sun-sunone-hrs(42903)options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting XSS) attacks, and write arbitrary files.DSA-756APPLE-SA-2005-08-15APPLE-SA-2005-08-17FLSA:16304720050714 SquirrelMail Arbitrary Variable Overwriting Vulnerability20050714 [SM-ANNOUNCE] Patch available for CAN-2005-2095RHSA-2005:59514254squirrelmail-set-post-variable(21359)SUSE-SR:2005:018zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file.DSA-740RHSA-2005:569GLSA-200507-05USN-148-114162ADV-2005-0978101439815949APPLE-SA-2005-08-15APPLE-SA-2005-08-17FLSA:162680GLSA-200509-18DSA-797FreeBSD-SA-05:16.zlib101989VU#680620USN-151-3HPSBUX02090SCOSA-2006.6ADV-2006-01441840618377MDKSA-2005:196170541722517236173261751619550DSA-102618507MDKSA-2006:070oval:org.mitre.oval:def:1262oval:org.mitre.oval:def:1542 19597 hpux-secure-shell-dos(24064) 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates ADV-2007-1267 2478820071029 Re: Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096)20071029 Windows binary of "Virtual Floppy Drive 2.1" contains vulnerable zlib (CAN-2005-2096)20071018 Official Windows binaries of "curl" contain vulnerable zlib 1.2.2 (CAN-2005-2096)20071018 Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096)20071020 Re: Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096)20071021 Re: Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096)MDKSA-2005:112MDKSA-2005:196MDKSA-2006:070xpdf and kpdf do not properly validate the "loca" table in PDF files, which allows local users to cause a denial of service (disk consumption and hang) via a PDF file with a "broken" loca table, which causes a large temporary file to be created when xpdf attempts to reconstruct the information.USN-163-1DSA-780MDKSA-2005:13814529SCOSA-2005.4217277DSA-9361839818407RHSA-2005:670RHSA-2005:671RHSA-2005:706RHSA-2005:708FLSA:175404FLSA-2006:176751SUSE-SR:2005:019DSA-113621339102972ADV-2007-228025729The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring (1) with an empty name string, (2) with a long name string, (3) with the key quota reached, or (4) ENOMEM.USN-169-116355MDKSA-2005:22014521RHSA-2005:514FLSA:157459-317073MDKSA-2005:220The Linux kernel before 2.6.12.5 does not properly destroy a keyring that is not instantiated properly, which allows local users or remote attackers to cause a denial of service (kernel oops) via a keyring with a payload that is not empty, which causes the creation to fail, leading to a null dereference in the keyring destructor.USN-169-116355MDKSA-2005:220145171014644RHSA-2005:514FLSA:157459-317073MDKSA-2005:220The rw_vm function in usercopy.c in the 4GB split patch for the Linux kernel in Red Hat Enterprise Linux 4 does not perform proper bounds checking, which allows local users to cause a denial of service (crash).Bugzilla Bug 165547 – CAN-2005-2100 4G/4G split bounds checkingRHSA-2005:51417073langen2kvtml in KDE 3.0 to 3.4.2 creates insecure temporary files in /tmp with predictable names, which allows local users to overwrite arbitrary files.http://www.kde.org/info/security/advisory-20050815-1.txtMDKSA-2005:159DSA-81814561101467516428The AIM/ICQ module in Gaim before 1.5.0 allows remote attackers to cause a denial of service (application crash) via a filename that contains invalid UTF-8 characters.http://gaim.sourceforge.net/security/?id=21USN-168-114531FLSA:158543RHSA-2005:627SUSE-SR:2005:019Buffer overflow in the AIM and ICQ module in Gaim before 1.5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an away message with a large number of AIM substitution strings, such as %t or %n.http://gaim.sourceforge.net/security/?id=22USN-168-114531FLSA:158543RHSA-2005:589RHSA-2005:627SUSE-SR:2005:019sysreport before 1.3.7 allows local users to obtain sensitive information via a symlink attack on a temporary directory.RHSA-2005:59818682101465316381sysreport-race-condition(21770)FEDORA-2005-1071FEDORA-2005-107217539Cisco IOS 12.2T through 12.4 allows remote attackers to bypass Authentication, Authorization, and Accounting (AAA) RADIUS authentication, if the fallback method is set to none, via a long username.20050629 RADIUS Authentication Bypass1014330radius-authentication-bypass(21190)Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting.20050629 [DRUPAL-SA-2005-002] Drupal 4.6.2 / 4.5.4 fixes input validation issue15872http://www.drupal.org/security/drupal-sa-2005-002/advisory.txtDSA-74514110Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter.20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00085-0628200515831SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file.20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00085-0628200515831wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use.20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00085-0628200515831WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector [1] was later reported to also affect WordPress 2.0.1.20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00085-062820051583120060227 WordPress 2.0.1 Multiple Vulnerabilitieslogin.cgi in Community Link Pro Web Editor allows remote attackers to execute arbitrary commands via the file parameter.20050629 [badroot security] Community link pro web editor: Remote commandhttp://www.badroot.org/advisories/SA0x05158801014345Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php.20050629 XOOPS 2.0.11 && Earlier Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00086-06292005http://www.xoops.org/modules/news/article.php?storyid=238315843SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method.20050629 XOOPS 2.0.11 && Earlier Multiple Vulnerabilitieshttp://www.gulftech.org/?node=research&article_id=00086-06292005http://www.xoops.org/modules/news/article.php?storyid=238315843Mozilla 1.7.8, Firefox 1.0.4, Camino 0.8.4, Netscape 8.0.2, and K-Meleon 0.9, and possibly other products that use the Gecko engine, allow remote attackers to cause a denial of service (application crash) via JavaScript that repeatedly calls an empty function.20050629 Mozilla Multiple Product JavaScript Issuehttp://www.kurczaba.com/html/security/0506241.htmhttp://www.securiteam.com/securitynews/5OP0U00G1G.html10143491014372101429410142931014292mozilla-mult-browsers-javascript-dos(21188)RHSA-2005:586RHSA-2005:587Soldier of Fortune II 1.02x and 1.03 allows remote attackers to cause a denial of service (server crash) via a large ID value in the ignore command, which is used as an array index and causes an out-of-bounds operation.176491586820050629 In-game /ignore crash in Soldier of Fortune II 1.03** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1921. Reason: This candidate is a duplicate of CVE-2005-1921. Notes: All CVE users should reference CVE-2005-1921 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Web View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 does not properly handle certain HTML characters in preview fields, which allows remote user-assisted attackers to execute arbitrary code.MS05-049TA05-284AMicrosoft Windows Explorer Web View Script Insertion VulnerabilityOVAL129115064171681717217223oval:org.mitre.oval:def:1291Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122.Story of a dumb patchMS05-049TA05-284AOVAL1116OVAL1192150701015040171681717217223oval:org.mitre.oval:def:1116oval:org.mitre.oval:def:1192The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer.MS05-05118828TA05-284AVU#180868AD20051011bOVAL1071OVAL1452OVAL55115056101503717161171721722317509oval:org.mitre.oval:def:1071oval:org.mitre.oval:def:1452oval:org.mitre.oval:def:55173Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call.MS05-047TA05-284AVU#21457218830AD20051011cOVAL1244OVAL1328OVAL1519101504215065171661717217223oval:org.mitre.oval:def:1244oval:org.mitre.oval:def:1328oval:org.mitre.oval:def:151971Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118.Story of a dumb patchMS05-049TA05-284AVU#922708OVAL1329OVAL1488OVAL1517OVAL1537OVAL1551OVAL708150691015040171681717217223oval:org.mitre.oval:def:1329oval:org.mitre.oval:def:1488oval:org.mitre.oval:def:1517oval:org.mitre.oval:def:1537oval:org.mitre.oval:def:1551oval:org.mitre.oval:def:708Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord.MS05-053VU#30054915352OVAL1063OVAL1175OVAL1263OVAL1546OVAL7011015168ADV-2005-2348174981746117223oval:org.mitre.oval:def:1063oval:org.mitre.oval:def:1175oval:org.mitre.oval:def:1263oval:org.mitre.oval:def:1546oval:org.mitre.oval:def:701TA05-312AUnspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to "An unchecked buffer" and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka "Windows Metafile Vulnerability."Windows Metafile Multiple Heap OverflowsMS05-053VU#433341101516815356ADV-2005-2348174981746117223TA05-312A161The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames.MS05-044VU#41582817163OVAL1146OVAL1284OVAL141610150361717217223oval:org.mitre.oval:def:1146oval:org.mitre.oval:def:1284oval:org.mitre.oval:def:1416Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability."http://www.microsoft.com/technet/security/advisory/906267.mspx14594ADV-2005-1450101472716480Win-msdss-command-execution(21895)VU#740372http://isc.sans.org/diary.php?date=2005-08-18MS05-052TA05-284AVU#959049VU#898241OVAL1155OVAL1454OVAL1464OVAL1468OVAL1535OVAL1538TA05-347A15061171721722317509TA06-220Aoval:org.mitre.oval:def:1155oval:org.mitre.oval:def:1454oval:org.mitre.oval:def:1464oval:org.mitre.oval:def:1468oval:org.mitre.oval:def:1535oval:org.mitre.oval:def:153820070606 IE 6/Microsoft Html Popup Window (mshtml.dll) DoS72microsoft-ie-mshtml-dos(34754)QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value.MS05-05018822TA05-284AVU#995220AD20051011aOVAL1149OVAL1231OVAL1267OVAL1424OVAL143415063171601717217509oval:org.mitre.oval:def:1149oval:org.mitre.oval:def:1231oval:org.mitre.oval:def:1267oval:org.mitre.oval:def:1424oval:org.mitre.oval:def:1434RPC portmapper (rpcbind) in SCO UnixWare 7.1.1 m5, 7.1.3 mp5, and 7.1.4 mp2 allows remote attackers or local users to cause a denial of service (lack of response) via multiple invalid portmap requests.SCOSA-2005.31143601622820050727 [NILESA-20050701] UnixWare 7.x RPC portmapper Dos VulnerabilityDO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1915. Reason: This candidate is a duplicate of CVE-2005-1915. Notes: All CVE users should reference CVE-2005-1915 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.http://bugs.gentoo.org/show_bug.cgi?id=94069The (1) clcs and (2) emuxki drivers in NetBSD 1.6 through 2.0.2 allow local users to cause a denial of service (kernel crash) by using the set-parameters ioctl on an audio device to change the block size and set the pause state to "unpaused" in the same ioctl, which causes a divide-by-zero error.NetBSD-SA2005-00215874SQL injection vulnerability in verify.asp in EtoShop Dynamic Biz Website Builder (QuickWeb) 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) T1 or (2) T2 parameters.15818Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users.20050628 Access right escalation / severe permission problems on Raritan Console Servers1408415853Unknown vulnerability in NateOn Messenger 3.0 allows remote attackers to list arbitrary directories via unknown attack vectors.141001761915819Cross-site scripting (XSS) vulnerability in index.php in Comdev eCommerce 3.0 and 3.1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the onMouseOver event of an "A" tag in a review message.http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=6415865PHP remote file inclusion vulnerability in user_check.php for Pavsta Auto Site allows remote attackers to execute arbitrary PHP code via the sitepath parameter.ADV-2005-093017631101432115873Directory traversal vulnerability in default.asp for FSboard 2.0 allows remote attackers to read arbitrary files via ".." sequences in the filename parameter.14111TCP Chat 1.0 allows remote attackers to cause a denial of service (crash) via a long string to the chat service, possibly triggering a buffer overflow.1014371Directory traversal vulnerability in Golden FTP Server 2.60 allows remote authenticated attackers to list arbitrary directories via a "\.." (backslash dot dot) in an LS (LIST) command.15840Microsoft Front Page allows attackers to cause a denial of service (crash) via a crafted style tag in a web page.http://www.freewebs.com/xxosfilexx/HungFPage.html1014352Prevx Pro 2005 1.0 allows local users to bypass file protection and modify files by using MapViewOfFile to perform memory mapping on the file.101434615885The kernel driver in Prevx Pro 2005 1.0 does not verify the source of certain messages, which allows local users to bypass protection by sending certain messages to the driver, as demonstrated by sending an "allow" message to bypass a warning message.101434615885SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows Servers, uses insecure permissions when generating the Secure Shell host identification key, which allows local users to access the key and spoof the server.http://www.ssh.com/company/newsroom/article/653/15894Trac before 0.8.4 allows remote attackers to read or upload arbitrary files via a full pathname in the id parameter to the (1) upload or (2) attachment viewer scripts.http://www.hardened-php.net/advisory-012005.php1399015752DSA-739Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie, then specifying the attack string in the URL, which causes the get_request_var function to return the wrong value in the $_REQUEST variable, which is cleansed while the original malicious $_GET value remains unmodified, as demonstrated in (1) graph_image.php and (2) graph.php.http://www.hardened-php.net/advisory-032005.phphttp://www.hardened-php.net/advisory-042005.php[cacti-announce] 20050701 Cacti 0.8.6f Releasedhttp://www.cacti.net/downloads/patches/0.8.6e/cacti-0.8.6f_security.patch20050702 Advisory 03/2005: Cacti Multiple SQL Injection Vulnerabilities [FIXED]20050702 Advisory 04/2005: Cacti Remote Command Execution VulnerabilityDSA-76414027154901412814129ADV-2005-09511014361cacti-graph-post-cookie-sql-injection(21266)cacti-request-array-command-execution(21270)config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain privileges and disable the use of addslashes to conduct SQL injection attacks.http://www.hardened-php.net/advisory-052005.php[cacti-announce] 20050701 Cacti 0.8.6f Releasedhttp://www.cacti.net/downloads/patches/0.8.6e/cacti-0.8.6f_security.patch20050702 Advisory 05/2005: Cacti Authentification/Addslashes Bypass VulnerabilityDSA-76414130ADV-2005-09511014361Windows NT 4.0 and Windows 2000 before URP1 for Windows 2000 SP4 does not properly prevent NULL sessions from accessing certain alternate named pipes, which allows remote attackers to (1) list Windows services via svcctl or (2) read eventlogs via eventlog.20050707 NULL sessions vulnerabilities using alternate named pipeshttp://www.hsc.fr/ressources/presentations/null_sessions/1417714178101441714189win-name-pipe-null-information-disclosure(21286)win-pipe-null-eventlog-information-disclosure(21288)spf.c in Courier Mail Server does not properly handle DNS failures when looking up Sender Policy Framework (SPF) records, which could allow attackers to cause memory corruption.http://www.courier-mta.org/?changelog.html15901SQL injection vulnerability in Geeklog before 1.3.11 allows remote attackers to execute arbitrary SQL commands via user comments for an article.http://www.geeklog.net/article.php/geeklog-1.3.11sr1http://www.hardened-php.net/advisory-062005.php101438115914SQL injection vulnerability in class.ticket.php in osTicket 1.3.1 beta and earlier allows remote attackers to execute arbitrary SQL commands via the ticket variable.20050701 [SECURITY ALERT] osTicket bugs141271014373PHP local file inclusion vulnerability in (1) view.php and (2) open.php in osTicket 1.3.1 beta and earlier allows remote attackers to include and possibly execute arbitrary local files via the inc parameter.20050701 [SECURITY ALERT] osTicket bugs141271014373PHP remote file inclusion vulnerability in EasyPHPCalendar 6.1.5 and earlier allows remote attackers to execute arbitrary code via the serverPath parameter.15893SQL injection vulnerability in news.php in PHPNews 1.2.5 allows remote attackers to execute arbitrary SQL commands via the prevnext parameter.http://sourceforge.net/project/shownotes.php?group_id=66322&release_id=33931714133PHP remote file inclusion vulnerability in survey.inc.php for nabopoll 1.2 allows remote attackers to execute arbitrary PHP code via the path parameter.ADV-2005-0954101435515910A regression error in the embedded HSQLDB in JBoss jBPM 2.0 allows remote attackers to execute arbitrary comands, a re-introduction of a vulnerability that was originally identified by CVE-2003-0845.20050703 JBoss jBPM 2.0: Remote code execution and classloader covert channelhttp://www.illegalaccess.org/java/jboss.phpmshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote attackers to cause a denial of service (application crash) via a long request.20050704 PlanetFileServer v2.0.1.3 - Denial Of Service14138IMail stores usernames and passwords in cleartext in a cookie, which allows remote attackers to obtain sensitive information.20050705 Imail Cookie Vulnerability (unhashed)Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested [url] tags.20050705 XSS in nested tag in phpbb 2.0.16http://www.securitylab.ru/55612.html DSA-768PHP remote file inclusion vulnerability in form.inc.php3 in MyGuestbook 0.6.1 allows remote attackers to execute arbitrary PHP code via the lang parameter.20050705 MyGuestbook Remote File Inclusion.http://www.soulblack.com.ar/repo/papers/advisory/myguestbook_advisory.txt101438715927Cross-site scripting (XSS) vulnerability in index.php in AutoIndex PHP Script 1.5.2 allows remote attackers to inject arbitrary web script or HTML via the search parameter.20050705 Re: [badroot security] AutoIndex PHP Script: XSS vulnerabilityhttp://www.badroot.org/advisories/SA0x0715928SQL injection vulnerability in Covide Groupware-CRM allows remote attackers to execute arbitrary SQL commands via unknown attack vectors.20050705 [covide] possible sql injectionhttp://sourceforge.net/project/shownotes.php?release_id=33904714156read.cgi in GlobalNoteScript allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameters.http://zone-h.org/advisories/read/id=77651014375SQL injection vulnerability in index.php in Plague News System 0.6 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter.http://dark-assassins.com/forum/viewtopic.php?t=9015902Cross-site scripting (XSS) vulnerability in index.php in Plague News System 0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the cid parameter.http://dark-assassins.com/forum/viewtopic.php?t=9015902delete.php in Plague News System 0.6 and earlier allows remote unauthenticated attackers to delete news, comments, and shoutbox posts by modifying the id parameter.http://dark-assassins.com/forum/viewtopic.php?t=9015902Directory traversal vulnerability in source.php in Quick & Dirty PHPSource Printer 1.1 and earlier allows remote attackers to read arbitrary files via ".../...