Multiple ethernet Network Interface Card (NIC) device drivers do not pad frames with null bytes, which allows remote attackers to obtain information from previous packets or kernel memory by using malformed packets, as demonstrated by Etherleak. VU#412115 RHSA-2003:025 http://www.atstake.com/research/advisories/2003/atstake_etherleak_report.pdf A010603-1 20030110 More information regarding Etherleak 20030110 More information regarding Etherleak 20030117 Re: More information regarding Etherleak 20030106 Etherleak: Ethernet frame padding information leakage (A010603-1) RHSA-2003:088 9962 7996 oval:org.mitre.oval:def:2665 Cross-site scripting vulnerability (XSS) in ManualLogin.asp script for Microsoft Content Management Server (MCMS) 2001 allows remote attackers to execute arbitrary script via the REASONTXT parameter. MS03-002 mcms-manuallogin-reasontxt-xss (10318) 20021007 CSS on Microsoft Content Management Server 5922 Buffer overflow in the RPC Locator service for Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code via an RPC call to the service containing certain parameter information. VU#610986 CA-2003-03 MS03-001 win-locator-bo(11132) 6666 20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003) 20030130 Microsoft RPC Locator Buffer Overflow Vulnerability (#NISR29012003) oval:org.mitre.oval:def:103 Buffer overflow in the Windows Redirector function in Microsoft Windows XP allows local users to execute arbitrary code via a long parameter. MS03-005 6778 winxp-windows-redirector-bo(11260) 20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability 20030327 NSFOCUS SA2003-01: Microsoft Windows XP Redirector Local Buffer Overflow Vulnerability Microsoft Outlook 2002 does not properly handle requests to encrypt email messages with V1 Exchange Server Security certificates, which causes Outlook to send the email in plaintext, aka "Flaw in how Outlook 2002 handles V1 Exchange Server Security Certificates could lead to Information Disclosure." MS03-003 outlook-v1-certificate-plaintext(11133) 6667 Cross-site scripting (XSS) vulnerability in Help and Support Center for Microsoft Windows Me allows remote attackers to execute arbitrary script in the Local Computer security context via an hcp:// URL with the malicious script in the topic parameter. VU#489721 6966 MS03-006 20030227 MS-Windows ME IE/Outlook/HelpCenter critical vulnerability winme-hsc-hcp-bo(11425) 6074 N-047 Integer overflow in JsArrayFunctionHeapSort function used by Windows Script Engine for JScript (JScript.dll) on various Windows operating system allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail that uses a large array index value that enables a heap-based buffer overflow attack. 7146 MS03-008 20030319 iDEFENSE Security Advisory 03.19.03: Heap Overflow in Windows Script Engine 20030319 Windows Scripting Engine issue 20030319 Heap Overflow in Windows Script Engine oval:org.mitre.oval:def:795 oval:org.mitre.oval:def:794 oval:org.mitre.oval:def:200 oval:org.mitre.oval:def:134 Unknown vulnerability in the DNS intrusion detection application filter for Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (blocked traffic to DNS servers) via a certain type of incoming DNS request that is not properly handled. 7145 MS03-009 The data collection script for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 sets world-writable permissions for the data/mining directory when it runs, which allows local users to modify or delete the data. 20030102 [BUGZILLA] Security Advisory - remote database password disclosure bugzilla-mining-world-writable(10971) 6502 RHSA-2003:012 DSA-230 The default .htaccess scripts for Bugzilla 2.14.x before 2.14.5, 2.16.x before 2.16.2, and 2.17.x before 2.17.3 do not include filenames for backup copies of the localconfig file that are made from editors such as vi and Emacs, which could allow remote attackers to obtain a database password by directly accessing the backup file. DSA-230 20030102 [BUGZILLA] Security Advisory - remote database password disclosure 6501 6351 bugzilla-htaccess-database-password(10970) gsinterf.c in bmv 1.2 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. For the stable distribution this problem has been fixed in version 1.2-14.2. For the unstable distribution this problem has been fixed in version 1.2-17. bmv-symlink(18823) 12229 DSA-633 http://packages.debian.org/changelogs/pool/main/b/bmv/bmv_1.2-14.2/changelog 1012847 13796 13793 Double-free vulnerability in CVS 1.11.4 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed Directory request, as demonstrated by bypassing write checks to execute Update-prog and Checkin-prog commands. VU#650937 CA-2003-02 http://security.e-matters.de/advisories/012003.html RHSA-2003:013 cvs-doublefree-memory-corruption(11108) 6650 RHSA-2003:012 MDKSA-2003:009 DSA-233 N-032 FreeBSD-SA-03:01 20030202 Exploit for CVS double free() for Linux pserver 20030124 Test program for CVS double-free. 20030122 [security@slackware.com: [slackware-security] New CVS packages available] http://ccvs.cvshome.org/servlets/NewsItemView?newsID=51&JServSessionIdservlets=5of2iuhr14 20030120 Advisory 01/2003: CVS remote vulnerability Apache before 2.0.44, when running on unpatched Windows 9x and Me operating systems, allows remote attackers to cause a denial of service or execute arbitrary code via an HTTP request containing MS-DOS device names. VU#979793 VU#825177 [apache-httpd-announce] 20030120 [ANNOUNCE] Apache 2.0.44 Released http://www.apacheweek.com/issues/03-01-24#security apache-device-code-execution(11125) apache-device-name-dos(11124) 6659 Apache 2.0 before 2.0.44 on Windows platforms allows remote attackers to obtain certain files via an HTTP request that ends in certain illegal characters such as ">", which causes a different filename to be processed and served. http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=104313442901017&w=2 Linux kernel 2.4.10 through 2.4.21-pre4 does not properly handle the O_DIRECT feature, which allows local attackers with write privileges to read portions of previously deleted files, or cause file system corruption. RHSA-2003:025 DSA-423 linux-odirect-information-leak(11249) 6763 MDKSA-2003:014 DSA-358 http://linux.bkbits.net:8080/linux-2.4/cset@3e2f193drGJDBg9SG6JwaDQwCBnAMQ uml_net in the kernel-utils package for Red Hat Linux 8.0 has incorrect setuid root privileges, which allows local users to modify network interfaces, e.g. by modifying ARP entries or placing interfaces into promiscuous mode. VU#134025 RHSA-2003:056 linux-umlnet-gain-privileges(11276) 6801 N-044 Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. 9930 apache-esc-seq-injection(11412) 20030224 Terminal Emulator Security Issues 2004-0027 2004-0017 SSA:2004-133 RHSA-2003:244 RHSA-2003:243 RHSA-2003:139 RHSA-2003:104 RHSA-2003:083 RHSA-2003:082 MDKSA-2003:050 57628 101555 GLSA-200405-22 SSRT4717 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) APPLE-SA-2004-05-03 MDKSA-2004:046 20030224 Terminal Emulator Security Issues oval:org.mitre.oval:def:4114 oval:org.mitre.oval:def:150 oval:org.mitre.oval:def:100109 The "screen dump" feature in Eterm 0.9.1 and earlier allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence. terminal-emulator-screen-dump(11413) 20030224 Terminal Emulator Security Issues 6936 MDKSA-2003:040 20030224 Terminal Emulator Security Issues The "screen dump" feature in rxvt 2.7.8 allows attackers to overwrite arbitrary files via a certain character escape sequence when it is echoed to a user's terminal, e.g. when the user views a file containing the malicious sequence. terminal-emulator-screen-dump(11413) 20030224 Terminal Emulator Security Issues 6938 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:034 20030224 Terminal Emulator Security Issues The menuBar feature in rxvt 2.7.8 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu. terminal-emulator-menu-modification(11416) 20030224 Terminal Emulator Security Issues 6947 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:034 20030224 Terminal Emulator Security Issues The menuBar feature in aterm 0.42 allows attackers to modify menu options and execute arbitrary commands via a certain character escape sequence that inserts the commands into the menu. terminal-emulator-menu-modification(11416) 