Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. VU#412115 RHSA-2003:025 http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf A010603-1 20030110 More information regarding Etherleak 20030110 More information regarding Etherleak 20030117 Re: More information regarding Etherleak 20030106 Etherleak: Ethernet frame padding information leakage (A010603-1) RHSA-2003:088 9962 7996 oval:org.mitre.oval:def:2665 Cross-site scripting vulnerability (XSS) in ManualLogin.asp script for Microsoft Content Management Server (MCMS) 2001 allows remote attackers to execute arbitrary script via the REASONTXT parameter. MS03-002 mcms-manuallogin-reasontxt-xss (10318) 20021007 CSS on Microsoft Content Management Server 5922 Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information. VU#610986 CA-2003-03 MS03-001 win-locator-bo(11132) 6666 20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003) 20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003) oval:org.mitre.oval:def:103 Buffer overflow in the Windows Redirector function in Microsoft Windows XP allows local users to execute arbitrary code via a long parameter. MS03-005 6778 winxp-windows-redirector-bo(11260) 20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability 20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability Microsoft Outlook 2002 does not properly handle requests to encrypt email messages with V1 Exchange Server Security certificates, which causes Outlook to send the email in plaintext, aka "Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure." MS03-003 outlook-v1-certificate-plaintext(11133) 6667 Cross-site scripting (XSS) vulnerability in Help and Support Center for Microsoft Windows Me allows remote attackers to execute arbitrary script in the Local Computer security context via an hcp:// URL with the malicious script in the topic parameter. VU#489721 6966 MS03-006 20030227 MS-Windows ME IE/Outlook/HelpCenter critical vulnerability winme-hsc-hcp-bo(11425) 6074 N-047 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. 7146 MS03-008 20030319 iDEFENSE Security Advisory 03.19.03: Heap Overflow in Windows Script Engine 20030319 Windows Scripting Engine issue 20030319 Heap Overflow in Windows Script Engine oval:org.mitre.oval:def:795 oval:org.mitre.oval:def:794 oval:org.mitre.oval:def:200 oval:org.mitre.oval:def:134 Unknown vulnerability in the DNS intrusion detection application filter for Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (blocked traffic to DNS servers) via a certain type of incoming DNS request that is not properly handled. 7145 MS03-009 The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data. 20030102 [BUGZILLA] Security Advisory - remote database password disclosure bugzilla-mining-world-writable(10971) 6502 RHSA-2003:012 DSA-230 The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file. DSA-230 20030102 [BUGZILLA] Security Advisory - remote database password disclosure 6501 6351 bugzilla-htaccess-database-password(10970) gsinterf.c in bmv 1.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. For the stable distribution this problem has been fixed in version 1.2-14.2. For the unstable distribution this problem has been fixed in version 1.2-17. bmv-symlink(18823) 12229 DSA-633 http://packages.debian.org/changelogs/pool/main/b/bmv/bmv_1.2-14.2/changelog 1012847 13796 13793 Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands. VU#650937 CA-2003-02 http://security.e-matters.de/advisories/012003.html RHSA-2003:013 cvs-doublefree-memory-corruption(11108) 6650 RHSA-2003:012 MDKSA-2003:009 DSA-233 N-032 FreeBSD-SA-03:01 20030202 Exploit for CVS double free() for Linux pserver 20030124 Test program for CVS double-free. 20030122 [security@slackware.com: [slackware-security] New CVS packages available] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51&JServSessionIdservlets=5of2iuhr14 20030120 Advisory 01/2003: CVS remote vulnerability Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems, allows remote attackers to cause a denial of service or execute arbitrary code via an HTTP request containing MS-DOS device names. VU#979793 VU#825177 [apache-httpd-announce] 20030120 [ANNOUNCE] Apache 2.0.44 Released http://www.apacheweek.com/issues/03-01-24#security apache-device-code-execution(11125) apache-device-name-dos(11124) 6659 Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain certain files via an HTTP request that ends in certain illegal characters such as ">", which causes a different filename to be processed and served. http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=104313442901017&w=2 Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption. RHSA-2003:025 DSA-423 linux-odirect-information-leak(11249) 6763 MDKSA-2003:014 DSA-358 http://linux.bkbits.net:8080/linux-2.4/cset@3e2f193drGJDBg9SG6JwaDQwCBnAMQ uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrect setuid root privileges, which allows local users to modify network interfaces, e.g. by modifying ARP entries or placing interfaces into promiscuous mode. VU#134025 RHSA-2003:056 linux-umlnet-gain-privileges(11276) 6801 N-044 Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. 9930 apache-esc-seq-injection(11412) 20030224 Terminal Emulator Security Issues 2004-0027 2004-0017 SSA:2004-133 RHSA-2003:244 RHSA-2003:243 RHSA-2003:139 RHSA-2003:104 RHSA-2003:083 RHSA-2003:082 MDKSA-2003:050 57628 101555 GLSA-200405-22 SSRT4717 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) APPLE-SA-2004-05-03 MDKSA-2004:046 20030224 Terminal Emulator Security Issues oval:org.mitre.oval:def:4114 oval:org.mitre.oval:def:150 oval:org.mitre.oval:def:100109 The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence. terminal-emulator-screen-dump(11413) 20030224 Terminal Emulator Security Issues 6936 MDKSA-2003:040 20030224 Terminal Emulator Security Issues The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence. terminal-emulator-screen-dump(11413) 20030224 Terminal Emulator Security Issues 6938 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:034 20030224 Terminal Emulator Security Issues The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu. terminal-emulator-menu-modification(11416) 20030224 Terminal Emulator Security Issues 6947 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:034 20030224 Terminal Emulator Security Issues The menuBar feature in aterm 0.42 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu. terminal-emulator-menu-modification(11416) 20030224 Terminal Emulator Security Issues 6949 20030224 Terminal Emulator Security Issues Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities and possibly gain privileges via certain database functions such as check_prefs() in db.pgsql, as demonstrated using mailbox.php3. DSA-229 20030108 IMP 2.x SQL injection vulnerabilities 1005904 6559 20030108 Re: IMP 2.x SQL injection vulnerabilities 8177 8087 Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname. VU#284857 CA-2003-01 RHSA-2003:011 DSA-231 SuSE-SA:2003:0006 dhcpd-minires-multiple-bo(11073) SuSE-SA:2003:0006 1005924 6627 OpenPKG-SA-2003.002 MDKSA-2003:007 N-031 CLA-2003:562 20030122 [securityslackware.com: [slackware-security] New DHCP packages available] Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. VU#850785 http://www.entercept.com/news/uspr/01-22-03.asp solaris-kcms-directory-traversal(11129) 6665 50104 20030122 Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulner oval:org.mitre.oval:def:2592 oval:org.mitre.oval:def:195 oval:org.mitre.oval:def:120 Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. CA-2003-10 VU#516825 20030522 [slackware-security] glibc XDR overflow fix (SSA:2003-141-03) RHSA-2003:091 RHSA-2003:089 RHSA-2003:052 RHSA-2003:051 SuSE-SA:2003:027 ESA-20030321-010 AD20030318 DSA-282 DSA-272 DSA-266 2003-0014 20030325 GLSA: glibc (200303-22) 20030319 MITKRB5-SA-2003-003: faulty length checks in xdrmem_getbytes 20030319 EEYE: XDR Integer Overflow 20030319 EEYE: XDR Integer Overflow NetBSD-SA2003-008 20030331 GLSA: krb5 & mit-krb5 (200303-28) 20030331 GLSA: dietlibc (200303-29) 20030319 RE: EEYE: XDR Integer Overflow MDKSA-2003:037 oval:org.mitre.oval:def:230 Buffer overflows in protegrity.dll of Protegrity Secure.Data Extension Feature (SEF) before 2.2.3.9 allow attackers with SQL access to execute arbitrary code via the extended stored procedures (1) xp_pty_checkusers, (2) xp_pty_insert, or (3) xp_pty_select. VU#247545 7085 7084 7083 20030313 Protegrity buffer overflow 8294 Multiple buffer overflows in libmcrypt before 2.5.5 allow attackers to cause a denial of service (crash). DSA-228 20030103 Multiple libmcrypt vulnerabilities 1006181 6510 20030105 GLSA: libmcrypt CLA-2003:567 Memory leak in libmcrypt before 2.5.5 allows attackers to cause a denial of service (memory exhaustion) via a large number of requests to the application, which causes libmcrypt to dynamically load algorithms via libtool. DSA-228 20030103 Multiple libmcrypt vulnerabilities libmcrypt-libtool-memory-leak(10988) 6512 20030105 GLSA: libmcrypt CLA-2003:567 Buffer overflow in the RPC preprocessor for Snort 1.8 and 1.9.x before 1.9.1 allows remote attackers to execute arbitrary code via fragmented RPC packets. VU#916785 CA-2003-13 6963 snort-rpc-fragment-bo(10956) 20030303 Snort RPC Preprocessing Vulnerability 4418 MDKSA-2003:029 ESA-20030307-007 DSA-297 GLSA-200304-06 GLSA-200303-6.1 20030303 Snort RPC Vulnerability (fwd) Buffer overflow in the mtink status monitor, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long HOME environment variable. http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 6656 MDKSA-2003:010 Buffer overflow in escputil, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long printer-name command line argument. http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 6658 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package MDKSA-2003:010 ml85p, as included in the printer-drivers package for Mandrake Linux, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable filenames of the form "mlg85p%d". http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package MDKSA-2003:010 Buffer overflows in noffle news server 1.0.1 and earlier allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code. DSA-244 noffle-multiple-bo(11181) 6695 7955 Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters. DSA-436 http://telia.dl.sourceforge.net/sourceforge/mailman/xss-2.1.0-patch.txt 20030124 Mailman: cross-site scripting bug mailman-email-variable-xss(11152) 1005987 6677 9205 ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count. VU#149953 DSA-245 20030115 DoS against DHCP infrastructure with isc dhcrelay dhcp-dhcrelay-dos(11187) 6628 RHSA-2003:034 20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd) CLSA-2003:616 TLSA-2003-26 SQL injection vulnerability in the PostgreSQL auth module for courier 0.40 and earlier allows remote attackers to execute SQL code via the user name. 6738 DSA-247 courierimap-authmysqllib-sql-injection(11213) Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client. RHSA-2003:020 20030128 MIT Kerberos FTP client remote shell commands execution MDKSA-2003:021 8114 7979 Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character. DSA-246 20030130 Apache Jakarta Tomcat 3 URL parsing vulnerability http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ tomcat-null-directory-listing(11194) 6721 HPSBUX0303-249 N-060 7977 7972 Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file. tomcat-webxml-read-files(11195) http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ 6722 HPSBUX0303-249 DSA-246 N-060 Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML. DSA-246 HPSBUX0303-249 http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ tomcat-web-app-xss(11196) 6720 9204 9203 N-060 7972 Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp. jakarta-tomcat-msdos-dos(12102) http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt AbsoluteTelnet SSH2 client does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt http://www.celestialsoftware.net/telnet/beta_software.html 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords 1006013 6725 7686 SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX 2.1.2 and 2.0.4, and (3) Entunnel 1.0.2 and earlier, do not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords 1006012 1006011 1006010 6728 6727 6726 PuTTY 0.53b and earlier does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt 1006014 6724 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows administrators to log in as other users by using the administrator password. http://docs.info.apple.com/article.html?artnum=61798 macos-afp-unauthorized-access(11333) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6860 1006107 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via shell metacharacters. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-command-execution(11401) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6954 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain the physical path of the server's installation path via a NULL file parameter. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-path-disclosure(11402) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6956 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to list arbitrary directories. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-directory-disclosure(11403) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6955 Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-parsexml-xss(11404) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6958 Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute certain code via a request to port 7070 with the script in an argument to the rtsp DESCRIBE method, which is inserted into a log file and executed when the log is viewed using a browser. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-describe-xss(11405) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6960 Buffer overflow in the MP3 broadcasting module of Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via a long filename. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-mp3-bo(11406) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6957 Buffer overflow in secure locate (slocate) before 2.7 allows local users to execute arbitrary code via a long (1) -c or (2) -r command line argument. DSA-252 20030202 GLSA: slocate http://www.usg.org.uk/advisories/2003.001.txt oval:org.mitre.oval:def:11369 CLA-2003:643 MDKSA-2003:015 8749 8236 8118 8007 7982 7947 10720 RHSA-2004:041 20030125 Re: [USG- SA- 2003.001] USG Security Advisory (slocate) 20030124 [USG- SA- 2003.001] USG Security Advisory (slocate) 20040202-01-U CSSA-2003-009.0 Multiple buffer overflows in Hypermail 2 before 2.1.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code (1) via a long attachment filename that is not properly handled by the hypermail executable, or (2) by connecting to the mail CGI program from an IP address that reverse-resolves to a long hostname. 20030127 Hypermail buffer overflows hypermail-long-hostname-bo(11158) hypermail-mail-attachment-bo(11157) 6690 6689 DSA-248 8030 20030126 Hypermail buffer overflows MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. VU#661243 6683 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-null-pointer-dos(10099) RHSA-2003:168 RHSA-2003:052 RHSA-2003:051 MDKSA-2003:043 50142 CLSA-2003:639 oval:org.mitre.oval:def:1110 Unknown vulnerability in the chk_trans.c of the libkrb5 library for MIT Kerberos V5 before 1.2.5 allows users from one realm to impersonate users in other realms that have the same inter-realm keys. VU#684563 6714 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-user-spoofing(11188) RHSA-2003:168 RHSA-2003:052 RHSA-2003:051 MDKSA-2003:043 CLSA-2003:639 Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names. VU#787523 6712 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-format-string(11189) 4879 CLSA-2003:639 Buffer overflow in passwd for HP UX B.10.20 allows local users to execute arbitrary commands with root privileges via a long LANG environment variable. 20030203 HP UX passwd Binary Buffer Overflow Vulnerability Buffer overflow in Eset Software NOD32 for UNIX before 1.013 allows local users to execute arbitrary code via a long path name. http://www.idefense.com/advisory/02.10.03.txt 6803 nod32-pathname-bo(11282) 20030210 iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32 Antivirus Software for Unix The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6940 RHSA-2003:067 RHSA-2003:066 RHSA-2003:065 RHSA-2003:064 DSA-380 20030224 Terminal Emulator Security Issues The dtterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6942 HPSBUX0401-309 20030224 Terminal Emulator Security Issues The uxterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6945 20030224 Terminal Emulator Security Issues The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6953 200303-16 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:003 20030224 Terminal Emulator Security Issues The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 20030224 Terminal Emulator Security Issues The Eterm terminal emulator 0.9.1 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 10237 MDKSA-2003:040 DSA-496 20030224 Terminal Emulator Security Issues The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 8347 20030224 Terminal Emulator Security Issues VTE, as used by default in gnome-terminal terminal emulator 2.2 and as an option in gnome-terminal 2.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Per: http://cwe.mitre.org/data/definitions/77.html 'CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')' RHSA-2003:053 terminal-emulator-window-title(11414) GLSA-200303-2 20030224 Terminal Emulator Security Issues 20030224 Terminal Emulator Security Issues The DEC UDK processing feature in the xterm terminal emulator in XFree86 4.2.99.4 and earlier allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. terminal-emulator-dec-udk(11415) 20030224 Terminal Emulator Security Issues 6950 RHSA-2003:067 RHSA-2003:066 RHSA-2003:065 RHSA-2003:064 DSA-380 20030224 Terminal Emulator Security Issues The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (aka "array overrun"). DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt RHSA-2003:052 RHSA-2003:051 7184 20030331 GLSA: krb5 & mit-krb5 (200303-28) 54042 Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user. DSA-303 20030129 [OpenPKG-SA-2003.008] OpenPKG Security Advisory (mysql) http://www.mysql.com/doc/en/News-3.23.55.html 6718 RHSA-2003:166 RHSA-2003:094 RHSA-2003:093 MDKSA-2003:013 ESA-20030220-004 mysql-mysqlchangeuser-doublefree-dos(11199) CLA-2003:743 oval:org.mitre.oval:def:436 Format string vulnerability in mpmain.c for plpnfsd of the plptools package allows remote attackers to execute arbitrary code via the functions (1) debuglog, (2) errorlog, and (3) infolog. 6715 plptools-plpnsfd-format-string(11193) 20030129 Re: Local root vuln in SuSE 8.0 plptools package 20030129 Local root vuln in SuSE 8.0 plptools package Integer signedness error in the myFseek function of samplein.c for Blade encoder (BladeEnc) 0.94.2 and earlier allows remote attackers to execute arbitrary code via a negative offset value following a "fmt" wave chunk. 6745 http://www.pivx.com/luigi/adv/blade942-adv.txt GLSA-200302-04 bladeenc-myfseek-code-execution(11227) 20030202 Bladeenc 0.94.2 code execution Unknown vulnerability in the directory parser for Direct Connect 4 Linux (dcgui) before 0.2.2 allows remote attackers to read files outside the sharelist. 