//" sequences in the file parameter, which are reduced to "../" when PHPSource Printer uses a regular expression to remove "../" sequences.http://guff.szub.net/2005/07/04/quick-and-dirty-security/101437615900The LCF component (lcfd) in IBM Tivoli Management Framework Endpoint allows remote attackers to cause a denial of service (process exit and connection loss) by connecting to LCF and ending the connection without sending any data.http://www-1.ibm.com/support/entdocview.wss?uid=swg21210334http://www.corsaire.com/advisories/c041127-001.txt14194ADV-2005-1018159531014424The Flag::validate and Flag::modify functions in Bugzilla 2.17.1 to 2.18.1 and 2.19.1 to 2.19.3 do not verify that the flag ID is appropriate for the given bug or attachment ID, which allows users to change flags on arbitrary bugs and obtain a bug summary via process_bug.cgi.http://www.bugzilla.org/security/2.18.1/https://bugzilla.mozilla.org/show_bug.cgi?id=2931591014428Bugzilla 2.17.x, 2.18 before 2.18.2, 2.19.x, and 2.20 before 2.20rc1 inserts a bug into the database before it is marked private, which introduces a race condition and allows attackers to access information about the bug via buglist.cgi before MySQL replication is complete.http://www.bugzilla.org/security/2.18.1/https://bugzilla.mozilla.org/show_bug.cgi?id=2931591014428The web interface for Lotus Notes mail automatically processes HTML in an attachment without prompting the user to save or open it, which makes it easier for remote attackers to conduct web-based attacks and steal cookies.20050706 Cross site scripting in Lotus Notes web mail1014440Novell NetMail automatically processes HTML in an attachment without prompting the user to save or open it, which makes it easier for remote attackers to conduct web-based attacks and steal cookies.14171ADV-2005-099415962178211014439Net-SNMP 5.0.x before 5.0.10.2, 5.2.x before 5.2.1.2, and 5.1.3, when net-snmp is using stream sockets such as TCP, allows remote attackers to cause a denial of service (daemon hang and CPU consumption) via a TCP packet of length 1, which triggers an infinite loop.[net-snmp-announce] 20050701 Multiple new Net-SNMP releases to fix a security related bug2005-00341593014168USN-190-1DSA-873MDKSA-2006:025186351721717343RHSA-2005:373RHSA-2005:395RHSA-2005:720SUSE-SR:2005:0241713517282169991700720061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 420061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 120061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 220061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2ADV-2006-45022287510272521256ADV-2006-4677101727323058ADV-2007-188325373MDKSA-2006:025SUSE-SR:2007:012SUSE-SR:2007:0132543225787probe.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the olddat parameter. NOTE: it is unclear which product or vendor this program is associated with, if any.20050705 [badroot security] probe.cgi: Remote Command Executionhttp://www.badroot.org/advisories/SA0x061014393PHP remote file inclusion vulnerability in BlogModel.php in Jaws 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via the path parameter.20050706 Advisory 07/2005: Jaws Multiple Remote Code Execution Vulnerabilitieshttp://www.hardened-php.net/advisory-072005.php1014395gen-index in GNATS 4.0, 4.1.0, and possibly earlier versions, when installed setuid, does not properly check files passed to the -o argument and opens the file with write access, which allows local users to overwrite arbitrary files.20050706 GNATS - gen-indexhttp://www.pi3.int.pl/adv/gnats.txt15963Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the "Messages waiting" message.20050706 VoIP-Phones: Weakness in proccessing SIP-Notify-Messageshttp://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt1014406sip-notify-message-spoof(21260)Grandstream BudgeTone (BT) 100 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the "Messages waiting" message.20050706 VoIP-Phones: Weakness in proccessing SIP-Notify-Messageshttp://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt1014407sip-notify-message-spoof(21260)class.xmail.php in PhpXmail 0.7 through 1.1 does not properly handle large passwords, which prevents an error message from being returned and allows remote attackers to bypass authentication and gain unauthorized access.20050706 PHPXMAIL - Authentication Bypass1595114175eRoom 6.x does not properly restrict files that can be attached, which allows remote attackers to execute arbitrary commands via a .lnk file.20050706 eRoom Multiple Security Issues15940eRoom does not set an expiration for Cookies, which allows remote attackers to capture cookies and conduct replay attacks.20050706 eRoom Multiple Security IssuesMultiple cross-site scripting (XSS) vulnerabilities in McAfee IntruShield Security Management System allow remote authenticated users to inject arbitrary web script or HTML via the (1) thirdMenuName or (2) resourceName parameter to SystemEvent.jsp.20050706 McAfee Intrushield IPS Abuse20050706 Re: Re: McAfee Intrushield IPS Abuse101442215961McAfee IntruShield Security Management System allows remote authenticated users to access the "Generate Reports" feature and modify alerts by setting the Access option to true, as demonstrated using the (1) fullAccess or (2) fullAccessRight parameter in reports-column-center.jsp, or (3) fullAccess parameter to SystemEvent.jsp.20050706 McAfee Intrushield IPS Abuse20050706 Re: Re: McAfee Intrushield IPS Abuse101442215961McAfee IntruShield Security Management System obtains the user ID from the URL, which allows remote attackers to guess the Manager account and possibly gain privileges via a brute force attack.20050706 McAfee Intrushield IPS Abuse20050706 Re: Re: McAfee Intrushield IPS Abuse1014422Lantronix SecureLinx console server running firmware 2.0 and 3.0 stores /etc/ssh under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as SSH private keys.20050707 Multiple vulnerabilities in Lantronix SLC console server15979Multiple SQL injection vulnerabilities in Comersus shopping cart allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to comersus_optAffiliateRegistrationExec.asp or (2) idProduct parameter to comersus_optReviewReadExec.asp.20050707 [Bday release] Comersus shopping cart has multiple Sql injection1014419Multiple cross-site scripting (XSS) vulnerabilities in Comersus shopping cart allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to comersus_backoffice_listAssignedPricesToCustomer.asp or (2) message parameter to comersus_backoffice_message.asp.20050707 [Bday release] Comersus shopping cart has multiple Sql injection101441915251SimplePHPBlog 0.4.0 stores password hashes in config/password.txt with insufficient access control, which allows remote attackers to obtain passwords via a brute force attack.20050707 SimplePHPBlog 0.4.0 <= Remote Password Disclosure15954SQL injection vulnerability in the user profile edit module in profile.php for PunBB 1.2.5 and earlier allows remote attackers to execute arbitrary SQL statements via the temp array, which is not initialized before it is used and prevents the attacker-supplied portions of the array from being properly escaped.20050707 Advisory 08/2005: PunBB SQL Injection Vulnerabilityhttp://www.hardened-php.net/advisory-082005.phphttp://www.punbb.org/Unspecified vulnerability in the Apple Mac OS X kernel before 10.4.2 allows remote attackers to cause a denial of service (kernel panic) via a crafted TCP packet, possibly related to source routing or loose source routing.APPLE-SA-2005-07-12Apple Darwin Streaming Server 5.5 and earlier allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1, a different vulnerability than CVE-2003-0421 and CVE-2003-0502.http://secway.org/Advisory/AD20050713.txt10144741605620050713 APPLE Darwin Streaming Server Web Admin Remote Denial of SerivceThe Apple AirPort card uses a default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network.143211014522SQL injection vulnerability in sql.cls.php in Id Board 1.1.3 allows remote attackers to modify SQL queries, as demonstrated using the f parameter to index.php.20050710 ID Board 1.1.3 SQL Injection Vulnerability10144381597614204PHP remote file inclusion vulnerability in lang.php in SPiD before 1.3.1 allows remote attackers to execute arbitrary code via the lang_path parameter.http://spid.adnx.net/index_en.html#log10144371602214208PHP remote file inclusion vulnerability in inc/functions.inc.php in PPA web photo gallery 0.5.6 allows remote attackers to execute arbitrary code via the config[ppa_root_path] variable.10144361420916011Multiple unknown vulnerabilities in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allow attackers to bypass authentication.http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf101442915970Unknown vulnerability in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allow attackers to cause a denial of service or access files via crafted HTTP requests.http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf101442915970Cross-site scripting (XSS) vulnerability in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf101442915970login.php in phpWishlist before 0.1.15 allows remote attackers to bypass authentication via a direct request to admin.php.http://unix.freshmeat.net/projects/phpwishlist/?branch_id=53897&release_id=2009251014432Cross-site scripting (XSS) vulnerability in Computer Associates (CA) eTrust SiteMinder 5.5, when the "CSSChecking" parameter is set to "NO," allows remote attackers to inject arbitrary web script or HTML via the (1) PASSWORD or (2) BUFFER parameters to smpwservicescgi.exe, (3) the TARGET parameter to login.fcc, and possibly other vectors.20050708 SiteMinder Multiple Vulnerabilities20050711 Re: SiteMinder Multiple Vulnerabilities1014433ADV-2005-1040178091781015956ca-siteminder-smpwservicescgi-xss(21305)The ReadLog function in kaiseki.cgi in pngren allows remote attackers to execute arbitrary commands via shell metacharacters in the query string.20050705 PNG remote commands execution vulnerability1418217784101442615981Multiple SQL injection vulnerabilities in CartWIZ allow remote attackers to modify SQL statements via the (1) idProduct parameter to tellAFriend.asp, (2) sortType parameter to viewSupportTickets.asp, or the id parameter to (3) updateCreditCards.asp or (4) deleteCreditCards.asp.http://digitalparadox.org/viewadvisories.ah?view=421014418Cross-site scripting (XSS) vulnerability in store/login.asp in CartWIZ allows remote attackers to inject arbitrary web script or HTML via the message parameter.http://digitalparadox.org/viewadvisories.ah?view=421014418PrivaShare 1.1b allows remote attackers to cause a denial of service (crash) via a malformed message.http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=66159331014412Capturix ScanShare 1.06 build 50 stores sensitive information such as the password in cleartext in capturixss_cfg.ini, which is readable by local users.101440915995Stack-based buffer overflow in Internet Download Manager 4.05 allows remote attackers to execute arbitrary code via a long URL.http://www.ihsteam.com/download/ihsexpl/dlm.c1014404Backup Manager 0.5.8a creates temporary files insecurely, which allows local users to conduct unauthorized file operations when a user is burning a CDR.http://www.sukria.net/packages/backup-manager/15989Backup Manager 0.5.8a creates an archive repository with world readable and writable permissions, which allows attackers to modify or read the repository.http://www.sukria.net/packages/backup-manager/15989Buffer overflow in the mms_interp_header function in mms.c in MMS Ripper before 0.6.4 might allow remote attackers to execute arbitrary code via a file with more than 20 streams.http://nbenoit.tuxfamily.org/projects/mmsrip/ChangeLog15987MMS Ripper 0.6.4 (Default)apt-setup in Debian GNU/Linux installs the apt.conf file with insecure permissions, which allows local users to obtain sensitive information such as passwords.305142: apt-setup creates a world readable apt.conf file1595514173Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.x before 1.4.6 and 1.5 before 1.5beta3 allows remote attackers to inject arbitrary web script or HTML via a parameter in the page move template, a different vulnerability than CVE-2005-1888.http://sourceforge.net/project/shownotes.php?release_id=3402901418115950SUSE-SR:2005:019PHP remote file inclusion vulnerability in gals.php in PhotoGal Photo Gallery 1.5 and earlier allows remote attackers to execute arbitrary code via the news_file parameter.1014397Dansie Shopping Cart stores the vars.dat file under the web root with insufficient access control, which might allow remote attackers to obtain sensitive information such as program variables.1014396The device file system (devfs) in FreeBSD 5.x does not properly check parameters of the node type when creating a device node, which makes hidden devices available to attackers, who can then bypass restrictions on a jailed process.FreeBSD-SA-05:171433418123101453616145freebsd-devfs-gain-privileges(21451)Hosting Controller 6.1 Hotfix 2.1 allows remote authenticated users to perform unauthorized actions, such as modifying the credit limit, via a direct request to AccountActions.asp and modifying the CreditLimit parameter in an UpdateCreditLimit action.1014443** DISPUTED ** Dragonfly Commerce allows remote attackers to change a product price by modifying the x_DragonflyCartProductPrice hidden field to (1) dc_Categorieslist.asp, (2) dc_Categoriesview.asp, (3) dc_productslist.asp, and (4) dc_productslist_Clearance.asp. NOTE: the vendor has disputed this issue, saying that "Dragonfly Commerce does not allow for editing prices nor does it allow for viewing information about clients stored in the database except by the store owner and authorized staff as appointed in the store administration." However, SecurityTracker claims that they have been able to confirm the problem.1014451http://www.digitalparadox.org/viewadvisories.ah?view=4620050712 Dragonfly Shopping Cart Multiple vulnerabilities** DISPUTED ** Multiple SQL injection vulnerabilities in Dragonfly Commerce allows remote attackers to modify SQL statements and possibly execute arbitrary SQL commands via the (1) key parameter to dc_Categoriesview.asp, (2) dc_productslist_Clearance.asp, (3) PID parameter to ratings.asp, (4) dc_Productsview.asp, (5) start, (6) key_mp, (7) searchtype, or (8) psearch parameters to dc_forum_Postslist.asp. NOTE: the vendor has disputed this issue, saying that the error messages arise from invalid category and product numbers. Assuming that this is the case, the issue still satisfies the CVE definition of "exposure."1014451http://www.digitalparadox.org/viewadvisories.ah?view=4620050712 Dragonfly Shopping Cart Multiple vulnerabilitiesUnknown vulnerability in the HTTPMail service in MailEnable Professional before 1.6 has unknown impact and attack vectors.http://www.mailenable.com/professionalhistory.asp1014427Unknown vulnerability in the SMTP service in MailEnable Standard before 1.9 and Professional before 1.6 allows remote attackers to cause a denial of service (crash) during authentication.http://www.mailenable.com/professionalhistory.asphttp://www.mailenable.com/standardhistory.asp1014427aspnet_wp.exe in Microsoft ASP.NET web services allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a crafted SOAP message to an RPC/Encoded method.http://www.spidynamics.com/spilabs/advisories/aspRCP.html1600514217Microsoft MSN Messenger allows remote attackers to cause a denial of service via a plaintext message containing the ".pif" string, which is interpreted as a malicious file extension and causes users to be kicked from a group conversation. NOTE: it has been reported that Gaim is also affected, so this may be an issue in the protocol or MSN servers.http://www.digitalparadox.org/viewadvisories.ah?view=45http://www.messenger-blog.com/?p=1461014444Microsoft Outlook Express 6.0 leaks the default news server account when a user responds to a "watched" conversation thread, which could allow remote attackers to obtain sensitive information.90093014225Softiacom wMailserver 1.0 stores passwords in plaintext in the Darsite\MAILSRV\Admin key, which allows local users to gain administrator privileges.20050712 SoftiaCom MailServer - Local Password Disclosure Vulnerability142121014450Web Wiz Forums 7.9 and 8.0 allows remote attackers to view message titles of a hidden forum.14207Blog Torrent 0.92 and earlier stores sensitive files under the web document root in the (1) data or (2) torrents directories with insufficient access control, which allows remote attackers to obtain sensitive information such as account names and password hashes, as demonstrated using data/newusers.10144491598320050711 blogtorrent remote/local user password disclosureElectronic Mail Operator (elmo) 1.3.2-r1 and earlier creates the elmostats temporary file insecurely, which allows local users to overwrite arbitrary files.1597714235High Availability Linux Project Heartbeat 1.2.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files.16039DSA-761Buffer overflow in invscout in IBM AIX 5.1.0 through 5.3.0 might allow local users to execute arbitrary code via a long command line argument.http://www.caughq.org/advisories/CAU-2005-0002.txthttp://www.securityfocus.com/advisories/881613909101413215636Buffer overflow in multiple "p" commands in IBM AIX 5.1, 5.2 and 5.3 might allow local users to execute arbitrary code via long command line arguments to (1) penable or other hard-linked files including (2) pdisable, (3) pstart, (4) phold, (5) pdelay, or (6) pshare.http://www.caughq.org/advisories/CAU-2005-0006.txthttp://www.security-focus.com/advisories/868413915101413215636Buffer overflow in the getlvname command in IBM AIX 5.1, 5.2 and 5.3, might allow local users to execute arbitrary code via long command line arguments.http://www.caughq.org/advisories/CAU-2005-0005.txthttp://www.security-focus.com/advisories/868413914101413215636Buffer overflow in the diagTasksWebSM command in IBM AIX 5.1, 5.2 and 5.3, might allow local users to execute arbitrary code via long command line arguments.http://www.caughq.org/advisories/CAU-2005-0004.txthttp://www.security-focus.com/advisories/881913912101413215636Format string vulnerability in the paginit command in IBM AIX 5.3, and possibly other versions, might allow local users to execute arbitrary code via format strings in command line arguments.http://www.caughq.org/advisories/CAU-2005-0003.txt139111014132Format string vulnerability in the swcons command in IBM AIX 5.3, and possibly other versions, might allow local users to execute arbitrary code via long command line arguments.http://www.caughq.org/advisories/CAU-2005-0007.txt139211014132ftpd in IBM AIX 5.1, 5.2 and 5.3 allows remote authenticated users to cause a denial of service (port exhaustion and memory consumption) by using all ephemeral ports.1014421oftpd 0.3.7 allows remote attackers to cause a denial of service via a USER command with a large number of null (\0) characters.1014413xpvm.tcl in xpvm 1.2.5 allows local users to overwrite arbitrary files via a symlink attack on the xpvm.trace.