20030224 Terminal Emulator Security Issues 6949 20030224 Terminal Emulator Security Issues Multiple SQL injection vulnerabilities in IMP 2.2.8 and earlier allow remote attackers to perform unauthorized database activities and possibly gain privileges via certain database functions such as check_prefs() in db.pgsql, as demonstrated using mailbox.php3. DSA-229 20030108 IMP 2.x SQL injection vulnerabilities 1005904 6559 20030108 Re: IMP 2.x SQL injection vulnerabilities 8177 8087 Multiple stack-based buffer overflows in the error handling routines of the minires library, as used in the NSUPDATE capability for ISC DHCPD 3.0 through 3.0.1RC10, allow remote attackers to execute arbitrary code via a DHCP message containing a long hostname. VU#284857 CA-2003-01 RHSA-2003:011 DSA-231 SuSE-SA:2003:0006 dhcpd-minires-multiple-bo(11073) SuSE-SA:2003:0006 1005924 6627 OpenPKG-SA-2003.002 MDKSA-2003:007 N-031 CLA-2003:562 20030122 [securityslackware.com: [slackware-security] New DHCP packages available] Directory traversal vulnerability in Sun Kodak Color Management System (KCMS) library service daemon (kcms_server) allows remote attackers to read arbitrary files via the KCS_OPEN_PROFILE procedure. VU#850785 http://www.entercept.com/news/uspr/01-22-03.asp solaris-kcms-directory-traversal(11129) 6665 50104 20030122 Entercept Ricochet Advisory: Sun Solaris KCMS Library Service Daemon Arbitrary File Retrieval Vulner oval:org.mitre.oval:def:2592 oval:org.mitre.oval:def:195 oval:org.mitre.oval:def:120 Integer overflow in the xdrmem_getbytes() function, and possibly other functions, of XDR (external data representation) libraries derived from SunRPC, including libnsl, libc, glibc, and dietlibc, allows remote attackers to execute arbitrary code via certain integer values in length fields, a different vulnerability than CVE-2002-0391. CA-2003-10 VU#516825 20030522 [slackware-security] glibc XDR overflow fix (SSA:2003-141-03) RHSA-2003:091 RHSA-2003:089 RHSA-2003:052 RHSA-2003:051 SuSE-SA:2003:027 ESA-20030321-010 AD20030318 DSA-282 DSA-272 DSA-266 2003-0014 20030325 GLSA: glibc (200303-22) 20030319 MITKRB5-SA-2003-003: faulty length checks in xdrmem_getbytes 20030319 EEYE: XDR Integer Overflow 20030319 EEYE: XDR Integer Overflow NetBSD-SA2003-008 20030331 GLSA: krb5 & mit-krb5 (200303-28) 20030331 GLSA: dietlibc (200303-29) 20030319 RE: EEYE: XDR Integer Overflow MDKSA-2003:037 oval:org.mitre.oval:def:230 Buffer overflows in protegrity.dll of Protegrity Secure.Data Extension Feature (SEF) before 2.2.3.9 allow attackers with SQL access to execute arbitrary code via the extended stored procedures (1) xp_pty_checkusers, (2) xp_pty_insert, or (3) xp_pty_select. VU#247545 7085 7084 7083 20030313 Protegrity buffer overflow 8294 Multiple buffer overflows in libmcrypt before 2.5.5 allow attackers to cause a denial of service (crash). DSA-228 20030103 Multiple libmcrypt vulnerabilities 1006181 6510 20030105 GLSA: libmcrypt CLA-2003:567 Memory leak in libmcrypt before 2.5.5 allows attackers to cause a denial of service (memory exhaustion) via a large number of requests to the application, which causes libmcrypt to dynamically load algorithms via libtool. DSA-228 20030103 Multiple libmcrypt vulnerabilities libmcrypt-libtool-memory-leak(10988) 6512 20030105 GLSA: libmcrypt CLA-2003:567 Buffer overflow in the RPC preprocessor for Snort 1.8 and 1.9.x before 1.9.1 allows remote attackers to execute arbitrary code via fragmented RPC packets. VU#916785 CA-2003-13 6963 snort-rpc-fragment-bo(10956) 20030303 Snort RPC Preprocessing Vulnerability 4418 MDKSA-2003:029 ESA-20030307-007 DSA-297 GLSA-200304-06 GLSA-200303-6.1 20030303 Snort RPC Vulnerability (fwd) Buffer overflow in the mtink status monitor, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long HOME environment variable. http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 6656 MDKSA-2003:010 Buffer overflow in escputil, as included in the printer-drivers package in Mandrake Linux, allows local users to execute arbitrary code via a long printer-name command line argument. http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 6658 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package MDKSA-2003:010 ml85p, as included in the printer-drivers package for Mandrake Linux, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable filenames of the form "mlg85p%d". http://www.idefense.com/advisory/01.21.03.txt 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package 1005959 20030121 iDEFENSE Security Advisory 01.21.03: Buffer Overflows in Mandrake Linux printer-drivers Package MDKSA-2003:010 Buffer overflows in noffle news server 1.0.1 and earlier allow remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code. DSA-244 noffle-multiple-bo(11181) 6695 7955 Cross-site scripting (XSS) vulnerability in options.py for Mailman 2.1 allows remote attackers to inject script or HTML into web pages via the (1) email or (2) language parameters. DSA-436 http://telia.dl.sourceforge.net/sourceforge/mailman/xss-2.1.0-patch.txt 20030124 Mailman: cross-site scripting bug mailman-email-variable-xss(11152) 1005987 6677 9205 ISC dhcrelay (dhcp-relay) 3.0rc9 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (packet storm) via a certain BOOTP packet that is forwarded to a broadcast MAC address, causing an infinite loop that is not restricted by a hop count. VU#149953 DSA-245 20030115 DoS against DHCP infrastructure with isc dhcrelay dhcp-dhcrelay-dos(11187) 6628 RHSA-2003:034 20030219 [OpenPKG-SA-2003.012] OpenPKG Security Advisory (dhcpd) CLSA-2003:616 TLSA-2003-26 SQL injection vulnerability in the PostgreSQL auth module for courier 0.40 and earlier allows remote attackers to execute SQL code via the user name. 6738 DSA-247 courierimap-authmysqllib-sql-injection(11213) Kerberos FTP client allows remote FTP sites to execute arbitrary code via a pipe (|) character in a filename that is retrieved by the client. RHSA-2003:020 20030128 MIT Kerberos FTP client remote shell commands execution MDKSA-2003:021 8114 7979 Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, allows remote attackers to list directories even with an index.html or other file present, or obtain unprocessed source code for a JSP file, via a URL containing a null character. DSA-246 20030130 Apache Jakarta Tomcat 3 URL parsing vulnerability http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ tomcat-null-directory-listing(11194) 6721 HPSBUX0303-249 N-060 7977 7972 Jakarta Tomcat before 3.3.1a, when used with JDK 1.3.1 or earlier, uses trusted privileges when processing the web.xml file, which could allow remote attackers to read portions of some files through the web.xml file. tomcat-webxml-read-files(11195) http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ 6722 HPSBUX0303-249 DSA-246 N-060 Multiple cross-site scripting (XSS) vulnerabilities in the (1) examples and (2) ROOT web applications for Jakarta Tomcat 3.x through 3.3.1a allow remote attackers to insert arbitrary web script or HTML. DSA-246 HPSBUX0303-249 http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/ tomcat-web-app-xss(11196) 6720 9204 9203 N-060 7972 Jakarta Tomcat before 3.3.1a on certain Windows systems may allow remote attackers to cause a denial of service (thread hang and resource consumption) via a request for a JSP page containing an MS-DOS device name, such as aux.jsp. jakarta-tomcat-msdos-dos(12102) http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.3.1a/RELEASE-NOTES-3.3.1a.txt AbsoluteTelnet SSH2 client does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt http://www.celestialsoftware.net/telnet/beta_software.html 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords 1006013 6725 7686 SSH2 clients for VanDyke (1) SecureCRT 4.0.2 and 3.4.7, (2) SecureFX 2.1.2 and 2.0.4, and (3) Entunnel 1.0.2 and earlier, do not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords 1006012 1006011 1006010 6728 6727 6726 PuTTY 0.53b and earlier does not clear logon credentials from memory, including plaintext passwords, which could allow attackers with access to memory to steal the SSH credentials. http://www.idefense.com/advisory/01.28.03.txt 1006014 6724 20030129 iDEFENSE Security Advisory 01.28.03: SSH2 Clients Insecurely Store Passwords Apple File Protocol (AFP) in Mac OS X before 10.2.4 allows administrators to log in as other users by using the administrator password. http://docs.info.apple.com/article.html?artnum=61798 macos-afp-unauthorized-access(11333) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6860 1006107 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via shell metacharacters. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-command-execution(11401) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6954 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to obtain the physical path of the server's installation path via a NULL file parameter. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-path-disclosure(11402) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6956 parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to list arbitrary directories. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-directory-disclosure(11403) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6955 Cross-site scripting (XSS) vulnerability in parse_xml.cgi in Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to insert arbitrary script via the filename parameter, which is inserted into an error message. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-parsexml-xss(11404) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6958 Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute certain code via a request to port 7070 with the script in an argument to the rtsp DESCRIBE method, which is inserted into a log file and executed when the log is viewed using a browser. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-describe-xss(11405) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6960 Buffer overflow in the MP3 broadcasting module of Apple Darwin Streaming Administration Server 4.1.2 and QuickTime Streaming Server 4.1.1 allows remote attackers to execute arbitrary code via a long filename. 20030224 QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities quicktime-darwin-mp3-bo(11406) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt 6957 Buffer overflow in secure locate (slocate) before 2.7 allows local users to execute arbitrary code via a long (1) -c or (2) -r command line argument. DSA-252 20030202 GLSA: slocate http://www.usg.org.uk/advisories/2003.001.txt oval:org.mitre.oval:def:11369 CLA-2003:643 MDKSA-2003:015 8749 8236 8118 8007 7982 7947 10720 RHSA-2004:041 20030125 Re: [USG- SA- 2003.001] USG Security Advisory (slocate) 20030124 [USG- SA- 2003.001] USG Security Advisory (slocate) 20040202-01-U CSSA-2003-009.0 Multiple buffer overflows in Hypermail 2 before 2.1.6 allows remote attackers to cause a denial of service and possibly execute arbitrary code (1) via a long attachment filename that is not properly handled by the hypermail executable, or (2) by connecting to the mail CGI program from an IP address that reverse-resolves to a long hostname. 20030127 Hypermail buffer overflows hypermail-long-hostname-bo(11158) hypermail-mail-attachment-bo(11157) 6690 6689 DSA-248 8030 20030126 Hypermail buffer overflows MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allows remote authenticated attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that causes a null dereference. VU#661243 6683 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-null-pointer-dos(10099) RHSA-2003:168 RHSA-2003:052 RHSA-2003:051 MDKSA-2003:043 50142 CLSA-2003:639 oval:org.mitre.oval:def:1110 Unknown vulnerability in the chk_trans.c of the libkrb5 library for MIT Kerberos V5 before 1.2.5 allows users from one realm to impersonate users in other realms that have the same inter-realm keys. VU#684563 6714 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-user-spoofing(11188) RHSA-2003:168 RHSA-2003:052 RHSA-2003:051 MDKSA-2003:043 CLSA-2003:639 Format string vulnerabilities in the logging routines for MIT Kerberos V5 Key Distribution Center (KDC) before 1.2.5 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in Kerberos principal names. VU#787523 6712 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt kerberos-kdc-format-string(11189) 4879 CLSA-2003:639 Buffer overflow in passwd for HP UX B.10.20 allows local users to execute arbitrary commands with root privileges via a long LANG environment variable. 20030203 HP UX passwd Binary Buffer Overflow Vulnerability Buffer overflow in Eset Software NOD32 for UNIX before 1.013 allows local users to execute arbitrary code via a long path name. http://www.idefense.com/advisory/02.10.03.txt 6803 nod32-pathname-bo(11282) 20030210 iDEFENSE Security Advisory 02.10.03: Buffer Overflow In NOD32 Antivirus Software for Unix The xterm terminal emulator in XFree86 4.2.0 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6940 RHSA-2003:067 RHSA-2003:066 RHSA-2003:065 RHSA-2003:064 DSA-380 20030224 Terminal Emulator Security Issues The dtterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6942 HPSBUX0401-309 20030224 Terminal Emulator Security Issues The uxterm terminal emulator allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6945 20030224 Terminal Emulator Security Issues The rxvt terminal emulator 2.7.8 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 6953 200303-16 RHSA-2003:055 RHSA-2003:054 MDKSA-2003:003 20030224 Terminal Emulator Security Issues The aterm terminal emulator 0.42 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 20030224 Terminal Emulator Security Issues The Eterm terminal emulator 0.9.1 and earlier allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 10237 MDKSA-2003:040 DSA-496 20030224 Terminal Emulator Security Issues The PuTTY terminal emulator 0.53 allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues 8347 20030224 Terminal Emulator Security Issues VTE, as used by default in gnome-terminal terminal emulator 2.2 and as an option in gnome-terminal 2.0, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. Per: http://cwe.mitre.org/data/definitions/77.html 'CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')' RHSA-2003:053 terminal-emulator-window-title(11414) GLSA-200303-2 20030224 Terminal Emulator Security Issues 20030224 Terminal Emulator Security Issues The DEC UDK processing feature in the xterm terminal emulator in XFree86 4.2.99.4 and earlier allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. terminal-emulator-dec-udk(11415) 20030224 Terminal Emulator Security Issues 6950 RHSA-2003:067 RHSA-2003:066 RHSA-2003:065 RHSA-2003:064 DSA-380 20030224 Terminal Emulator Security Issues The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (aka "array overrun"). DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt RHSA-2003:052 RHSA-2003:051 7184 20030331 GLSA: krb5 & mit-krb5 (200303-28) 54042 Double-free vulnerability in mysqld for MySQL before 3.23.55 allows attackers with MySQL access to cause a denial of service (crash) via mysql_change_user. DSA-303 20030129 [OpenPKG-SA-2003.008] OpenPKG Security Advisory (mysql) http://www.mysql.com/doc/en/News-3.23.55.html 6718 RHSA-2003:166 RHSA-2003:094 RHSA-2003:093 MDKSA-2003:013 ESA-20030220-004 mysql-mysqlchangeuser-doublefree-dos(11199) CLA-2003:743 oval:org.mitre.oval:def:436 Format string vulnerability in mpmain.c for plpnfsd of the plptools package allows remote attackers to execute arbitrary code via the functions (1) debuglog, (2) errorlog, and (3) infolog. 6715 plptools-plpnsfd-format-string(11193) 20030129 Re: Local root vuln in SuSE 8.0 plptools package 20030129 Local root vuln in SuSE 8.0 plptools package Integer signedness error in the myFseek function of samplein.c for Blade encoder (BladeEnc) 0.94.2 and earlier allows remote attackers to execute arbitrary code via a negative offset value following a "fmt" wave chunk. 6745 http://www.pivx.com/luigi/adv/blade942-adv.txt GLSA-200302-04 bladeenc-myfseek-code-execution(11227) 20030202 Bladeenc 0.94.2 code execution Unknown vulnerability in the directory parser for Direct Connect 4 Linux (dcgui) before 0.2.2 allows remote attackers to read files outside the sharelist. 