20030204 GLSA: qt-dcgui qtdcgui-directory-download-files(11246) http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html The hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and possibly later versions, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues RHSA-2003:071 RHSA-2003:070 4917 20030224 Terminal Emulator Security Issues ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." http://www.openssl.org/news/secadv_20030219.txt 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl) ssl-cbc-information-leak(11369) DSA-253 2003-0005 6884 RHSA-2003:205 RHSA-2003:104 RHSA-2003:082 RHSA-2003:063 RHSA-2003:062 3945 MDKSA-2003:020 ESA-20030220-005 N-051 GLSA-200302-10 20030219 OpenSSL 0.9.7a and 0.9.6i released CLSA-2003:570 20030501-01-I NetBSD-SA2003-001 The DEC UDK processing feature in the hanterm (hanterm-xf) terminal emulator before 2.0.5 allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. terminal-emulator-dec-udk(11415) 20030224 Terminal Emulator Security Issues 6944 RHSA-2003:071 RHSA-2003:070 4918 20030224 Terminal Emulator Security Issues The iptables ruleset in Gnome-lokkit in Red Hat Linux 8.0 does not include any rules in the FORWARD chain, which could allow attackers to bypass intended access restrictions if packet forwarding is enabled. 7128 RHSA-2003:072 gnomelokkit-forward-bypass-firewall(11552) 4400 Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers. 7049 http://www.guninski.com/etherre.html http://www.ethereal.com/appnotes/enpa-sa-00008.html DSA-258 ethereal-socks-format-string(11497) RHSA-2003:077 RHSA-2003:076 SuSE-SA:2003:019 GLSA-200303-10 20030308 Ethereal format string bug, yet still ethereal much better than windows MDKSA-2003:051 CLSA-2003:627 oval:org.mitre.oval:def:54 The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 7185 20030331 GLSA: krb5 & mit-krb5 (200303-28) 54042 oval:org.mitre.oval:def:4430 oval:org.mitre.oval:def:2536 oval:org.mitre.oval:def:244 Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020. RHSA-2003:139 20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/loggers/mod_log_config.c?only_with_tag=APACHE_2_0_BRANCH http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_log_config.c?only_with_tag=APACHE_1_3_25 8146 20040325 GLSA200403-04 Multiple security vulnerabilities in Apache 2 oval:org.mitre.oval:def:151 mod_auth_any package in Red Hat Enterprise Linux 2.1 and other operating systems does not properly escape arguments when calling other programs, which allows attackers to execute arbitrary commands via shell metacharacters. 7448 RHSA-2003:114 modauthany-command-execution(11893) RHSA-2003:113 http://www.itlab.musc.edu/webNIS/mod_auth_any.html N-090 Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. VU#298233 7106 DSA-262 20030317 Security Bugfix for Samba - Samba 2.2.8 Released 20030317 GLSA: samba (200303-11) IMNX-2003-7+-003-01 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:095 SuSE-SA:2003:016 20030302-01-I IMNX-2003-7+-003-01 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:096 MDKSA-2003:032 GLSA-200303-11 8303 8299 20030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba) oval:org.mitre.oval:def:552 The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown. 7107 DSA-262 20030317 GLSA: samba (200303-11) 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:095 SuSE-SA:2003:016 20030302-01-I APPLE-SA-2003-03-24 RHSA-2003:096 MDKSA-2003:032 GLSA-200303-11 8303 8299 20030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba) oval:org.mitre.oval:def:554 Buffer overflow in libIM library (libIM.a) for National Language Support (NLS) on AIX 4.3 through 5.2 allows local users to gain privileges via several possible attack vectors, including a long -im argument to aixterm. http://www.idefense.com/advisory/02.12.03.txt aix-aixterm-libim-bo(11309) 6840 7996 IY40320 IY40317 IY40307 20030212 libIM.a buffer overflow vulnerability 20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a 20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to overwrite or create arbitrary files and gain root privileges by setting a certain environment variable that is used to write debugging information. A021403-1 macos-trublueenvironment-gain-privileges(11332) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt http://docs.info.apple.com/article.html?artnum=61798 6859 Buffer overflow in the Software Distributor utilities for HP-UX B.11.00 and B.11.11 allows local users to execute arbitrary code via a long LANG environment variable to setuid programs such as (1) swinstall and (2) swmodify. hp-sd-utilities-bo(13623) 8986 HPSBUX0311-293 20031113 NSFOCUS SA2003-07: HP-UX Software Distributor Buffer Overflow Vulnerability oval:org.mitre.oval:def:5466 20031113 NSFOCUS SA2003-07: HP-UX Software Distributor Buffer Overflow Vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2000-0844. Reason: This candidate is a duplicate of CVE-2000-0844. Notes: All CVE users should reference CVE-2000-0844 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege. 20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability 20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability 8713 http://www.nsfocus.com/english/homepage/sa2003-02.htm N-068 52443 http://packetstormsecurity.org/0304-advisories/sa2003-02.txt oval:org.mitre.oval:def:4383 Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable. 20030331 NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability 7240 20030331 NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability 52388 oval:org.mitre.oval:def:1905 The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to cause a denial of service (crash) via an invalid RADIUS packet with a header length field of 0, which causes tcpdump to generate data within an infinite loop. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=81585 tcpdump-radius-decoder-dos(11324) RHSA-2003:214 RHSA-2003:033 RHSA-2003:032 MDKSA-2003:027 DSA-261 A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed. utillinux-mcookie-cookie-predictable(11318) 6855 MDKSA-2003:016 Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i, 8.1.7, and 8.0.6 allows remote attackers to execute arbitrary code via a long username that is provided during login, as exploitable through client applications that perform their own authentication, as demonstrated using LOADPSP. VU#953746 CA-2003-05 http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf 6849 6319 oracle-username-bo(11328) N-046 20030217 Oracle unauthenticated remote system compromise (#NISR16022003a) Multiple buffer overflows in Oracle 9i Database release 2, Release 1, 8i, 8.1.7, and 8.0.6 allow remote attackers to execute arbitrary code via (1) a long conversion string argument to the TO_TIMESTAMP_TZ function, (2) a long time zone argument to the TZ_OFFSET function, or (3) a long DIRECTORY parameter to the BFILENAME function. VU#840666 VU#743954 VU#663786 CA-2003-05 6850 6848 6847 http://www.nextgenss.com/advisories/ora-tzofstbo.txt http://www.nextgenss.com/advisories/ora-tmstmpbo.txt http://www.nextgenss.com/advisories/ora-bfilebo.txt oracle-totimestamptz-bo(11327) oracle-tzoffset-bo(11326) oracle-bfilename-directory-bo(11325) N-046 http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf 20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e) 20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c) 20030217 Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b) 20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e) 20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c) 20030217 Oracle unauthenticated remote system compromise (#NISR16022003a) Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect). GLSA-200302-09 20030217 PHP Security Advisory: CGI vulnerability in PHP version 4.3.0 http://www.slackware.com/changelog/current.php?cpu=i386 php-cgi-sapi-access(11343) 6875 GLSA-200302-09.1 Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10.5, allows remote attackers to gain root privileges, possibly via format strings in a request to a slave server. DSA-277 7200 SuSE-SA:2003:022 apcupsd-logevent-format-string(11334) http://sourceforge.net/project/shownotes.php?release_id=137900 1006108 http://hsj.shadowpenguin.org/misc/apcupsd_exp.txt http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/apcupsd/apcupsd/src/apcnisd.c.diff?r1=1.5&r2=1.6 CSSA-2003-015.0 6828 MDKSA-2003:018 Multiple buffer overflows in apcupsd before 3.8.6, and 3.10.x before 3.10.5, may allow attackers to cause a denial of service or execute arbitrary code, related to usage of the vsprintf function. DSA-277 7200 apcupsd-vsprintf-multiple-bo(11491) http://sourceforge.net/project/shownotes.php?release_id=137900 http://sourceforge.net/project/shownotes.php?release_id=137892 SuSE-SA:2003:022 MDKSA-2003:018 1006108 CSSA-2003-015.0 Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements. 20030221 Re: Cisco IOS OSPF exploit cisco-ios-ospf-bo(11373) 20030220 Cisco IOS OSPF exploit 6895 miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root privileges. http://marc.theaimsgroup.com/?l=webmin-announce&m=104587858408101&w=2 20030224 [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2" 6915 http://www.lac.co.jp/security/english/snsadv_e/62_e.html webmin-usermin-root-access(11390) DSA-319 N-058 20030224 GLSA: usermin (200302-14) 20030224 Webmin 1.050 - 1.060 remote exploit ESA-20030225-006 HPSBUX0303-250 20030602-01-I 1006160 MDKSA-2003:025 http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html 8163 8115 Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize). VU#611865 7008 http://www.idefense.com/advisory/03.04.03.txt file-afctr-read-bo(11469) RHSA-2003:087 RHSA-2003:086 SuSE-SA:2003:017 MDKSA-2003:030 DSA-260 20030304 iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1) IMNX-2003-7+-012-01 NetBSD-SA2003-003 Format string vulnerability in Nokia 6210 handset allows remote attackers to cause a denial of service (crash, lockup, or restart) via a Multi-Part vCard with fields containing a large number of format string specifiers. 6952 nokia-6210-vcard-dos(11421) Directory traversal vulnerability in PeopleTools 8.10 through 8.18, 8.40, and 8.41 allows remote attackers to overwrite arbitrary files via the SchedulerTransfer servlet. 7053 peoplesoft-schedulertransfer-create-files(10962) 20030310 PeopleSoft PeopleTools Remote Command Execution Vulnerability ServerMask 2.2 and earlier does not obfuscate (1) ETag, (2) HTTP Status Message, or (3) Allow HTTP responses, which could tell remote attackers that the web server is an IIS server. servermask-header-obtain-info(16947) http://www.corsaire.com/advisories/c030224-001.txt 20040810 Corsaire Security Advisory - Port80 Software ServerMask inconsistencies The HTTP proxy for Symantec Enterprise Firewall (SEF) 7.0 allows proxy users to bypass pattern matching for blocked URLs via requests that are URL-encoded with escapes, Unicode, or UTF-8. http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2003032507434754 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue 7196 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code. VU#142121 zlib-gzprintf-bo(11381) 20030222 buffer overrun in zlib 1.1.4 20030223 poc zlib sploit just for fun :) http://lists.apple.com/mhonarc/security-announce/msg00038.html 6913 RHSA-2003:081 RHSA-2003:079 6599 MDKSA-2003:033 57405 GLSA-200303-25 20030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25 20030224 Re: buffer overrun in zlib 1.1.4 CLSA-2003:619 NetBSD-SA2003-004 CSSA-2003-011.0 isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop. 6974 http://www.idefense.com/advisory/02.27.03.txt DSA-255 tcpdump-isakmp-dos(11434) RHSA-2003:214 RHSA-2003:085 RHSA-2003:032 SuSE-SA:2003:0015 MDKSA-2003:027 20030304 [OpenPKG-SA-2003.014] OpenPKG Security Advisory (tcpdump) 20030227 iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsin CLA-2003:629 Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0. CA-2003-09 VU#117394 7116 MS03-007 http-webdav-long-request(11533) 20030317 Microsoft IIS WebDAV Remote Compromise Vulnerability http://www.nextgenss.com/papers/ms03-007-ntdll.pdf Q815021 http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en 20030321 New attack vectors and a vulnerability dissection of MS03-007 20030708 WDAV exploit without netcat and with pretty magic number 20030328 Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit 20030326 WebDAV exploit: using wide character decoder scheme 20030325 IIS 5.0 WebDAV -Proof of concept-. Fully documented. 20030321 New attack vectors and a vulnerability dissection of MS03-007 oval:org.mitre.oval:def:109 The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745. MS03-012 http://www.idefense.com/advisory/04.09.03.txt 20030409 iDEFENSE Security Advisory 04.09.03: Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration Server 2000 oval:org.mitre.oval:def:406 The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise." VU#447569 MS03-011 msvm-bytecode-improper-validation(11751) oval:org.mitre.oval:def:136 Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. VU#446338 7370 MS03-013 win-kernel-lpcrequestwaitreplyport-bo(11803) oval:org.mitre.oval:def:779 oval:org.mitre.oval:def:3145 oval:org.mitre.oval:def:262 oval:org.mitre.oval:def:2265 oval:org.mitre.oval:def:2022 oval:org.mitre.oval:def:142 oval:org.mitre.oval:def:1264 Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. VU#169753 MS03-015 20030426 Buffer overflow in Internet Explorer's HTTP parsing code 20030701 URLMON.DLL buffer overflow - technical details oval:org.mitre.oval:def:926 The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. MS03-015 20030203 internet explorer local file reading oval:org.mitre.oval:def:963 Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check parameters that are passed during third party rendering, which could allow remote attackers to execute arbitrary web script, aka the "Third Party Plugin Rendering" vulnerability, a different vulnerability than CVE-2003-0233. MS03-015 ie-improper-thirdparty-rendering(11848) Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check the Cascading Style Sheet input parameter for Modal dialogs, which allows remote attackers to read files on the local system via a web page containing script that creates a dialog and then accesses the target files, aka "Modal Dialog script execution." VU#244729 6306 MS03-015 20021203 Poisonous Style for Dialog window turns the zone off. Buffer overflow in the HTTP receiver function (BizTalkHTTPReceive.dll ISAPI) of Microsoft BizTalk Server 2002 allows attackers to execute arbitrary code via a certain request to the HTTP receiver. MS03-016 20030505 Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow SQL injection vulnerability in the Document Tracking and Administration (DTA) website of Microsoft BizTalk Server 2000 and 2002 allows remote attackers to execute operating system commands via a request to (1) rawdocdata.asp or (2) RawCustomSearchField.asp containing an embedded SQL statement. MS03-016 20030505 Microsoft Biztalk Server DTA vulnerable to SQL injection The secldapclntd daemon in AIX 4.3, 5.1 and 5.2 uses an Internet socket when communicating with the loadmodule, which allows remote attackers to directly connect to the daemon and conduct unauthorized activities. VU#624713 7264 MSS-OAR-E01-2003:0245.1 8221 adb2mhc in the mhc-utils package before 0.25+20010625-7.1 allows local users to overwrite arbitrary files via a symlink attack on a default temporary directory with a predictable name. DSA-256 6978 mhc-adb2mhc-insecure-tmp(11439) Clearswift MAILsweeper 4.x allows remote attackers to bypass attachment detection via an attachment that does not specify a MIME-Version header field, which is processed by some mail clients. 7044 20030307 Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issue 20030326 RE: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issue Buffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.11, and early R6 allows remote attackers to execute arbitrary code via a long distinguished name (DN) during NotesRPC authentication and an outer field length that is less than that of the DN field. VU#433489 CA-2003-11 7037 http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101 20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication http://www.rapid7.com/advisories/R7-0010.html lotus-nrpc-bo(11526) N-065 20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5 through R6 allows remote malicious web servers to cause a denial of service (crash) via a long HTTP status line. VU#411489 CA-2003-11 7038 http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105060 20030313 R7-0011: Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow http://www.rapid7.com/advisories/R7-0011.html lotus-web-retriever-bo(11525) N-065 man before 1.5l allows attackers to execute arbitrary code via a malformed man file with improper quotes, which causes the my_xsprintf function to return a string with the value "unsafe," which is then executed as a program via a system call if it is in the search path of the user who runs man. 7066 20030311 Vulnerability in man < 1.5l man-myxsprintf-code-execution(11512) RHSA-2003:134 RHSA-2003:133 GLSA-200303-13 CLSA-2003:620 Buffer overflow in the web interface for SOHO Routefinder 550 before firmware 4.63 allows remote attackers to cause a denial of service (reboot) and execute arbitrary code via a long GET /OPTIONS value. http://www.krusesecurity.dk/advisories/routefind550bof.txt ftp://ftp.multitech.com/Routers/RF550VPN.TXT routefinder-vpn-options-bo(11514) 7067 The web interface for SOHO Routefinder 550 firmware 4.63 and earlier, and possibly later versions, has a default "admin" account with a blank password, which could allow attackers on the LAN side to conduct unauthorized activities. http://www.krusesecurity.dk/advisories/routefind550bof.txt The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. VU#628849 RHSA-2003:098 RHSA-2003:145 DSA-495 DSA-423 DSA-336 DSA-332 DSA-312 DSA-311 DSA-276 DSA-270 GLSA-200303-17 RHSA-2003:088 CSSA-2003-020.0 RHSA-2003:103 MDKSA-2003:039 MDKSA-2003:038 ESA-20030515-017 20030317 Fwd: Ptrace hole / Linux 2.2.25 oval:org.mitre.oval:def:254 The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow. 7117 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 20030321 GLSA: evolution (200303-18) CLA-2003:648 oval:org.mitre.oval:def:107 Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times. 7118 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 20030321 GLSA: evolution (200303-18) RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 CLA-2003:648 oval:org.mitre.oval:def:108 The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. 7119 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 20030321 GLSA: evolution (200303-18) RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 CLA-2003:648 oval:org.mitre.oval:def:111 The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." VU#888801 7148 20030319 [OpenSSL Advisory] Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding ssl-premaster-information-leak(11586) 20030327 Immunix Secured OS 7+ openssl update RHSA-2003:102 RHSA-2003:101 http://www.openssl.org/news/secadv_20030319.txt SuSE-SA:2003:024 http://www.linuxsecurity.com/advisories/immunix_advisory-3066.html IMNX-2003-7+-001-01 DSA-288 http://lists.apple.com/mhonarc/security-announce/msg00028.html http://eprint.iacr.org/2003/052/ 20030501-01-I NetBSD-SA2003-007 SuSE-SA:2003:024 20030327 Immunix Secured OS 7+ openssl update OpenPKG-SA-2003.026 MDKSA-2003:035 GLSA-200303-20 2003-0013 20030324 GLSA: openssl (200303-20) CLA-2003:625 CSSA-2003-014.0 oval:org.mitre.oval:def:461 A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. VU#206537 20030402 [ANNOUNCE] Apache 2.0.45 Released ADV-2009-1233 RHSA-2003:139 http://www.idefense.com/advisory/04.08.03.txt http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=205147 8499 34920 http://lists.apple.com/mhonarc/security-announce/msg00028.html 20030411 PATCH: [CAN-2003-0132] Apache 2.0.44 Denial of Service 20030410 working apache <= 2.0.44 DoS exploit for linux. 