$user temporary file.1604014228DSA-100319251Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1 does not quickly time out Realtime Information Server Data Collection (RISDC) sockets, which results in a "resource leak" that allows remote attackers to cause a denial of service (memory and connection consumption) in RisDC.exe.20050712 Cisco CallManager Memory Handling Vulnerabilities14250Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1 allows remote attackers to cause a denial of service (memory consumption and restart) via crafted packets to (1) the CTI Manager (ctimgr.exe) or (2) the CallManager (ccm.exe).20050712 Cisco CallManager Memory Handling Vulnerabilities1425114252Memory leak in inetinfo.exe in Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1, when Multi Level Admin (MLA) is enabled, allows remote attackers to cause a denial of service (memory consumption) via a large number of Admin Service Tool (AST) logins that fail.20050712 Cisco CallManager Memory Handling Vulnerabilities14253The aupair service (aupair.exe) in Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1 allows remote attackers to execute arbitrary code or corrupt memory via crafted packets that trigger a memory allocation failure and lead to a buffer overflow.20050712 Cisco CallManager Memory Handling Vulnerabilities14255malloc-return-value-dos(19053)Unknown vulnerability in F5 BIG-IP 9.0.2 through 9.1 allows attackers to "subvert the authentication of SSL transactions," via unknown attack vectors, possibly involving NATIVE ciphers.16008101445214215Multiple PHP remote file inclusion vulnerabilities in iPhotoAlbum 1.1 allow remote attackers to execute arbitrary code via the (1) doc_path parameter to getpage.php or (2) set_menu parameter to lib/static/header.php.10144481422916031 3596 20070329 iPhotoAlbum v1.1(header.php)Remote File Include Vulnerability 23189Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown impact and attack vectors.http://moodle.org/doc/?frame=release.html16028Directory traversal vulnerability in DownloadProtect before 1.0.3 allows remote attackers to read files above the download folder.1600314211Multiple unknown vulnerabilities in Jinzora 2.0.1 have unknown impact and attack vectors, possibly involving a PHP file inclusion vulnerability.http://freshmeat.net/projects/jinzora/?branch_id=43140&release_id=20039015952Buffer overflow in Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share.http://www.digitalmunition.com/DMA%5B2005-0712a%5D.txthttp://affix.sourceforge.net/affix_212_sec.patch14230DSA-762PHP remote file inclusion vulnerability in secure.php in PHPSecurePages (phpSP) 0.28beta and earlier allows remote attackers to execute arbitrary code via the cfgProgDir parameter, a variant of CVE-2001-1468.10144101599414201phpsecurepages-secure-file-include(29263)PhpAuction 2.5 allows remote attackers to bypass authentication and gain privileges as another user by setting the PHPAUCTION_RM_ID cookie to the user ID.101442315967SQL injection vulnerability in PhpAuction 2.5 allow remote attackers to modify SQL queries via the category parameter to adsearch.php. NOTE: there is evidence that viewnews.php may not be part of the PhpAuction product, so it is not included in this description.101442315967Multiple cross-site scripting (XSS) vulnerabilities in PhpAuction 2.5 allow remote attackers to inject arbitrary web script or HTML via the lan parameter to(1) index.php or (2) admin/index.php, or (3) the auction_id parameter to profile.php. NOTE: there is evidence that viewnews.php and login.php may not be part of the PhpAuction product, so they are not included in this description.101442315967Directory traversal vulnerability in PhpAuction 2.5 allows remote attackers to read arbitrary files, include local PHP files, or obtain sensitive path information via ".." sequences in the lan parameter to (1) index.php or (2) admin/index.php.101442315967Encoded directory traversal vulnerability in phpPgAdmin 3.1 to 3.5.3 allows remote attackers to access arbitrary files via "%2e%2e%2f" (encoded dot dot) sequences in the formLanguage parameter.14142101441415941http://www.vuxml.org/freebsd/88188a8c-eff6-11d9-8310-0001020eed82.html[Dailydave] 20050704 !!! pre-authenticated remote code inclusion vulnerability inside phppgadmin !!!DSA-759http://sourceforge.net/project/shownotes.php?release_id=34226116116The saveProfile function in PhpSlash 0.8.0 allows remote attackers to modify arbitrary profiles and gain privileges by modifying the author_id parameter.20050707 phpSlash account hijacking vulnerability159361014415PHP remote file inclusion vulnerability in photolist.inc.php in Squito Gallery 1.33 allows remote attackers to execute arbitrary code via the photoroot parameter.10144471600914219The dispallclosed2 function in dispallclosed.pl for multiple USANet Creations products, including (1) USANet Shopping Mall Software, (2) Domain Name Auction Software, (3) Standard Classified Ads Software, and (4) MakeBid Reverse Auction allows remote attackers to execute arbitrary code via shell metacharacters in the DISPCLOSED parameter.14179101441115985The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user.http://www.mozilla.org/security/announce/mfsa2005-45.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=289940http://www.networksecurity.fi/advisories/netscape-multiple-issues.htmlhttp://bugzilla.mozilla.org/show_bug.cgi?id=289940P-25214242ADV-2005-1075160431604416059DSA-810FLSA:160202OVAL100013OVAL1226OVAL742RHSA-2005:586RHSA-2005:587SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100013oval:org.mitre.oval:def:1226oval:org.mitre.oval:def:742Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection.http://www.mozilla.org/security/announce/mfsa2005-46.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=292591https://bugzilla.mozilla.org/show_bug.cgi?id=292589http://www.networksecurity.fi/advisories/netscape-multiple-issues.htmlP-25214242ADV-2005-1075160431604416059DSA-810FLSA:160202OVAL100012OVAL1348OVAL808RHSA-2005:586RHSA-2005:587RHSA-2005:601SUSE-SA:2006:02219823SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100012oval:org.mitre.oval:def:1348oval:org.mitre.oval:def:808Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling."http://www.mikx.de/firewalling/http://www.mozilla.org/security/announce/mfsa2005-47.htmlhttp://www.networksecurity.fi/advisories/netscape-multiple-issues.htmlP-252http://www.securiteam.com/securitynews/5ZP0E0UGAK.html14242ADV-2005-10751604316044OVAL100011RHSA-2005:586SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100011The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation.http://www.mozilla.org/security/announce/mfsa2005-48.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=293331P-25214242ADV-2005-10751604316059DSA-810FLSA:160202OVAL100010OVAL100016OVAL1281OVAL1311RHSA-2005:586RHSA-2005:587SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100010oval:org.mitre.oval:def:100016oval:org.mitre.oval:def:1281oval:org.mitre.oval:def:1311Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL.http://www.mozilla.org/security/announce/mfsa2005-49.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=294074P-25214242ADV-2005-107516043OVAL100009RHSA-2005:586SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100009Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string.http://www.mozilla.org/security/announce/mfsa2005-50.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=295854http://www.networksecurity.fi/advisories/netscape-multiple-issues.htmlP-25214242ADV-2005-1075160431604416059DSA-810FLSA:160202OVAL100008OVAL417OVAL781RHSA-2005:586RHSA-2005:587RHSA-2005:601SUSE-SA:2006:02219823SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100008oval:org.mitre.oval:def:417oval:org.mitre.oval:def:781Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents.http://www.mozilla.org/security/announce/mfsa2005-52.html1554914242ADV-2005-10751555115553mozilla-frame-topfocus-xss(21332)DSA-810FLSA:160202OVAL100107OVAL1415OVAL773RHSA-2005:586RHSA-2005:587RHSA-2005:601SUSE-SA:2006:02219823SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100107oval:org.mitre.oval:def:1415oval:org.mitre.oval:def:773Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL.http://www.mozilla.org/security/announce/mfsa2005-53.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=298255P-25214242ADV-2005-1075101446916043FLSA:160202OVAL100006OVAL1073OVAL1172RHSA-2005:586RHSA-2005:587SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100006oval:org.mitre.oval:def:1073oval:org.mitre.oval:def:1172Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/http://www.mozilla.org/security/announce/mfsa2005-54.html1548914242ADV-2005-1075DSA-810FLSA:160202OVAL1268OVAL1313OVAL100005RHSA-2005:586RHSA-2005:587SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:1268oval:org.mitre.oval:def:1313oval:org.mitre.oval:def:100005Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing").http://www.mozilla.org/security/announce/mfsa2005-55.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=298892http://www.networksecurity.fi/advisories/netscape-multiple-issues.htmlP-25214242ADV-2005-1075160431605916044DSA-810FLSA:160202OVAL100004OVAL100005OVAL100011OVAL1258OVAL729RHSA-2005:586RHSA-2005:587RHSA-2005:601SUSE-SA:2006:02219823SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100004oval:org.mitre.oval:def:100005oval:org.mitre.oval:def:100011oval:org.mitre.oval:def:1258oval:org.mitre.oval:def:729Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object.http://www.mozilla.org/security/announce/mfsa2005-56.htmlhttps://bugzilla.mozilla.org/show_bug.cgi?id=294795https://bugzilla.mozilla.org/show_bug.cgi?id=294799https://bugzilla.mozilla.org/show_bug.cgi?id=295011https://bugzilla.mozilla.org/show_bug.cgi?id=296397P-25214242ADV-2005-107510144701604316059DSA-810FLSA:160202OVAL100003OVAL550OVAL817VU#652366RHSA-2005:586RHSA-2005:587RHSA-2005:601SUSE-SA:2006:02219823SUSE-SA:2005:045SUSE-SR:2005:018oval:org.mitre.oval:def:100003oval:org.mitre.oval:def:550oval:org.mitre.oval:def:817iCab 2.9.8 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/15477Safari version 2.0 (412) does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."http://secunia.com/secunia_research/2005-12/advisory/http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/APPLE-SA-2005-11-29101529414011173971547417813mozilla-javascript-dialog-box-spoofing(21070)ADV-2005-2659Opera 7.x and 8 before 8.01 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/http://secunia.com/secunia_research/2005-8/15488Microsoft Internet Explorer 6.0 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability."http://secunia.com/secunia_research/2005-9/advisory/http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/http://www.microsoft.com/technet/security/advisory/902333.mspx1549115492Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. "j&#X41vascript" in an IMG tag.20050719 [ISR] - Novell Groupwise WebAccess Cross-Site Scriptinghttp://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm1431016098novell-groupwise-webaccess-xss(21421)101451518064Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename argument of a PUT command.http://www.digitalmunition.com/DMA[2005-0712b].txtDSA-762http://affix.sourceforge.net/affix_212_sec.patchhttp://affix.sourceforge.net/affix_320_sec.patch1423220050712 MA[2005-0712b] - 'Nokia Affix Bluetooth btsrv/btobex poor use of system()Stack-based buffer overflow in the IMAP daemon (imapd) in MailEnable Professional 1.54 allows remote authenticated users to execute arbitrary code via the status command with a long mailbox name.20050712 CORE-2005-0629: MailEnable Buffer Overflow Vulnerabilityhttp://www.coresecurity.com/common/showdoc.php?idx=467&idxseccion=10Cisco ONS 15216 Optical Add/Drop Multiplexer (OADM) running firmware 2.2.2 and earlier allows remote attackers to cause a denial of service (management plane session loss) via crafted telnet data.20050713 Cisco ONS 15216 OADM Telnet Denial-of-Service Vulnerability1424610144751607317863Cisco Security Agent (CSA) 4.5 allows remote attackers to cause a denial of service (system crash) via a crafted IP packet.20050713 Cisco Security Agent Vulnerable to Crafted IP Attackcsa-ip-dos(21344)WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords.http://www.kb.cert.org/vuls/id/JGEI-6BWQDQVU#491770Multiple cross-site scripting (XSS) vulnerabilities in WebEOC before 6.0.2 allow remote attackers to inject arbitrary web script and HTML via unknown vectors.http://www.kb.cert.org/vuls/id/JGEI-6BVST4VU#138538WebEOC before 6.0.2 does not properly restrict the size of an uploaded file, which allows remote authenticated users to cause a denial of service (system and database resource consumption) via a large file.http://www.kb.cert.org/vuls/id/JGEI-6BWLERVU#956762Multiple SQL injection vulnerabilities in WebEOC before 6.0.2 allow remote attackers to modify SQL statements via unknown attack vectors.http://www.kb.cert.org/vuls/id/JGEI-6C8Q27VU#372797WebEOC before 6.0.2 stores sensitive information in locations such as URIs, web pages, and configuration files, which allows remote attackers to obtain information such as Usernames, Passwords, Emergency information, medical information, and system configuration.http://www.kb.cert.org/vuls/id/JGEI-6BWPXLVU#165290WebEOC before 6.0.2 does not properly check user authorization, which allows remote attackers to gain privileges via a direct request to a resource.http://www.kb.cert.org/vuls/id/JGEI-6BWLWGVU#258834SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space, possibly triggering a buffer overflow.20050712 SoftiaCom MailServer v2.0 - Denial Of ServiceCross-site scripting (XSS) vulnerability in PHPCounter 7.2 allows remote attackers to inject arbitrary web script or HTML via the EpochPrefix parameter.20050713 Path Disclosure and XSS problem in PHP Counter 7.215816142561014478PHPCounter 7.2 allows remote attackers to obtain sensitive information via a direct request to prelims.php, which reveals the path in an error message.20050713 Path Disclosure and XSS problem in PHP Counter 7.2158161014478wps_shop.cgi in WPS Web Portal System 0.7.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and (2) cat variables.20050713 WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands1578014245101448015780Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 passes the cleartext password as a parameter when starting sqlplus, which allows local users to gain sensitive information.20050713 Advisory: Oracle JDeveloper passes Plaintext Passwordhttp://www.red-database-security.com/advisory/oracle_jdeveloper_passes_plaintext_password.htmlOracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 stores cleartext passwords in (1) IDEConnections.xml, (2) XSQLConfig.xml and (3) settings.xml, which allows local users to obtain sensitive information.20050713 Advisory: Oracle JDeveloper Plaintext Passwordshttp://www.red-database-security.com/advisory/oracle_jdeveloper_plaintext_password.htmlhttp://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html15991jdeveloper-config-plaintext-password(21342)Oracle Formsbuilder 9.0.4 stores database usernames and passwords in a temporary file, which is not deleted after it is used, which allows local users to obtain sensitive information.20050713 Advisory: Oracle Forms Builder Password in Temp Fileshttp://www.red-database-security.com/advisory/oracle_formsbuilder_temp_file_issue.htmlhttp://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html15991formsbuilder-temp-file-plaintext-password(21343)Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number of records are retrieved by an Oracle form, stores a copy of the database tables in a world-readable temporary file, which allows local users to gain sensitive information such as credit card numbers.20050713 Advisory: Oracle Forms Insecure Temporary File Handlinghttp://www.red-database-security.com/advisory/oracle_forms_unsecure_temp_file_handling.htmlhttp://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html15991formsbuilder-temp-file-info-disclosure(21347)NetPanzer 0.8 and earlier allows remote attackers to cause a denial of service (infinite loop) via a packet with a zero datablock size.netpanzer-datablock-dos(21361)1425710144791605520050713 Endless loop in NetPanzer 0.8YabbSE 1.5.5c allows remote attackers to obtain sensitive information via a direct request to ssi_examples.php, which reveals the path.20050714 YaBBSe 1.5.5c Path disclosure problemStack-based buffer overflow in TreeAction.do in Sybase EAServer 4.2.5 through 5.2 allows remote authenticated users to execute arbitrary code via a large javascript parameter.20050715 Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htmhttp://www.sybase.com/detail?id=1036742101449716108BitDefender Engine 1.6.1 and earlier does not properly scan all attachments, which allows remote attackers to bypass virus scanning via begin and end commands in the body of the e-mail, which BitDefender treats as a uuencoded attachment and stops scanning afterwards.20050714 05_07_14-bitdefender_malicious_content_bypass1014495Multiple cross-site scripting (XSS) vulnerabilities in Simple Message Board Version 2.0 Beta 1 allow remote attackers to inject arbitrary web script or HTML via the (1) FID parameter to forum.cfm, (2) UID parameter to user.cfm, (3) TID parameter to thread.cfm, or (4) PostDate parameter to search.cfm.20050714 XSS in forums Simple Message Board Version 2.0 Beta 1142661014494142671426814269Skype 1.1.0.20 and earlier allows local users to overwrite arbitrary files via a symlink attack on the skype_profile.jpg temporary file.20050716 [ZH2005-16SA] Insecure temporary file creation in Skype for Linuxhttp://www.zone-h.org/advisories/read/id=780816105PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack.20050716 PowerDNS 2.9.18 fixes two security issues affecting users of LDAPhttp://doc.powerdns.com/changelog.html#CHANGELOG-2-9-18142901014504SUSE-SR:2005:019PowerDNS before 2.9.18, when allowing recursion to a restricted range of IP addresses, does not properly handle questions from clients that are denied recursion, which could cause a "blank out" of answers to those clients that are allowed to use recursion.20050716 PowerDNS 2.9.18 fixes two security issues affecting users of LDAPhttp://doc.powerdns.com/changelog.html#CHANGELOG-2-9-181014504SUSE-SR:2005:019** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1218. Reason: This candidate is a duplicate of CVE-2005-1218. Notes: All CVE users should reference CVE-2005-1218 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Microsoft MSN Messenger 9.0 and Internet Explorer 6.0 allows remote attackers to cause a denial of service (crash) via an image with an ICC Profile with a large Tag Count.20050716 Internet Explorer / MSN ICC Profiles Crash PoC Exploit14288DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow.http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=721426316070Race condition in Macromedia JRun 4.0, ColdFusion MX 6.1 and 7.0, when under heavy load, causes JRun to assign a duplicate authentication token to multiple sessions, which could allow authenticated users to gain privileges as other