20030204 GLSA: qt-dcgui qtdcgui-directory-download-files(11246) http://dc.ketelhot.de/pipermail/dc/2003-January/000094.html The hanterm (hanterm-xf) terminal emulator 2.0.5 and earlier, and possibly later versions, allows attackers to modify the window title via a certain character escape sequence and then insert it back to the command line in the user's terminal, e.g. when the user views a file containing the malicious sequence, which could allow the attacker to execute arbitrary commands. terminal-emulator-window-title(11414) 20030224 Terminal Emulator Security Issues RHSA-2003:071 RHSA-2003:070 4917 20030224 Terminal Emulator Security Issues ssl3_get_record in s3_pkt.c for OpenSSL before 0.9.7a and 0.9.6 before 0.9.6i does not perform a MAC computation if an incorrect block cipher padding is used, which causes an information leak (timing discrepancy) that may make it easier to launch cryptographic attacks that rely on distinguishing between padding and MAC verification errors, possibly leading to extraction of the original plaintext, aka the "Vaudenay timing attack." http://www.openssl.org/news/secadv_20030219.txt 20030219 [OpenPKG-SA-2003.013] OpenPKG Security Advisory (openssl) ssl-cbc-information-leak(11369) DSA-253 2003-0005 6884 RHSA-2003:205 RHSA-2003:104 RHSA-2003:082 RHSA-2003:063 RHSA-2003:062 3945 MDKSA-2003:020 ESA-20030220-005 N-051 GLSA-200302-10 20030219 OpenSSL 0.9.7a and 0.9.6i released CLSA-2003:570 20030501-01-I NetBSD-SA2003-001 The DEC UDK processing feature in the hanterm (hanterm-xf) terminal emulator before 2.0.5 allows attackers to cause a denial of service via a certain character escape sequence that causes the terminal to enter a tight loop. terminal-emulator-dec-udk(11415) 20030224 Terminal Emulator Security Issues 6944 RHSA-2003:071 RHSA-2003:070 4918 20030224 Terminal Emulator Security Issues The iptables ruleset in Gnome-lokkit in Red Hat Linux 8.0 does not include any rules in the FORWARD chain, which could allow attackers to bypass intended access restrictions if packet forwarding is enabled. 7128 RHSA-2003:072 gnomelokkit-forward-bypass-firewall(11552) 4400 Format string vulnerability in packet-socks.c of the SOCKS dissector for Ethereal 0.8.7 through 0.9.9 allows remote attackers to execute arbitrary code via SOCKS packets containing format string specifiers. 7049 http://www.guninski.com/etherre.html http://www.ethereal.com/appnotes/enpa-sa-00008.html DSA-258 ethereal-socks-format-string(11497) RHSA-2003:077 RHSA-2003:076 SuSE-SA:2003:019 GLSA-200303-10 20030308 Ethereal format string bug, yet still ethereal much better than windows MDKSA-2003:051 CLSA-2003:627 oval:org.mitre.oval:def:54 The Key Distribution Center (KDC) in Kerberos 5 (krb5) 1.2.7 and earlier allows remote, authenticated attackers to cause a denial of service (crash) on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (aka "buffer underrun"). DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 7185 20030331 GLSA: krb5 & mit-krb5 (200303-28) 54042 oval:org.mitre.oval:def:4430 oval:org.mitre.oval:def:2536 oval:org.mitre.oval:def:244 Apache 1.3 before 1.3.25 and Apache 2.0 before version 2.0.46 does not filter terminal escape sequences from its access logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences, a different vulnerability than CVE-2003-0020. RHSA-2003:139 20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/loggers/mod_log_config.c?only_with_tag=APACHE_2_0_BRANCH http://cvs.apache.org/viewcvs.cgi/apache-1.3/src/modules/standard/mod_log_config.c?only_with_tag=APACHE_1_3_25 8146 20040325 GLSA200403-04 Multiple security vulnerabilities in Apache 2 oval:org.mitre.oval:def:151 mod_auth_any package in Red Hat Enterprise Linux 2.1 and other operating systems does not properly escape arguments when calling other programs, which allows attackers to execute arbitrary commands via shell metacharacters. 7448 RHSA-2003:114 modauthany-command-execution(11893) RHSA-2003:113 http://www.itlab.musc.edu/webNIS/mod_auth_any.html N-090 Buffer overflow in the SMB/CIFS packet fragment re-assembly code for SMB daemon (smbd) in Samba before 2.2.8, and Samba-TNG before 0.3.1, allows remote attackers to execute arbitrary code. VU#298233 7106 DSA-262 20030317 Security Bugfix for Samba - Samba 2.2.8 Released 20030317 GLSA: samba (200303-11) IMNX-2003-7+-003-01 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:095 SuSE-SA:2003:016 20030302-01-I IMNX-2003-7+-003-01 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:096 MDKSA-2003:032 GLSA-200303-11 8303 8299 20030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba) oval:org.mitre.oval:def:552 The code for writing reg files in Samba before 2.2.8 allows local users to overwrite arbitrary files via a race condition involving chown. 7107 DSA-262 20030317 GLSA: samba (200303-11) 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:095 SuSE-SA:2003:016 20030302-01-I APPLE-SA-2003-03-24 RHSA-2003:096 MDKSA-2003:032 GLSA-200303-11 8303 8299 20030318 [OpenPKG-SA-2003.021] OpenPKG Security Advisory (samba) oval:org.mitre.oval:def:554 Buffer overflow in libIM library (libIM.a) for National Language Support (NLS) on AIX 4.3 through 5.2 allows local users to gain privileges via several possible attack vectors, including a long -im argument to aixterm. http://www.idefense.com/advisory/02.12.03.txt aix-aixterm-libim-bo(11309) 6840 7996 IY40320 IY40317 IY40307 20030212 libIM.a buffer overflow vulnerability 20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a 20030212 iDEFENSE Security Advisory 02.12.03: Buffer Overflow in AIX libIM.a TruBlueEnvironment for MacOS 10.2.3 and earlier allows local users to overwrite or create arbitrary files and gain root privileges by setting a certain environment variable that is used to write debugging information. A021403-1 macos-trublueenvironment-gain-privileges(11332) http://lists.apple.com/archives/security-announce/2003/Feb/25/applesa20030225macosx102.txt http://docs.info.apple.com/article.html?artnum=61798 6859 Buffer overflow in the Software Distributor utilities for HP-UX B.11.00 and B.11.11 allows local users to execute arbitrary code via a long LANG environment variable to setuid programs such as (1) swinstall and (2) swmodify. hp-sd-utilities-bo(13623) 8986 HPSBUX0311-293 20031113 NSFOCUS SA2003-07: HP-UX Software Distributor Buffer Overflow Vulnerability oval:org.mitre.oval:def:5466 20031113 NSFOCUS SA2003-07: HP-UX Software Distributor Buffer Overflow Vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2000-0844. Reason: This candidate is a duplicate of CVE-2000-0844. Notes: All CVE users should reference CVE-2000-0844 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Stack-based buffer overflow in the bsd_queue() function for lpq on Solaris 2.6 and 7 allows local users to gain root privilege. 20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability 20030331 NSFOCUS SA2003-02: Solaris lpq Stack Buffer Overflow Vulnerability 8713 http://www.nsfocus.com/english/homepage/sa2003-02.htm N-068 52443 http://packetstormsecurity.org/0304-advisories/sa2003-02.txt oval:org.mitre.oval:def:4383 Heap-based buffer overflow in dtsession for Solaris 2.5.1 through Solaris 9 allows local users to gain root privileges via a long HOME environment variable. 20030331 NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability 7240 20030331 NSFOCUS SA2003-03: Solaris dtsession Heap Buffer Overflow Vulnerability 52388 oval:org.mitre.oval:def:1905 The RADIUS decoder in tcpdump 3.6.2 and earlier allows remote attackers to cause a denial of service (crash) via an invalid RADIUS packet with a header length field of 0, which causes tcpdump to generate data within an infinite loop. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=81585 tcpdump-radius-decoder-dos(11324) RHSA-2003:214 RHSA-2003:033 RHSA-2003:032 MDKSA-2003:027 DSA-261 A patch for mcookie in the util-linux package for Mandrake Linux 8.2 and 9.0 uses /dev/urandom instead of /dev/random, which causes mcookie to use an entropy source that is more predictable than expected, which may make it easier for certain types of attacks to succeed. utillinux-mcookie-cookie-predictable(11318) 6855 MDKSA-2003:016 Buffer overflow in ORACLE.EXE for Oracle Database Server 9i, 8i, 8.1.7, and 8.0.6 allows remote attackers to execute arbitrary code via a long username that is provided during login, as exploitable through client applications that perform their own authentication, as demonstrated using LOADPSP. VU#953746 CA-2003-05 http://otn.oracle.com/deploy/security/pdf/2003alert51.pdf 6849 6319 oracle-username-bo(11328) N-046 20030217 Oracle unauthenticated remote system compromise (#NISR16022003a) Multiple buffer overflows in Oracle 9i Database release 2, Release 1, 8i, 8.1.7, and 8.0.6 allow remote attackers to execute arbitrary code via (1) a long conversion string argument to the TO_TIMESTAMP_TZ function, (2) a long time zone argument to the TZ_OFFSET function, or (3) a long DIRECTORY parameter to the BFILENAME function. VU#840666 VU#743954 VU#663786 CA-2003-05 6850 6848 6847 http://www.nextgenss.com/advisories/ora-tzofstbo.txt http://www.nextgenss.com/advisories/ora-tmstmpbo.txt http://www.nextgenss.com/advisories/ora-bfilebo.txt oracle-totimestamptz-bo(11327) oracle-tzoffset-bo(11326) oracle-bfilename-directory-bo(11325) N-046 http://otn.oracle.com/deploy/security/pdf/2003alert50.pdf http://otn.oracle.com/deploy/security/pdf/2003alert49.pdf http://otn.oracle.com/deploy/security/pdf/2003alert48.pdf 20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e) 20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c) 20030217 Oracle TO_TIMESTAMP_TZ Remote System Buffer Overrun (#NISR16022003b) 20030217 Oracle bfilename function buffer overflow vulnerability (#NISR16022003e) 20030217 Oracle TZ_OFFSET Remote System Buffer Overrun (#NISR16022003c) 20030217 Oracle unauthenticated remote system compromise (#NISR16022003a) Unknown vulnerability in CGI module for PHP 4.3.0 allows attackers to access arbitrary files as the PHP user, and possibly execute PHP code, by bypassing the CGI force redirect settings (cgi.force_redirect or --enable-force-cgi-redirect). GLSA-200302-09 20030217 PHP Security Advisory: CGI vulnerability in PHP version 4.3.0 http://www.slackware.com/changelog/current.php?cpu=i386 php-cgi-sapi-access(11343) 6875 GLSA-200302-09.1 Unknown vulnerability in apcupsd before 3.8.6, and 3.10.x before 3.10.5, allows remote attackers to gain root privileges, possibly via format strings in a request to a slave server. DSA-277 7200 SuSE-SA:2003:022 apcupsd-logevent-format-string(11334) http://sourceforge.net/project/shownotes.php?release_id=137900 1006108 http://hsj.shadowpenguin.org/misc/apcupsd_exp.txt http://cvs.sourceforge.net/cgi-bin/viewcvs.cgi/apcupsd/apcupsd/src/apcnisd.c.diff?r1=1.5&r2=1.6 CSSA-2003-015.0 6828 MDKSA-2003:018 Multiple buffer overflows in apcupsd before 3.8.6, and 3.10.x before 3.10.5, may allow attackers to cause a denial of service or execute arbitrary code, related to usage of the vsprintf function. DSA-277 7200 apcupsd-vsprintf-multiple-bo(11491) http://sourceforge.net/project/shownotes.php?release_id=137900 http://sourceforge.net/project/shownotes.php?release_id=137892 SuSE-SA:2003:022 MDKSA-2003:018 1006108 CSSA-2003-015.0 Buffer overflow in Cisco IOS 11.2.x to 12.0.x allows remote attackers to cause a denial of service and possibly execute commands via a large number of OSPF neighbor announcements. 20030221 Re: Cisco IOS OSPF exploit cisco-ios-ospf-bo(11373) 20030220 Cisco IOS OSPF exploit 6895 miniserv.pl in (1) Webmin before 1.070 and (2) Usermin before 1.000 does not properly handle metacharacters such as line feeds and carriage returns (CRLF) in Base-64 encoded strings during Basic authentication, which allows remote attackers to spoof a session ID and gain root privileges. http://marc.theaimsgroup.com/?l=webmin-announce&m=104587858408101&w=2 20030224 [SNS Advisory No.62] Webmin/Usermin Session ID Spoofing Vulnerability "Episode 2" 6915 http://www.lac.co.jp/security/english/snsadv_e/62_e.html webmin-usermin-root-access(11390) DSA-319 N-058 20030224 GLSA: usermin (200302-14) 20030224 Webmin 1.050 - 1.060 remote exploit ESA-20030225-006 HPSBUX0303-250 20030602-01-I 1006160 MDKSA-2003:025 http://www.linuxsecurity.com/advisories/gentoo_advisory-2886.html 8163 8115 Buffer overflow in tryelf() in readelf.c of the file command allows attackers to execute arbitrary code as the user running file, possibly via a large entity size value in an ELF header (elfhdr.e_shentsize). VU#611865 7008 http://www.idefense.com/advisory/03.04.03.txt file-afctr-read-bo(11469) RHSA-2003:087 RHSA-2003:086 SuSE-SA:2003:017 MDKSA-2003:030 DSA-260 20030304 iDEFENSE Security Advisory 03.04.03: Locally Exploitable Buffer Overflow in file(1) IMNX-2003-7+-012-01 NetBSD-SA2003-003 Format string vulnerability in Nokia 6210 handset allows remote attackers to cause a denial of service (crash, lockup, or restart) via a Multi-Part vCard with fields containing a large number of format string specifiers. 6952 nokia-6210-vcard-dos(11421) Directory traversal vulnerability in PeopleTools 8.10 through 8.18, 8.40, and 8.41 allows remote attackers to overwrite arbitrary files via the SchedulerTransfer servlet. 7053 peoplesoft-schedulertransfer-create-files(10962) 20030310 PeopleSoft PeopleTools Remote Command Execution Vulnerability ServerMask 2.2 and earlier does not obfuscate (1) ETag, (2) HTTP Status Message, or (3) Allow HTTP responses, which could tell remote attackers that the web server is an IIS server. servermask-header-obtain-info(16947) http://www.corsaire.com/advisories/c030224-001.txt 20040810 Corsaire Security Advisory - Port80 Software ServerMask inconsistencies The HTTP proxy for Symantec Enterprise Firewall (SEF) 7.0 allows proxy users to bypass pattern matching for blocked URLs via requests that are URL-encoded with escapes, Unicode, or UTF-8. http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2003032507434754 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue 7196 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue 20030326 Corsaire Security Advisory - Symantec Enterprise Firewall (SEF) H TTP URL pattern evasion issue Buffer overflow in the gzprintf function in zlib 1.1.4, when zlib is compiled without vsnprintf or when long inputs are truncated using vsnprintf, allows attackers to cause a denial of service or possibly execute arbitrary code. VU#142121 zlib-gzprintf-bo(11381) 20030222 buffer overrun in zlib 1.1.4 20030223 poc zlib sploit just for fun :) http://lists.apple.com/mhonarc/security-announce/msg00038.html 6913 RHSA-2003:081 RHSA-2003:079 6599 MDKSA-2003:033 57405 GLSA-200303-25 20030225 [sorcerer-spells] ZLIB-SORCERER2003-02-25 20030224 Re: buffer overrun in zlib 1.1.4 CLSA-2003:619 NetBSD-SA2003-004 CSSA-2003-011.0 isakmp_sub_print in tcpdump 3.6 through 3.7.1 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed ISAKMP packet to UDP port 500, which causes tcpdump to enter an infinite loop. 6974 http://www.idefense.com/advisory/02.27.03.txt DSA-255 tcpdump-isakmp-dos(11434) RHSA-2003:214 RHSA-2003:085 RHSA-2003:032 SuSE-SA:2003:0015 MDKSA-2003:027 20030304 [OpenPKG-SA-2003.014] OpenPKG Security Advisory (tcpdump) 20030227 iDEFENSE Security Advisory 02.27.03: TCPDUMP Denial of Service Vulnerability in ISAKMP Packet Parsin CLA-2003:629 Buffer overflow in ntdll.dll on Microsoft Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows remote attackers to execute arbitrary code, as demonstrated via a WebDAV request to IIS 5.0. CA-2003-09 VU#117394 7116 MS03-007 http-webdav-long-request(11533) 20030317 Microsoft IIS WebDAV Remote Compromise Vulnerability http://www.nextgenss.com/papers/ms03-007-ntdll.pdf Q815021 http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en 20030321 New attack vectors and a vulnerability dissection of MS03-007 20030708 WDAV exploit without netcat and with pretty magic number 20030328 Fate Research Labs Presents: Analysis of the NTDLL.DLL Exploit 20030326 WebDAV exploit: using wide character decoder scheme 20030325 IIS 5.0 WebDAV -Proof of concept-. Fully documented. 