20030408 Exploit Code Released for Apache 2.x Memory Leak 20030409 GLSA: apache (200304-01) 20030408 iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x oval:org.mitre.oval:def:156 GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages. RHSA-2003:126 MDKSA-2003:046 CLA-2003:737 oval:org.mitre.oval:def:138 Unknown vulnerability in filestat.c for Apache running on OS2, versions 2.0 through 2.0.45, allows unknown attackers to cause a denial of service via requests related to device names. 20030402 [ANNOUNCE] Apache 2.0.45 Released http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. 7253 RHSA-2003:084 oval:org.mitre.oval:def:634 psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file. RHSA-2003:142 DSA-285 http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=188366 oval:org.mitre.oval:def:423 SNMP daemon in the DX200 based network element for Nokia Serving GPRS support node (SGSN) allows remote attackers to read SNMP options via arbitrary community strings. A031303-2 8301 Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack. VU#623217 DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 DSA-273 DSA-269 7113 20030331 GLSA: krb5 & mit-krb5 (200303-28) 20030317 MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 protocol oval:org.mitre.oval:def:248 Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing." VU#442569 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt 20030319 MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 DSA-273 DSA-266 20030330 GLSA: openafs (200303-26) 20030331 GLSA: krb5 & mit-krb5 (200303-28) oval:org.mitre.oval:def:250 Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. 7120 20030320 CORE-20030304-02: Vulnerability in Mutt Mail User Agent mutt-folder-name-bo(11583) 20030319 mutt-1.4.1 fixes a buffer overflow. RHSA-2003:109 SuSE-SA:2003:020 DSA-268 MDKSA-2003:041 GLSA-200303-19 http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10 20030430 GLSA: balsa (200304-10) 20030322 GLSA: mutt (200303-19) 20030320 [OpenPKG-SA-2003.025] OpenPKG Security Advisory (mutt) CLA-2003:630 CLA-2003:626 oval:org.mitre.oval:def:434 oval:org.mitre.oval:def:2 The PNG deflate algorithm in RealOne Player 6.0.11.x and earlier, RealPlayer 8/RealPlayer Plus 8 6.0.9.584, and other versions allows remote attackers to corrupt the heap and overwrite arbitrary memory via a PNG graphic file format containing compressed data using fixed trees that contain the length values 286-287, which are treated as a very large length. VU#705761 7177 http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10 20030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability 20030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability Adobe Acrobat Reader (acroread) 6, under certain circumstances when running with the "Certified plug-ins only" option disabled, loads plug-ins with signatures used for older versions of Acrobat, which can allow attackers to cause Acrobat to enter Certified mode and run untrusted plugins by modifying the CTIsCertifiedMode function. VU#689835 20030708 Adobe Acrobat and PDF security: no improvements for 2 years The pop_msg function in qpopper 4.0.x before 4.0.5fc2 does not null terminate a message buffer after a call to Qvsnprintf, which could allow authenticated users to execute arbitrary code via a buffer overflow in a mdef command with a long macro name. 7058 DSA-259 qpopper-popmsg-macroname-bo(11516) 20030310 QPopper 4.0.x buffer overflow vulnerability SuSE-SA:2003:018 GLSA-200303-12 20030314 [OpenPKG-SA-2003.018] OpenPKG Security Advisory (qpopper) 20030312 Re: QPopper 4.0.x buffer overflow vulnerability Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name. 7025 lprm-bo(11473) SuSE-SA:2003:0014 DSA-275 DSA-267 20030406-02-P ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch MDKSA-2003:059 8293 20030308 OpenBSD lprm(1) exploit 20030305 potential buffer overflow in lprm (fwd) Unknown vulnerability in tcpdump before 3.7.2 related to an inability to "Handle unknown RADIUS attributes properly," allows remote attackers to cause a denial of service (infinite loop), a different vulnerability than CAN-2003-0093. http://www.tcpdump.org/tcpdump-changes.txt tcpdump-radius-attribute-dos(11857) RHSA-2003:214 RHSA-2003:151 RHSA-2003:032 MDKSA-2003:027 DSA-261 Multiple vulnerabilities in NetPBM 9.20 and earlier, and possibly other versions, may allow remote attackers to cause a denial of service or execute arbitrary code via "maths overflow errors" such as (1) integer signedness errors or (2) integer overflows, which lead to buffer overflows. VU#630433 DSA-263 netpbm-multiple-bo(11463) 6979 RHSA-2003:060 20030228 NetPBM, multiple vulnerabilities CLSA-2003:656 OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). VU#997481 20030327 Immunix Secured OS 7+ openssl update 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:102 RHSA-2003:101 http://www.openssl.org/news/secadv_20030317.txt MDKSA-2003:035 DSA-288 20030317 [ADVISORY] Timing Attack on OpenSSL 20030313 Vulnerability in OpenSSL http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf 20030313 OpenSSL Private Key Disclosure 20030501-01-I IMNX-2003-7+-001-01 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL OpenPKG-SA-2003.019 GLSA-200303-23 GLSA-200303-24 GLSA-200303-15 20030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl) CLA-2003:625 CSSA-2003-014.0 oval:org.mitre.oval:def:466 The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 through 3.0 allows attackers to execute arbitrary code via a series of steps that (1) obtain the database administrator username and encrypted password in a configuration file from the ePO server using a certain request, (2) crack the password due to weak cryptography, and (3) use the password to pass commands through xp_cmdshell. http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp A073103-1 Heap-based buffer overflow in ePO agent for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request containing long parameters. http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp A073103-1 MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf. VU#203897 7052 20030318 [OpenPKG-SA-2003.022] OpenPKG Security Advisory (mysql) mysql-datadir-root-privileges(11510) RHSA-2003:093 ESA-20030324-012 DSA-303 RHSA-2003:094 20030318 GLSA: mysql (200303-14) 20030310 Re: MySQL user can be changed to root 20030308 MySQL_user_can_be_changed_to_root? CLA-2003:743 MDKSA-2003:057 oval:org.mitre.oval:def:442 BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code. 20030317 S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server 20030317 SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express http://www.s21sec.com/en/avisos/s21sec-011-en.txt http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp 7124 7122 Unknown vulnerability in bonsai Mozilla CVS query tool allows remote attackers to execute arbitrary commands as the www-data user. 7162 DSA-265 bonsai Mozilla CVS query tool leaks the absolute pathname of the tool in certain error messages generated by (1) cvslog.cgi, (2) cvsview2.cgi, or (3) multidiff.cgi. DSA-265 bonsai-path-disclosure(9921) 20020819 Advisory: Bonsai XSS and Physical Path Revealing Vulnerabilities http://bugzilla.mozilla.org/show_bug.cgi?id=187230 5517 Cross-site scripting vulnerabilities (XSS) in bonsai Mozilla CVS query tool allow remote attackers to execute arbitrary web script via (1) the file, root, or rev parameters to cvslog.cgi, (2) the file or root parameters to cvsblame.cgi, (3) various parameters to cvsquery.cgi, (4) the person parameter to showcheckins.cgi, (5) the module parameter to cvsqueryform.cgi, and (6) possibly other attack vectors as identified by Mozilla bug #146244. 5516 DSA-265 bonsai-error-message-xss(9920) 20020819 Advisory: Bonsai XSS and Physical Path Revealing Vulnerabilities http://bugzilla.mozilla.org/show_bug.cgi?id=163573 http://bugzilla.mozilla.org/show_bug.cgi?id=146244 http://bugzilla.mozilla.org/attachment.cgi?id=95985&action=view http://bugzilla.mozilla.org/attachment.cgi?id=95950&action=view bonsai Mozilla CVS query tool allows remote attackers to gain access to the parameters page without authentication. 7163 DSA-265 Directory traversal vulnerability in Cross-Referencing Linux (LXR) allows remote attackers to read arbitrary files via .. (dot dot) sequences in the v parameter. 7062 DSA-264 20030311 Cross-Referencing Linux vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0138. Reason: This candidate is a reservation duplicate of CVE-2003-0138 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0138 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0139. Reason: This candidate is a reservation duplicate of CVE-2003-0139 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0139 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. 7050 http://www.ethereal.com/appnotes/enpa-sa-00008.html SuSE-SA:2003:019 RHSA-2003:077 MDKSA-2003:051 20030309 GLSA: ethereal (200303-10) oval:org.mitre.oval:def:55 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. http://sourceforge.net/mailarchive/forum.php?thread_id=1641953&forum_id=1988 RHSA-2003:112 oval:org.mitre.oval:def:614 The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337. CA-2003-12 VU#897604 7230 RHSA-2003:120 IMNX-2003-7+-002-01 RHSA-2003:121 DSA-290 DSA-278 1001088 20030329 Sendmail: -1 gone wild 20030329 Sendmail: -1 gone wild http://lists.apple.com/mhonarc/security-announce/msg00028.html 20030401-01-P SCOSA-2004.11 FreeBSD-SA-03:07 CSSA-2003-016.0 IMNX-2003-7+-002-01 20030331 GLSA: sendmail (200303-27) 20030520 [Fwd: 127 Research and Development: 127 Day!] GLSA-200303-27 52700 52620 20030330 [OpenPKG-SA-2003.027] OpenPKG Security Advisory (sendmail) 20030329 sendmail 8.12.9 available CLA-2003:614 Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote attackers to reset passwords of other users and gain privileges by modifying hidden form fields in the HTML page. 6971 ecartis-password-reset(11431) DSA-271 20030303 Re: Ecardis Password Reseting Vulnerability 20030227 Ecardis Password Reseting Vulnerability decrypt_msg for the Gaim-Encryption GAIM plugin 1.15 and earlier does not properly validate a message length parameter, which allows remote attackers to cause a denial of service (crash) via a negative length, which overwrites arbitrary heap memory with a zero byte. 7182 http://www.rapid7.com/advisories/R7-0013.html 20030412 R7-0013: Heap Corruption in Gaim-Encryption Plugin Format string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display. VU#363001 7121 RHSA-2003:128 20030328 CORE-2003-0304-03: Vulnerability in GNOME's Eye of Gnome 20030328 Vulnerability in GNOME's Eye of Gnome MDKSA-2003:048 http://www.coresecurity.com/common/showdoc.php?idx=312&idxseccion=10 oval:org.mitre.oval:def:52 Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions. 7198 7197 20030326 @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator 20030402 Inaccurate Reports Concerning PHP Vulnerabilities 20030327 RE: FUD-ALARM: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator CLSA-2003:691 Multiple off-by-one buffer overflows in the IMAP capability for Mutt 1.3.28 and earlier, and Balsa 1.2.4 and earlier, allow a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder, a different vulnerability than CVE-2003-0140. 7229 DSA-274 DSA-300 Buffer overflow in Apple QuickTime Player 5.x and 6.0 for Windows allows remote attackers to execute arbitrary code via a long QuickTime URL. VU#112553 20030401 Fwd: QuickTime 6.1 for Windows is available http://www.idefense.com/advisory/03.31.03.txt http://lists.apple.com/mhonarc/security-announce/msg00027.html 20030331 iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Player quicktime-url-bo(11671) 7247 20030401 iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Player 20030401 Fwd: QuickTime 6.1 for Windows is available 10561 hpnst.exe in the GoAhead-Webs webserver for HP Instant TopTools before 5.55 allows remote attackers to cause a denial of service (CPU consumption) via a request to hpnst.exe that calls itself, which causes an infinite loop. 7246 20030331 [DDI-1012] Malformed request causes denial of service in HP Instant TopTools 20030331 [DDI-1012] Malformed request causes denial of service in HP Instant TopTools Unknown vulnerability in ftpd in IBM AIX 5.2, when configured to use Kerberos 5 for authentication, allows remote attackers to gain privileges via unknown attack vectors. aix-ftpd-gain-access(11823) 7346 IY42424 MSS-OAR-E01-2003.0469.1 4878 DirectoryServices in MacOS X trusts the PATH environment variable to locate and execute the touch command, which allows local users to execute arbitrary commands by modifying the PATH to point to a directory containing a malicious touch program. A041003-1 http://lists.apple.com/mhonarc/security-announce/msg00028.html Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument. 7210 20030327 @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function php-openlog-stack-bo(11637) 20041222 PHP v4.3.x exploit for Windows. 20030327 Re: @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function 2113 20030402 Inaccurate Reports Concerning PHP Vulnerabilities xfsdq in xfsdump does not create quota information files securely, which allows local users to gain root privileges. VU#111673 DSA-283 20030404-01-P MDKSA-2003:047 The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a password. 7442 20030407-01-P irix-ldap-authentication-bypass(11860) N-084 SGI IRIX before 6.5.21 allows local users to cause a denial of service (kernel panic) via a certain call to the PIOCSWATCH ioctl. VU#142228 irix-piocswatch-ioctl-dos(12241) 7868 20030603-01-P 1008770 The Name Service Daemon (nsd), when running on an NIS master on SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows remote attackers to cause a denial of service (crash) via a UDP port scan. 20030701-01-P SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, does not follow "-" entries in the /etc/group file, which may cause subsequent group membership entries to be processed inadvertently. 20030701-01-P Multiple buffer overflows in Lotus Domino Web Server before 6.0.1 allow remote attackers to cause a denial of service or execute arbitrary code via (1) the s_ViewName option in the PresetFields parameter for iNotes, (2) the Foldername option in the PresetFields parameter for iNotes, or (3) a long Host header, which is inserted into a long Location header and used during a redirect operation. VU#772817 VU#542873 VU#206361 CA-2003-11 6871 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) lotus-domino-hostname-bo(11337) lotus-domino-inotes-bo(11336) 6870 http://www.nextgenss.com/advisories/lotus-inotesoflow.txt http://www.nextgenss.com/advisories/lotus-hostlocbo.txt N-065 20030217 Domino Advisories UPDATE 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) 20030217 Domino Advisories UPDATE 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) Buffer overflow in the COM Object Control Handler for Lotus Domino 6.0.1 and earlier allows remote attackers to execute arbitrary code via multiple attack vectors, as demonstrated using the InitializeUsingNotesUserName method in the iNotes ActiveX control. VU#571297 CA-2003-11 6872 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) lotus-notes-activex-bo(11339) http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt N-065 http://www-1.ibm.com/support/docview.wss?uid=swg21104543 20030217 Domino Advisories UPDATE 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) 20030217 Domino Advisories UPDATE 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via an incomplete POST request, as demonstrated using the h_PageUI form. VU#355169 CA-2003-11 http://www.nextgenss.com/advisories/lotus-60dos.txt lotus-incomplete-post-dos(11360) 6951 N-065 http://www-1.ibm.com/support/docview.wss?uid=swg21104528 20030218 More Lotus Domino Advisories Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via a "Fictionary Value Field POST request" as demonstrated using the s_Validation form with a long, unknown parameter name. CA-2003-11 http://www.nextgenss.com/advisories/lotus-60dos.txt lotus-invalid-field-dos(11361) 6951 http://www-1.ibm.com/support/docview.wss?uid=swg21104528 20030218 More Lotus Domino Advisories The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts. 20030802 [SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS oval:org.mitre.oval:def:260 lv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories. RHSA-2003:169 DSA-304 TLSA-2003-35 RHSA-2003:167 oval:org.mitre.oval:def:430 The authentication module for Apache 2.0.40 through 2.0.45 on Unix does not properly handle threads safely when using the crypt_r or crypt functions, which allows remote attackers to cause a denial of service (failed Basic authentication with valid usernames and passwords) when a threaded MPM is used. VU#479268 RHSA-2003:186 http://www.apache.org/dist/httpd/Announcement2.html 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released apache-aprpasswordvalidate-dos(12091) 7725 8881 CLA-2003:661 OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. 7467 20030430 OpenSSH/PAM timing attack allows remote users identification TLSA-2003-31 RHSA-2003:224 RHSA-2003:222 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh) 20030430 OpenSSH/PAM timing attack allows remote users identification http://lab.mediaservice.net/advisory/2003-01-openssh.txt oval:org.mitre.oval:def:445 Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite. RHSA-2003:240 20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released RHSA-2003:243 SCOSA-2004.6 RHSA-2003:244 MDKSA-2003:075 oval:org.mitre.oval:def:169 msxlsview.sh in xlsview for catdoc 0.91 and earlier allows local users to overwrite arbitrary files via a symlink attack on predictable temporary file names ("word$$.html"). DSA-575 catdoc-xlsview-symlink(16335) 11560 11193 13022 13021 http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=183525 tcpdump does not properly drop privileges to the pcap user when starting up. RHSA-2003:174 RHSA-2003:151 CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out. RHSA-2003:171 DSA-317 TLSA-2003-33 SuSE-SA:2003:028 7637 MDKSA-2003:062 20030529 [slackware-security] CUPS DoS vulnerability fixed (SSA:2003-149-01) CLSA-2003:678 oval:org.mitre.oval:def:6 Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201. RHSA-2003:137 DSA-280 20030407 [OpenPKG-SA-2003.028] OpenPKG Security Advisory (samba) MDKSA-2003:044 20030407 Immunix Secured OS 7+ samba update oval:org.mitre.oval:def:564 Buffer overflow gds_lock_mgr of Interbase Database 6.x allows local users to gain privileges via a long ISC_LOCK_ENV environment variable (INTERBASE_LOCK). http://www.secnetops.com/research/advisories/SRT2003-04-03-1300.txt 20030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflow 20030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflow Mac OS X before 10.2.5 allows guest users to modify the permissions of the DropBox folder and read unauthorized files. http://lists.apple.com/mhonarc/security-announce/msg00028.html Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. VU#267873 7294 DSA-280 20030407 [DDI-1013] Buffer Overflow in Samba allows remote root compromise RHSA-2003:137 SuSE-SA:2003:025 http://www.digitaldefense.net/labs/advisories/DDI-1013.txt 20030403-01-P MDKSA-2003:044 20030409 GLSA: samba (200304-02) 20030408 [Sorcerer-spells] SAMBA--SORCERER2003-04-08 20030407 Immunix Secured OS 7+ samba update CLA-2003:624 oval:org.mitre.oval:def:567 oval:org.mitre.oval:def:2163 The (1) halstead and (2) gather_stats scripts in metrics 1.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files. DSA-279 metrics-tmpfile-symlink(11734) 7293 Buffer overflow in moxftp 2.2 and earlier allows remote malicious FTP servers to execute arbitrary code via a long FTP banner. 