users.http://www.macromedia.com/devnet/security/security_zone/mpsb05-05.html160811014489netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability."1426016065OVAL1250OVAL1254OVAL1289OVAL1532OVAL7861717217223MS05-045oval:org.mitre.oval:def:1250oval:org.mitre.oval:def:1254oval:org.mitre.oval:def:1289oval:org.mitre.oval:def:1532oval:org.mitre.oval:def:786The JPEG decoder in Microsoft Internet Explorer allows remote attackers to cause a denial of service (CPU consumption or crash) and possibly execute arbitrary code via certain crafted JPEG images, as demonstrated using (1) mov_fencepost.jpg, (2) cmp_fencepost.jpg, (3) oom_dos.jpg, or (4) random.jpg.20050715 Compromising pictures of Microsoft Internet Explorer!http://lcamtuf.coredump.cx/crash142841428514286Opera 8.01 allows remote attackers to cause a denial of service (CPU consumption) via a crafted JPEG image, as demonstrated using random.jpg.20050715 Compromising pictures of Microsoft Internet Explorer!http://lcamtuf.coredump.cx/crash20050718 Re: Compromising pictures of Microsoft Internet Explorer!Buffer overflow in Winamp 5.03a, 5.09 and 5.091, and other versions before 5.094, allows remote attackers to execute arbitrary code via an MP3 file with a long ID3v2 tag such as (1) ARTIST or (2) TITLE.http://security.lss.hr/index.php?page=details&ID=LSS-2005-07-1410144831427616077ADV-2005-110617897SMS 1.9.2m and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) request1 or (2) request2 temporary files.16038management.php in Realnode Emilda 1.2.2 and earlier allows remote attackers to perform actions as other users by modifying the user_id parameter.http://sourceforge.net/project/shownotes.php?release_id=3385511424415857Check Point SecuRemote NG with Application Intelligence R54 allows attackers to obtain credentials and gain privileges via unknown attack vectors.14221inc.login.php in PHPsFTPd 0.2 through 0.4 allows remote attackers to obtain the administrator's username and password by setting the do_login parameter and performing an edit action using user.php, which causes the login check to be bypassed and leaks the password in the response.http://packetstorm.linuxsecurity.com/0507-exploits/phpsftpd.txt14222ADV-2005-11011587920050713 PHPsFTPd - Admin password leak1014481Buffer overflow in Domain Name Relay Daemon (DNRD) before 2.19.1 allows remote attackers to execute arbitrary code via a large number of large DNS packets with the Z and QR flags cleared.This vulnerability is addressed in the following product release: dnrd, dnrd, 2.19.1 This vulnerability affects all versions of dnrd prior to 2.19.1DNRD 2.19.1 releasednrd -- remote buffer and stack overflow vulnerabilities101455716142Domain Name Relay Daemon (DNRD) before 2.19.1 allows remote attackers to cause a denial of service (infinite recursion) via a DNS packet that uses message compression in the QNAME and two pointers that point to each other (circular buffer).101455716142Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0.17, when MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is set to ACCEPT, allows remote attackers with an accepted MAC address to bypass other firewall rules or policies.20050718 Shorewall MACLIST Problemhttp://shorewall.net/News.htm#2005071716087GLSA-200507-20DSA-849USN-197-1142921711017113Cross-site scripting (XSS) vulnerability in showerr.asp in DVBBS 7.1 SP2 allows remote attackers to inject arbitrary web script or HTML via the action parameter.14223PHP remote file include vulnerability in Yawp library 1.0.6 and earlier, as used in YaWiki and possibly other products, allows remote attackers to include arbitrary files via the _Yawp[conf_path] parameter.20050712 Advisory 10/2005: Yawp/YaWiki Remote URL Include Vulnerabilityhttp://www.hardened-php.net/advisory-102005.phphttp://phpyawp.com/yawiki/index.php?page=ChangeLog1423716049WebCalendar before 1.0.0 does not properly restrict access to assistant_edit.php, which allows remote attackers to gain privileges.14072PHP remote file inclusion vulnerability in CaLogic 1.2.2 allows remote attackers to execute arbitrary code via the CLPATH parameter to (1) cl_minical.php, (2) clmcpreload.php, (3) mcconfig.php, or (4) mcpi-demo.php.16090http://www.calogic.de/modules/newbb/viewtopic.php?topic_id=333&forum=714296Cross-site scripting (XSS) vulnerability in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allows remote attackers to inject arbitrary web script or HTML via the (1) viewuser_id or (2) group parameter to users.php.http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html142611014485101448616078Multiple SQL injection vulnerabilities in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allow remote attackers to modify SQL statements via the (1) id parameter to viewattach.php, (2) viewuser_id parameter to users.php, or the (3) id or (4) forum parameter to viewforum.php.http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html1014485101448616078Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the searchtype or searchterm parameters to (1) results.php or (2) categorysearch.php.http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.htmlClever Copy 2.0 and 2.0a allows remote attackers to obtain the full path of the web root via a direct request to (1) ticker.php, (2) menu.php, (3) banned.php, (4) endlayout.php, (5) randomhlinesblock.php, (6) showlast.php, (7) showlast5class1.php, (8) showlast5phorum.php, (9) showlast5phorumblock.php, (10) showlastforumbb2.php, or (11) showlastforumbb2block.php.http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.htmlCross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the yr parameter to calendar.php.http://lostmon.blogspot.com/2005/07/clever-copy-calendarphp-yr-variable.htmlCross-site scripting (XSS) vulnerability in e107 0.617 and earlier allows remote attackers to inject arbitrary web script or HTML via nested [url] BBCode tags.http://milw0rm.com/id.php?id=11061014513 1106PHP remote file inclusion vulnerability in im.php in Laffer 0.3.2.6 and 0.3.2.7 allows remote attackers to execute arbitrary PHP code via the CFG_PATH variable.http://sourceforge.net/tracker/index.php?func=detail&aid=1235463&group_id=101249&atid=629313http://laffer.sourceforge.net/cgi-bin/index.pl?page=news&key=37374741014264MRV Communications In-Reach LX-8000S, LX-4000S, and LX-1000S 3.5.0, when using SSH public key authentication, does not properly restrict access to ports, which allows remote authenticated users to access the consoles of other users.20050718 MRV In-Reach console server: Port Access Control Bypass Vulnerability143001014517Directory traversal vulnerability in extras/update.php in osCommerce 2.2 allows remote attackers to read arbitrary files via (1) .. sequences or (2) a full pathname in the readme_file parameter.1429420060414 osCommerce 20060414 RE: osCommerce 182491015944oscommerce-extrasupdate-info-disclosure(25861)PHP remote file inclusion vulnerability in display.php in MooseGallery allows remote attackers to execute arbitrary PHP code via the type parameter.14280101448716093moosegallery-display-file-include(21388)Cross-site scripting (XSS) vulnerability in PHPPageProtect 1.0.0a allows remote attackers to inject arbitrary web script or HTML via the username parameter to (1) admin.php or (2) login.php.1014510161101431414318Cross-site scripting (XSS) vulnerability in smilies_popup.php in SEO-Board 1.0 allows remote attackers to inject arbitrary web script or HTML via the doc parameter.10145091432016051Y.SAK allows remote attackers to execute arbitrary commands via shell metacharacters in the $no variable to (1) w_s3mbfm.cgi, (2) w_s3adix.cgi, or (3) w_s3sbfm.cgi.101450214299Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier.http://fetchmail.berlios.de/fetchmail-SA-2005-01.txthttp://developer.berlios.de/project/shownotes.php?release_id=6617FEDORA-2005-613FEDORA-2005-614http://www.redhat.com/archives/fedora-announce-list/2005-July/msg00104.html14349ADV-2005-11711617618174DSA-774OVAL1038OVAL1124RHSA-2005:64020060526 rPSA-2006-0084-1 fetchmailSUSE-SR:2005:018APPLE-SA-2006-08-012125320060801 DMA[2006-0801a] - 'Apple OSX fetchmail buffer overflow'ADV-2006-310119289oval:org.mitre.oval:def:1038oval:org.mitre.oval:def:1124 TA06-214ACross-site scripting (XSS) vulnerability in Hiki 0.8.0 to 0.8.2 allows remote attackers to inject arbitrary web script or HTML via "missing pages" in which the page name is not properly escaped, a different vulnerability than CVE-2005-2803.1707515021Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin).VU#16001216904DSA-860DSA-862RHSA-2005:799GLSA-200510-05149091014948ruby-eval-security-bypass(22360)USN-195-1MDKSA-2005:191DSA-86417094171291714717285SUSE-SR:2006:0051913017098APPLE-SA-2006-05-11TA06-132A2007717951ADV-2006-177959Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.12 JP and earlier, XOOPS 2.0.13.1 and earlier, and 2.2.x up to 2.2.3 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) modules that use "XOOPS Code" and (2) newbb in the forum module.173001519520051025 [SNS Advisory No.85] XOOPS Multiple Cross-site Scripting VulnerabilitiesCross-site scripting (XSS) vulnerability in the Unicode version of msearch (unicode-msearch) 1.51(U1)-beta1, 1.51(U1), and 1.52(U1) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.JVN#79925E6FHeap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field.APPLE-SA-2006-01-1016202ADV-2006-01281837020060111 [EEYEB-20051220] Apple QuickTime QTIF Stack Overflow20060111 Updated Advisories - Incorrect CVE Information20060111 [CIRT.DK] Apple QuickTime 7.0.3 and earlier - JPG/PICT Buffer OverflowVU#629845TA06-011AVU#687201162122233322334223351015463quicktime-qtif-bo(24054)20060111 Updated Advisories - Incorrect CVE Information20060111 [EEYEB-20051220] Apple QuickTime QTIF Stack Overflow332Heap-based buffer overflow in Research in Motion (RIM) BlackBerry Attachment Service allows remote attackers to cause a denial of service (hang) via an e-mail attachment with a crafted TIFF file.VU#5707681015426ADV-2006-00111609818277Research in Motion (RIM) BlackBerry Router allows remote attackers to cause a denial of service (communication disruption) via crafted Server Routing Protocol (SRP) packets.VU#392920161001015427ADV-2006-001118277Research in Motion (RIM) BlackBerry Handheld web browser for BlackBerry Handheld before 4.0.2 allows remote attackers to cause a denial of service (hang) via a Java Application Description (JAD) file with a long application name and vendor string, which prevents a browser dialog from being properly dismissed.VU#82940016099ADV-2006-00111015428The BlackBerry Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) 4.0 to version 4.0 Service Pack 2 allows attackers to cause a denial of service via a malformed Portable Network Graphics (PNG) file that triggers a heap-based buffer overflow.VU#646976ADV-2006-01271839316204blackberry-attachment-png-bo(24063)Buffer overflow in Novell GroupWise 6.5 Client allows remote attackers to execute arbitrary code via a GWVW02xx.INI language file with a long entry, as demonstrated using a long ES02TKS.VEW value in the Group Task section.http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098314.htm20050727 [ISR] - Novell GroupWise Client Remote Buffer Overflowrun-mozilla.sh in Thunderbird, with debugging enabled, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files.USN-157-1MDKSA-2005:173MDKSA-2005:174DSA-104619863DSA-10511444319941** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2335, CVE-2005-2356. Reason: due to a typo in an advisory, this candidate was accidentally referenced. Notes: All CVE users should consult CVE-2005-2335 and CVE-2005-2356 to determine the appropriate identifier for the issue.Directory traversal vulnerability in EMC Navisphere Manager 6.4.1.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL.14487emcnavispheremanager-directory-traversal(21726)10146291634420050805 EMC Navisphere Manager Directory Traversal VulnerabilityEMC Navisphere Manager 6.4.1.0.0 allows remote attackers to list arbitrary directories via an HTTP request for a directory that ends in a "." (trailing dot).1448710146291634420050805 EMC Navisphere Manager Directory Traversal VulnerabilityThe AES-XCBC-MAC algorithm in IPsec in FreeBSD 5.3 and 5.4, when used for authentication without other encryption, uses a constant key instead of the one that was assigned by the system administrator, which can allow remote attackers to spoof packets to establish an IPsec session.FreeBSD-SA-05:1916244freebsd-aesxcbcmac-security-bypass(21551)143941014586Unknown vulnerability in the LDAP dissector in Ethereal 0.8.5 through 0.10.11 allows remote attackers to cause a denial of service (free static memory and application crash) via unknown attack vectors.http://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27FLSA-2006:152922RHSA-2005:68714399DSA-8531622517102SUSE-SR:2005:019Unknown vulnerability in the (1) AgentX dissector, (2) PER dissector, (3) DOCSIS dissector, (4) SCTP graphs, (5) HTTP dissector, (6) DCERPC, (7) DHCP, (8) RADIUS dissector, (9) Telnet dissector, (10) IS-IS LSP dissector, or (11) NCP dissector in Ethereal 0.8.19 through 0.10.11 allows remote attackers to cause a denial of service (application crash or abort) via unknown attack vectors.http://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27FLSA-2006:152922RHSA-2005:68714399DSA-8531622517102SUSE-SR:2005:019Unknown vulnerability several dissectors in Ethereal 0.9.0 through 0.10.11 allows remote attackers to cause a denial of service (application crash) by reassembling certain packets.http://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27FLSA-2006:152922RHSA-2005:6871439916225SUSE-SR:2005:019Unknown vulnerability in the (1) SMPP dissector, (2) 802.3 dissector, (3) DHCP, (4) MEGACO dissector, or (5) H1 dissector in Ethereal 0.8.15 through 0.10.11 allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors.http://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27FLSA-2006:152922RHSA-2005:68714399DSA-8531622517102SUSE-SR:2005:019SUSE-SR:2005:018Unknown vulnerability in the (1) GIOP dissector, (2) WBXML, or (3) CAMEL dissector in Ethereal 0.8.20 through 0.10.11 allows remote attackers to cause a denial of service (application crash) via certain packets that cause a null pointer dereference.http://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27FLSA-2006:152922RHSA-2005:6871439918386DSA-8531622517102SUSE-SR:2005:019Unknown vulnerability in the SMB dissector in Ethereal 0.9.0 through 0.10.11 allows remote attackers to cause a buffer overflow or a denial of service (memory consumption) via unknown attack vectors.http://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27FLSA-2006:152922RHSA-2005:68714399DSA-8531622517102SUSE-SR:2005:019Unknown vulnerability in the BER dissector in Ethereal 0.10.11 allows remote attackers to cause a denial of service (abort or infinite loop) via unknown attack vectors.http://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27FLSA-2006:152922RHSA-2005:68714399DSA-8531622517102SUSE-SR:2005:019Format string vulnerability in the proto_item_set_text function in Ethereal 0.9.4 through 0.10.11, as used in multiple dissectors, allows remote attackers to write to arbitrary memory locations and gain privileges via a crafted AFP packet.20050805 Multiple Vendor Ethereal AFP Protocol Dissector Format String Vulnerabilityhttp://www.ethereal.com/appnotes/enpa-sa-00020.htmlGLSA-200507-27MDKSA-2005:131FLSA-2006:152922RHSA-2005:68714399DSA-8531622517102SUSE-SR:2005:019SUSE-SR:2005:018vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels.20050725 Help poor children in Ugandahttp://www.guninski.com/where_do_you_want_billg_to_go_today_5.html14374RHSA-2005:745Multiple integer signedness errors in libgadu, as used in ekg before 1.6rc2 and other packages, may allow remote attackers to cause a denial of service or execute arbitrary code.20050721 Multiple vulnerabilities in libgadu and ekg packageDSA-81314415Multiple "memory alignment errors" in libgadu, as used in ekg before 1.6rc2, Gaim before 1.5.0, and other packages, allows remote attackers to cause a denial of service (bus error) on certain architectures such as SPARC via an incoming message.20050721 Multiple vulnerabilities in libgadu and ekg packageDSA-81316265FLSA:158543RHSA-2005:627DSA-131824600Directory traversal vulnerability in Oracle Reports 6.0, 6i, 9i, and 10g allows remote attackers to overwrite arbitrary files via (1) "..", (2) Windows drive letter (C:), and (3) absolute path sequences in the desname parameter. NOTE: this issue was probably fixed by REP06 in CPU Jan 2006, in which case it overlaps CVE-2006-0289.20050719 Oracle Security Advisory: Overwrite any file via desname in Oracle Reportshttp://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html143091014524ADV-2006-03231849318608oracle-january2006-update(24321)20060117 Oracle Reports - Overwrite any application server file via desname (fixed after 889 days)Oracle Forms 4.5 through 10g starts form executables from arbitrary directories and executes them as the Oracle or System user, which allows attackers to execute arbitrary code by uploading a malicious .fmx file and referencing it using an absolute pathname argument in the (1) form or (2) module parameters to f90servlet.20050719 Oracle Security Advisory: Run any OS Command via unauthorized Oracle Formshttp://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.htmlBuffer overflow in SlimFTPd 3.15 and 3.16 allows remote authenticated users to execute arbitrary code via a long directory name to (1) LIST, (2) DELE or (3) RNFR commands.20050721 Arbitrary code execution in SlimFTPd v3.16http://www.whitsoftdev.com/slimftpd/161771014542Belkin 54g wireless routers do not properly set an administrative password, which allows remote attackers to gain access via the (1) Telnet or (2) weba dministration interfaces.20050715 several vulnerabilities present in Belkin wireless routers1014493belkin-router-default-password(21412)Format string vulnerability in Race Driver 1.20 and earlier allows remote attackers to cause a denial of service (application crash) via format string specifiers in a (1) nickname or (2) chat message.20050718 Broadcast format string and buffer-overflow in Race Driver 1.20Buffer overflow in Race Driver 1.20 and earlier allows remote attackers to cause a denial of service (application crash) via a long (1) nickname or (2) chat message.20050718 Broadcast format string and buffer-overflow in Race Driver 1.20nss_ldap 181 to versions before 213, as used in Mandrake Corporate Server and Mandrake 10.0, and other operating systems, does not properly handle a SIGPIPE signal when sending a search request to an LDAP directory server, which might allow remote attackers to cause a denial of service (crond and other application crash) if they can cause an LDAP server to become unavailable. NOTE: it is not clear whether this attack scenario is sufficient to include this item in CVE.MDKSA-2005:121http://qa.mandriva.com/show_bug.cgi?id=13271nssldap-sigpipe-dos(40501)Directory traversal vulnerability in Oracle Reports allows remote attackers to read arbitrary files via an absolute or relative path to the (1) CUSTOMIZE or (2) desformat parameters to rwservlet. NOTE: vector 2 is probably the same as CVE-2006-0289, and fixed in Jan 2006 CPU.20050719 Oracle Security Advisory: Read parts of any XML-file via customize parameter in Oracle Reports20050719 Oracle Security Advisory: Read parts of any file via desformat in Oracle Reportshttp://www.red-database-security.com/advisory/oracle_reports_read_any_file.htmlhttp://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html10145251014527ADV-2006-03231849318608oracle-january2006-update(24321)20060117 Oracle Reports - Read parts of files via desname (fixed after 874 days)Multiple cross-site scripting (XSS) vulnerabilities in Oracle Reports 9.