20030321 New attack vectors and a vulnerability dissection of MS03-007 oval:org.mitre.oval:def:109 The Winsock Proxy service in Microsoft Proxy Server 2.0 and the Microsoft Firewall service in Internet Security and Acceleration (ISA) Server 2000 allow remote attackers to cause a denial of service (CPU consumption or packet storm) via a spoofed, malformed packet to UDP port 1745. MS03-012 http://www.idefense.com/advisory/04.09.03.txt 20030409 iDEFENSE Security Advisory 04.09.03: Denial of Service in Microsoft Proxy Server and Internet Security and Acceleration Server 2000 oval:org.mitre.oval:def:406 The ByteCode Verifier component of Microsoft Virtual Machine (VM) build 5.0.3809 and earlier, as used in Windows and Internet Explorer, allows remote attackers to bypass security checks and execute arbitrary code via a malicious Java applet, aka "Flaw in Microsoft VM Could Enable System Compromise." VU#447569 MS03-011 msvm-bytecode-improper-validation(11751) oval:org.mitre.oval:def:136 Buffer overflow in Windows Kernel allows local users to gain privileges by causing certain error messages to be passed to a debugger. VU#446338 7370 MS03-013 win-kernel-lpcrequestwaitreplyport-bo(11803) oval:org.mitre.oval:def:779 oval:org.mitre.oval:def:3145 oval:org.mitre.oval:def:262 oval:org.mitre.oval:def:2265 oval:org.mitre.oval:def:2022 oval:org.mitre.oval:def:142 oval:org.mitre.oval:def:1264 Buffer overflow in URLMON.DLL in Microsoft Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via an HTTP response containing long values in (1) Content-type and (2) Content-encoding fields. VU#169753 MS03-015 20030426 Buffer overflow in Internet Explorer's HTTP parsing code 20030701 URLMON.DLL buffer overflow - technical details oval:org.mitre.oval:def:926 The file upload control in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to automatically upload files from the local system via a web page containing a script to upload the files. MS03-015 20030203 internet explorer local file reading oval:org.mitre.oval:def:963 Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check parameters that are passed during third party rendering, which could allow remote attackers to execute arbitrary web script, aka the "Third Party Plugin Rendering" vulnerability, a different vulnerability than CVE-2003-0233. MS03-015 ie-improper-thirdparty-rendering(11848) Microsoft Internet Explorer 5.01, 5.5 and 6.0 does not properly check the Cascading Style Sheet input parameter for Modal dialogs, which allows remote attackers to read files on the local system via a web page containing script that creates a dialog and then accesses the target files, aka "Modal Dialog script execution." VU#244729 6306 MS03-015 20021203 Poisonous Style for Dialog window turns the zone off. Buffer overflow in the HTTP receiver function (BizTalkHTTPReceive.dll ISAPI) of Microsoft BizTalk Server 2002 allows attackers to execute arbitrary code via a certain request to the HTTP receiver. MS03-016 20030505 Microsoft Biztalk Server ISAPI HTTP Receive function buffer overflow SQL injection vulnerability in the Document Tracking and Administration (DTA) website of Microsoft BizTalk Server 2000 and 2002 allows remote attackers to execute operating system commands via a request to (1) rawdocdata.asp or (2) RawCustomSearchField.asp containing an embedded SQL statement. MS03-016 20030505 Microsoft Biztalk Server DTA vulnerable to SQL injection The secldapclntd daemon in AIX 4.3, 5.1 and 5.2 uses an Internet socket when communicating with the loadmodule, which allows remote attackers to directly connect to the daemon and conduct unauthorized activities. VU#624713 7264 MSS-OAR-E01-2003:0245.1 8221 adb2mhc in the mhc-utils package before 0.25+20010625-7.1 allows local users to overwrite arbitrary files via a symlink attack on a default temporary directory with a predictable name. DSA-256 6978 mhc-adb2mhc-insecure-tmp(11439) Clearswift MAILsweeper 4.x allows remote attackers to bypass attachment detection via an attachment that does not specify a MIME-Version header field, which is processed by some mail clients. 7044 20030307 Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issue 20030326 RE: Corsaire Security Advisory - Clearswift MAILsweeper MIME attachment evasion issue Buffer overflow in Notes server before Lotus Notes R4, R5 before 5.0.11, and early R6 allows remote attackers to execute arbitrary code via a long distinguished name (DN) during NotesRPC authentication and an outer field length that is less than that of the DN field. VU#433489 CA-2003-11 7037 http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105101 20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication http://www.rapid7.com/advisories/R7-0010.html lotus-nrpc-bo(11526) N-065 20030313 R7-0010: Buffer Overflow in Lotus Notes Protocol Authentication Buffer overflow in Web Retriever client for Lotus Notes/Domino R4.5 through R6 allows remote malicious web servers to cause a denial of service (crash) via a long HTTP status line. VU#411489 CA-2003-11 7038 http://www-1.ibm.com/support/docview.wss?rs=482&q=Domino&uid=swg21105060 20030313 R7-0011: Lotus Notes/Domino Web Retriever HTTP Status Buffer Overflow http://www.rapid7.com/advisories/R7-0011.html lotus-web-retriever-bo(11525) N-065 man before 1.5l allows attackers to execute arbitrary code via a malformed man file with improper quotes, which causes the my_xsprintf function to return a string with the value "unsafe," which is then executed as a program via a system call if it is in the search path of the user who runs man. 7066 20030311 Vulnerability in man < 1.5l man-myxsprintf-code-execution(11512) RHSA-2003:134 RHSA-2003:133 GLSA-200303-13 CLSA-2003:620 Buffer overflow in the web interface for SOHO Routefinder 550 before firmware 4.63 allows remote attackers to cause a denial of service (reboot) and execute arbitrary code via a long GET /OPTIONS value. http://www.krusesecurity.dk/advisories/routefind550bof.txt ftp://ftp.multitech.com/Routers/RF550VPN.TXT routefinder-vpn-options-bo(11514) 7067 The web interface for SOHO Routefinder 550 firmware 4.63 and earlier, and possibly later versions, has a default "admin" account with a blank password, which could allow attackers on the LAN side to conduct unauthorized activities. http://www.krusesecurity.dk/advisories/routefind550bof.txt The kernel module loader in Linux kernel 2.2.x before 2.2.25, and 2.4.x before 2.4.21, allows local users to gain root privileges by using ptrace to attach to a child process that is spawned by the kernel. VU#628849 RHSA-2003:098 RHSA-2003:145 DSA-495 DSA-423 DSA-336 DSA-332 DSA-312 DSA-311 DSA-276 DSA-270 GLSA-200303-17 RHSA-2003:088 CSSA-2003-020.0 RHSA-2003:103 MDKSA-2003:039 MDKSA-2003:038 ESA-20030515-017 20030317 Fwd: Ptrace hole / Linux 2.2.25 oval:org.mitre.oval:def:254 The try_uudecoding function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malicious uuencoded (UUE) header, possibly triggering a heap-based buffer overflow. 7117 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 20030321 GLSA: evolution (200303-18) CLA-2003:648 oval:org.mitre.oval:def:107 Ximian Evolution Mail User Agent 1.2.2 and earlier allows remote attackers to cause a denial of service (memory consumption) via a mail message that is uuencoded multiple times. 7118 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 20030321 GLSA: evolution (200303-18) RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 CLA-2003:648 oval:org.mitre.oval:def:108 The handle_image function in mail-format.c for Ximian Evolution Mail User Agent 1.2.2 and earlier does not properly escape HTML characters, which allows remote attackers inject arbitrary data and HTML via a MIME Content-ID header in a MIME-encoded image. 7119 http://www.coresecurity.com/common/showdoc.php?idx=309&idxseccion=10 20030321 GLSA: evolution (200303-18) RHSA-2003:108 20030319 CORE-2003-03-04-01: Multiple vulnerabilities in Ximian 's Evolution Mail User Agent MDKSA-2003:045 GLSA-200303-18 CLA-2003:648 oval:org.mitre.oval:def:111 The SSL and TLS components for OpenSSL 0.9.6i and earlier, 0.9.7, and 0.9.7a allow remote attackers to perform an unauthorized RSA private key operation via a modified Bleichenbacher attack that uses a large number of SSL or TLS connections using PKCS #1 v1.5 padding that cause OpenSSL to leak information regarding the relationship between ciphertext and the associated plaintext, aka the "Klima-Pokorny-Rosa attack." VU#888801 7148 20030319 [OpenSSL Advisory] Klima-Pokorny-Rosa attack on PKCS #1 v1.5 padding ssl-premaster-information-leak(11586) 20030327 Immunix Secured OS 7+ openssl update RHSA-2003:102 RHSA-2003:101 http://www.openssl.org/news/secadv_20030319.txt SuSE-SA:2003:024 http://www.linuxsecurity.com/advisories/immunix_advisory-3066.html IMNX-2003-7+-001-01 DSA-288 http://lists.apple.com/mhonarc/security-announce/msg00028.html http://eprint.iacr.org/2003/052/ 20030501-01-I NetBSD-SA2003-007 SuSE-SA:2003:024 20030327 Immunix Secured OS 7+ openssl update OpenPKG-SA-2003.026 MDKSA-2003:035 GLSA-200303-20 2003-0013 20030324 GLSA: openssl (200303-20) CLA-2003:625 CSSA-2003-014.0 oval:org.mitre.oval:def:461 A memory leak in Apache 2.0 through 2.0.44 allows remote attackers to cause a denial of service (memory consumption) via large chunks of linefeed characters, which causes Apache to allocate 80 bytes for each linefeed. VU#206537 20030402 [ANNOUNCE] Apache 2.0.45 Released ADV-2009-1233 RHSA-2003:139 http://www.idefense.com/advisory/04.08.03.txt http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=205147 8499 34920 http://lists.apple.com/mhonarc/security-announce/msg00028.html 20030411 PATCH: [CAN-2003-0132] Apache 2.0.44 Denial of Service 20030410 working apache <= 2.0.44 DoS exploit for linux. 