6921 moxftp-welcome-banner-bo(11399) DSA-281 20030223 moxftp arbitrary code execution poc/advisory 1006156 20030223 moxftp arbitrary code execution poc/advisory 8136 KDE 2 and KDE 3.1.1 and earlier 3.x versions allows attackers to execute arbitrary commands via (1) PostScript (PS) or (2) PDF files, related to missing -dPARANOIDSAFER and -dSAFER arguments when using the kghostview Ghostscript viewer. http://www.kde.org/info/security/advisory-20030409-1.txt DSA-284 RHSA-2003:002 DSA-296 DSA-293 http://bugs.kde.org/show_bug.cgi?id=56808 http://bugs.kde.org/show_bug.cgi?id=53343 MDKSA-2003:049 20030414 GLSA: kde-2.x (200304-05.1) 20030412 [Sorcerer-spells] KDE-SORCERER2003-04-12 20030411 GLSA: kde-2.x (200304-05) 20030410 GLSA: kde-3.x (200304-04) CLA-2003:747 CLA-2003:668 gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the ticker title of a URI. DSA-294 20030423 Security problems in gkrellm-newsticker gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to cause a denial of service (crash) via (1) link or (2) title elements that contain multiple lines. DSA-294 20030423 Security problems in gkrellm-newsticker ps2epsi creates insecure temporary files when calling ghostscript, which allows local attackers to overwrite arbitrary files. DSA-286 Cross-site scripting (XSS) vulnerability in Macromedia Flash ad user tracking capability allows remote attackers to insert arbitrary Javascript via the clickTAG field. http://www.securiteam.com/securitynews/5XP0B0U9PE.html http://www.macromedia.com/support/flash/ts/documents/clicktag_security.htm 20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach 20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach Integer overflow in the TCP stream reassembly module (stream4) for Snort 2.0 and earlier allows remote attackers to execute arbitrary code via large sequence numbers in packets, which enable a heap-based buffer overflow. VU#139129 CA-2003-13 7178 DSA-297 http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10 ESA-20030430-013 20030428 GLSA: snort (200304-06) 20030423 Snort <=1.9.1 exploit 20030422 GLSA: snort (200304-05) 20030415 CORE-2003-0307: Snort TCP Stream Reassembly Integer Overflow Vulnerability MDKSA-2003:052 Buffer overflow in the administration service (CSAdmin) for Cisco Secure ACS before 3.1.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long user parameter to port 2002. VU#697049 20030423 Cisco Secure Access Control Server for Windows Admin Buffer Overflow Vulnerability 20030424 NSFOCUS SA2003-04 : Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS 20030424 NSFOCUS SA2003-04 : Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. 20030418 Xinetd 2.3.10 Memory Leaks RHSA-2003:160 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88537 MDKSA-2003:056 CLA-2003:782 oval:org.mitre.oval:def:657 handleAccept in rinetd before 0.62 does not properly resize the connection list when it becomes full and sets an array index incorrectly, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of connections. DSA-289 20030417 Vulnerability in rinetd ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow. VU#673993 7316 20030409 PoPToP PPTP server remotely exploitable buffer overflow DSA-295 SuSE-SA:2003:029 20030418 Exploit for PoPToP PPTP server 20030422 Re: Exploit for PoPToP PPTP server - Linux version http://sourceforge.net/project/shownotes.php?release_id=138437 20030428 GLSA: pptpd (200304-08) run-mailcap in mime-support 3.22 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. DSA-292 SQL injection vulnerability in bttlxeForum 2.0 beta 3 and earlier allows remote attackers to bypass authentication via the (1) username and (2) password fields, and possibly other fields. http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812 20030424 SQL injection in BttlxeForum 1006632 Unknown vulnerability in Cisco Catalyst 7.5(1) allows local users to bypass authentication and gain access to the enable mode without a password. VU#443257 20030424 Cisco Security Advisory: Cisco Catalyst Enable Password Bypass Vulnerability Cross-site scripting (XSS) vulnerability in Neoteris Instant Virtual Extranet (IVE) 3.01 and earlier allows remote attackers to insert arbitrary web script and bypass authentication via a certain CGI script. 20030513 XSS In Neoteris IVE Allows Session Hijacking Buffer overflow in PostMethod() function for Monkey HTTP Daemon (monkeyd) 0.6.1 and earlier allows remote attackers to execute arbitrary code via a POST request with a large body. 7202 20030428 GLSA: monkeyd (200304-07.1) 20030420 Monkey HTTPd Remote Buffer Overflow http://monkeyd.sourceforge.net/Changelog.txt 20030420 Monkey HTTPd Remote Buffer Overflow Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute administrator commands by sniffing packets from a valid session and replaying them against the remote administration server. VU#641012 http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10 7179 20030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet. VU#454716 http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10 7180 20030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall The (1) dupatch and (2) setld utilities in HP Tru64 UNIX 5.1B PK1 and earlier allows local users to overwrite files and possibly gain root privileges via a symlink attack. tru64-dupatch-setld-symlink(11892) 7452 SSRT3471 Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter. 7453 http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf oracle-database-link-bo(11885) N-085 20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003) 20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003) Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. MS03-018 oval:org.mitre.oval:def:66 Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun." MS03-018 20030530 NSFOCUS SA2003-05: Microsoft IIS ssinc.dll Over-long Filename Buffer Overflow Vulnerability oval:org.mitre.oval:def:483 The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page. MS03-018 http://www.aqtronix.com/Advisories/AQ-2003-01.txt 20030418 Microsoft Active Server Pages DoS oval:org.mitre.oval:def:373 Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. http://www.spidynamics.com/iis_alert.html MS03-018 20030528 Internet Information Services 5.0 Denial of service 20030528 Internet Information Services 5.0 Denial of service 20030529 IIS WEBDAV Denial of Service attacks oval:org.mitre.oval:def:933 The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. MS03-019 20030528 MS03-019: DoS or Code of Choice 20030528 Re: Alert: MS03-019, Microsoft... wrong, again. 20030528 RE: Alert: MS03-019, Microsoft... wrong, again. oval:org.mitre.oval:def:966 oval:org.mitre.oval:def:936 Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location. VU#384932 7517 MS03-017 20030507 Windows Media Player directory traversal vulnerability mediaplayer-skin-code-execution(11953) 20030507 Windows Media Player directory traversal vulnerability 20030508 why i love xs4all + mediaplayer thingie oval:org.mitre.oval:def:321 Microsoft SQL Server 7, 2000, and MSDE allows local users to gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability. VU#556356 MS03-031 oval:org.mitre.oval:def:235 Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe. VU#918652 MS03-031 A072303-2 oval:org.mitre.oval:def:299 Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow. VU#584868 MS03-031 A072303-3 oval:org.mitre.oval:def:303 Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CVE-2003-0115. MS03-015 20030424 Internet Explorer Plugin.ocx heap overflow (#NISR24042003) ie-plugin-load-bo(11854) oval:org.mitre.oval:def:1094 Format string vulnerability in POP3 client for Mirabilis ICQ Pro 2003a allows remote malicious servers to execute arbitrary code via format strings in the response to a UIDL command. 7461 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-pop3-format-string(11938) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client Integer signedness errors in the POP3 client for Mirabilis ICQ Pro 2003a allow remote attackers to execute arbitrary code via the (1) Subject or (2) Date headers. 7463 7462 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-pop3-email-bo(11939) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client The "ICQ Features on Demand" functionality for Mirabilis ICQ Pro 2003a does not properly verify the authenticity of software upgrades, which allows remote attackers to install arbitrary software via a spoofing attack. 7464 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-features-no-auth(11944) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client The Message Session window in Mirabilis ICQ Pro 2003a allows remote attackers to cause a denial of service (CPU consumption) by spoofing the address of an ADS server and sending HTML with a -1 width in a table tag. 7465 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-table-tag-dos(11947) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icqateimg32.dll parsing/rendering library in Mirabilis ICQ Pro 2003a allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor. 7466 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-gif89a-header-dos(11948) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client The web-based administration capability for various Axis Network Camera products allows remote attackers to bypass access restrictions and modify configuration via an HTTP request to the admin/admin.shtml containing a leading // (double slash). VU#799060 axis-admin-authentication-bypass(12104) 7652 1006854 8876 4804 http://www.coresecurity.com/common/showdoc.php?idx=329&idxseccion=10 20030527 CORE-2003-0403: Axis Network Camera HTTP Authentication Bypass FrontRange GoldMine mail agent 5.70 and 6.00 before 30503 directly sends HTML to the default browser without setting its security zone or otherwise labeling it untrusted, which allows remote attackers to execute arbitrary code via a message that is rendered in IE using a less secure zone. http://www.secnap.net/security/gm001.html 20030528 SECNAP Security Advisory: Invalid HTML processing in GoldMine(tm) IPSec in Mac OS X before 10.2.6 does not properly handle certain incoming security policies that match by port, which could allow traffic that is not explicitly allowed by the policies. VU#869548 http://docs.info.apple.com/article.html?artnum=61798 macos-ipsec-acl-bypass(12027) 7628 1006796 8798 Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter for the (1) normal_html.cgi or (2) member_html.cgi scripts. 1006707 20030507 Happymall E-Commerce Remote Command Execution The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions. RHSA-2003:145 DSA-311 RHSA-2003:172 RHSA-2003:147 http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html DSA-442 DSA-336 DSA-332 DSA-312 20030618 [slackware-security] 2.4.21 kernels available (SSA:2003-168-01) ESA-20030515-017 20030517 Algorithmic Complexity Attacks and the Linux Networking Code data-algorithmic-complexity-dos(15382) 7601 8786 MDKSA-2003:074 MDKSA-2003:066 http://marc.theaimsgroup.com/?l=linux-kernel&m=104956079213417 oval:org.mitre.oval:def:261 Vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library for Apache 2.0.37 through 2.0.45 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors. VU#757612 RHSA-2003:186 http://www.apache.org/dist/httpd/Announcement2.html 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released apache-aprpsprintf-code-execution(12090) 7723 http://www.idefense.com/advisory/05.30.03.txt 20030530 iDEFENSE Security Advisory 05.30.03: Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability MDKSA-2003:063 CLA-2003:661 The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. RHSA-2003:172 DSA-311 ESA-20030515-017 TLSA-2003-41 RHSA-2003:147 DSA-442 DSA-336 DSA-332 DSA-312 20030520 Linux 2.4 kernel ioperm vuln MDKSA-2003:074 MDKSA-2003:066 oval:org.mitre.oval:def:278 Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops"). RHSA-2003:187 DSA-311 TLSA-2003-41 RHSA-2003:198 RHSA-2003:195 DSA-442 DSA-336 DSA-332 DSA-312 MDKSA-2003:074 MDKSA-2003:066 oval:org.mitre.oval:def:284 The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. RHSA-2003:187 DSA-311 TLSA-2003-41 RHSA-2003:195 DSA-442 DSA-336 DSA-332 DSA-312 MDKSA-2003:074 MDKSA-2003:066 oval:org.mitre.oval:def:292 ** DISPUTED ** PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report." 20030625 PHP/Apache .htaccess Authentication Bypass Vulnerability ypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block. RHSA-2003:173 ADV-2006-2873 TLSA-2003-43 SSRT061154 55600 8031 HPSBTU02132 RHSA-2003:201 MDKSA-2003:072 1016517 21112 oval:org.mitre.oval:def:667 Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. VU#258564 20030715 [slackware-security] nfs-utils packages replaced (SSA:2003-195-01b) nfs-utils-offbyone-bo(12600) TLSA-2003-44 8179 RHSA-2003:207 RHSA-2003:206 SuSE-SA:2003:031 DSA-349 1001262 1007187 9259 20030716 Immunix Secured OS 7+ nfs-utils update -- bugtraq 20030714 Linux nfs-utils xlog() off-by-one bug http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt 20030714 Reality of the rpc.mountd bug 20030714 Linux nfs-utils xlog() off-by-one bug MDKSA-2003:076 oval:org.mitre.oval:def:443 The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service. RHSA-2003:240 20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released MDKSA-2003:075 oval:org.mitre.oval:def:173 Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket. RHSA-2003:240 20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released MDKSA-2003:075 oval:org.mitre.oval:def:183 The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path. VU#397604 RHSA-2003:175 20030504 Key validity bug in GnuPG 1.2.1 and earlier gnupg-invalid-key-acceptance(11930) 7497 RHSA-2003:176 4947 TLSA200334 MDKSA-2003:061 http://www.linuxsecurity.com/advisories/gentoo_advisory-3266.html 20030515-016 20030522 [slackware-security] GnuPG key validation fix (SSA:2003-141-04) 20030516 [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg) ESA-20030515-016 CLA-2003:694 oval:org.mitre.oval:def:135 The GnuPG plugin in kopete before 0.6.2 does not properly cleanse the command line when executing gpg, which allows remote attackers to execute arbitrary commands. MDKSA-2003:055 http://kopete.kde.org/index.php?page=newsstory&news=Kopete_releases_version_0.6.2 CLA-2003:665 Format string vulnerability in the printer capability for IBM AIX .3, 5.1, and 5.2 allows local users to gain printq or root privileges. MSS-OAR-E01-2003:0660.1 aix-print-format-string(12000) Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 3.5.x through 4.0.REL, when enabling IPSec over TCP for a port on the concentrator, allow remote attackers to reach the private network without authentication. VU#727780 20030507 Cisco VPN 3000 Concentrator Vulnerabilities cisco-vpn-unauth-access(11954) Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7 allows remote attackers to cause a denial of service (reload) via a malformed SSH initialization packet. VU#317348 20030507 Cisco VPN 3000 Concentrator Vulnerabilities cisco-vpn-ssh-dos(11955) Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7A allow remote attackers to cause a denial of service (slowdown and possibly reload) via a flood of malformed ICMP packets. VU#221164 20030507 Cisco VPN 3000 Concentrator Vulnerabilities cisco-vpn-icmp-dos(11956) fuzz 0.6 and earlier creates temporary files insecurely, which could allow local users to gain root privileges. DSA-302 leksbot 1.2.3 in Debian GNU/Linux installs the KATAXWR as setuid root, which allows local users to gain root privileges by exploiting unknown vulnerabilities related to the escalated privileges, which KATAXWR is not designed to have. DSA-299 kataxwr-gain-privileges(11945) 7505 Multiple buffer overflows in Floosietek FTGate Pro Mail Server (FTGatePro) 1.22 allow remote attackers to execute arbitrary code via long (1) MAIL FROM or (2) RCPT TO commands. 7508 7506 20030506 Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328) ftgate-mailfrom-rcptto-bo(11951) 20030506 Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328) Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server. http://www.nextgenss.com/advisories/slmail-vulns.txt 20030507 Multiple Buffer Overflow Vulnerabilities in SLMail (#NISR07052003A) 20030507 Multiple Buffer Overflow Vulnerabilities in SLMail (#NISR07052003A) Race condition in SDBINST for SAP database 7.3.0.29 creates critical files with world-writable permissions before initializing the setuid bits, which allows local attackers to gain root privileges by modifying the files before the permissions are changed. 7421 20030507 SAP database local root vulnerability during installation. (fwd) Multiple buffer overflows in SLWebMail 3 on Windows systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long Language parameter to showlogin.dll, (2) a long CompanyID parameter to recman.dll, (3) a long CompanyID parameter to admin.dll, or (4) a long CompanyID parameter to globallogin.dll. http://www.nextgenss.com/advisories/slwebmail-vulns.txt 20030507 Multiple Vulnerabilities in SLWebmail 20030507 Multiple Vulnerabilities in SLWebmail ShowGodLog.dll in SLWebMail 3 on Windows systems allows remote attackers to read arbitrary files by directly calling ShowGodLog.dll with an argument specifying the full path of the target file. http://www.nextgenss.com/advisories/slwebmail-vulns.txt 20030507 Multiple Vulnerabilities in SLWebmail 20030507 Multiple Vulnerabilities in SLWebmail SLWebMail 3 on Windows systems allows remote attackers to identify the full path of the server via invalid requests to DLLs such as WebMailReq.dll, which reveals the path in an error message. http://www.nextgenss.com/advisories/slwebmail-vulns.txt 20030507 Multiple Vulnerabilities in SLWebmail 20030507 Multiple Vulnerabilities in SLWebmail Buffer overflow in youbin allows local users to gain privileges via a long HOME environment variable. 7503 20030506 youbin local root exploit + advisory 20030506 youbin local root exploit + advisory youbin-home-bo(11949) 20030506 youbin local root exploit + advisory The administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections. airport-auth-credentials-disclosure(11980) 7554 A051203-1 1006742 8773 Buffer overflow in Personal FTP Server allows remote attackers to execute arbitrary code via a long USER argument. 20030331 Personal FTP Server http://security.nnov.ru/search/document.asp?docid=4309 20030508 Remote Stack Overflow exploit for Personal FTPD admin.php in miniPortail allows remote attackers to gain administrative privileges by setting the miniPortailAdmin cookie to an "adminok" value. 20030508 miniPortail (PHP) : Admin Access http://www.frog-man.org/tutos/miniPortail.txt Cross-site scripting (XSS) vulnerability in the web interface for Request Tracker (RT) 1.0 through 1.0.7 allows remote attackers to execute script via message bodies. http://lists.fsck.com/pipermail/rt-announce/2003-May/000071.html 20030508 Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks Buffer overflow in catmail for ListProc 8.2.09 and earlier allows remote attackers to execute arbitrary code via a long ULISTPROC_UMASK value. 20030508 SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow SSI.php in YaBB SE 1.5.2 allows remote attackers to execute arbitrary PHP code by modifying the sourcedir parameter to reference a URL on a remote web server that contains the code. 20030509 II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version) Buffer overflow in Pi3Web 2.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GET request with a large number of / characters. pi3web-get-request-bo(11889) 7555 20030512 Unix Version of the Pi3web DoS 20030428 Pi3Web 2.0.1 DoS Directory traversal vulnerability in normal_html.cgi in Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the file parameter. happymall-dotdot-directory-traversal(11987) 7559 20030512 One more flaw in Happymall Cross-site scripting (XSS) vulnerability in normal_html.cgi in Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to insert arbitrary web script via the file parameter. 