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) debug parameter to showenv, (2) test parameter to parsequery, or (3) delimiter or (4) CELLWRAPPER parameter to rwservlet.20050719 Oracle Security Advisory: Various Cross-Site-Scripting Oracle Reportshttp://www.red-database-security.com/advisory/oracle_reports_various_css.htmlMultiple cross-site scripting vulnerabilities in PHP Surveyor 0.98 allow remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) start, and (3) id parameters to browse.php, or the sid parameter to (4) dataentry.php or (5) export.php.20050720 Multiple Vulnerabilities in PHP Surveyor16123PHP Surveyor 0.98 allows remote attackers to obtain sensitive information via a direct request to (1) question.php, (2) survey.php, or (3) group.php in the root directory, a direct request to (4) database.php, (5) sessioncontrol.php, (6) html.php, (7) sessioncontrol.php, an invalid (8) qid parameter to dumpquestion.php, or an invalid lid parameter to (9) labels.php or (10) dumplabel.php, which reveal the path in an error message.20050720 Multiple Vulnerabilities in PHP Surveyor16123Oray PeanutHull 3.0.1.0 and earlier does not properly drop SYSTEM privileges when launched from the system tray, which allows local users to gain privileges by accessing the Help functionality.20050720 PeanutHull Local Privilege Escalation Vulnerabilityhttp://secway.org/advisory/AD20050720EN.txt1433016124SQL injection vulnerability in auth.php in PHPNews 1.2.5 allows remote attackers to execute arbitrary SQL commands via the user parameter in an HTTP POST request.20050720 PHPNews SQL injection vulnerabilityhttp://newsphp.sourceforge.net/changelog/changelog_1.30.txt1614814333Directory traversal vulnerability in a third-party compression library (UNACEV2.DLL), as used in avast! Antivirus Home/Professional Edition 4.6.665 and Server Edition 4.6.460, allows remote attackers to write arbitrary files via an ACE archive containing filenames with (1) .. or (2) absolute pathnames.http://secunia.com/secunia_research/2005-20/advisory/http://www.avast.com/eng/av4_revision_history.html157761014544Buffer overflow in a third-party compression library (UNACEV2.DLL), as used in avast! Antivirus Home/Professional Edition 4.6.665 and Server Edition 4.6.460, allows remote attackers to execute arbitrary code via an ACE archive containing a long filename.http://secunia.com/secunia_research/2005-20/advisory/http://www.avast.com/eng/av4_revision_history.html157761014544Cross-site scripting (XSS) vulnerability in viewCart.asp in CartWIZ 1.20 allows remote attackers to inject arbitrary web script or HTML via the message parameter.http://www.hackerscenter.com/archive/view.asp?id=400814386Multiple stack-based buffer overflows in GoodTech SMTP server 5.16 allow remote attackers to execute arbitrary code via (1) a RCPT TO command with a long DNS name, or (2) a large number of RCPT TO commands with a long e-mail name arugment in the last command.20050723 GoodTech SMTP server 5.16 RCPT TO command remote buffer overflow14357Buffer overflow in a certain USB driver, as used on Microsoft Windows, allows attackers to execute arbitrary code.http://www.eweek.com/article2/0,1759,1840131,00.asp1437618493162101014566windows-usb-device-bo(21539)NDMP server in Veritas NetBackup 5.1 allows attackers to cause a denial of service via a CONFIG message with an out-of-range timestamp, which triggers a null dereference.http://www.hat-squad.com/en/000170.html16187Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow attackers to cause a denial of service or obtain sensitive information via (1) certain inputs to the shutdown message from ftpshut, or (2) the SQLShowInfo mod_sql directive.http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc216181DSA-7951438014381OpenPKG-SA-2005.020Unknown vulnerability in 3Com OfficeConnect Wireless 11g Access Point before 1.03.12 allows remote attackers to obtain sensitive information via the web interface.16207Cross-site scripting (XSS) vulnerability in index.php for CMSimple 2.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in the search function.http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.htmlhttp://www.cmsimple.dk/forum/viewtopic.php?t=2470143461812810145561614720060803 CMSimple Cross Site ScriptingCross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remote attackers to inject arbitrary web script or HTML via (1) the lastusername parameter to index.php or (2) selected_search_arch parameter to search.php.101451416129show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the full path of the server via an invalid archive parameter.101451416129Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available.20050719 Mozilla cleartext credentials leak bug report to excuse myself (Re[2]: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein)1432519002mozilla-authentication-weakness(22272)8Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a parameter to the page move template.GLSA-200507-1814327177631595016130mediawiki-page-move-xss(21491)Cross-site scripting (XSS) vulnerability in guestbook.php in phpBook 1.46 allows remote attackers to inject arbitrary web script or HTML via the admin parameter.1014573143901829516192phpbook-admin-xss(21538)Multiple SQL injection vulnerabilities in PHP Surveyor 0.98 allows remote attackers to execute arbitrary SQL commands via (1) the sid, start, and id parameters to browse.php, the sid parameter to (2) dataentry.php, (3) export.php, (4) admin.php, (5) conditions.php, (6) spss.php, (7) deletesurvey.php, (8) dumpsurvey.php, or (9) statistics.php, or the lid parameter to (10) labels.php or (11) dumplabel.php.20050720 Multiple Vulnerabilities in PHP Surveyor161231433118098180991810018101181021810318104181051810618107181081014538php-surveyor-sql-injection(21444)PHP Surveyor 0.98 allows remote attackers to trigger SQL errors via missing parameters to (1) browse.php, (2) export.php, (3) conditions.php, or (4) spss.php.20050720 Multiple Vulnerabilities in PHP Surveyor16123143311014538The inc.login.php scripts in PHPFinance 0.3 allows remote attackers to bypass the login and gain privileges.http://sourceforge.net/project/shownotes.php?release_id=343135http://cvs.sourceforge.net/viewcvs.py/phpfinance/phpfinance/inc.login.php?rev=1.2&view=loghttp://cvs.sourceforge.net/viewcvs.py/phpfinance/phpfinance/inc.conf.php?rev=1.2&view=logADV-2005-11331432213276phpfinance-logon-bypass(21426)PHP-Fusion allows remote attackers to inject arbitrary Cascading Style Sheets (CSS) via the BBCode color tag.143321609618111Cross-site scripting (XSS) vulnerability in search.php in PHPSiteSearch 1.7.7d allows remote attackers to inject arbitrary web script or HTML via the query parameter.http://www.rgod.altervista.org/PHPSiteSearch177dpoc.txt161561434418142phpsitesearch-query-xss(21463)The login protocol in RealChat 3.5.1b does not use authentication, which allows remote attackers to log on as other users by sniffing the beginning of a chat session and replaying it via a modified username.20050723 Realchat user impersonation - BSA 200506110001101456214358realchat-account-login(21497)SQL injection vulnerability in sendcard.php in Sendcard 3.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter.ADV-2005-1169161651435118153sendcard-id-sql-injection(21474)Opera 8.01, when the "Arial Unicode MS" font (ARIALUNI.TTF) is installed, does not properly handle extended ASCII characters in the file download dialog box, which allows remote attackers to spoof file extensions and possibly trick users into executing arbitrary code.http://www.opera.com/linux/changelogs/802/15870144021014592opera-content-disposition-extension-spoofing(21784)ADV-2005-1251Opera 8.01 allows remote attackers to conduct cross-site scripting (XSS) attacks or modify which files are uploaded by tricking a user into dragging an image that is a "javascript:" URI.http://www.opera.com/linux/changelogs/802/15756144101014593ADV-2005-1251A design error in Opera 8.01 and earlier allows user-assisted attackers to perform by overlaying a malicious new window above a file download dialog box, then tricking the user into double-clicking on the "Run" button, aka "link hijacking".http://www.opera.com/linux/changelogs/802/1578115835ADV-2005-12511015353Format string vulnerability in util.c in nbsmtp 0.99 and earlier, while running in debug mode, allows remote attackers to execute arbitrary code via format string specifiers that are not properly handled in a syslog call.http://people.freebsd.org/~niels/issues/nbsmtp-20050726.txthttp://www.vuxml.org/freebsd/debbb39c-fdb3-11d9-a30d-00b0d09acbfc.html144411627916324nbsmtp-format-string(21674)Format string vulnerability in the nm_info_handler function in Network Manager may allow remote attackers to execute arbitrary code via format string specifiers in a Wireless Access Point identifier, which is not properly handled in a syslog call.20050728 format string bug in nm_info_handler20050729 Re: format string bug in nm_info_handler FEDORA-2005-680Cross-Site Request Forgery (CSRF) vulnerability in tDiary 2.1.1, and tDiary 2.0.1 and earlier, allows remote attackers to conduct actions as another user, and execute commands on the server, via a URL that is activated by the user.http://sourceforge.net/forum/forum.php?forum_id=4827431860416329tdiary-xs-request-forgery(21735)DSA-8081450016787PHP remote file inclusion vulnerability in block.php in PHP FirstPost allows remote attackers to execute arbitrary PHP code via the Include parameter.183941014563php-firstpost-block-file-include(21513)1437120050724 PHP FirstPost remote file include vulnerabilityPHP remote file inclusion vulnerability in apa_phpinclude.inc.php in Atomic Photo Album (APA) allows remote attackers to execute arbitrary PHP code via the apa_module_basedir parameter.1436818265101456916201apa-apaphpinclude-file-include(21562)20050723 Atomic Photo Album (APA) apa_phpinclude.inc.php remote file includeRace condition in the xpcom library, as used by web browsers such as Firefox, Mozilla, Netscape, and Galeon, allows remote attackers to cause a denial of service (application crash) via a large HTML file that loads a DOM call from within nested DIV tags, which causes part of the currently rendering page and referenced objects to be deleted.10145501014548mozilla-xpcom-race-condition(21472)20050721 Mozilla XPCOM Library Race ConditionMultiple SQL injection vulnerabilities in Contrexx before 1.0.5 allow remote attackers to execute arbitrary SQL commands via the (1) value parameter to the poll module or (2) pId parameter to the gallery module.http://www.hardened-php.net/advisory_112005.59.html143521816618167101455416169contrexx-votingoption-pld-sql-injection(21482)20050722 Advisory 11/2005: Multiple vulnerabilities in ContrexxMultiple cross-site scripting (XSS) vulnerabilities in Contrexx before 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) term parameter to the search module or (2) title in the blog aggregation module.http://www.hardened-php.net/advisory_112005.59.html143521816818169101455416169contrexx-blog-xss(21487)contrexx-search-xss(21484)20050722 Advisory 11/2005: Multiple vulnerabilities in ContrexxContrexx before 1.0.5 allows remote attackers to obtain sensitive information via a direct request to /config/version.xml.http://www.hardened-php.net/advisory_112005.59.html1435218170101455416169contrexx-version-disclosure(21488)20050722 Advisory 11/2005: Multiple vulnerabilities in Contrexx** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2403. Reason: This candidate is a duplicate of CVE-2005-2403. Notes: All CVE users should reference CVE-2005-2403 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.143581014562realchat-account-login(21497)B-FOCuS Router 312+ allows remote attackers to bypass authentication and gain unauthorized access via a direct request to firmwarecfg.1436416205eci-router-login-security-bypass(21521)20050724 ECI router login bypassflsearch.pl in FtpLocate 2.02 allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP GET request.1436718305101457016218ftplocate-fsite-command-execution(21540)20050725 Chroot Security Group Advisory 2005-07-25 -- ftplocateMultiple SQL injection vulnerabilities in index.php and other pages in Beehive Forum allow remote attackers to execute arbitrary SQL commands via the webtag parameter.1436116217beehiveforum-webtag-sql-injection(21535)20050725 Beehive Forum Multiple VulnerabilitiesCross-site scripting (XSS) vulnerability in index.php in Beehive Forum allows remote attackers to inject arbitrary web script or HTML via the webtag parameter.143631621720050725 Beehive Forum Multiple VulnerabilitiesBeehive Forum allows remote attackers to obtain sensitive information via (1) an invalid final_uri or sort_by parameter to index.php or a direct request to (2) admin.php, (3) attachments.inc.php, (4) banned.inc.php, (5) beehive.inc.php, (6) constants.inc.php, (7) db.inc.php, (8) dictionary.inc.php or (9) search_index.php, which reveal the path in an error message.16217beehive-path-disclosure(21536)20050725 Beehive Forum Multiple VulnerabilitiesThe management interface for Siemens SANTIS 50 running firmware 4.2.8.0, and possibly other products including Ericsson HN294dp and Dynalink RTA300W, allows remote attackers to access the Telnet port without authentication via certain packets to the web interface that cause the interface to freeze.http://www.securenetwork.it/advisories/143721829416215santis50-packet-gain-access(21552)20050725 Siemens SANTIS 50 Authentication VulnerabilityStack-based buffer overflow in Ares FileShare 1.1 allows remote attackers or local users to execute arbitrary code via a (1) long history parameter in the configuration file (ares.conf) or (2) long search string.143771014576ares-longconfstring-bo(21557)aresfileshare-long-string-bo(21818)20050725 Ares FileShare 1.1 'Long Searched String' Buffer OverflowFTPshell Server 3.38 allows remote authenticated users to cause a denial of service (application crash) by multiple connections and disconnections without using the QUIT command.14382101458016189ftpshell-port-dos(21531)20050726 Denial of service vulnerability in FTPshell Server Version 3.38Cross-site scripting (XSS) vulnerability in viewCart.asp in CartWIZ allows remote attackers to inject arbitrary web script or HTML via the message parameter.14386184631014581cartwiz-viewcart-xss(21554)20050726 [HSC Security Group] XSS in CartWizLotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696.http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdfhttp://www-1.ibm.com/support/docview.wss?uid=swg2121293416231lotus-domino-names-obtain-information(21556)http://www.securiteam.com/securitynews/5FP0E15GLQ.html1438918462101458420050726 CYBSEC - Security Advisory: Default Configuration InformationFirefox, when opening Microsoft Word documents, does not properly set the permissions on shared sections, which allows remote attackers to write arbitrary data to open applications in Microsoft Office.1625620050727 Shared section vulnerability when opening microsoft office18484office-mso97shareddg-dos(24346)Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id or (2) group_id parameter to forum.php, (3) project_task_id parameter to task.php, (4) id parameter to detail.php, (5) the text field on the search page, (6) group_id parameter to qrs.php, (7) form, (8) rows, (9) cols or (10) wrap parameter to notepad.php, or the login field on the login form.16253gforge-multiple-xss(21558)1440518299183001830118302183031830420050727 Cross Site Scripting vulnerabilities in GForgeDSA-109420622The (1) lost password and (2) account pending features in GForge 4.5 do not properly set a limit on the number of e-mails sent to an e-mail address, which allows remote attackers to send a large number of messages to arbitrary e-mail addresses (aka mail bomb).20050727 Cross Site Scripting vulnerabilities in GForgeSQL injection vulnerability in PhpList allows remote attackers to modify SQL statements via the id argument to admin pages such as (1) members or (2) admin.20050731 PHPList Vunerability1831616274144031014607phplist-id-sql-injection(21576)20050728 PhpList Sql Injection and Path DisclosurePhpList allows remote attackers to obtain sensitive information via a direct request to (1) about.php, (2) connect.php, (3) domainstats.php or (4) usercheck.php in public_html/lists/admin directory, (5) attributes.php, (6) dbcheck.php, (7) importcsv.php, (8) user.php, (9) usermgt.php, or (10) users.php in admin/commonlib/pages directory, (11) helloworld.php, or (12) sidebar.php in public_html/lists/admin/plugins directory, or (13) main.php in public_html/lists/admin/plugsins/defaultplugin directory, which reveal the path in an error message.18317183181831918320183211832218323183241832518326183271832818329phplist-multiple-scripts-path-disclosure(21579)20050728 PhpList Sql Injection and Path DisclosureLinksys WRT54G router uses the same private key and certificate for every router, which allows remote attackers to sniff the SSL connection and obtain sensitive information.14407101459616271linksys-wrt54g-session-decrypt(21635)20050728 Vulnerability in Linksys Router accessCross-site scripting (XSS) vulnerability in browse.php in Website Baker Project allows remote attackers to inject arbitrary web script or HTML via the dir parameter.144041834216263website-baker-browse-xss(21631)20050728 Website Baker Project Multiple Vulnerabilitiesbrowse.php in Website Baker Project allows remote attackers to obtain sensitive data via (1) a directory that does not exist in the dir parameter or (2) a direct request to certain php files, which reveal the path in an error message.183431834416263website-baker-url-path-disclosure(21633)20050728 Website Baker Project Multiple VulnerabilitiesWebsite Baker Project does not properly verify the file extensions of uploaded files, which allows remote attackers to upload and execute arbitrary PHP code.144061834516263website-baker-adminmedia-file-upload(21634)20050728 Website Baker Project Multiple VulnerabilitiesCross-site scripting (XSS) vulnerability in UseBB 0.5.1 and earlier allows remote attackers to inject arbritrary Javascript via the BBCode color value.http://www.hardened-php.net/advisory_122005.60.htmlhttp://www.usebb.net/community/topic.php?id=60514412usebb-colorbbcode-xss(21651)20050728 Advisory 12/2005: UseBB Multiple VulnerabilitiesSQL injection vulnerability in UseBB 0.5.