20030408 Exploit Code Released for Apache 2.x Memory Leak 20030409 GLSA: apache (200304-01) 20030408 iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x oval:org.mitre.oval:def:156 GtkHTML, as included in Evolution before 1.2.4, allows remote attackers to cause a denial of service (crash) via certain malformed messages. RHSA-2003:126 MDKSA-2003:046 CLA-2003:737 oval:org.mitre.oval:def:138 Unknown vulnerability in filestat.c for Apache running on OS2, versions 2.0 through 2.0.45, allows unknown attackers to cause a denial of service via requests related to device names. 20030402 [ANNOUNCE] Apache 2.0.45 Released http://cvs.apache.org/viewcvs/apr/file_io/os2/filestat.c.diff?r1=1.34&r2=1.35 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released vsftpd FTP daemon in Red Hat Linux 9 is not compiled against TCP wrappers (tcp_wrappers) but is installed as a standalone service, which inadvertently prevents vsftpd from restricting access as intended. 7253 RHSA-2003:084 oval:org.mitre.oval:def:634 psbanner in the LPRng package allows local users to overwrite arbitrary files via a symbolic link attack on the /tmp/before file. RHSA-2003:142 DSA-285 http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=188366 oval:org.mitre.oval:def:423 SNMP daemon in the DX200 based network element for Nokia Serving GPRS support node (SGSN) allows remote attackers to read SNMP options via arbitrary community strings. A031303-2 8301 Version 4 of the Kerberos protocol (krb4), as used in Heimdal and other packages, allows an attacker to impersonate any principal in a realm via a chosen-plaintext attack. VU#623217 DSA-266 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 DSA-273 DSA-269 7113 20030331 GLSA: krb5 & mit-krb5 (200303-28) 20030317 MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 protocol oval:org.mitre.oval:def:248 Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing." VU#442569 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt 20030319 MITKRB5-SA-2003-004: Cryptographic weaknesses in Kerberos v4 RHSA-2003:091 RHSA-2003:052 RHSA-2003:051 DSA-273 DSA-266 20030330 GLSA: openafs (200303-26) 20030331 GLSA: krb5 & mit-krb5 (200303-28) oval:org.mitre.oval:def:250 Buffer overflow in Mutt 1.4.0 and possibly earlier versions, 1.5.x up to 1.5.3, and other programs that use Mutt code such as Balsa before 2.0.10, allows a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a crafted folder. 7120 20030320 CORE-20030304-02: Vulnerability in Mutt Mail User Agent mutt-folder-name-bo(11583) 20030319 mutt-1.4.1 fixes a buffer overflow. RHSA-2003:109 SuSE-SA:2003:020 DSA-268 MDKSA-2003:041 GLSA-200303-19 http://www.coresecurity.com/common/showdoc.php?idx=310&idxseccion=10 20030430 GLSA: balsa (200304-10) 20030322 GLSA: mutt (200303-19) 20030320 [OpenPKG-SA-2003.025] OpenPKG Security Advisory (mutt) CLA-2003:630 CLA-2003:626 oval:org.mitre.oval:def:434 oval:org.mitre.oval:def:2 The PNG deflate algorithm in RealOne Player 6.0.11.x and earlier, RealPlayer 8/RealPlayer Plus 8 6.0.9.584, and other versions allows remote attackers to corrupt the heap and overwrite arbitrary memory via a PNG graphic file format containing compressed data using fixed trees that contain the length values 286-287, which are treated as a very large length. VU#705761 7177 http://www.coresecurity.com/common/showdoc.php?idx=311&idxseccion=10 20030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability 20030328 CORE-2003-0306: RealPlayer PNG deflate heap corruption vulnerability Adobe Acrobat Reader (acroread) 6, under certain circumstances when running with the "Certified plug-ins only" option disabled, loads plug-ins with signatures used for older versions of Acrobat, which can allow attackers to cause Acrobat to enter Certified mode and run untrusted plugins by modifying the CTIsCertifiedMode function. VU#689835 20030708 Adobe Acrobat and PDF security: no improvements for 2 years The pop_msg function in qpopper 4.0.x before 4.0.5fc2 does not null terminate a message buffer after a call to Qvsnprintf, which could allow authenticated users to execute arbitrary code via a buffer overflow in a mdef command with a long macro name. 7058 DSA-259 qpopper-popmsg-macroname-bo(11516) 20030310 QPopper 4.0.x buffer overflow vulnerability SuSE-SA:2003:018 GLSA-200303-12 20030314 [OpenPKG-SA-2003.018] OpenPKG Security Advisory (qpopper) 20030312 Re: QPopper 4.0.x buffer overflow vulnerability Buffer overflow in the lprm command in the lprold lpr package on SuSE 7.1 through 7.3, OpenBSD 3.2 and earlier, and possibly other operating systems, allows local users to gain root privileges via long command line arguments such as (1) request ID or (2) user name. 7025 lprm-bo(11473) SuSE-SA:2003:0014 DSA-275 DSA-267 20030406-02-P ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/010_lprm.patch MDKSA-2003:059 8293 20030308 OpenBSD lprm(1) exploit 20030305 potential buffer overflow in lprm (fwd) Unknown vulnerability in tcpdump before 3.7.2 related to an inability to "Handle unknown RADIUS attributes properly," allows remote attackers to cause a denial of service (infinite loop), a different vulnerability than CAN-2003-0093. http://www.tcpdump.org/tcpdump-changes.txt tcpdump-radius-attribute-dos(11857) RHSA-2003:214 RHSA-2003:151 RHSA-2003:032 MDKSA-2003:027 DSA-261 Multiple vulnerabilities in NetPBM 9.20 and earlier, and possibly other versions, may allow remote attackers to cause a denial of service or execute arbitrary code via "maths overflow errors" such as (1) integer signedness errors or (2) integer overflows, which lead to buffer overflows. VU#630433 DSA-263 netpbm-multiple-bo(11463) 6979 RHSA-2003:060 20030228 NetPBM, multiple vulnerabilities CLSA-2003:656 OpenSSL does not use RSA blinding by default, which allows local and remote attackers to obtain the server's private key by determining factors using timing differences on (1) the number of extra reductions during Montgomery reduction, and (2) the use of different integer multiplication algorithms ("Karatsuba" and normal). VU#997481 20030327 Immunix Secured OS 7+ openssl update 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL RHSA-2003:102 RHSA-2003:101 http://www.openssl.org/news/secadv_20030317.txt MDKSA-2003:035 DSA-288 20030317 [ADVISORY] Timing Attack on OpenSSL 20030313 Vulnerability in OpenSSL http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf 20030313 OpenSSL Private Key Disclosure 20030501-01-I IMNX-2003-7+-001-01 20030325 Fwd: APPLE-SA-2003-03-24 Samba, OpenSSL OpenPKG-SA-2003.019 GLSA-200303-23 GLSA-200303-24 GLSA-200303-15 20030320 [OpenPKG-SA-2003.026] OpenPKG Security Advisory (openssl) CLA-2003:625 CSSA-2003-014.0 oval:org.mitre.oval:def:466 The default installation of MSDE via McAfee ePolicy Orchestrator 2.0 through 3.0 allows attackers to execute arbitrary code via a series of steps that (1) obtain the database administrator username and encrypted password in a configuration file from the ePO server using a certain request, (2) crack the password due to weak cryptography, and (3) use the password to pass commands through xp_cmdshell. http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp A073103-1 Heap-based buffer overflow in ePO agent for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request containing long parameters. http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp A073103-1 MySQL 3.23.55 and earlier creates world-writeable files and allows mysql