20030512 One more flaw in Happymall happymall-normalhtml-xss(11988) 7557 Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allows remote attackers to steal sensitive information via numeric fields, as demonstrated using (1) the viewlink function and cid parameter, or (2) index.php. phpnuke-web-sql-injection(11984) 7558 20030512 Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) 7588 20030513 More and More SQL injection on PHP-Nuke 6.5. Multiple buffer overflows in the SMTP Service for ESMTP CMailServer 4.0.2003.03.27 allow remote attackers to execute arbitrary code via long (1) MAIL FROM or (2) RCPT TO commands. 20030510 Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.0 cmailserver-smtp-bo(11975) 7548 7547 20030510 Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.0 Buffer overflow in Firebird 1.0.2 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows local users to execute arbitrary code via a long INTERBASE environment variable when calling (1) gds_inet_server, (2) gds_lock_mgr, or (3) gds_drop. firebird-interbase-bo(11977) 7546 GLSA-200405-18 8758 20020617 Interbase 6.0 malloc() issues 20030509 Firebird Local exploit Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. 7550 RHSA-2003:199 TLSA-2003-42 RHSA-2003:200 DSA-344 20030509 unzip directory traversal revisited IMNX-2003-7+-017-01 CSSA-2003-031.0 CSSA-2003-031.0 unzip-dotdot-directory-traversal(12004) MDKSA-2003:073 N-111 20030710 [OpenPKG-SA-2003.033] OpenPKG Security Advisory (infozip) CLA-2003:672 oval:org.mitre.oval:def:619 Cross-site scripting (XSS) vulnerability in Phorum before 3.4.3 allows remote attackers to inject arbitrary web script and HTML tags via a message with a "<<" before a tag name in the (1) subject, (2) author's name, or (3) author's e-mail. phorum-message-html-injection(11974) 7545 20030509 Re: A Phorum's bug... 20030509 A Phorum's bug... Adobe Acrobat 5 does not properly validate JavaScript in PDF files, which allows remote attackers to write arbitrary files into the Plug-ins folder that spread to other PDF documents, as demonstrated by the W32.Yourde virus. VU#184820 http://www.adobe.com/support/downloads/detail.jsp?ftpID=2121 IBM AIX 5.2 and earlier distributes Sendmail with a configuration file (sendmail.cf) with the (1) promiscuous_relay, (2) accept_unresolvable_domains, and (3) accept_unqualified_senders features enabled, which allows Sendmail to be used as an open mail relay for sending spam e-mail. VU#814617 aix-sendmail-mail-relay(11993) 7580 http://security.sdsc.edu/advisories/2003.05.13-AIX-sendmail.txt 20030513 AIX sendmail open relay SQL injection vulnerability in register.asp in Snitz Forums 2000 before 3.4.03, and possibly 3.4.07 and earlier, allows remote attackers to execute arbitrary stored procedures via the Email variable. 7549 35764 snitz-register-sql-injection(11981) 35733 http://packetstormsecurity.org/0305-exploits/snitz_exec.txt 56166 20030513 Snitz Forum 3.3.03 Remote Command Execution 20030512 Snitz Forum 3.3.03 Remote Command Execution Cross-site scripting (XSS) vulnerability in Movable Type before 2.6, and possibly other versions including 2.63, allows remote attackers to insert arbitrary web script or HTML via the Name textbox, possibly when the "Allow HTML in comments?" option is enabled. 20030512 Re: CSS found in Movable Type 20030512 CSS found in Movable Type 20030513 Re: CSS found in Movable Type -- Nope movable-type-comment-xss(12003) 7560 Buffer overflow in the file & folder transfer mechanism for IP Messenger for Win 2.00 through 2.02 allows remote attackers to execute arbitrary code via file with a long filename, which triggers the overflow when the user saves the file. http://www.lac.co.jp/security/english/snsadv_e/64_e.html 20030513 [SNS Advisory No.64] IP Messenger for Win Buffer Overflow Vulnerability ip-messenger-filename-bo(11986) 7566 Format string vulnerability in scsiopen.c of the cdrecord program in cdrtools 2.0 allows local users to gain privileges via format string specifiers in the dev parameter. 7565 20030513 cdrtools2.0 Format String Vulnerability 20030513 Cdrecord_local_root_exploit. ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz cdrtools-scsiopen-format-string(12007) http://www.securiteam.com/exploits/5ZP0C2AAAC.html MDKSA-2003:058 200305-06 Memory leak in eServ 2.9x allows remote attackers to cause a denial of service (memory exhaustion) via a large number of connections, whose memory is not freed when the connection is terminated. 20030513 eServ Memory Leak Solution 20030511 eServ Memory Leak Enables Denial of Service Attacks eserv-multiple-connections-dos(11973) 7552 20030511 eServ Memory Leak Enables Denial of Service Attacks 3com OfficeConnect Remote 812 ADSL Router 1.1.7 does not properly clear memory from DHCP responses, which allows remote attackers to identify the contents of previous HTTP requests by sniffing DHCP packets. http://nautopia.coolfreepages.com/vulnerabilidades/3com812_dhcp_leak.htm 20030514 Memory leak in 3COM 812 DSL routers 20030515 RE : Memory leak in 3COM DSL routers 3com-officeconnect-memory-leak(11999) 7592 Cross-site scripting (XSS) vulnerability in Inktomi Traffic-Server 5.5.1 allows remote attackers to insert arbitrary web script or HTML into an error page that appears to come from the domain that the client is visiting, aka "Man-in-the-Middle" XSS. 7596 20030514 Inktomi Traffic-Server XSS: man-in-the-middle XSS ! PalmOS allows remote attackers to cause a denial of service (CPU consumption) via a flood of ICMP echo request (ping) packets. 20030514 PalmOS ICMP flood DoS. autohtml.php in php-proxima 6.0 and earlier allows remote attackers to read arbitrary files via the name parameter in a modload operation. 20030514 php-proxima Remote File Access Vulnerability Cross-site scripting (XSS) vulnerability in private.php for vBulletin 3.0.0 Beta 2 allows remote attackers to inject arbitrary web script and HTML via the "Preview Message" capability. 20030514 VBulletin Preview Message - XSS Vuln 20030514 Re: VBulletin Preview Message - XSS Vuln The IMAP Client for Evolution 1.2.4 allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows remote malicious IMAP servers to cause a denial of service (crash) and possibly execute arbitrary code via certain large (1) literal and (2) mailbox size values that cause either integer signedness errors or integer overflow errors. RHSA-2005:114 RHSA-2005:015 FLSA:184074 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large (1) literal and possibly (2) mailbox size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client, as used in mutt 1.4.1 and Balsa 2.0.10, allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large mailbox size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Sylpheed 0.8.11 allows remote malicious IMAP servers to cause a denial of service (crash) via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Outlook Express 6.00.2800.1106 allows remote malicious IMAP servers to cause a denial of service (crash) via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Eudora 5.2.1 allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients SQL injection vulnerability in one||zero (aka One or Zero) Helpdesk 1.4 rc4 allows remote attackers to modify arbitrary ticket number descriptions via the sg parameter. 20030515 OneOrZero Security Problems (PHP) 20030515 OneOrZero Security Problems (PHP) 7609 one||zero (aka One or Zero) Helpdesk 1.4 rc4 allows remote attackers to create administrator accounts by directly calling the install.php Helpdesk Installation script. 20030515 OneOrZero Security Problems (PHP) 20030515 OneOrZero Security Problems (PHP) The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka Response Time Reporter (RTR), allows remote attackers to cause a denial of service (crash) via malformed RTR packets to port 1967. 20030515 Cisco Security Advisory: Cisco IOS Software Processing of SAA Packets oval:org.mitre.oval:def:5608 Buffer overflow in EXPLORER.EXE on Windows XP allows attackers to execute arbitrary code as the XP user via a desktop.ini file with a long .ShellClassInfo parameter. MS03-027 20030507 Buffer overflow in Explorer.exe 20030515 Re[2]: EXPLOIT: Buffer overflow in Explorer.exe on Windows XP SP1 20030511 Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1 oval:org.mitre.oval:def:3095 Poster version.two allows remote authenticated users to gain administrative privileges by appending the "|" field separator and an "admin" value into the email address field. 20030514 [VULNERABILITY] PHP 'poster version.two' The Sendmail 8.12.3 package in Debian GNU/Linux 3.0 does not securely create temporary files, which could allow local users to gain additional privileges via (1) expn, (2) checksendmail, or (3) doublebounce.pl. DSA-305 https://bugs.gentoo.org/show_bug.cgi?id=235770 [oss-security] 20081030 CVE requests: tempfile issues for aview, mgetty, openoffice, crossfire http://dev.gentoo.org/~rbu/security/debiantemp/sendmail-base http://bugs.debian.org/496408 Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." VU#251788 ie-frame-restrictions-bypass(12019) 7539 MS03-020 8807 20030513 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED 20030513 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED 20030513 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED 20030508 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! [CRITICAL] oval:org.mitre.oval:def:948 Cross-site scripting (XSS) vulnerability in articleview.php for eZ publish 2.2 allows remote attackers to insert arbitrary web script. 20030516 EzPublish Directory XSS Vulnerability Directory traversal vulnerability in Snowblind Web Server 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP request. 20030516 Snowblind Web Server: multiple issues Directory traversal vulnerability in Snowblind Web Server 1.0 allows remote attackers to list arbitrary directory contents via a ... (triple dot) in an HTTP request. 20030516 Snowblind Web Server: multiple issues Snowblind Web Server 1.0 allows remote attackers to cause a denial of service (crash) via a URL that ends in a "</" sequence. 20030516 Snowblind Web Server: multiple issues Snowblind Web Server 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP request, which may trigger a buffer overflow. 20030516 Snowblind Web Server: multiple issues Venturi Client before 2.2, as used in certain Fourelle and Venturi Wireless products, can be used as an open proxy for various protocols, including an open relay for SMTP, which allows it to be abused by spammers. http://www.venturiwireless.com/tech_support/Q_and_A/Q_A_09.htm 20030516 Venturi Client 2.1 confirmed as open relay [Verizon Wireless Mobile Office] iisPROTECT 2.1 and 2.2 allows remote attackers to bypass authentication via an HTTP request containing URL-encoded characters. 20030522 Authentication Bypass in iisPROTECT Cross-site scripting (XSS) vulnerability in the Statistics module for PHP-Nuke 6.0 and earlier allows remote attackers to insert arbitrary web script via the year parameter. 20030517 PHP-Nuke code injection in Yearly Stats at Statistics module Buffer overflow in the IMAP server (IMAPMax) for SmartMax MailMax 5.0.10.8 and earlier allows remote authenticated users to execute arbitrary code via a long SELECT command. 20030517 Buffer overflow vulnerability found in MailMax version 5 20030517 Buffer overflow vulnerability found in MailMax version 5 header.php in ttCMS 2.3 and earlier allows remote attackers to inject arbitrary PHP code by setting the ttcms_user_admin parameter to "1" and modifying the admin_root parameter to point to a URL that contains a Trojan horse header.inc.php script. 20030517 Remote code execution in ttCMS <=v2.3 Multiple buffer overflows in BitchX IRC client 1.0-0c19 and earlier allow remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via long hostnames, nicknames, or channel names, which are not properly handled by the functions (1) send_ctcp, (2) cannot_join_channel, (3) cluster, (4) BX_compress_modes, (5) handle_oper_vision, and (6) ban_it. DSA-306 http://security.debian.org/pool/updates/main/i/ircii-pana/ircii-pana_1.0-0c16-2.1.diff.gz 20030324 GLSA: bitchx (200303-21) 20030313 Buffer overflows in ircII-based clients 7100 7099 7097 7096 CLA-2003:655 Integer overflow in BitchX IRC client 1.0-0c19 and earlier allows remote malicious IRC servers to cause a denial of service (crash). DSA-306 http://security.debian.org/pool/updates/main/i/ircii-pana/ircii-pana_1.0-0c16-2.1.diff.gz Multiple buffer overflows in ircII 20020912 allows remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via responses that are not properly fed to the my_strcat function by (1) ctcp_buffer, (2) cannot_join_channel, (3) status_make_printable for Statusbar drawing, (4) create_server_list, and possibly other functions. DSA-291 20030319 [OpenPKG-SA-2003.024] OpenPKG Security Advisory (ircii) 20030313 Buffer overflows in ircII-based clients DSA-298 7098 Buffer overflows in EPIC IRC Client (EPIC4) 1.0.1 allows remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via long replies that are not properly handled by the (1) userhost_cmd_returned function, or (2) Statusbar capability. DSA-287 20030313 Buffer overflows in ircII-based clients 7091 Buffer overflow in Maelstrom 3.0.6, 3.0.5, and earlier allows local users to execute arbitrary code via a long -server command line argument. 20030520 Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition 20030519 Maelstrom exploit 20030518 Maelstrom Buffer Overflow Integer overflow in parse_decode_path() of slocate may allow attackers to execute arbitrary code via a LOCATE_PATH with a large number of ":" (colon) characters, whose count is used in a call to malloc. 20030519 bazarr slocate 7629 Sybase Adaptive Server Enterprise (ASE) 12.5 allows remote attackers to cause a denial of service (hang) via a remote password array with an invalid length, which triggers a heap-based buffer overflow. http://www.rapid7.com/advisories/R7-0016.html sybase-passwordarray-bo(13800) 20031120 R7-0016: Sybase ASE 12.5 Remote Password Array Denial of Service EPIC IRC Client (EPIC4) pre2.002, pre2.003, and possibly later versions, allows remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via a CTCP request from a large nickname, which causes an incorrect length calculation. ftp://ftp.prbh.org/pub/epic/patches/alloca_underrun-patch-1 RHSA-2003:342 DSA-399 DSA-306 CesarFTP 0.99g stores user names and passwords in plaintext in the settings.ini file, which could allow local users to gain privileges. 20030520 Plaintext Password in Settings.ini of CesarFTP 20030520 Plaintext Password in Settings.ini of CesarFTP Buffer overflow in unknown versions of Maelstrom allows local users to execute arbitrary code via a long -player command line argument. 20030520 Maelstrom Local Buffer Overflow Exploit 1008832 SQL injection vulnerability in ttForum allows remote attackers to execute arbitrary SQL and gain ttForum Administrator privileges via the Ignorelist-Textfield argument in the Preferences page. 20030520 More vulnerabilities in ttForum/ttCMS -> SQL injection The ISAPI extension in BadBlue 1.7 through 2.2, and possibly earlier versions, modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension. 20030520 BadBlue Remote Administrative Interface Access Vulnerability 20030520 BadBlue Remote Administrative Interface Access Vulnerability Multiple buffer overflows in kermit in HP-UX 10.20 and 11.00 (C-Kermit 6.0.192 and possibly other versions before 8.0) allow local users to gain privileges via long arguments to (1) ask, (2) askq, (3) define, (4) assign, and (5) getc, some of which may share the same underlying function "doask," a different vulnerability than CVE-2001-0085. VU#971364 20030502 Re: from bugtraq: HP-UX 11.0 /usr/bin/kermit (fwd) hp-ckermit-bo(11929) 7627 20030502 HP-UX 11.0 /usr/bin/kermit BitchX IRC client 1.0c20cvs and earlier allows attackers to cause a denial of service (core dump) via certain channel mode changes that are not properly handled in names.c. 20030510 BitchX: Crash when channel modes change CLA-2003:655 bitchx-mode-change-dos(12008) 7551 MDKSA-2003:069 rc.M in Slackware 9.0 calls quotacheck with the -M option, which causes the filesystem to be remounted and possibly reset security-relevant mount flags such as nosuid, nodev, and noexec. 20030522 [slackware-security] quotacheck security fix in rc.M (SSA:2003-141-06) Qualcomm Eudora 5.2.1 allows remote attackers to read arbitrary files via an email message with a carriage return (CR) character in a spoofed "Attachment Converted:" string, which is not properly handled by Eudora. 20030522 Eudora 5.2.1 attachment spoof The ckconfig command in lsadmin for Load Sharing Facility (LSF) 5.1 allows local users to execute arbitrary programs by modifying the LSF_ENVDIR environment variable to reference an alternate lsf.conf file, then modifying LSF_SERVERDIR to point to a malicious lim program, which lsadmin then executes. 20030522 Security advisory: LSF 5.1 local root exploit Directory traversal vulnerability in WsMp3 daemon (WsMp3d) 0.0.10 and earlier allows remote attackers to read and execute arbitrary files via .. (dot dot) sequences in HTTP GET or POST requests. 20030521 [INetCop Security Advisory] WsMP3d Directory Traversing Vulnerability 20030521 [INetCop Security Advisory] WsMP3d Directory Traversing Vulnerability Multiple heap-based buffer overflows in WsMp3 daemon (WsMp3d) 0.0.10 and earlier allow remote attackers to execute arbitrary code via long HTTP requests. 20030522 WsMp3d remote exploit. 20030521 Remote Heap Corruption Overflow vulnerability in WsMp3d. 20030521 Remote Heap Corruption Overflow vulnerability in WsMp3d. Demarc Puresecure 1.6 stores authentication information for the logging server in plaintext, which allows attackers to steal login names and passwords to gain privileges. 20030521 Demarc Puresecure v1.6 - Plaintext password issue - Cross-site scripting (XSS) vulnerability in Owl Intranet Engine 0.71 and earlier allows remote attackers to insert arbitrary script via the Search field. 20030521 [AP] Owl Intranet Engine CSS Bug BlackMoon FTP Server 2.6 Free Edition, and possibly other distributions and versions, stores user names and passwords in plaintext in the blackmoon.mdb file, which can allow local users to gain privileges. 20030520 [[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration BlackMoon FTP Server 2.6 Free Edition, and possibly other distributions and versions, generates an "Account does not exist" error message when an invalid username is entered, which makes it easier for remote attackers to conduct brute force attacks. 