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the search function.http://www.hardened-php.net/advisory_122005.60.htmlhttp://www.usebb.net/community/topic.php?id=60514413usebb-search-sql-injection(21652)20050728 Advisory 12/2005: UseBB Multiple VulnerabilitiesSQL injection vulnerability in login.asp in Thomson Web Skill Vantage Manager allows remote attackers to execute arbitrary SQL commands via the svmPassword parameter.1440916268webskill-login-sql-injection(21637)1833020050728 Thomson Web Skill Vantage ManagerMultiple cross-site scripting (XSS) vulnerabilities in VBzoom allow remote attackers to inject arbitrary web script and HTML via the (1) UserName parameter to profile.php or (2) UserID parameter to login.php.1442318662186631014614vbzoom-profile-login-xss(21680)1622020050729 VBZoom Cross Site Scripting Vulnerabilities20060306 SQL injection & XSS IN vbzoom v1.11Cross-Application Scripting (XAS) vulnerability in SPI Dynamics WebInspect 5.0.196 allows remote attackers to inject Javascript from one application into another.20050726 SPIDynamics WebInspect Cross-Application Scripting (XAS)14385spidynamics-webinspect-xas(21541)10145821619120050726 SPIDynamics WebInspect Cross-Application Scripting (XAS)20050728 SPIDynamics WebInspect Cross-ApplicationScripting (XAS)Kshout 2.x and 3.x stores settings.dat under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as usernames and passwords.http://www.soulblack.com.ar/repo/papers/advisory/kshout_advisory.txt20050729 Kshout Data Disclosure kshout-settings-information-disclosure(24352)Trillian Pro 3.1 build 121, when checking Yahoo e-mail, stores the password in plaintext in a world readable file and does not delete the file after login, which allows local users to obtain sensitive information.16289trillian-mail-plaintext-password(21667)20050730 Trillian Ver 3.1 saves password's in plain TextSQL injection vulnerability in viewPrd.asp in Product Cart 2.6 allows remote attackers to execute arbitrary SQL commands via the idcategory parameter.138811732918508101412914833productcart-multiple-script-sql-injection(20956)productcart-viewprd-sql-injection(21672)20050730 [HSC Security Group] SQL Injection in Product Cart 2.6** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2369. Reason: This candidate is a duplicate of CVE-2005-2369. Notes: All CVE users should reference CVE-2005-2369 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2370. Reason: This candidate is a duplicate of CVE-2005-2370. Notes: All CVE users should reference CVE-2005-2370 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Multiple "endianness errors" in libgadu in ekg before 1.6rc2 allow remote attackers to cause a denial of service (invalid behavior in applications) on big-endian systems.14415161401615516363DSA-81320050721 Multiple vulnerabilities in libgadu and ekg packageDSA-131824600Race condition in sandbox before 1.2.11 allows local users to create or overwrite arbitrary files via symlink attack on sandboxpids.tmp.http://bugs.gentoo.org/show_bug.cgi?id=96782GLSA-200507-2214375101457416214sandbox-race-condition(21519)Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file format processors in libclamav for Clam AntiVirus (ClamAV) 0.86.1 and earlier allow remote attackers to gain privileges via a crafted e-mail message.http://sourceforge.net/project/shownotes.php?release_id=344514clam-antivirus-file-format-gain-access(21555)CLSA-2005:987GLSA-200507-2514359182571825818259161801622916250162961645820050725 ClamAV Multiple Rem0te Buffer OverflowsSUSE-SR:2005:018Cisco IOS 12.0 through 12.4 and IOS XR before 3.2, with IPv6 enabled, allows remote attackers on a local network segment to cause a denial of service (device reload) and possibly execute arbitrary code via a crafted IPv6 packet.20050729 IPv6 Crafted Packet Vulnerabilitycisco-ios-ipv6-packet-command-execution(21591)20050729 Cisco IOS Shellcode PresentationTA05-210AVU#9308921627214414183321014598libtiff up to 3.7.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image header with a zero "YCbCr subsampling" value, which causes a divide-by-zero error in (1) tif_strip.c and (2) tif_tile.c, a different vulnerability than CVE-2004-0804.USN-156-1https://bugzilla.ubuntu.com/show_bug.cgi?id=12008MDKSA-2005:142MDKSA-2005:143MDKSA-2005:144144171626616486Cross-site scripting (XSS) vulnerability in NetworkActiv Web Server 1.0, 2.0.0.6, 3.0.1.1, and 3.5.13, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the query string.http://secunia.com/secunia_research/2005-31/advisory/1630114473185251014624networkactiv-xss(21696)IBM Lotus Notes 6.5.4 and 6.5.5, and 7.0.0 and 7.0.1, uses insecure default permissions (Everyone/Full Control) for the "Notes" folder and all children, which allows local users to gain privileges and modify, add, or delete files in that folder.Update to version 7.0.2.1953720061018 Secunia Research: IBM Lotus Notes Insecure Default FolderPermissionsVU#38309220612ADV-2006-4093297611017086lotusnotes-directory-insecure-permission(29660)27342Greasemonkey before 0.3.5 allows remote web servers to (1) read arbitrary files via a GET request to a file:// URL in the GM_xmlhttpRequest API function, (2) list installed scripts using GM_scripts, or obtain sensitive information via (3) GM_setValue and GM_getValue.[Greasemonkey] 20050718 greasemonkey for secure data over insecure networks / sites[Greasemonkey] 20050718 greasemonkey for secure data over insecure networks / siteshttp://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.htmlhttp://greasemonkey.mozdev.org/changes/0.3.5.htmlhttp://www.securiteam.com/securitynews/5CP0P20GBK.html14336ADV-2005-114718154101452916128mozilla-greasemonkey-information-disclosure(21453)Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of service (oops or deadlock) and possibly execute arbitrary code via a p->dir value that is larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy array.http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.htmlhttp://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a4f1bac62564049ea4718c4624b0fadc9f597c84http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8da3e25b2c4c1f305fd85428d3a9eb62b543bfba;hp=ecade4893a139cc35d4fe345ce70242ede5358c4;hb=a4f1bac62564049ea4718c4624b0fadc9f597c84;f=net/xfrm/xfrm_user.cUSN-169-1144771629816500linux-kernel-xfrm-dos(21710)2005:050MDKSA-2005:219MDKSA-2005:220DSA-922DSA-9211805618059RHSA-2005:514RHSA-2005:663FLSA:157459-3170731782617002ADV-2005-1878MDKSA-2005:219MDKSA-2005:220The driver for compressed ISO file systems (zisofs) in the Linux kernel before 2.6.12.5 allows local users and remote attackers to cause a denial of service (kernel crash) via a crafted compressed ISO file system.USN-169-11461416355165002005:050MDKSA-2005:218MDKSA-2005:219MDKSA-2005:220SUSE-SA:2005:06817918DSA-101717826DSA-10181937419369MDKSA-2005:218MDKSA-2005:219MDKSA-2005:220inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows remote attackers to cause a denial of service (kernel crash) via a compressed file with "improper tables".[bug-gnu-utils] 19990625 Re: bug in gzip: segfault when doing Module per-cpu alignment cannot always be metUSN-169-116355165002005:050MDKSA-2005:219MDKSA-2005:220DSA-92214719DSA-921SUSE-SA:2005:068179181805618059RHSA-2006:010118510RHSA-2006:0190RHSA-2006:019118684RHSA-2006:0144FLSA:157459-1FLSA:157459-2FLSA:157459-31925217826MDKSA-2005:219MDKSA-2005:220The huft_build function in inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 returns the wrong value, which allows remote attackers to cause a denial of service (kernel crash) via a certain compressed file that leads to a null pointer dereference, a different vulnerbility than CVE-2005-2458.Bugzilla Bug 94584Module per-cpu alignment cannot always be metUSN-169-116355165002005:050MDKSA-2005:219MDKSA-2005:220DSA-92214720DSA-921SUSE-SA:2005:06817918180561805917826MDKSA-2005:219MDKSA-2005:220Multiple cross-site scripting (XSS) vulnerabilities in Kayako liveResponse 2.x allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter or (2) name field when entering a session or sending a message.20050730 Kayako liveResponse Multiple Vulnerabilities14425183951839716286Multiple SQL injection vulnerabilities in the calendar feature in Kayako liveResponse 2.x allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) date parameter.20050730 Kayako liveResponse Multiple Vulnerabilities144251839616286Kayako liveResponse 2.x, when logging in a user, records the password in plaintext in the URL, which allows local users and possibly remote attackers to gain privileges.20050730 Kayako liveResponse Multiple Vulnerabilities144251839816286Kayako liveResponse 2.x allows remote attackers to obtain sensitive information via a direct request to addressbook.php and other include scripts, which reveals the path in an error message.20050730 Kayako liveResponse Multiple Vulnerabilities144251839916286login.php in PCXP/TOPPE CMS allows remote attackers to bypass authentication and gain privileges by modifying the cookie to match the target userid.20050730 PC-EXPERIENCE/TOPPE CMS Security AdvisoryCross-site scripting (XSS) vulnerability in pm.php in PCXP/TOPPE CMS allows remote attackers to inject arbitrary web script or HTML via the msg variable.20050730 PC-EXPERIENCE/TOPPE CMS Security Advisory1442818715Multiple SQL injection vulnerabilities in the auth_user function in admin.php in OpenBook 1.2.2 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter.20050730 [SVadvisory] - SQL injection in OpenBook 1.2.214444ADV-2005-1301184751014606openbook-authuser-sql-injection(21643)Multiple cross-site scripting (XSS) vulnerabilities in MySQL Eventum 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to view.php, (2) release parameter to list.php, or (3) F parameter to get_jsrs_data.php.20050731 MySQL Eventum Multiple Vulnerabilities14436ADV-2005-1287184001840118402101460316304Multiple SQL injection vulnerabilities in MySQL Eventum 1.5.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) isCorrectPassword or (2) userExist function in class.auth.php, getCustomFieldReport function in (4) custom_fields.php, (5) custom_fields_graph.php, or (6) class.report.php, or the insert function in (7) releases.php or (8) class.release.php.20050731 MySQL Eventum Multiple Vulnerabilities14437ADV-2005-128718403184041840518406101460316304Stack-based buffer overflow in the NMAP Agent for Novell NetMail 3.52C and possibly earlier versions allows local users to execute arbitrary code via a long user name in the USER command.1592510150481508019916netmail-nmap-user-bo(22727)20051012 Secunia Research: Novell NetMail NMAP Agent "USER" Buffer Overflow VulnerabilityBuffer overflow in a "core application plug-in" for Adobe Reader 5.1 through 7.0.2 and Acrobat 5.0 through 7.0.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors.http://www.adobe.com/support/techdocs/321644.htmlRHSA-2005:750ADV-2005-1434VU#896220GLSA-200508-1114603101471216466adobe-acrobat-reader-plugin-bo(21860)SUSE-SR:2005:019pstopnm in netpbm does not properly use the "-dSAFER" option when calling Ghostscript to convert a PostScript file into a (1) PBM, (2) PGM, or (3) PNM file, which allows external user-assisted attackers to execute arbitrary commands.319757: netpbm: arbitrary postscript code execution (CAN-2005-2471)161842005-003814379netpbm-dsafer-command-execution(21500)183301014752DSA-10211825319436RHSA-2005:743SUSE-SR:2005:019Multiple buffer overflows in BusinessMail 4.60.00 allow remote attackers to cause a denial of service (application crash) via a long string to SMTP (1) HELO or (2) MAIL FROM commands.20050801 Buffer overflow in BusinessMail email server system 4.60.00http://reedarvin.thearvins.com/20050730-01.html1443416306businessmail-smtp-dos(21636)18407101460220050801 Buffer overflow in BusinessMail email server system 4.60.00Multiple SQL injection vulnerabilities in ChurchInfo allow remote attackers to execute arbitrary SQL commands via the PersonID parameter to (1) PersonView.php, (2) MemberRoleChange.php, (3) PropertyAssign.php, (4) WhyCameEditor.php, (5) GroupPropsEditor.php, (6) Reports/PDFLabel.php, or (7) UserDelete.php, (8) DepositSlipID parameter to DepositSlipEditor.php, (9) QueryID parameter to QueryView.php, GroupID parameter to (10) GroupView.php, (11) GroupMemberList.php, (12) MemberRoleChange.php, (13) GroupDelete.php, (14) /Reports/ClassAttendance.php, or (15) /Reports/GroupReport.php, (16) PropertyID parameter to PropertyEditor.php, FamilyID parameter to (17) Canvas05Editor.php, (18) CanvasEditor.php, or (19) FamilyView.php, or (20) PledgeID parameter to PledgeDetails.php.1443818408184091841018411184121841318414184151841618417184181841918420184211842218423184241842718428101461716292churchinfo-sql-injection(21647)20050801 ChurchInfo Multiple VulnerabilitiesChurchInfo allows remote attackers to execute obtain sensitive information via the PersonID parameter to (1) PersonView.php, (2) MemberRoleChange.php, (3) PropertyAssign.php, (4) WhyCameEditor.php, (5) GroupPropsEditor.php, (6) Reports/PDFLabel.php, or (7) UserDelete.php, an invalid Number parameter to (8) SelectList.php or (9) SelectDelete.php, GroupID parameter to (10) GroupView.php, (11) GroupMemberList.php, (12) MemberRoleChange.php, (13) GroupDelete.php, (14) /Reports/ClassAttendance.php, or (15) /Reports/GroupReport.php, (16) PropertyID parameter to PropertyEditor.php, FamilyID parameter to (17) Canvas05Editor.php, (18) CanvasEditor.php, or (19) FamilyView.php, or (20) PledgeID parameter to PledgeDetails.php, which reveal the path in an error message.184291843018431184321843318434184351843618437184381843918450101461716292churchinfo-path-disclosure(21648)184251842620050801 ChurchInfo Multiple VulnerabilitiesRace condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete.144501853016309SCOSA-2005.39USN-191-1DSA-90317653MDKSA-2005:1972005-00531704517342169851700620050801 unzip TOCTOU file-permissions vulnerability RHSA-2007:0203 25098MDKSA-2005:19732Cross-site scripting (XSS) vulnerability in lost_passowrd.php in Naxtor Shopping Cart 1.0 allows remote attackers to inject arbitrary web script or HTML via the email parameter.16262144541014613naxtorshoppingcart-password-xss(21676)20050802 [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injectionshop_display_products.php in Naxtor Shopping Cart 1.0 allows remote attackers to obtain sensitive information via a cat_id with a "'" (single quote), which reveals the path in an error message, possibly due to an SQL injection vulnerability.16262144561014613naxtorshoppingcart-path-disclosure(21677)20050802 [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL InjectionSQL injection vulnerability in SilverNews 2.0.3 allows remote attackers to execute arbitrary SQL commands via the user field on the login page in the Admin control panel.http://www.rgod.altervista.org/silvernews.html1631514466185171014622silvernews-username-sql-injection(21688)20050803 Silvernews 2.0.3 (possibly previous versions ) SQL Injection / Login Bypass / Remote commands execution / cross site scriptingQuick 'n Easy FTP Server 3.0 allows remote attackers to cause a denial of service (application crash or CPU consumption) via a long USER command.101461514451quickneasy-user-command-dos(21679)20060325 Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow vulnerabilities)20050802 Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow20050802 Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow20050803 Re: Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflowCross-site scripting (XSS) vulnerability in ColdFusion Fusebox 4.1.0 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter, which is not quoted in an error page, as demonstrated using index.cfm.1446016320fusebox-fuseaction-xss(21697)20050803 Coldfusion Fusebox V4.1.0 VulnerabilityColdFusion Fusebox 4.1.0 allows remote attackers to obtain sensitive information via an invalid fuseaction parameter, which leaks the full server path in an error message, as demonstrated using the "?" (question mark) character.20050803 Coldfusion Fusebox V4.1.0 VulnerabilityThe StateToOptions function in msfweb in Metasploit Framework 2.4 and earlier, when running with the -D option (defanged mode), allows attackers to modify temporary environment variables before the "_Defanged" environment option is checked when processing the Exploit command.http://metasploit.com/archive/framework/msg00469.html163181445518495metasploit-defanged-bypass-security(21705)Eval injection vulnerability in Karrigell before 2.1.8 allows remote attackers to execute arbitrary Python code via modified arguments to a Karrigell services (.ks) script, which can reference functions from libraries that are used by that script.[karrigell-main] 20050802 Re: SECURITY: python namespace exposure163191446318506karrigel-dos(21668)[karrigell-main] 20050731 SECURITY: python namespace exposureBuffer overflow in the rdb_query function for Denora IRC Stats 1.0 might allow attackers to execute arbitrary code.http://sourceforge.net/project/shownotes.php?release_id=346819http://denora.nomadirc.net/index.php14471ADV-2005-131916281denora-rdbquery-bo(21686)Cross-site scripting (XSS) vulnerability in the Helpdesk in Logicampus before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://sourceforge.net/project/shownotes.php?release_id=3468011447216297logicampus-helpdesk-xss(21687)SQL injection vulnerability in mod_forum/read_message.php in PortailPHP allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php with the affiche parameter set to "Forum-read_mess", a different vulnerability than CVE-2005-1701.20050804 SQL IN PortailPHP1447418685Unknown vulnerability in Sun McData switches and directors 4300, 4500, 6064, and 6140 before E/OS 6.0.0 may allow attackers to cause a denial of service (connectivity and array access loss) via a network broadcast storm.1018331629514475mcdata-switch-director-dos(21706)Cross-site scripting (XSS) vulnerability in Web Content Management News System allows remote attackers to inject arbitrary web script or HTML via (1) the strRootpath parameter to validsession.php or (2) the strTable parameter to Admin/News/List.php.http://www.rgod.altervista.org/webc.html10146161631714464webcms-multiple-script-xss(21689)Web Content Management News System allows remote attackers to create arbitrary accounts and gain privileges via a direct request to Admin/Users/AddModifyInput.php.http://www.rgod.altervista.org/webc.html1014616163171446518524webcms-addmodifyinput-create-account(21694)Stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 before 2.6.13.1 allows local users execute arbitrary code by calling sendmsg and modifying the message contents in another thread.USN-178-11478516747kernel-sendmsg-bo(22217)MDKSA-2005:219MDKSA-2005:220SUSE-SA:2005:06817918MDKSA-2005:235RHSA-2005:514RHSA-2005:663FLSA:157459-1FLSA:157459-2FLSA:157459-3DSA-1017170731782619374170022005-0049ADV-2005-1878MDKSA-2005:219MDKSA-2005:220MDKSA-2005:235Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow.146201014744DSA-800GLSA-200509-02RHSA-2005:761GLSA-200509-08GLSA-200509-12DSA-819DSA-817DSA-821GLSA-200509-19TSLSA-2005-0059APPLE-SA-2005-11-291564717813OVAL7351650216679ADV-2005-1511ADV-2005-2659FLSA:168516RHSA-2006:0197102198ADV-2006-078919072RHSA-2005:358HPSBUX02074SCOSA-2006.101919317252OpenPKG-SA-2005.018SUSE-SA:2005:05120060401-01-U19532SUSE-SA:2005:048SUSE-SA:2005:049SUSE-SA:2005:05221522oval:org.mitre.oval:def:735oval:org.mitre.oval:def:1496oval:org.mitre.oval:def:1659HPSBMA02159ADV-2006-432022691ADV-2006-450222875604The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input.USN-178-11478716747kernel-rawsendmsg-obtain-information(22218)MDKSA-2005:220SUSE-SA:2005:06817918MDKSA-2005:235RHSA-2005:514FLSA:157459-3170732005-0049MDKSA-2005:220MDKSA-2005:235kcheckpass in KDE 3.2.0 up to 3.4.2 allows local users to gain root access via a symlink attack on lock files.DSA-815MDKSA-2005:160USN-176-1166921813920050907 [ Suresec Advisories ] - Kcheckpass file creation vulnerability20050905 [KDE Security Advisory] kcheckpass local root vulnerabilityRHSA-2006:05822148114736Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image.RHSA-2005:501GLSA-200509-07MDKSA-2005:1642005-0049SUSE-SA:2005:056VU#102441101953170441725817278FLSA:168264-2RHSA-2005:329RHSA-2005:396SUSE-SR:2005:0231721520060403-01-UHPSBUX02137ADV-2006-314021318oval:org.mitre.oval:def:1044oval:org.mitre.oval:def:998DSA-816FEDORA-2005-893FEDORA-2005-894101926USN-182-1148071935210148871677716790xorg-pixmap-bo(22244) SCOSA-2006.22 19624 19796The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended.FEDORA-2005-812ADV-2005-156116602ntp-incorrect-group-permissions(22035)MDKSA-2005:156DSA-80114673RHSA-2006:039321464190551016679** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2641. Reason: This candidate is a duplicate of CVE-2005-2641. Notes: All CVE users should reference CVE-2005-2641 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP document that should not be nested, which are injected into an eval function call, a different vulnerability than CVE-2005-1921.http://www.hardened-php.net/advisory_152005.67.html20050815 [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issueRHSA-2005:748DSA-798DSA-789GLSA-200509-19FLSA:16694316431164321644116460164651646816469164911655016558165631661916635166931697617440DSA-840DSA-842170531706620050817 [PHPADSNEW-SA-2005-001] phpAdsNew and phpPgAds 2.0.6 fix multiple vulnerabilitiesSUSE-SA:2005:05120050815 Advisory 15/2005: PHPXMLRPC Remote PHP Code Injection Vulnerability14560SUSE-SA:2005:049slocate before 2.7 does not properly process very long paths, which allows local users to cause a denial of service (updatedb exit and incomplete slocate database) via a certain crafted directory structure.RHSA-2005:74714640190341014751slocate-directory-structure-dos(22316)RHSA-2005:346RHSA-2005:345Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux kernel 2.6.12, as used in SuSE Linux Enterprise Server 9, might allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted XDR data for the nfsacl protocol.http://lkml.org/lkml/2005/6/23/19http://lkml.org/lkml/2005/6/23/126SUSE-SA:2005:044http://linux.bkbits.net:8080/linux-2.6/cset@42b9c4fdYUuaq0joRUZi8W0Q-2hA1A1447016406kernel-xdrxcodearray-dos(21805)Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2 allows external user-assisted attackers to execute arbitrary code via a crafted Rich Text Format (RTF) file.APPLE-SA-2005-08-15APPLE-SA-2005-08-17TA05-229AVU#4351881014695Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2, as used in applications such as TextEdit, allows external user-assisted attackers to execute arbitrary code via a crafted Microsoft Word file.APPLE-SA-2005-08-15APPLE-SA-2005-08-17TA05-229AVU#1729481014695APPLE-SA-2005-08-15AppKit for Mac OS X 10.3.9 and 10.4.2 allows attackers with physical access to create local accounts by forcing a particular error to occur at the login window.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014696APPLE-SA-2005-08-15The System Profiler in Mac OS X 10.4.2 labels a Bluetooth device with "Requires Authentication: No" even when the user has selected the "Require pairing for security" option, which could confuse users about which setting is valid.APPLE-SA-2005-08-15APPLE-SA-2005-08-17Buffer overflow in CoreFoundation in Mac OS X 10.3.9 allows attackers to execute arbitrary code via command line arguments to an application that uses CoreFoundation.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014697Algorithmic complexity vulnerability in CoreFoundation in Mac OS X 10.3.9 and 10.4.2 allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014697Buffer overflow in Directory Services in Mac OS X 10.3.9 and 10.4.2 allows remote attackers to execute arbitrary code during authentication.APPLE-SA-2005-08-15APPLE-SA-2005-08-17TA05-229AVU#913820dsidentity in Directory Services in Mac OS X 10.4.2 allows local users to add or remove user accounts.APPLE-SA-2005-08-15APPLE-SA-2005-08-17Unknown vulnerability in loginwindow in Mac OS X 10.4.2 and earlier, when Fast User Switching is enabled, allows attackers to log into other accounts if they know the passwords to at least two accounts.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014704The Server Admin tool in servermgr_ipfilter for Mac OS X 10.4 to 10.4.2, when using multiple subnets and Address Groups, does not always properly write firewall rules to the Active Rules when certain conditions occur, which could result in firewall policies that are less restrictive than intended by the administrator.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014708Unknown vulnerability in Mac OS X 10.4.2 and earlier, when using Kerberos authentication with LDAP, allows attackers to gain access to a root Terminal window.APPLE-SA-2005-08-15APPLE-SA-2005-08-17Mail.app in Mac OS 10.4.2 and earlier, when printing or forwarding an HTML message, loads remote images even when the user's preferences state otherwise, which could result in a privacy leak.APPLE-SA-2005-08-15APPLE-SA-2005-08-17Unknown vulnerability in HItoolbox for Mac OS X 10.4.2 allows VoiceOver services to read secure input fields.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014699Buffer overflow in ping in Mac OS X 10.3.9 allows local users to execute arbitrary code.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014701Quartz Composer Screen Saver in Mac OS X 10.4.2 allows local users to access links from the RSS Visualizer even when a password is required.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014705Safari in Mac OS X 10.3.9 and 10.4.2, when rendering Rich Text Format (RTF) files, can directly access URLs without performing the normal security checks, which allows remote attackers to execute arbitrary commands.APPLE-SA-2005-08-15APPLE-SA-2005-08-17TA05-229AVU#709220Safari in Mac OS X 10.3.9 and 10.4.2 submits forms from an XSL formatted page to the next page that is browsed by the user, which causes form data to be sent to the wrong site.APPLE-SA-2005-08-15APPLE-SA-2005-08-17Buffer overflow in servermgrd in Mac OS X 10.3.9 and 10.4.2 allows remote attackers to execute arbitrary code during authentication.APPLE-SA-2005-08-15APPLE-SA-2005-08-17TA05-229AVU#4614121014709slpd in Directory Services in Mac OS X 10.3.9 creates insecure temporary files as root, which allows local users to gain privileges.APPLE-SA-2005-08-15APPLE-SA-2005-08-17The password assistant in Mac OS X 10.4 to 10.4.2, when used to create multiple accounts from the same process, does not reset the suggested password list when the assistant is displayed, which allows attackers to view recently used passwords.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014707Buffer overflow in traceroute in Mac OS X 10.3.9 allows local users to execute arbitrary code via unknown vectors.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014702Safari in WebKit in Mac OS X 10.4 to 10.4.2 directly accesses URLs within PDF files without the normal security checks, which allows remote attackers to execute arbitrary code via links in a PDF file.APPLE-SA-2005-08-15APPLE-SA-2005-08-17TA05-229AVU#420316Multiple cross-site scripting (XSS) vulnerabilities in Weblog Server in Mac OS X 10.4 to 10.4.2 allow remote attackers to inject arbitrary web script or HTML via unknown vectors.APPLE-SA-2005-08-15APPLE-SA-2005-08-17Safari after 2.0 in Apple Mac OS X 10.3.9 allows remote attackers to bypass domain restrictions via crafted web archives that cause Safari to render them as if they came from a different site.APPLE-SA-2005-09-22ESB-2005.0732P-31216920CUPS in Mac OS X 10.3.9 and 10.4.2 does not properly close file descriptors when handling multiple simultaneous print jobs, which allows remote attackers to cause a denial of service (printing halt).APPLE-SA-2005-08-15APPLE-SA-2005-08-171014698CUPS in Mac OS X 10.3.9 and 10.4.2 allows remote attackers to cause a denial of service (CPU consumption) by sending a partial IPP request and closing the connection.APPLE-SA-2005-08-15APPLE-SA-2005-08-171014698Race condition in Java 1.4.2 before 1.4.2 Release 2 on Apple Mac OS X allows local users to corrupt files or create arbitrary files via unspecified attack vectors related to a temporary directory, possibly due a symlink attack.APPLE-SA-2005-09-13P-306Unspecified vulnerability in Java 1.4.2 before 1.4.2 Release 2 on Apple Mac OS X allows local users to gain privileges via unspecified attack vectors relating to "the utility used to update Java shared archives."APPLE-SA-2005-09-13P-306Unspecified vulnerability in Java 1.3.1 before 1.3.1_16 on Apple Mac OS X allows an untrusted applet to gain privileges, related to "Mac OS X specific extensions."APPLE-SA-2005-09-13P-306OpenVPN before 2.0.1, when running with "verb 0" and without TLS authentication, does not properly flush the OpenSSL error queue when a client fails certificate authentication to the server and causes the error to be processed by the wrong client, which allows remote attackers to cause a denial of service (client disconnection) via a large number of failed authentication attempts.MDKSA-2005:145DSA-851164631710314605SUSE-SR:2005:020OpenVPN before 2.0.1 does not properly flush the OpenSSL error queue when a packet can not be decrypted by the server, which allows remote authenticated attackers to cause a denial of service (client disconnection) via a large number of packets that can not be decrypted.MDKSA-2005:145DSA-851164631710314607OpenVPN before 2.0.1, when running in "dev tap" Ethernet bridging mode, allows remote authenticated clients to cause a denial of service (memory exhaustion) via a flood of packets with a large number of spoofed MAC addresses.MDKSA-2005:145DSA-8511646317103Race condition in OpenVPN before 2.0.1, when --duplicate-cn is not enabled, allows remote attackers to cause a denial of service (server crash) via simultaneous TCP connections from multiple clients that use the same client certificate.MDKSA-2005:145DSA-851164631710314610Buffer overflow in the Discovery Service in BrightStor ARCserve Backup 9.0 through 11.1 allows remote attackers to execute arbitrary commands via a large packet to TCP port 41523, a different vulnerability than CVE-2005-0260.20050211 BrightStor ARCserve Backup buffer overflow PoC20050211 Re: BrightStor ARCserve Backup buffer overflow PoC20050215 Re: BrightStor ARCserve Backup buffer overflow PoChttp://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?ID=32478VU#966880125361381414293brightstor-discovery-servicepc-bo(19320)pstotext before 1.8g does not properly use the "-dSAFER" option when calling Ghostscript to extract plain text from PostScript and PDF files, which allows remote attackers to execute arbitrary commands via a malicious PostScript file.GLSA-200507-291618314378pstotext-dsafer-command-execution(21498)DSA-7921630516624FlatNuke 2.5.5 and possibly earlier versions allows remote attackers to obtain sensitive information via a direct request to structure.php.20050804 FlatNuke 2.5.5 (possibly prior versions) remote commandshttp://www.rgod.altervista.org/flatnuke.html1854916330FlatNuke 2.5.5 and possibly earlier versions allows remote attackers to obtain sensitive information via (1) a null byte or (2) an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1 in the mod parameter.20050804 FlatNuke 2.5.5 (possibly prior versions) remote commandshttp://www.rgod.altervista.org/flatnuke.html1855016330Multiple cross-site scripting (XSS) vulnerabilities in FlatNuke 2.5.5 and possibly earlier versions allow remote attackers to inject arbitrary web script or HTML via the (1) bodycolor, (2) backimage, (3) theme, or (4) logo parameter to structure.php, (5) admin, (6) admin_mail, or (7) back parameter to footer.php, or (8) the message body in a news post.20050804 FlatNuke 2.5.5 (possibly prior versions) remote commandshttp://www.rgod.altervista.org/flatnuke.html1448318551185521855316330flatnuke-news-articles-xss(21708)flatnuke-structure-xss(21707)CRLF injection vulnerability in FlatNuke 2.5.5 and possibly earlier versions allows remote attackers to execute arbitrary PHP commands via an ASCII char 13 (carriage return) in the signature field, which is injected into a PHP script without a preceding comment character, which can then be executed by a direct request.20050804 FlatNuke 2.5.5 (possibly prior versions) remote commandshttp://www.rgod.altervista.org/flatnuke.html144851855416330flatNuke-firma-execute-commands(21709)Tar 1.15.1 does not properly warn the user when extracting setuid or setgid files, which may allow local users or remote attackers to gain privileges.20050804 tar preserves setuid bit20050804 tar preserves setuid bitInvision Power Board (IPB) 1.0.3 allows remote attackers to inject arbitrary web script or HTML via an attachment, which is automatically downloaded and processed as HTML.20050805 ipb Css bug(now public)1449216348Directory traversal vulnerability in wce.download.php in Comdev eCommerce 3.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the download parameter.20050805 Comdev eCommerce wce.download.php Download Vulnerability14479PHP remote file inclusion vulnerability in config.php in Comdev eCommerce 3.0 allows remote attackers to execute arbitrary PHP code via the path[docroot] parameter.20050805 Comdev eCommerce config.php Vulnerability163461447818601ecommerce-pathdocroot-file-include(21733)Multiple cross-site scripting (XSS) vulnerabilities in PHPOpenChat 3.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) content parameter to profile.php and profile_misc.php, (3) the profile fields in userpage.php, (4) subject or (5) body in mail.php, or (8) disinvited_chatter or (7) invited_chatter parameter to invite.php.20050805 [HSC Security Group] Multiple XSS in phpopenchat 3.0.2144841867418675186761867718678101463416350phpopenchat-multiple-scripts-xss(21761)Arab Portal 2.0 allows remote attackers to obtain sensitive information via a long (1) username or (2) password, which reveals the path in an error message when the undefined "errmsg" function is called.20050801 Arab Portalsecurity.c in hcid for BlueZ 2.16, 2.17, and 2.18 allows remote attackers to execute arbitrary commands via shell metacharacters in the Bluetooth device name when invoking the PIN helper.[bluez-devel] 20050804 Possible security vulnerability in hcid when calling pin helperhttps://bugs.gentoo.org/show_bug.cgi?id=101557http://cvs.sourceforge.net/viewcvs.py/bluez/utils/hcid/security.c?r1=1.31&r2=1.34GLSA-200508-091645316476DSA-78214572vlan_dev.c in the VLAN code for Linux kernel 2.6.8 allows remote attackers to cause a denial of service (kernel oops from null dereference) via certain UDP packets that lead to a function call with the wrong argument, as demonstrated using snmpwalk on snmpd.http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=309308USN-169-1MDKSA-2005:219DSA-922180561461117826MDKSA-2005:219Multiple format string vulnerabilities in Evolution 1.5 through 2.3.6.1 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (1) full vCard data, (2) contact data from remote LDAP servers, or (3) task list data from remote servers.20050810 Evolution multiple remote format string bugshttp://www.sitic.se/eng/advisories_and_recommendations/sa05-001.htmlUSN-166-116394FEDORA-2005-743MDKSA-2005:141RHSA-2005:267SUSE-SA:2005:05420050810 Evolution multiple remote format string bugs14532DSA-101619380Format string vulnerability in Evolution 1.4 through 2.3.6.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the calendar entries such as task lists, which are not properly handled when the user selects the Calendars tab.20050810 Evolution multiple remote format string bugshttp://www.sitic.se/eng/advisories_and_recommendations/sa05-001.htmlUSN-166-116394FEDORA-2005-743MDKSA-2005:141RHSA-2005:267SUSE-SA:2005:05420050810 Evolution multiple remote format string bugs14532DSA-101619380Buffer overflow in dhost.exe in iMonitor for Novell eDirectory 8.7.3 on Windows allows attackers to cause a denial of service (crash) and obtain access to files via unknown vectors.http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098568.htmhttp://support.novell.com/cgi-bin/search/searchtid.cgi?