20030520 [[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. VU#679556 MS03-020 AD20030604 8943 20030709 IE Object Type Overflow Exploit 20030604 Internet Explorer Object Type Property Overflow oval:org.mitre.oval:def:922 Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. VU#337764 win-smb-bo(12544) 8152 MS03-024 1007154 9225 oval:org.mitre.oval:def:3391 oval:org.mitre.oval:def:146 oval:org.mitre.oval:def:118 Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow. CA-2003-18 VU#561284 VU#265232 MS03-030 20030723 EEYE: Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption oval:org.mitre.oval:def:218 oval:org.mitre.oval:def:1104 oval:org.mitre.oval:def:1095 Heap-based buffer overflow in VBE.DLL and VBE6.DLL of Microsoft Visual Basic for Applications (VBA) SDK 5.0 through 6.3 allows remote attackers to execute arbitrary code via a document with a long ID parameter. VU#804780 8534 MS03-037 9666 20030903 EEYE: VBE Document Property Buffer Overflow 20030903 EEYE: VBE Document Property Buffer Overflow A certain Microsoft Windows Media Player 9 Series ActiveX control allows remote attackers to view and manipulate the Media Library on the local system via HTML script. VU#320516 MS03-021 mediaplayer-activex-obtain-information(12440) 8034 Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll. VU#113716 20030626 Windows Media Services Remote Command Execution #2 MS03-022 20030626 Windows Media Services Remote Command Execution #2 1007059 9115 oval:org.mitre.oval:def:938 The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function. http://www.ngssoftware.com/advisories/utilitymanager.txt MS03-025 20030709 Microsoft Utility Manager Local Privilege Escalation 20030709 Microsoft Utility Manager Local Privilege Escalation win2k-accessibility-gain-privileges 8154 oval:org.mitre.oval:def:451 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0306. Reason: This candidate is a reservation duplicate of CVE-2003-0306. Notes: All CVE users should reference CVE-2003-0306 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. VU#568148 CA-2003-19 CA-2003-16 win-rpc-dcom-bo(12629) 8205 http://www.xfocus.org/documents/200307/2.html MS03-026 20030730 rpcdcom Universal offsets 20030726 Re: The French BUGTRAQ (New Win RPC Exploit) 20030725 The Analysis of LSD's Buffer Overrun in Windows RPC Interface(code revised ) 20030716 [LSD] Critical security vulnerability in Microsoft Operating Systems oval:org.mitre.oval:def:296 oval:org.mitre.oval:def:2343 oval:org.mitre.oval:def:194 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. MS03-033 8455 oval:org.mitre.oval:def:6954 20030821 AppSecInc Security Alert: Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities 20030821 AppSecInc Security Alert: Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities oval:org.mitre.oval:def:962 oval:org.mitre.oval:def:961 oval:org.mitre.oval:def:1039 Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job. RHSA-2003:181 RHSA-2003:182 MDKSA-2003:065 20030603 [OpenPKG-SA-2003.030] OpenPKG Security Advisory (ghostscript) oval:org.mitre.oval:def:133 Safari 1.0 Beta 2 (v73) and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates. 20030507 Problem: Multiple Web Browsers do not do not validate CN on certificates. Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. VU#641013 http://www.ethereal.com/appnotes/enpa-sa-00009.html DSA-313 RHSA-2003:077 MDKSA-2003:067 oval:org.mitre.oval:def:69 Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors. VU#361700 VU#232164 http://www.ethereal.com/appnotes/enpa-sa-00009.html DSA-313 7495 7494 MDKSA-2003:067 RHSA-2003:077 oval:org.mitre.oval:def:73 Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option. 20030209 #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow DSA-350 DSA-316 http://nethack.sourceforge.net/v340/bugmore/secpatch.txt nethack-s-command-bo(11283) 6806 nethack 3.4.0 and earlier installs certain setgid binaries with insecure permissions, which allows local users to gain privileges by replacing the original binaries with malicious code. DSA-316 Multiple buffer overflows in gPS before 1.0.0 allow attackers to cause a denial of service and possibly execute arbitrary code. DSA-307 http://gps.seul.org/changelog.html gPS before 1.1.0 does not properly follow the rgpsp connection source acceptation policy as specified in the rgpsp.conf file, which could allow unauthorized remote attackers to connect to rgpsp. DSA-307 http://gps.seul.org/changelog.html Buffer overflow in gPS before 0.10.2 may allow local users to cause a denial of service (SIGSEGV) in rgpsp via long command lines. DSA-307 http://gps.seul.org/changelog.html Format string vulnerability in LICQ 1.2.6, 1.0.3 and possibly other versions allows remote attackers to perform unknown actions via format string specifiers. http://csdl.computer.org/comp/proceedings/hicss/2004/2056/09/205690277.pdf The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. RHSA-2003:187 DSA-311 TLSA-2003-41 RHSA-2003:198 RHSA-2003:195 DSA-442 DSA-336 DSA-332 DSA-312 oval:org.mitre.oval:def:295 ICQLite 2003a creates the ICQ Lite directory with an ACE for "Full Control" privileges for Interactive Users, which allows local users to gain privileges as other users by replacing the executables with malicious programs. 20030529 ICQLite executable trojaning lyskom-server 2.0.7 and earlier allows unauthenticated users to cause a denial of service (CPU consumption) via a large query. DSA-318 znew in the gzip package allows local users to overwrite arbitrary files via a symlink attack on temporary files. TLSA-2003-38 http://www.openpkg.org/security/OpenPKG-SA-2003.031-gzip.html DSA-308 7872 MDKSA-2003:068 Nokia Gateway GPRS support node (GGSN) allows remote attackers to cause a denial of service (kernel panic) via a malformed IP packet with a 0xFF TCP option. VU#924812 nokia-ggsn-ip-dos(12221) 7854 A060903-1 Konqueror Embedded and KDE 2.2.2 and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack. RHSA-2003:192 http://www.kde.org/info/security/advisory-20030602-1.txt TLSA-2003-36 20030507 Problem: Multiple Web Browsers do not do not validate CN on certificates. RHSA-2003:193 DSA-361 20030510 [forward]Apple Safari and Konqueror Embedded Common Name Verification Vulnerability 7520 Buffer overflow in Prishtina FTP client 1.x allows remote FTP servers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP banner. 20030522 Prishtina FTP v.1.*: remote DoS Signed integer vulnerability in libnasl in Nessus before 2.0.6 allows local users with plugin upload privileges to cause a denial of service (core dump) and possibly execute arbitrary code by causing a negative argument to be provided to the insstr function as used in a NASL script. 20030523 nessus NASL scripting engine security issues 20030522 Potential security vulnerability in Nessus 7664 Multiple buffer overflows in libnasl in Nessus before 2.0.6 allow local users with plugin upload privileges to cause a denial of service (core dump) and possibly execute arbitrary code via (1) a long proto argument to the scanner_add_port function, (2) a long user argument to the ftp_log_in function, (3) a long pass argument to the ftp_log_in function. 20030522 Potential security vulnerability in Nessus 7664 20030523 nessus NASL scripting engine security issues Multiple unknown vulnerabilities in Nessus before 2.0.6, in libnessus and possibly libnasl, a different set of vulnerabilities than those identified by CVE-2003-0372 and CVE-2003-0373, aka "similar issues in other nasl functions as well as in libnessus." 7664 20030522 Potential security vulnerability in Nessus Cross-site scripting (XSS) vulnerability in member.php of XMBforum XMB 1.8.x (aka Partagium) allows remote attackers to insert arbitrary HTML and web script via the "member" parameter. 7662 20030522 XMB 1.8 Partagium cross site scripting vulnerability http://forums.xmbforum.com/viewthread.php?tid=773046 Buffer overflow in Eudora 5.2.1 allows remote attackers to cause a denial of service (crash and failed restart) and possibly execute arbitrary code via an Attachment Converted argument with a large number of . (dot) characters. 20030523 Eudora 5.2.1 buffer overflow DoS SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName variable in SiteAdmin.ASP. 20030523 iisPROTECT SQL injection in admin interface The Kerberos login authentication feature in Mac OS X, when used with an LDAPv3 server and LDAP bind authentication, may send cleartext passwords to the LDAP server when the AuthenticationAuthority attribute is not set. VU#467828 http://docs.info.apple.com/article.html?artnum=107579 Unknown vulnerability in Apple File Service (AFP Server) for Mac OS X Server, when sharing files on a UFS or re-shared NFS volume, allows remote attackers to overwrite arbitrary files. http://lists.apple.com/mhonarc/security-announce/msg00030.html Buffer overflow in atftp daemon (atftpd) 0.6.1 and earlier, and possibly later versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename. DSA-314 20030606 atftpd bug 20030604 possible remote buffer overflow in atftpd Multiple vulnerabilities in noweb 2.9 and earlier creates temporary files insecurely, which allows local users to overwrite arbitrary files via multiple vectors including the noroff script. DSA-323 Buffer overflow in Eterm 0.9.2 allows local users to gain privileges via a long ETERMPATH environment variable. DSA-309 7708 20030509 BAZARR CODE NINER PINK TEAM GO GO GO Buffer overflow in xaos 3.0-23 and earlier, when running setuid, allows local users to gain root privileges via a long -language option. DSA-310 20030605 BAZARR LOCAL ROOT AGAIN. HI GUYS. DONT READ THIS OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. VU#978316 20030605 OpenSSH remote clent address restriction circumvention oval:org.mitre.oval:def:9894 http://lists.apple.com/mhonarc/security-announce/msg00038.html http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html 7831 RHSA-2006:0698 RHSA-2006:0298 http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm 23680 22196 21724 21262 21129 20060703-01-P pam_wheel in Linux-PAM 0.78, with the trust option enabled and the use_uid option disabled, allows local users to spoof log entries and gain privileges by causing getlogin() to return a spoofed user name. http://www.idefense.com/advisory/06.16.03.txt 20030616 FW: iDEFENSE Security Advisory 06.16.03: Linux-PAM getlogin() Spoofing RHSA-2004:304 Cross-site scripting (XSS) vulnerability in the secure redirect function of RSA ACE/Agent 5.0 for Windows, and 5.x for Web, allows remote attackers to insert arbitrary web script and possibly cause users to enter a passphrase via a GET request containing the script. http://www.rapid7.com/advisories/R7-0014.html 20030619 R7-0014: RSA SecurID ACE Agent Cross Site Scripting Multiple buffer overflows in Options Parsing Tool (OPT) shared library 3.18 and earlier, when used in setuid programs, may allow local users to execute arbitrary code via long command line options that are fed into macros such as opt_warn_2, as used in functions such as opt_atoi. http://nis-www.lanl.gov/~jt/Software/opt/opt-3.19.tar.gz 20030523 Re: Options Parsing Tool library buffer overflows. 20030424 SRT2003-04-24-1532 - Options Parsing Tool library buffer overflows. Format string vulnerability in Magic WinMail Server 2.3, and possibly other 2.x versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the PASS command. http://www.magicwinmail.net/changelog.asp 20030523 Magic Winmail Server Directory traversal vulnerability in ST FTP Service 3.0 allows remote attackers to list arbitrary directories via a CD command with a DoS drive letter argument (e.g. E:). 20030523 ST FTP Service v3.0: directory traversal Privacyware Privatefirewall 3.0 does not block certain incoming packets when in "Filter Internet Traffic" or Deny Internet Traffic" modes, which allows remote attackers to identify running services via FIN scans or Xmas scans. 7700 20030524 Some problems in Privatefirewall 3.0 objects.inc.php4 in BLNews 2.1.3 allows remote attackers to execute arbitrary PHP code via a Server[path] parameter that points to malicious code on an attacker-controlled web site. 20030524 PHP source code injection in BLNews 7677 Ultimate PHP Board (UPB) 1.9 allows remote attackers to execute arbitrary PHP code with UPB administrator privileges via an HTTP request containing the code in the User-Agent header, which is executed when the administrator executes admin_iplog.php. 20030524 UPB: Discussion Board/Web-Site Takeover http://f0kp.iplus.ru/bz/024.en.txt Buffer overflow in les for ATM on Linux (linux-atm) before 2.4.1, if used setuid, allows local users to gain privileges via a long -f command line argument. http://sourceforge.net/project/shownotes.php?release_id=156242 7437 http://www.securiteam.com/exploits/5EP0M1P9PO.html 20030428 ATM on Linux Exploit Code Release (les, local) atmonlinux-les-command-bo(11903) 20030524 ATM on linux Exploit(les,local) Buffer overflow in FastTrack (FT) network code, as used in Kazaa 2.0.2 and possibly other versions and products, allows remote attackers to execute arbitrary code via a packet containing a large list of supernodes, aka "Packet 0' death." 7680 fastrack-packet-0-bo(12086) 20030526 The PACKET 0' DEATH FastTrack network vulnerability Vignette StoryServer 4 and 5, and Vignette V/5 and V/6, with the SSI EXEC feature enabled, allows remote attackers to execute arbitrary code via a text variable to a Vignette Application that is later displayed. 7685 http://www.s21sec.com/es/avisos/s21sec-016-en.txt vignette-ssi-command-execution(12077) 20030526 S21SEC-016 - Vignette SSI Injection Vignette StoryServer 4 and 5, Vignette V/5, and possibly other versions allows remote attackers to perform unauthorized SELECT queries by setting the vgn_creds cookie to an arbitrary value and directly accessing the save template. http://www.s21sec.com/es/avisos/s21sec-017-en.txt vignette-save-obtain-information(12076) 7683 20030526 S21SEC-017 - Vignette /vgn/legacy/save SQL access Vignette StoryServer and Vignette V/5 does not properly calculate the size of text variables, which causes Vignette to return unauthorized portions of memory, as demonstrated using the "-->" string in a CookieName argument to the login template, referred to as a "memory leak" in some reports. vignette-memory-leak(12075) 7684 http://www.s21sec.com/es/avisos/s21sec-018-en.txt 20030526 S21SEC-018 - Vignette memory leak AIX Platform Vignette StoryServer and Vignette V/5 allows remote attackers to obtain sensitive information via a request for the /vgn/style template. 7688 http://www.s21sec.com/es/avisos/s21sec-019-en.txt vignette-style-info-disclosure(12074) 20030526 S21SEC-019 - Vignette /vgn/style internal information leak The default login template (/vgn/login) in Vignette StoryServer 5 and Vignette V/5 generates different responses whether a user exists or not, which allows remote attackers to identify valid usernames via brute force attacks. http://www.s21sec.com/en/avisos/s21sec-020-en.txt 7691 vignette-login-account-bruteforce(12073) 20030526 S21SEC-020 - Vignette user enumeration Vignette StoryServer 5 and Vignette V/5 allows remote attackers to read and modify license information, and cause a denial of service (service halt) by directly accessing the /vgn/license template. http://www.s21sec.com/es/avisos/s21sec-021-en.txt 7694 vignette-license-modification(12072) 20030526 S21SEC-021 - Vignette License access and modification Multiple Cross Site Scripting (XSS) vulnerabilities in Vignette StoryServer 4 and 5, and Vignette V/5 and V/6, allow remote attackers to insert arbitrary HTML and script via text variables, as demonstrated using the errInfo parameter of the default login template. 7687 http://www.s21sec.com/es/avisos/s21sec-023-en.txt vignette-multiple-xss(12071) 20030526 S21SEC-023 - Vignette multiple Cross Site Scripting vulnerabilities Vignette StoryServer 5 and Vignette V/6 allows remote attackers to execute arbitrary TCL code via (1) an HTTP query or cookie which is processed in the NEEDS command, or (2) an HTTP Referrer that is processed in the VALID_PATHS command. 7692 7690 http://www.s21sec.com/es/avisos/s21sec-024-en.txt vignette-tcl-code-execution(12070) 20030526 S21SEC-024 - Vignette TCL Injection PalmVNC 1.40 and earlier stores passwords in plaintext in the PalmVNCDB, which is backed up to PCs that the Palm is synchronized with, which could allow attackers to gain privileges. 7696 palmvnc-plaintext-passwords(12083) 20030526 PalmVNC 1.40 Insecure Records Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string. 7699 batalla-naval-bo(12087) 20030526 [Priv8security_Advisory]_Batalla_Naval_remote_overflow Buffer overflow in Uptime Client (UpClient) 5.0b7, and possibly other versions, allows local users to gain privileges via a long -p argument. 7703 upclient-command-line-bo(12131) 20030527 NuxAcid#002 - Buffer Overflow in UpClient Buffer overflow in BRS WebWeaver 1.04 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP (1) POST or (2) HEAD request. 7695 webweaver-head-post-bo(12107) 20030527 BRS WebWeaver: POST and HEAD Overflaws Buffer overflow in AnalogX Proxy 4.13 allows remote attackers to execute arbitrary code via a long URL to port 6588. 7681 analogx-proxy-url-bo(12068) 20030526 NII Advisory - Buffer Overflow in Analogx Proxy 20030526 NII Advisory - Buffer Overflow in Analogx Proxy http://www.analogx.com/contents/download/network/proxy.htm Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension. 7709 sunone-jsp-source-disclosure(12093) N-103 55221 http://www.spidynamics.com/sunone_alert.html 1000610 20030526 Multiple Vulnerabilities in Sun-One Application Server Sun ONE Application Server 7.0 for Windows 2000/XP does not log the complete URI of a long HTTP request, which could allow remote attackers to hide malicious activities. 7711 N-103 55221 http://www.spidynamics.com/sunone_alert.html 1000610 20030526 Multiple Vulnerabilities in Sun-One Application Server Cross-site scripting (XSS) vulnerability in the webapps-simple sample application for (1) Sun ONE Application Server 7.0 for Windows 2000/XP or (2) Sun Java System Web Server 6.1 allows remote attackers to insert arbitrary web script or HTML via an HTTP request that generates an "Invalid JSP file" error, which inserts the text in the resulting error message. 7710 sunone-http-error-xss(12095) N-103 55221 http://www.spidynamics.com/sunone_alert.html 1000610 201009 57605 20030526 Multiple Vulnerabilities in Sun-One Application Server The installation of Sun ONE Application Server 7.0 for Windows 2000/XP creates a statefile with world-readable permissions, which allows local users to gain privileges by reading a plaintext password in the statefile. http://www.spidynamics.com/sunone_alert.html 7712 sunone-insecure-file-permissions(12096) N-103 1000610 55221 20030526 Multiple Vulnerabilities in Sun-One Application Server Remote PC Access Server 2.2 allows remote attackers to cause a denial of service (crash) by receiving packets from the server and sending them back to the server. http://www.ytech.co.il/advisories/rpca/rpcaccess.htm 7698 20030528 Remote PC Access Server 2.2 Vulnerability Cross-site scripting (XSS) vulnerability in index.cgi for Bandmin 1.4 allows remote attackers to insert arbitrary HTML or script via (1) the year parameter in a showmonth action, (2) the month parameter in a showmonth action, or (3) the host parameter in a showhost action. 7729 bandmin-index-xss(12108) 20030528 Bandmin 1.4 XSS Exploit Directory traversal vulnerability in Son hServer 0.2 allows remote attackers to read arbitrary files via ".|." (modified dot-dot) sequences. 7717 sonhserver-pipe-directory-traversal(12103) 20030529 Son hServer v0.2: directory traversal The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP citation, which causes it to include portions of unauthorized memory in ICMP error responses. VU#471084 http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt 20030609 Linux 2.0 remote info leak from too big icmp citation SMC Networks Barricade Wireless Cable/DSL Broadband Router SMC7004VWBR allows remote attackers to cause a denial of service via certain packets to PPTP port 1723 on the internal interface. http://www.idefense.com/advisory/06.11.03.txt Information leak in dsimportexport for Apple Macintosh OS X Server 10.2.6 allows local users to obtain the username and password of the account running the tool. http://www.kb.cert.org/vuls/id/JPLA-5NTL8E macos-dsimportexport-obtain-information(12342) 7894 ESB-2003.0415 9025 Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via a request to view_broadcast.cgi that does not contain the required parameters. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to obtain the source code for parseable files via the filename parameter. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to obtain the source code for scripts by appending encoded space (%20) or . (%2e) characters to an HTTP request for the script, e.g. view_broadcast.cgi. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ... (triple dot) in an HTTP request. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server The installation of Apple QuickTime / Darwin Streaming Server before 4.1.3f starts the administration server with a "Setup Assistant" page that allows remote attackers to set the administrator password and gain privileges before the real administrator. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. DSA-320 oval:org.mitre.oval:def:10194 RHSA-2005:506 oval:org.mitre.oval:def:647 Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. VU#542540 http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:75 The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:84 The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. http://www.ethereal.com/appnotes/enpa-sa-00010.html 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:88 The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences. http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:101 Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors. http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:106 Multiple buffer overflows in gnocatan 0.6.1 and earlier allow attackers to execute arbitrary code. DSA-315 Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. VU#200132 RHSA-2003:197 RHSA-2003:196 9038 9037 20030709 xpdf vulnerability - CAN-2003-0434 20030613 -10Day CERT Advisory on PDF Files MDKSA-2003:071 oval:org.mitre.oval:def:664 Buffer overflow in net_swapscore for typespeed 0.4.1 and earlier allows remote attackers to execute arbitrary code. DSA-322 20030612 BAZARR THUG LIFE , DONT READ OR VIRUS INFECT YOU Buffer overflow in search.cgi for mnoGoSearch 3.1.20 allows remote attackers to execute arbitrary code via a long ul parameter. 7865 20030610 mnogosearch 3.1.20 and 3.2.10 buffer overflow Buffer overflow in search.cgi for mnoGoSearch 3.2.10 allows remote attackers to execute arbitrary code via a long tmplt parameter. 7866 20030610 mnogosearch 3.1.20 and 3.2.10 buffer overflow eldav WebDAV client for Emacs, version 0.7.2 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. DSA-325 The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. RHSA-2003:234 DSA-339 RHSA-2003:231 oval:org.mitre.oval:def:569 Multiple buffer overflows in Orville Write (orville-write) 2.53 and earlier allow local users to gain privileges. 7988 DSA-326 orvillewrite-variables-bo(12381) Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. RHSA-2003:204 http://shh.thathost.com/secadv/2003-05-11-php.txt 20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php) 7761 DSA-351 20030530 PHP Trans SID XSS (Was: New php release with security fixes) php-session-id-xss(12259) TLSA-2003-47 1008653 4758 MDKSA-2003:082 N-112 CLSA-2003:691 oval:org.mitre.oval:def:485 Heap-based buffer overflow in GTKSee 0.5 and 0.5.1 allows remote attackers to execute arbitrary code via a PNG image of certain color depths. gtksee-png-bo(12462) 8061 DSA-337 Buffer overflow in webfs before 1.17.1 allows remote attackers to execute arbitrary code via an HTTP request with a long Request-URI. DSA-328 Cross-site scripting (XSS) in Internet Explorer 5.5 and 6.0, possibly in a component that is also used by other Microsoft products, allows remote attackers to insert arbitrary web script via an XML file that contains a parse error, which inserts the script in the resulting error message. http://security.greymagic.com/adv/gm013-ie/ 20030617 Cross-Site Scripting in Unparsable XML Files (GM#013-IE) 20030617 Re: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files 20030617 Cross-Site Scripting in Unparsable XML Files (GM#013-IE) 20030617 Cross-Site Scripting in Unparsable XML Files (GM#013-IE) ie-msxml-xss(12334) 7938 3065 9055 20030617 Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE) The Custom HTTP Errors capability in Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute script in the Local Zone via an argument to shdocvw.dll that causes a "javascript:" link to be generated. http://security.greymagic.com/adv/gm014-ie/ 20030617 Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE) 20030617 Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE) 20030617 Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE) Portmon 1.7 and possibly earlier versions allows local users to read and write arbitrary files via the (1) -c (host file) or (2) -l (log file) command line options. 20030618 Portmon file arbitrary read/write access vulnerability Progress Database 9.1 to 9.1D06 trusts user input to find and load libraries using dlopen, which allows local users to gain privileges via (1) a PATH environment variable that points to malicious libraries, as demonstrated using libjutil.so in_proapsv, or (2) the -installdir command line parameter, as demonstrated using librocket_r.so in _dbagent. http://www.secnetops.com/research/advisories/SRT2003-06-13-1009.txt http://www.secnetops.com/research/advisories/SRT2003-06-13-0945.txt 20030614 SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen() issue 20030614 SRT2003-06-13-0945 - Progress PATH based dlopen() issue Cistron RADIUS daemon (radiusd-cistron) 1.6.6 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large value in an NAS-Port attribute, which is interpreted as a negative number and causes a buffer overflow. TLSA-2003-40 DSA-321 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063 SuSE-SA:2003:030 CLA-2003:664 Multiple buffer overflows in xbl before 1.0k allow local users to gain privileges via certain long command line arguments. DSA-327 Buffer overflows in osh before 1.7-11 allow local users to execute arbitrary code and bypass shell restrictions via (1) long environment variables or (2) long "file redirections." DSA-329 traceroute-nanog 6.1.1 allows local users to overwrite unauthorized memory and possibly execute arbitrary code via certain "nprobes" and "max_ttl" arguments that cause an integer overflow that is used when allocating memory, which leads to a buffer overflow. DSA-348 20030620 BAZARR FAREWELL Multiple buffer overflows in xgalaga 2.0.34 and earlier allow local users to gain privileges via a long HOME environment variable. DSA-334 The imagemagick libmagick library 5.5 and earlier creates temporary files insecurely, which allows local users to create or overwrite arbitrary files. DSA-331 RHSA-2004:494 20030710 [OpenPKG-SA-2003.034] OpenPKG Security Advisory (imagemagick) VisNetic WebSite 3.5 allows remote attackers to obtain the full pathname of the server via a request containing a folder that does not exist, which leaks the pathname in an error message, as demonstrated using _vti_bin/fpcount.exe. 8075 20030701 VisNetic WebSite Path Disclosure Vulnerability 20030701 VisNetic WebSite Path Disclosure Vulnerability visnetic-website-path-disclosure(12483) http://www.krusesecurity.dk/advisories/vis0103.txt Unknown vulnerability in HP NonStop Server D40.00 through D48.03, and G01.00 through G06.20, allows local users to gain additional privileges. 8080 SSRT3488 KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. RHSA-2003:236 RHSA-2003:235 20030802 [slackware-security] KDE packages updated (SSA:2003-213-01) TLSA-2003-45 http://www.kde.org/info/security/advisory-20030729-1.txt DSA-361 20030729 KDE Security Advisory: Konqueror Referrer Authentication Leak MDKSA-2003:079 CLA-2003:747 oval:org.mitre.oval:def:411 The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service. VU#694428 http://www.apache.org/dist/httpd/Announcement.html /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. RHSA-2003:238 DSA-423 RHSA-2004:188 DSA-358 http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html oval:org.mitre.oval:def:9330 oval:org.mitre.oval:def:997 oval:org.mitre.oval:def:304 A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). RHSA-2003:238 DSA-423 RHSA-2003:198 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:309 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd. RHSA-2003:238 oval:org.mitre.oval:def:311 The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks. RHSA-2004:188 oval:org.mitre.oval:def:10285 http://marc.theaimsgroup.com/?l=linux-kernel&m=105796415223490&w=2 http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2 Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. VU#743092 8315 libc-realpath-offbyone-bo(12785) TLSA-2003-46 20060214 Re: Latest wu-ftpd exploit :-s 20060213 Latest wu-ftpd exploit :-s RHSA-2003:246 RHSA-2003:245 6602 SuSE-SA:2003:032 DSA-357 1001257 1007380 9535 9447 9446 9423 20030804 Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3) 20030804 wu-ftpd-2.6.2 off-by-one remote exploit. FreeBSD-SA-03:08 20030731 wu-ftpd fb_realpath() off-by-one bug http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt IMNX-2003-7+-019-01 20030731 wu-ftpd fb_realpath() off-by-one bug NetBSD-SA2003-011.txt.asc MDKSA-2003:080 oval:org.mitre.oval:def:1970 Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote attackers to cause a denial of service (crash) in systems using NAT, possibly due to an integer signedness error. 20030802 [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle) Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port. DSA-363 20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning 8333 RHSA-2003:251 SuSE-SA:2003:033 9433 MDKSA-2003:081 CLA-2003:717 oval:org.mitre.oval:def:522 Buffer overflow in the HTML Converter (HTML32.cnv) on various Windows operating systems allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via cut-and-paste operation, as demonstrated in Internet Explorer 5.0 using a long "align" argument in an HR tag. VU#823260 CA-2003-14 MS03-023 20030622 Internet Explorer >=5.0 : Buffer overflow 20030625 Re: Internet Explorer >=5.0 : Buffer overflow 20030701 PoC for Internet Explorer >=5.0 buffer overflow (trivial exploit for hard case). 8016 Buffer overflow in the "RuFSI Utility Class" ActiveX control (aka "RuFSI Registry Information Class"), as used for the Symantec Security Check service, allows remote attackers to execute arbitrary code via a long argument to CompareVersionStrings. VU#527228 20030624 [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow symantec-security-activex-bo(12423) 8008 1007029 9091 20030622 Symantec ActiveX control buffer overflow Buffer overflow in WebAdmin.exe for WebAdmin allows remote attackers to execute arbitrary code via an HTTP request to WebAdmin.dll with a long USER argument. 20030624 Remote Buffer Overrun WebAdmin.exe 8024 2207 20030624 Re: WebAdmin from ALT-N remote exploit PoC The IPv6 capability in IRIX 6.5.19 allows remote attackers to cause a denial of service (hang) in inetd via port scanning. 20030607-01-P irix-inetd-portscan-dos(12676) 8027 8585 Unknown vulnerability in the IPv6 capability in IRIX 6.5.19 causes snoop to process packets as the root user, with unknown implications. 20030607-01-P irix-snoop-gain-privileges(12677) 8029 8586 Directory traversal vulnerability in iWeb Server allows remote attackers to read arbitrary files via an HTTP request containing .. sequences, a different vulnerability than CVE-2003-0475. 20030627 Re: TA-2003-06 Directory Transversal Vulnerability in iWeb Server 20030416 SFAD03-001: iWeb Mini Web Server Remote Directory Traversal Directory traversal vulnerability in iWeb Server 2 allows remote attackers to read arbitrary files via an HTTP request containing URL-encoded .. sequences ("%5c%2e%2e"), a different vulnerability than CVE-2003-0474. 20030627 Re: TA-2003-06 Directory Transversal Vulnerability in iWeb Server 20030623 TA-2003-06 Directory Transversal Vulnerability in iWeb Server 2 The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. RHSA-2003:368 DSA-423 RHSA-2003:408 RHSA-2003:238 DSA-358 MDKSA-2003:074 20030626 Linux 2.4.x execve() file read race vulnerability oval:org.mitre.oval:def:327 wzdftpd 0.1rc4 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command without an argument. http://www.wzdftpd.net/changea.html 20030627 wzdftpd remote DoS Format string vulnerability in (1) Bahamut IRCd 1.4.35 and earlier, and other IRC daemons based on Bahamut including (2) digatech 1.2.1, (3) methane 0.1.1, (4) AndromedeIRCd 1.2.3-Release, and (5) ircd-RU, when running in debug mode, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a request containing format strings. 20030627 Bahamut DoS 20030627 Re: Bahamut IRCd <= 1.4.35 and several derived daemons 20030626 Bahamut IRCd <= 1.4.35 and several derived daemons Cross-site scripting (XSS) vulnerability in the guestbook for WebBBS allows remote attackers to insert arbitrary web script via the (1) Name, (2) Email, or (3) Message fields. 20030627 WebBBS Guestbook : Cross Site Scripting VMware Workstation 4.0 for Linux allows local users to overwrite arbitrary files and gain privileges via "symlink manipulation." http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1019 20030627 VMware Workstation 4.0: Possible privilege escalation on the host Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow remote attackers to insert arbitrary web script, as demonstrated using the msg parameter to file_select.php. 20030623 [KSA-001] Multiple vulnerabilities in Tutos TUTOS 1.1 allows remote attackers to execute arbitrary code by uploading the code using file_new.php, then directly accessing the uploaded code via a request to the repository containing the code. 20030623 [KSA-001] Multiple vulnerabilities in Tutos Cross-site scripting (XSS) vulnerabilities in XMB Forum 1.8 Partagium allow remote attackers to insert arbitrary script via (1) the member parameter to member.php or (2) the action parameter to buddy.php. 20030623 Many XSS Vulnerabilities in XMB Forum. Cross-site scripting (XSS) vulnerability in viewtopic.php for phpBB allows remote attackers to insert arbitrary web script via the topic_id parameter. 20030621 XSS Exploit In phpBB viewtopic.php Buffer overflow in Progress 4GL Compiler 9.1D06 and earlier allows attackers to execute arbitrary code via source code containing a long, invalid data type. 7997 20030620 SRT2003-06-20-1232 - Progress 4GL Compiler datatype overflow SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter. phpbb-viewtopic-sql-injection(12366) 7979 http://www.phpbb.com/phpBB/viewtopic.php?t=112052 20030619 phpBB password disclosure by sql injection Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long folder parameter in the list module, and (4) a long user parameter in the do_map module. 7967 kerio-multiple-modules-bo(12368) http://nautopia.org/vulnerabilidades/kerio_mailserver.htm 20030618 Multiple buffer overflows and XSS in Kerio MailServer Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module. 7968 7966 kerio-multiple-modules-xss(12367) http://nautopia.org/vulnerabilidades/kerio_mailserver.htm 20030618 Multiple buffer overflows and XSS in Kerio MailServer tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets, which may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute. DSA-330 The installation of Dantz Retrospect Client 5.0.540 on MacOS X 10.2.6, and possibly other versions, creates critical directories and files with world-writable permissions, which allows local users to gain privileges as other users by replacing programs with malicious code. 20030616 Dantz Retrospect Client 5.0.540 for Mac OS X - permission issues The Tutorials 2.0 module in XOOPS and E-XOOPS allows remote attackers to execute arbitrary code by uploading a PHP file without a MIME image type, then directly accessing the uploaded file. 20030616 Directory traversal vulnerability on Xoops/E-xoops CMS module "tutorials" 20030614 Directory traversal vulnerability on Xoops/E-xoops CMS module "tutorials" Cross-site scripting (XSS) vulnerability in search.asp for Snitz Forums 3.4.03 and earlier allows remote attackers to execute arbitrary web script via the Search parameter. snitz-search-xss(12325) 7922 20030616 Multiple Vulnerabilities In Snitz Forums Snitz Forums 3.4.03 and earlier allows attackers to gain privileges as other users by stealing and replaying the encrypted password after obtaining a valid session ID. 7924 20030616 Multiple Vulnerabilities In Snitz Forums password.asp in Snitz Forums 3.4.03 and earlier allows remote attackers to reset passwords and gain privileges as other users by via a direct request to password.asp with a modified member id. snitz-forums-password-reset(12326) 7925 20030616 Multiple Vulnerabilities In Snitz Forums Cross-site scripting (XSS) vulnerability in LedNews 0.7 allows remote attackers to insert arbitrary web script via a news item. lednews-message-xss(12304) 7920 20030615 XSS Vulnerability in LedNews (CGI/Perl) v0.7 Microsoft SQL Server before Windows 2000 SP4 allows local users to gain privileges as the SQL Server user by calling the xp_fileexist extended stored procedure with a named pipe as an argument instead of a normal file. A070803-1 20030709 Pipe Filename Local Privilege Escalation FAQ 20030715 CreateFile exploit, (working) 20030714 @stake named pipe exploit Caché Database 5.x installs /cachesys/bin/cache with world-writable permissions, which allows local users to gain privileges by modifying cache and executing it via cuxs. 20030701 Caché Insecure Installation File and Directory Permissions Caché Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. 20030701 Caché Insecure Installation File and Directory Permissions Mantis 0.17.5 and earlier stores its database password in cleartext in a world-readable configuration file, which allows local users to perform unauthorized database operations. DSA-335 SQL injection vulnerability in the PostgreSQL authentication module (mod_sql_postgres) for ProFTPD before 1.2.9rc1 allows remote attackers to execute arbitrary SQL and gain privileges by bypassing authentication or stealing passwords via the USER name. DSA-338 20030618 SQL Inject in ProFTPD login against Postgresql using mod_sql The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. RHSA-2003:198 DSA-423 RHSA-2003:238 DSA-358 20030620 Linux /proc sensitive information disclosure RHSA-2003:239 oval:org.mitre.oval:def:328 Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Buffer overflow in the ShellExecute API function of SHELL32.DLL in Windows 2000 before SP4 may allow attackers to cause a denial of service or execute arbitrary code via a long third argument. 20030703 [SNS Advisory No.65] Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow 20030703 [SNS Advisory No.65] Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware 0.9.14.003 (aka webdistro) allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to index.php in the addressbook module. 20030702 [KSA-003] Cross Site Scripting Vulnerability in Phpgroupware http://www.security-corporation.com/articles-20030702-005.html DSA-365 MDKSA-2003:077 CLA-2003:697 Directory traversal vulnerability in Microsoft NetMeeting 3.01 2000 before SP4 allows remote attackers to read arbitrary files via "..\.." (dot dot) sequences in a file transfer request. 7931 20030702 CORE-2003-0305-04: NetMeeting Directory Traversal Vulnerability Microsoft NetMeeting 3.01 2000 before SP4 allows remote attackers to cause a denial of service (shutdown of NetMeeting conference) via malformed packets, as demonstrated via the chat conversation. 