/2972038.htmVU#21316514548101466116393Unknown vulnerability in HP ProLiant DL585 servers running Integrated Lights Out (ILO) firmware before 1.81 allows attackers to access server controls when the server is "powered down."14540101465816402HPSBMA01220The find_target function in ptrace32.c in the Linux kernel 2.4.x before 2.4.29 does not properly handle a NULL return value from another function, which allows local users to cause a denial of service (kernel crash/oops) by running a 32-bit ltrace program with the -i option on a 64-bit executable program.http://lkml.org/lkml/2005/1/5/245http://linux.bkbits.net:8080/linux-2.4/cset@41dd3455GwQPufrGvBJjcUOXQa3WXA14965DSA-92118059MDKSA-2006:04418977SUSE-SA:2006:01219038RHSA-2005:663FLSA:157459-217002ADV-2005-1878The web server for Network Associates ePolicy Orchestrator Agent 3.5.0 (patch 3) uses insecure permissions for the "Common Framework\Db" folder, which allows local users to read arbitrary files by creating a subfolder in the EPO agent web root directory.20050811 Privilege escalation in Network Associates ePolicy Orchestrator Agent 3.5.0 (patch 3)http://reedarvin.thearvins.com/20050811-01.html14549ADV-2005-14021873516410epolicy-orchestrator-gain-privileges(21839)Linux kernel 2.6.x does not properly restrict socket policy access to users with the CAP_NET_ADMIN capability, which could allow local users to conduct unauthorized activities via (1) ipv4/ip_sockglue.c and (2) ipv6/ipv6_sockglue.c.http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=6fc0b4a7a73a81e74d0004732df358f4f9975be2USN-169-12005:050MDKSA-2005:218MDKSA-2005:21914609RHSA-2005:514RHSA-2005:663FLSA:157459-3DSA-10171707317826DSA-1018193741936917002ADV-2005-1878MDKSA-2005:218MDKSA-2005:219core/database_api.php in Mantis 0.19.0a1 through 1.0.0a3, with register_globals enabled, allows remote attackers to connect to internal databases by modifying the g_db_type variable and monitoring the speed of responses, as identified by bug#0005956.DSA-778146041650620050926 Mantis Bugtracker - Remote Database Scanner and XSS VulnerabilitiesGLSA-200509-1616506Cross-site scripting (XSS) vulnerability in view_all_set.php in Mantis 0.19.0a1 through 1.0.0a3 allows remote attackers to inject arbitrary web script or HTML via the dir parameter, as identified by bug#0005959, and a different vulnerability than CVE-2005-3090.DSA-778GLSA-200509-161460416506mantis-bug-report-xss(21958)20050926 Mantis Bugtracker - Remote Database Scanner and XSS Vulnerabilities16506Stack-based buffer overflow in the init_syms function in MySQL 4.0 before 4.0.25, 4.1 before 4.1.13, and 5.0 before 5.0.7-beta allows remote authenticated users who can create user-defined functions to execute arbitrary code via a long function_name field.20050808 [AppSecInc Advisory MYSQL05-V0002] Buffer Overflow in MySQL User Defined Functions20050808 [AppSecInc Advisory MYSQL05-V0002] Buffer Overflow in MySQL User Defined Functionshttp://www.appsecinc.com/resources/alerts/mysql/2005-002.html14509mysql-user-defined-function-bo(21737)20050808 [AppSecInc Advisory MYSQL05-V0002] Buffer Overflow in MySQL User Defined FunctionsMDKSA-2005:163DSA-829DSA-831DSA-833USN-180-1USN-180-2FLSA-2006:167803SUSE-SR:2005:02117027SCOSA-2006.1820381236703ADV-2008-132629847doping.php in ePing plugin 1.02 and earlier for e107 portal allows remote attackers to execute arbitrary code or overwrite files via (1) shell metacharacters in the eping_count parameter or (2) restricted shell metacharacters such as ">" and "&" in the eping_host parameter, which is not handled by the validation function.http://e107plugins.co.uk/news.php20050805 Vulnerability in ePing and eTrace plugins of e107Cross-site scripting (XSS) vulnerability in index.cfm in CFBB 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the page parameter.144401631120050805 XSS in forums CFBB v1.1.0Multiple SQL injection vulnerabilities in MYFAQ 1.0 allow remote attackers to execute arbitrary SQL commands via the Theme parameter to (1) affichagefaq.php3, (2) choixsoustheme.php3, (3) consultation.php3, (4) insfaq.php3, (5) inssoustheme.php3, (6) instheme.php3, (7) saisiefaqtotale.php3, (8) saisiesoustheme.php3, or (9) voirfaq.php3, the SousTheme parameter to (10) affichagefaq.php3, (11) consultation.php3, (12) insfaq.php3, (13) inssoustheme.php3, (14) saisiefaq.php3, (15) saisiefaqtotale.php3, or (16) voirfaq.php3, the Faq parameter to (17) saisiefaq.php3, (18) voirfaq.php3, or (19) inssolution.php3, or (20) question parameter to affichagefaq.php3.20050806 [SVadvisory#13] - SQL injection in MYFAQ 1.0MyFAQ Multiple Scripts SQL Injection Vulnerability1450316366SQL injection vulnerability in Gravity Board X (GBX) 1.1 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the login field.144971014631gravityboardx-login-bypass-authentication(21740)20050807 Gravity Board X v1.1 multiple vulnerabilitiesMultiple cross-site scripting (XSS) vulnerabilities in Gravity Board X (GBX) 1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the board_id parameter to deletethread.php or (2) the template.14497101463120050807 Gravity Board X v1.1 multiple vulnerabilitiesDirect static code injection vulnerability in editcss.php in Gravity Board X (GBX) 1.1 allows remote attackers to execute arbitrary PHP code, HTML, and script via the csscontent parameter, which is directly inserted into the gbxfinal.css file.20050807 Gravity Board X v1.1 multiple vulnerabilitiesgravityboardx-template-xss(21742)Gravity Board X (GBX) 1.1 allows remote attackers to obtain sensitive information via (1) a 1 in the perm parameter to deletethread.php or a direct request to (2) ban.php, (3) addnews.php, (4) banned.php, (5) boardstats.php, (6) adminform.php, (7) /forms/admininfo.php, (8) /forms/announcements.php, (9) forms/banform.php, or (10) other pages in the /forms directory, which reveal the path in an error message.20050807 Gravity Board X v1.1 multiple vulnerabilitiesgravityboardx-multiple-path-disclosure(21746)Multiple SQL injection vulnerabilities in Open Bulletin Board (OpenBB) allow remote attackers to execute arbitrary SQL commands via the (1) FID parameter to board.php or (2) UID parameter to member.php.20050808 SQL IN Open Bulletin BoardPHP remote file inclusion vulnerability in SysCP 1.2.10 and earlier allows remote attackers to execute arbitrary PHP code via the language parameter.http://www.hardened-php.net/advisory_132005.64.htmlhttp://www.syscp.de/forum/viewtopic.php?t=177220050808 Advisory 13/2005: Remote code execution in SysCPEval injection vulnerability in the template engine for SysCP 1.2.10 and earlier allows remote attackers to execute arbitrary PHP code via a string containing the code within "{" and "}" (curly bracket) characters, which are processed by the PHP eval function.20050808 Advisory 13/2005: Remote code execution in SysCPhttp://www.hardened-php.net/advisory_132005.64.htmlhttp://www.syscp.de/forum/viewtopic.php?t=1772Multiple cross-site scripting (XSS) vulnerabilities in FunkBoard 0.66CF, and possibly earlier versions, allow remote attackers to inject arbitrary web script or HTML via the fbusername or fbpassword parameter to (1) editpost.php, (2) prefs.php, (3) newtopic.php, (4) reply.php, or (5) profile.php, the (6) fbusername, (7) fmail, (8) www, (9) icq, (10) yim, (11) location, (12) sex, (13) interebbies, (14) sig or (15) aim parameter to register.php, or (16) subject parameter to newtopic.php.20050808 FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code execution20050813 Re: FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code executionFunkBoard 0.66CF, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to forums.php, which reveals the path in an error message.FunkBoard20050808 FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code execution20050813 Re: FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code executionFunkBoard 0.66CF, and possibly earlier versions, does not properly restrict access to the (1) admin/mysql_install.php and (2) admin/pg_install.php scripts, which allows attackers to obtain the database username and password or inject arbitrary PHP code into info.php.20050808 FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code execution20050813 Re: FunkBoard V0.66CF (possibly prior versions) cross site scripting, possible database username/password disclosure & board takeover, possible remote code executionMySQL, when running on Windows, allows remote authenticated users with insert privileges on the mysql.func table to cause a denial of service (server hang) and possibly execute arbitrary code via (1) a request for a non-library file, which causes the Windows LoadLibraryEx function to block, or (2) a request for a function in a library that has the XXX_deinit or XXX_init functions defined but is not tailored for mySQL, such as jpeg1x32.dll and jpeg2x32.dll.20050808 [AppSecInc Advisory MYSQL05-V0003] Multiple Issues with MySQL User Defined Functionshttp://www.appsecinc.com/resources/alerts/mysql/2005-003.htmlmysql-loadlibraryex-dos(21756)20050808 [AppSecInc Advisory MYSQL05-V0003] Multiple Issues with MySQL User Defined FunctionsThe mysql_create_function function in sql_udf.cc for MySQL 4.0 before 4.0.25, 4.1 before 4.1.13, and 5.0 before 5.0.7-beta, when running on Windows, uses an incomplete blacklist in a directory traversal check, which allows attackers to include arbitrary files via the backslash (\) character.20050808 [AppSecInc Advisory MYSQL05-V0001] Improper Filtering of Directory Traversal Characters in MySQL User Defined Functionshttp://www.appsecinc.com/resources/alerts/mysql/2005-001.htmlmysql-udf-directory-traversal(21738)20050808 [AppSecInc Advisory MYSQL05-V0001] Improper Filtering of Directory Traversal Characters in MySQL User Defined Functionsxmb.php in XMB Forum 1.9.1 extracts and defines all provided variables, which allows remote attackers to modify arbitrary server variables such as _SERVER[REMOTE_ADDR].http://forums.xmbforum.com/viewthread.php?tid=75452320050809 Sql injection and global variables poisoning in XMB Forum 1.9.1SQL injection vulnerability in u2u.inc.php in XMB Forum 1.9.1 allows remote attackers to execute arbitrary SQL commands via certain values that are inserted into the $in variable.1452320050809 Sql injection and global variables poisoning in XMB Forum 1.9.1CaLogic 1.22, and possibly earlier versions, allows remote attackers to obtain sensitive information via a direct request to (1) doclsqlres.php, (2) clmcpreload.php, (3) viewhistlog.php, (4) mcconfig.php, (5) doclsqlbak.php, (6) defcalsel.php, or (7) cl_minical.php, which reveals the path in an error message.20050810 Full path disclosure in CaLogic 1.22 and possible in older versions.Wyse Winterm 1125SE running firmware 4.2.09f or 4.4.061f allows remote attackers to cause a denial of service (device crash) via a packet with a zero in the IP option length field.1014659145361640920050810 remote DOS on Wyse thin client 1125SE** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2552. Reason: This candidate is a duplicate of CVE-2005-2552. Notes: All CVE users should reference CVE-2005-2552 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.Nortel Contivity VPN Client V05_01.030, when configuring a certificate to be used as authentication, does not properly drop system privileges, which allows local users to gain privileges by opening a program with the File Open dialog box.Patch released by vendor.20050810 Privilege escalation in Nortel Contivity VPN Client V05_01.030Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 with Security Patch allow remote attackers to execute arbitrary SQL commands via the Username field in (1) index.php or (2) member.php, action parameter to (3) search.php or (4) member.php, or (5) polloptions parameter to polls.php.1455320050812 My Bulletin Board RC 4 VulnerabilitiesGrandstream BudgeTone 101 and 102 running firmware 1.0.6.7 and possibly earlier versions, allows remote attackers to cause a denial of service (device hang or reboot) via a large UDP packet to port 5060.1014665145391643820050812 Grandstream Budge Tone 101/102 DoS VulnerabilityKaspersky Anti-Virus for Unix/Linux File Servers 5.0-5 uses world-writable permissions for the (1) log and (2) license directory, which allows local users to delete log files, append to arbitrary files via a symlink attack on kavmonitor.log, or delete license keys and prevent keepup2date from properly executing.ftp://ftp.aerasec.de/pub/advisories/kav4unix/kav4unix-local-root-exploit.txt20050812 Insecure directory permissions of default installation of Kaspersky20050812 Insecure directory permissions of default installation of KasperskyMentor ADSL-FR4II router running firmware 2.00.0111 has an undocumented web server running on TCP port 5678, which allows local users to gain access.20050813 Low security hole affecting Mentor's ADSLFR4II routerThe web administration interface in Mentor ADSL-FR4II router running firmware 2.00.0111 does not set a default password, which allows local users to gain access.20050813 Low security hole affecting Mentor's ADSLFR4II routerMentor ADSL-FR4II router running firmware 2.00.0111 allows remote attackers to cause a denial of service (active TCP connections state table consumption) via a large number of connections, such as a port scan.1455720050813 Low security hole affecting Mentor's ADSLFR4II routerMentor ADSL-FR4II router running firmware 2.00.0111 stores the web administration password in cleartext in the backup configuration file, which allows local users to obtain sensitive information.164451455720050813 Low security hole affecting Mentor's ADSLFR4II routerSQL injection vulnerability in emailvalidate.php in PHPTB Topic Boards 2.0 allows remote attackers to execute arbitrary SQL commands via the mid parameter.145351873616443phptb-mid-sql-injection(21813)20050813 SQL in PHPTB Topic Boards 2.0Multiple cross-site scripting (XSS) vulnerabilities in DVBBS 7.1 SP2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the page parameter to dispbbs.asp, (2) name parameter to dispuser.asp, or the (3) title, (4) view, or (5) act parameter to boardhelp.asp.http://lostmon.blogspot.com/2005/08/dvbbs-multiple-variable-cross-site.html1851210146321613114498Unknown vulnerability in Linksys WRT54GS wireless router with firmware 4.50.6, with WPA Personal/TKIP authentication enabled, allows remote clients to bypass authentication by connecting without using encryption.20050815 Serious flaw in Linksys wireless AP password security14566101472116457Cross-site scripting (XSS) vulnerability in Parlano MindAlign 5.0 and later versions allows remote attackers to inject arbitrary web script or HTML via unknown vectors.http://www.niscc.gov.uk/niscc/docs/br-20050812-00673.html?lang=en164081456218755mindalign-xss(21837)Parlano MindAlign 5.0 and later versions allows remote attackers to list valid users via unknown vectors, aka the "User Enumeration" vulnerability.http://www.niscc.gov.uk/niscc/docs/br-20050812-00673.html?lang=en164081456218754mindalign-user-enumeration(21821)Unknown vulnerability in Parlano MindAlign 5.0 and later versions allows remote attackers to bypass authentication via unknown vectors.http://www.niscc.gov.uk/niscc/docs/br-20050812-00673.html?lang=en164081456218756mindalign-bypass-authentication(21838)Parlano MindAlign 5.0 and later versions uses weak encryption, with unknown impact and attack vectors.http://www.niscc.gov.uk/niscc/docs/br-20050812-00673.html?lang=en164081456218757mindalign-weak-encryption(21840)Apple Safari 1.3 (132) on Mac OS X 1.3.9 allows remote attackers to cause a denial of service (crash) via certain Javascript, possibly involving a function that defines a handler for itself within the function body.20050809 Apple Safari & Javascript - KERN_INVALID_ADDRESS (0x0001)14528Cross-site scripting (XSS) vulnerability in Dada Mail before 2.10 Alpha 1 allows remote attackers to execute arbitrary Javascript via archived messages.http://mojo.skazat.com/download/testing_2_10_0_alpha1.html1643514573User.php in Gallery, as used in Postnuke, allows users with any Admin privileges to gain access to all galleries.16389DSA-8791736714547AOL Client Software 9.0 uses insecure permissions for its installation path, which allows local users to execute arbitrary code with SYSTEM privileges by replacing ACSD.exe with a malicious program.20050807 Eh? Oh well....Flaws in AOL software, and accountability. Patch available for one of the two.14530aol-subfolder-weak-security(24324)Multiple directory traversal vulnerabilities in Dokeos 1.6 and earlier, and possibly Claroline, allow remote attackers to (1) delete arbitrary files or directories via the delete parameter to claroline/scorm/scormdocument.php, (2) move arbitrary files via the move_to and move_file parameters to claroline/document/document.php, or determine the existence of arbitrary files via the file parameter to (3) claroline/scorm/showinframes.php or (4) claroline/scorm/contents.php.1640720050812 Multiple directory traversal vulnerabilities in Claroline20050819 Re: Erroneous Informations - Multiple directory traversal vulnerabilities in ClarolineHummingbird FTP for Connectivity 10.0 uses weak encryption (trivial encoding) to store the user's password in the FTP profile, which allows attackers to gain privileges.20050814 Hummingbird FTP Weak Password Encryption187341643014559humnmingbird-ftp-weak-encryption(21811)FUDForum 2.6.15 with "Tree View" enabled, as used in other products such as phpgroupware and egroupware, allows remote attackers to read private posts via a modified mid parameter.20050811 Fudforum: incompletely check of user rights in tree view gaining access to all messages16414DSA-798DSA-8991455617643SQL injection vulnerability in MidiCart allows remote attackers to execute arbitrary SQL commands via the code_no parameter to (1) Item_Show.asp or (2) search_list.asp.http://systemsecure.org/ssforum/viewtopic.php?t=30101466014544Mozilla Thunderbird 1.0 and Firefox 1.0.6 allows remote attackers to obfuscate URIs via a long URI, which causes the address bar to go blank and could facilitate phishing attacks.20050809 Mozilla Firefox up to 1.0.6 and Mozilla Thunderbird up to 1.0 url string obfuscationhttp://www.scip.ch/cgi-bin/smss/showadvf.pl?id=168214526Cross-site scripting (XSS) vulnerability in index.php for My Image Gallery (Mig ) 1.4.1 allows remote attackers to inject arbitrary web script or HTML via the (1) currDir or (2) image parameters.http://secwatch.org/advisories/secwatch/20050813_Mig.txthttp://sourceforge.net/project/shownotes.php?release_id=34934814570ADV-2005-14321874116405index.php for My Image Gallery (Mig ) 1.4.1 allows remote attackers to obtain the web server path via certain currDir and image arguments, which leaks the path in an error message.http://secwatch.org/advisories/secwatch/20050813_Mig.txthttp://sourceforge.net/project/shownotes.php?release_id=34934814570ADV-2005-14321874216405Unknown vulnerability in Lasso Professional Server8.0.4 and 8.0.5 allows attackers to bypass authentication, related to [Auth] tags.http://www.omnipilot.com/Software%20Updates.1747.8901.lasso1454316364Unknown vulnerability in the "frontend authentication" in PHlyMail 3.02.00 has unknown impact and attack vectors.http://phlymail.de/forum/viewtopic.php?t=69814537ADV-2005-136516388PHP file include vulnerability in download.php in PHPSimplicity Simplicity oF Upload before 1.3.1 allows remote attackers to include arbitrary local and remote files via the language parameter and a terminating null ("%00") characters.Download new version of program at http://www.phpsimplicity.com/scripts.php?id=3.http://rgod.altervista.org/simply.htmlhttp://www.phpsimplicity.com/scripts.php?id=314424101459116273SafeHTML before 1.3.5 does not properly filter script in UTF-7 and CSS comments, which allows remote attackers to conduct cross-site scripting (XSS) attacks in vulnerable applications that use SafeHTML.1457416427index.php in VegaDNS 0.8.1, 0.9.8, and possibly other versions, allows remote attackers to obtain the full server path via an invalid VDNS_Sessid parameter.http://www.packetstormsecurity.org/0508-exploits/vegadns-dyn0.txt16370Cross-site scripting (XSS) vulnerability in index.php in VegaDNS 0.8.1, 0.9.8, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the message parameter.http://www.packetstormsecurity.org/0508-exploits/vegadns-dyn0.txt1637014538VERITAS Backup Exec for Windows Servers 8.6 through 10.0, Backup Exec for NetWare Servers 9.0 and 9.1, and NetBackup for NetWare Media Server Option 4.5 through 5.1 uses a static password during authentication from the NDMP agent to the server, which allows remote attackers to read and write arbitrary files with the backup server.http://securityresponse.symantec.com/avcenter/security/Content/2005.08.12b.htmlTA05-224AVU#37895714551ADV-2005-1387101466216403backupexec-ndmp-gain-access(21793)Direct code injection vulnerability in WordPress 1.5.1.3 and earlier allows remote attackers to execute arbitrary PHP code via the cache_lastpostdate[server] cookie.20050809 (no subject)16386Unknown vulnerability in CPAINT Ajax Toolkit before 1.3-SP allows attackers to execute arbitrary PHP or ASP code or read files via unknown vectors.20050815 Vulnerability found in CPAINT Ajax Toolkithttp://sourceforge.net/forum/forum.php?forum_id=48878414565