20030702 CORE-2003-0305-04: NetMeeting Directory Traversal Vulnerability Stack-based buffer overflow in Active Directory in Windows 2000 before SP4 allows remote attackers to cause a denial of service (reboot) and possibly execute arbitrary code via an LDAP version 3 search request with a large number of (1) "AND," (2) "OR," and possibly other statements, which causes LSASS.EXE to crash. VU#594108 Q319709 20030702 CORE-2003-0305-03: Active Directory Stack Overflow 7930 9171 Buffer overflow in the WWWLaunchNetscape function of Adobe Acrobat Reader (acroread) 5.0.7 and earlier allows remote attackers to execute arbitrary code via a .pdf file with a long mailto link. 20030701 [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow 20030709 Acroread 5.0.7 buffer overflow SQL injection vulnerability in Cyberstrong eShop 4.2 and earlier allows remote attackers to steal authentication information and gain privileges via the ProductCode parameter in (1) 10expand.asp, (2) 10browse.asp, and (3) 20review.asp. 20030701 CyberStrong Shopping Cart - Advisory & Exploit Code cyberstrongeshop-multiple-sql-injection(12485) 14112 14103 14101 10100 10099 10098 1007092 9165 Format string vulnerability in ezbounce 1.0 through 1.50 allows remote attackers to execute arbitrary code via the "sessions" command. 20030701 ezbounce[v1.0-(1.04a/1.50pre6)]: remote format string exploit. http://druglord.freelsd.org/ezbounce/ The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm 20030728 HTTP GET Vulnerability in AP1x00 oval:org.mitre.oval:def:5834 20030728 Cisco Aironet AP 1100 Malformed HTTP Request Crash Vulnerability Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge. VU#886796 http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm 20030724 Enumerating Locally Defined Users in Cisco IOS oval:org.mitre.oval:def:5824 20030728 Cisco Aironet AP1100 Valid Account Disclosure Vulnerability Microsoft Internet Explorer allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Internet Explorer to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue Apple Safari allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Safari to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue SQL injection vulnerabilities in the (1) PostgreSQL or (2) MySQL authentication modules for teapop 0.3.5 and earlier allow attackers to execute arbitrary SQL and possibly gain privileges. DSA-347 cnd.c in mgetty 1.1.28 and earlier does not properly filter non-printable characters and quotes, which may allow remote attackers to execute arbitrary commands via shell metacharacters in (1) caller ID or (2) caller name strings. ftp://alpha.greenie.net/pub/mgetty/source/1.1/mgetty1.1.29-Nov25.tar.gz faxrunqd.in in mgetty 1.1.28 and earlier allows local users to overwrite files via a symlink attack on JOB files. ftp://alpha.greenie.net/pub/mgetty/source/1.1/mgetty1.1.29-Nov25.tar.gz The screen saver in MacOS X allows users with physical access to cause the screen saver to crash and gain access to the underlying session via a large number of characters in the password field, possibly triggering a buffer overflow. 20030715 FIXED: MacOSX - crash screensaver locked with password and get thedesktop back http://docs.info.apple.com/article.html?artnum=120232 20030704 MacOSX - crash screensaver locked with password and get the desktop back Certain versions of Internet Explorer 5 and 6, in certain Windows environments, allow remote attackers to cause a denial of service (freeze) via a URL to C:\aux (MS-DOS device name) and possibly other devices. 20030707 Internet Explorer 6 DoS Bug Trillian 1.0 Pro and 0.74 Freeware allows remote attackers to cause a denial of service (crash) via a TypingUser message in which the "TypingUser" string has been modified. 8107 20030704 Trillian Remote DoS Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens. This vulnerability is addressed in the following product release: cPanel, cPanel, 7.0 20030706 cPanel Malicious HTML Tags Injection Vulnerability Multiple SQL injection vulnerabilities in ProductCart 1.5 through 2 allow remote attackers to (1) gain access to the admin control panel via the idadmin parameter to login.asp or (2) gain other privileges via the Email parameter to Custva.asp. 20030705 Re: Another ProductCart SQL Injection Vulnerability 20030704 Another ProductCart SQL Injection Vulnerability Cross-site scripting (XSS) vulnerability in msg.asp for certain versions of ProductCart allow remote attackers to execute arbitrary web script via the message parameter. 20030705 ProductCart XSS Vulnerability Qt in Knoppix 3.1 Live CD allows local users to overwrite arbitrary files via a symlink attack on the qt_plugins_3.0rc temporary file in the .qt directory. 20030708 Qt temporary files race condition in Knoppix 3.1 The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method. winnt-file-management-dos (12701) MS03-029 A072303-1 oval:org.mitre.oval:def:319 Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." MS03-028 http://pivx.com/larholm/adv/TL006 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) 20030716 ISA Server - Error Page Cross Site Scripting 20030716 ISA Server - Error Page Cross Site Scripting oval:org.mitre.oval:def:117 Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CA-2003-23 VU#254236 MS03-039 http://www.nsfocus.com/english/homepage/research/0306.htm 20030911 NSFOCUS SA2003-06 : Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability 20030920 The Analysis of RPC Long Filename Heap Overflow AND a Way to Write Universal Heap Overflow of Windows oval:org.mitre.oval:def:3966 oval:org.mitre.oval:def:2968 oval:org.mitre.oval:def:2884 oval:org.mitre.oval:def:127 Buffer overflow in the BR549.DLL ActiveX control for Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to execute arbitrary code. VU#548964 CA-2003-22 MS03-032 ie-br549-activex-bo(12962) 8454 1007538 9580 Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to access and execute script in the My Computer domain using the browser cache via crafted Content-Type and Content-Disposition headers, aka the "Browser Cache Script Execution in My Computer Zone" vulnerability. VU#205148 CA-2003-22 MS03-032 ie-cache-script-injection(12961) 8457 http://www.lac.co.jp/security/english/snsadv_e/67_e.html 9580 Internet Explorer 5.01 SP3 through 6.0 SP1 does not properly determine object types that are returned by web servers, which could allow remote attackers to execute arbitrary code via an object tag with a data parameter to a malicious file hosted on a server that returns an unsafe Content-Type, aka the "Object Type" vulnerability. VU#865940 MS03-032 http://www.eeye.com/html/Research/Advisories/AD20030820.html 20030820 EEYE: Internet Explorer Object Data Remote Execution Vulnerability 20030820 EEYE: Internet Explorer Object Data Remote Execution Vulnerability Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. VU#753212 TA04-104A MS04-011 AD20040413C 20040429 MS04011 Lsasrv.dll RPC buffer overflow remote exploit (PoC) 20040413 EEYE: Windows Local Security Authority Service Remote Buffer Overflow win-lsass-bo(15699) 10108 O-114 oval:org.mitre.oval:def:919 oval:org.mitre.oval:def:898 oval:org.mitre.oval:def:883 Buffer overflow in xbl 1.0k and earlier allows local users to gain privileges via a long -display command line option. DSA-345 20030708 Fwd: xbl vulnerabilty Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. (dot dot) sequences in the (1) template or (2) lng parameters. DSA-346 20030425 Unauthorized reading files on phpSysInfo http://sourceforge.net/tracker/index.php?func=detail&aid=670222&group_id=15&atid=100015 The liece Emacs IRC client 2.0+0.20030527 and earlier creates temporary files insecurely, which could allow local users to overwrite arbitrary files as other users. DSA-341 The mailcap file for mozart 1.2.5 and earlier causes Oz applications to be passed to the Oz interpreter, which allows remote attackers to execute arbitrary Oz programs in a MIME-aware client program. DSA-342 skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files. DSA-343 RHSA-2003:242 oval:org.mitre.oval:def:28 The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. VU#895508 RHSA-2003:251 DSA-363 8333 SuSE-SA:2003:033 ESA-20030804-019 9433 2003-0029 20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning CLA-2003:717 MDKSA-2003:081 20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning oval:org.mitre.oval:def:544 gtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference. RHSA-2003:264 DSA-710 MDKSA-2003:093 CLA-2003:737 oval:org.mitre.oval:def:148 Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. VU#549142 VU#434566 8911 RHSA-2004:015 20031031 GLSA: apache (200310-04) apache-modalias-modrewrite-bo(13400) 9504 20031028 [OpenPKG-SA-2003.046] OpenPKG Security Advisory (apache) HPSBUX0311-301 RHSA-2005:816 RHSA-2003:405 RHSA-2003:360 RHSA-2003:320 MDKSA-2003:103 101841 101444 10593 10580 10463 10264 10260 10153 10114 10112 10102 10098 10096 oval:org.mitre.oval:def:9458 SSRT090208 HPSBOV02683 http://lists.apple.com/mhonarc/security-announce/msg00045.html APPLE-SA-2004-01-26 http://httpd.apache.org/dist/httpd/Announcement2.html http://docs.info.apple.com/article.html?artnum=61798 20040202-01-U 20031203-01-U SCOSA-2004.6 oval:org.mitre.oval:def:864 oval:org.mitre.oval:def:863 oval:org.mitre.oval:def:3799 Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. VU#255484 CA-2003-26 RHSA-2003:291 ADV-2006-3900 http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm RHSA-2003:292 ESA-20030930-027 DSA-394 DSA-393 201029 oval:org.mitre.oval:def:5292 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893 8732 http://www-1.ibm.com/support/docview.wss?uid=swg21247112 22249 oval:org.mitre.oval:def:4254 OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. VU#380864 CA-2003-26 RHSA-2003:292 RHSA-2003:291 ADV-2006-3900 http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm ESA-20030930-027 DSA-394 DSA-393 201029 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893 openssl-asn1-sslclient-dos(43041) 8732 http://www-1.ibm.com/support/docview.wss?uid=swg21247112 22249 oval:org.mitre.oval:def:4574 Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. VU#935264 CA-2003-26 RHSA-2003:292 ADV-2006-3900 8732 DSA-394 http://www-1.ibm.com/support/docview.wss?uid=swg21247112 22249 oval:org.mitre.oval:def:2590 up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. RHSA-2003:255 oval:org.mitre.oval:def:631 GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file. RHSA-2003:258 20030824 [slackware-security] GDM security update (SSA:2003-236-01) http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html CLA-2003:729 oval:org.mitre.oval:def:112 The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549. RHSA-2003:259 RHSA-2003:258 http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html CLA-2003:729 oval:org.mitre.oval:def:113 The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name. RHSA-2003:259 RHSA-2003:258 http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html CLA-2003:729 oval:org.mitre.oval:def:129 The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. RHSA-2003:238 DSA-423 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:380 The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. RHSA-2003:238 RHSA-2003:198 DSA-423 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:384 Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. RHSA-2003:238 RHSA-2003:198 DSA-423 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:385 Buffer overflow in the Client Detection Tool (CDT) plugin (npcdt.dll) for Netscape 7.02 allows remote attackers to execute arbitrary code via an attachment with a long filename. 20030714 Netscape 7.02 Client Detection Tool plug-in buffer overrun http://jimmers.russia.webmatrixhosting.net/whitepapers/CDTbug.pdf NeoModus Direct Connect 1.0 build 9, and possibly other versions, allows remote attackers to cause a denial of service (connection and possibly memory exhaustion) via a flood of ConnectToMe requests containing arbitrary IP addresses and ports. 20030714 [sec-labs] Remote Denial of Service vulnerability in NeoModus Direct Connect 1.0 build 9 20030714 [sec-labs] Remote Denial of Service vulnerability in NeoModus Direct Connect 1.0 build 9 ImageMagick 5.4.3.x and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a "%x" filename, possibly triggering a format string vulnerability. 20030714 ImageMagick's Overflow Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester. 20030712 DoS - Polycom MGC 25 Control Port 20030712 DoS - Polycom MGC 25 Control Port SQL injection vulnerability in login.asp for StoreFront 6.0, and possibly earlier versions, allows remote attackers to obtain sensitive user information via SQL statements in the password field. This issue was addressed in a hot fix for StoreFront 6.1 in late January 2004. 20030712 ZH2003-3SA (security advisory): Storefront sql injection: users Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request. 20030711 LeapFTP remote buffer overflow exploit mainfile.php in phpforum 2 RC-1, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by modifying the MAIN_PATH parameter to reference a URL on a remote web server that contains the code. 20030710 PHP-Include-Hack-Possibility in phpforum 2 RC-1 SQL injection vulnerability in shopexd.asp for VP-ASP allows remote attackers to gain administrator privileges via the id parameter. 20030704 VPASP SQL Injection Vulnerability & Exploit CODE 8159 Multiple buffer overflows in IglooFTP PRO 3.8 allow remote FTP servers to execute arbitrary code via (1) a long FTP banner, or long responses to the client commands (2) USER, (3) PASS, (4) ACCT, and possibly other commands. 20030707 Multiple Buffer Overflows in IglooFTP PRO 20030707 Multiple Buffer Overflows in IglooFTP PRO Buffer overflow in the CGI2PERL.NLM PERL handler in Novell Netware 5.1 and 6.0 allows remote attackers to cause a denial of service (ABEND) via a long input string. VU#185593 http://www.protego.dk/advisories/200301.html http://support.novell.com/servlet/tidfinder/2966549 20030723 Buffer Overflow in Netware Web Server PERL Handler 20030723 Buffer Overflow in Netware Web Server PERL Handler 20030723 NOVL-2003-2966549 - Enterprise Web Server PERL Buffer Overflow Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. VU#428230 http://www.uniras.gov.uk/vuls/2003/006489/smime.htm RHSA-2004:110 SSRT4722 smime-asn1-bo(13603) 8981 RHSA-2004:112 oval:org.mitre.oval:def:11462 20040402-01-U MDKSA-2004:021 FLSA:2089 oval:org.mitre.oval:def:914 oval:org.mitre.oval:def:872 Multiple vulnerabilities in multiple vendor implementations of the X.400 protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an X.400 message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. VU#927278 http://www.uniras.gov.uk/vuls/2003/006489/x400.htm Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full. CA-2003-17 CA-2003-15 VU#411332 20030717 IOS Interface Blocked by IPv4 Packet oval:org.mitre.oval:def:5603 20030718 (no subject) Unknown vulnerability in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows attackers to cause a denial of service (memory consumption). 20030701-01-P irix-nsd-map-dos(12635) 8587 The DNS callbacks in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, do not perform sufficient sanity checking, with unknown impact. 20030701-01-P Unknown vulnerability in SGI IRIX 6.5.x through 6.5.20, and possibly earlier versions, allows local users to cause a core dump in scheme and possibly gain privileges via certain environment variables, a different vulnerability than CVE-2001-0797 and CVE-1999-0028. 20030702-01-P Heap-based buffer overflow in the name services daemon (nsd) in SGI IRIX 6.5.x through 6.5.21f, and possibly earlier versions, allows attackers to gain root privileges via the AUTH_UNIX gid list. VU#682900 20030704-01-P 8304 20030730 [LSD] IRIX nsd remote buffer overflow vulnerability irix-authunix-nsd-bo(12763) 2337 N-130 9390 Unknown vulnerability in the NFS daemon (nfsd) in SGI IRIX 6.5.19f and earlier allows remote attackers to cause a denial of service (kernel panic) via certain packets that cause XDR decoding errors, a different vulnerability than CVE-2003-0619. 20030801-02-P 20030801-01-P mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size. 6629 20030116 Re[2]: Local/remote mpg123 exploit CLA-2003:695 CSSA-2004-002.0 MDKSA-2003:078 7875 cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. 20030716 SRT2003-07-07-0831 - IBM U2 UniVerse cci_dir creates hard links as root 20030716 SRT2003-07-07-0831 - IBM U2 UniVerse cci_dir creates hard links as root uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user. 20030716 SRT2003-07-07-0833 - IBM U2 UniVerse users with uvadm rights can take root via uvadmsh 20030716 SRT2003-07-07-0833 - IBM U2 UniVerse users with uvadm rights can take root via uvadmsh Buffer overflow in uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier allows the uvadm user to execute arbitrary code via a long -uv.install command line argument. 20030716 SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows 20030716 SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows X Fontserver for Truetype fonts (xfstt) 1.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a (1) FS_QueryXExtents8 or (2) FS_QueryXBitmaps8 packet, and possibly other types of packets, with a large num_ranges value, which causes an out-of-bounds array access. DSA-360 20030714 xfstt-1.4 vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0504. Reason: This candidate is a duplicate of CVE-2003-0504. Notes: All CVE users should reference CVE-2003-0504 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via a long command line argument. 20030716 SRT2003-07-16-0358 - bru has buffer overflow and format issues Format string vulnerability in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via format string specifiers in a command line argument. 20030716 SRT2003-07-16-0358 - bru has buffer overflow and format issues SQL injection vulnerability in login.asp of Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to bypass authentication and execute arbitrary SQL code via the (1) user or (2) pass parameters. 20030717 eStore SQL Injection Vulnerability & Path Disclosure Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to obtain sensitive path information via a direct HTTP request to settings.inc.php. 20030717 eStore SQL Injection Vulnerability & Path Disclosure Cross-site scripting (XSS) vulnerability in Infopop Ultimate Bulletin Board (UBB) 6.x allows remote authenticated users to execute arbitrary web script and gain administrative access via the "displayed name" attribute of the "ubber" cookie. 20030716 Changing UBB cookie allows account hijack admin.php in Digi-news 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. 20030716 Digi-news and Digi-ads version 1.1 admin access without password admin.php in Digi-ads 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. 20030716 Digi-news and Digi-ads version 1.1 admin access without password Cross-site scripting (XSS) vulnerability in Splatt Forum allows remote attackers to insert arbitrary HTML and web script via the post icon (image_subject) field. http://members.fortunecity.it/lethalman2002/bugs/splatt.html 20030715 Splatt Forum html injection code in post icon ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a duplicate number that was created during the refinement phase. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage. Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. RHSA-2004:074 DSA-459 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue MDKSA-2004:022 oval:org.mitre.oval:def:823 Opera allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Opera to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. oval:org.mitre.oval:def:9826 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue RHSA-2004:112 MDKSA-2004:021 oval:org.mitre.oval:def:917 oval:org.mitre.oval:def:873 Buffer overflow in WiTango Application Server and Tango 2000 allows remote attackers to execute arbitrary code via a long cookie to Witango_UserReference. 20030718 Witango & Tango 2000 Application Server Remote System Buffer Overrun