users to gain root privileges by using the "SELECT * INFO OUTFILE" operator to overwrite a configuration file and cause mysql to run as root upon restart, as demonstrated by modifying my.cnf. VU#203897 7052 20030318 [OpenPKG-SA-2003.022] OpenPKG Security Advisory (mysql) mysql-datadir-root-privileges(11510) RHSA-2003:093 ESA-20030324-012 DSA-303 RHSA-2003:094 20030318 GLSA: mysql (200303-14) 20030310 Re: MySQL user can be changed to root 20030308 MySQL_user_can_be_changed_to_root? CLA-2003:743 MDKSA-2003:057 oval:org.mitre.oval:def:442 BEA WebLogic Server and Express 6.0 through 7.0 does not properly restrict access to certain internal servlets that perform administrative functions, which allows remote attackers to read arbitrary files or execute arbitrary code. 20030317 S21SEC-011 - Multiple vulnerabilities in BEA WebLogic Server 20030317 SPI ADVISORY: Remote Administration of BEA WebLogic Server and Express http://www.s21sec.com/en/avisos/s21sec-011-en.txt http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-28.jsp 7124 7122 Unknown vulnerability in bonsai Mozilla CVS query tool allows remote attackers to execute arbitrary commands as the www-data user. 7162 DSA-265 bonsai Mozilla CVS query tool leaks the absolute pathname of the tool in certain error messages generated by (1) cvslog.cgi, (2) cvsview2.cgi, or (3) multidiff.cgi. DSA-265 bonsai-path-disclosure(9921) 20020819 Advisory: Bonsai XSS and Physical Path Revealing Vulnerabilities http://bugzilla.mozilla.org/show_bug.cgi?id=187230 5517 Cross-site scripting vulnerabilities (XSS) in bonsai Mozilla CVS query tool allow remote attackers to execute arbitrary web script via (1) the file, root, or rev parameters to cvslog.cgi, (2) the file or root parameters to cvsblame.cgi, (3) various parameters to cvsquery.cgi, (4) the person parameter to showcheckins.cgi, (5) the module parameter to cvsqueryform.cgi, and (6) possibly other attack vectors as identified by Mozilla bug #146244. 5516 DSA-265 bonsai-error-message-xss(9920) 20020819 Advisory: Bonsai XSS and Physical Path Revealing Vulnerabilities http://bugzilla.mozilla.org/show_bug.cgi?id=163573 http://bugzilla.mozilla.org/show_bug.cgi?id=146244 http://bugzilla.mozilla.org/attachment.cgi?id=95985&action=view http://bugzilla.mozilla.org/attachment.cgi?id=95950&action=view bonsai Mozilla CVS query tool allows remote attackers to gain access to the parameters page without authentication. 7163 DSA-265 Directory traversal vulnerability in Cross-Referencing Linux (LXR) allows remote attackers to read arbitrary files via .. (dot dot) sequences in the v parameter. 7062 DSA-264 20030311 Cross-Referencing Linux vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0138. Reason: This candidate is a reservation duplicate of CVE-2003-0138 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0138 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0139. Reason: This candidate is a reservation duplicate of CVE-2003-0139 due to incomplete coordination. Notes: All CVE users should reference CVE-2003-0139 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in the NTLMSSP code for Ethereal 0.9.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. 7050 http://www.ethereal.com/appnotes/enpa-sa-00008.html SuSE-SA:2003:019 RHSA-2003:077 MDKSA-2003:051 20030309 GLSA: ethereal (200303-10) oval:org.mitre.oval:def:55 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail before 1.2.11 allow remote attackers to inject arbitrary HTML code and steal information from a client's web browser. http://sourceforge.net/mailarchive/forum.php?thread_id=1641953&forum_id=1988 RHSA-2003:112 oval:org.mitre.oval:def:614 The prescan() function in the address parser (parseaddr.c) in Sendmail before 8.12.9 does not properly handle certain conversions from char and int types, which can cause a length check to be disabled when Sendmail misinterprets an input value as a special "NOCHAR" control value, allowing attackers to cause a denial of service and possibly execute arbitrary code via a buffer overflow attack using messages, a different vulnerability than CVE-2002-1337. CA-2003-12 VU#897604 7230 RHSA-2003:120 IMNX-2003-7+-002-01 RHSA-2003:121 DSA-290 DSA-278 1001088 20030329 Sendmail: -1 gone wild 20030329 Sendmail: -1 gone wild http://lists.apple.com/mhonarc/security-announce/msg00028.html 20030401-01-P SCOSA-2004.11 FreeBSD-SA-03:07 CSSA-2003-016.0 IMNX-2003-7+-002-01 20030331 GLSA: sendmail (200303-27) 20030520 [Fwd: 127 Research and Development: 127 Day!] GLSA-200303-27 52700 52620 20030330 [OpenPKG-SA-2003.027] OpenPKG Security Advisory (sendmail) 20030329 sendmail 8.12.9 available CLA-2003:614 Ecartis 1.0.0 (formerly listar) before snapshot 20030227 allows remote attackers to reset passwords of other users and gain privileges by modifying hidden form fields in the HTML page. 6971 ecartis-password-reset(11431) DSA-271 20030303 Re: Ecardis Password Reseting Vulnerability 20030227 Ecardis Password Reseting Vulnerability decrypt_msg for the Gaim-Encryption GAIM plugin 1.15 and earlier does not properly validate a message length parameter, which allows remote attackers to cause a denial of service (crash) via a negative length, which overwrites arbitrary heap memory with a zero byte. 7182 http://www.rapid7.com/advisories/R7-0013.html 20030412 R7-0013: Heap Corruption in Gaim-Encryption Plugin Format string vulnerability in Eye Of Gnome (EOG) allows attackers to execute arbitrary code via format string specifiers in a command line argument for the file to display. VU#363001 7121 RHSA-2003:128 20030328 CORE-2003-0304-03: Vulnerability in GNOME's Eye of Gnome 20030328 Vulnerability in GNOME's Eye of Gnome MDKSA-2003:048 http://www.coresecurity.com/common/showdoc.php?idx=312&idxseccion=10 oval:org.mitre.oval:def:52 Integer signedness error in emalloc() function for PHP before 4.3.2 allow remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via negative arguments to functions such as (1) socket_recv, (2) socket_recvfrom, and possibly other functions. 7198 7197 20030326 @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator 20030402 Inaccurate Reports Concerning PHP Vulnerabilities 20030327 RE: FUD-ALARM: @(#)Mordred Labs advisory - Integer overflow in PHP memory allocator CLSA-2003:691 Multiple off-by-one buffer overflows in the IMAP capability for Mutt 1.3.28 and earlier, and Balsa 1.2.4 and earlier, allow a remote malicious IMAP server to cause a denial of service (crash) and possibly execute arbitrary code via a specially crafted mail folder, a different vulnerability than CVE-2003-0140. 7229 DSA-274 DSA-300 Buffer overflow in Apple QuickTime Player 5.x and 6.0 for Windows allows remote attackers to execute arbitrary code via a long QuickTime URL. VU#112553 20030401 Fwd: QuickTime 6.1 for Windows is available http://www.idefense.com/advisory/03.31.03.txt http://lists.apple.com/mhonarc/security-announce/msg00027.html 20030331 iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Player quicktime-url-bo(11671) 7247 20030401 iDEFENSE Security Advisory 03.31.03: Buffer Overflow in Windows QuickTime Player 20030401 Fwd: QuickTime 6.1 for Windows is available 10561 hpnst.exe in the GoAhead-Webs webserver for HP Instant TopTools before 5.55 allows remote attackers to cause a denial of service (CPU consumption) via a request to hpnst.exe that calls itself, which causes an infinite loop. 7246 20030331 [DDI-1012] Malformed request causes denial of service in HP Instant TopTools 20030331 [DDI-1012] Malformed request causes denial of service in HP Instant TopTools Unknown vulnerability in ftpd in IBM AIX 5.2, when configured to use Kerberos 5 for authentication, allows remote attackers to gain privileges via unknown attack vectors. aix-ftpd-gain-access(11823) 7346 IY42424 MSS-OAR-E01-2003.0469.1 4878 DirectoryServices in MacOS X trusts the PATH environment variable to locate and execute the touch command, which allows local users to execute arbitrary commands by modifying the PATH to point to a directory containing a malicious touch program. A041003-1 http://lists.apple.com/mhonarc/security-announce/msg00028.html Buffer overflow in openlog function for PHP 4.3.1 on Windows operating system, and possibly other OSes, allows remote attackers to cause a crash and possibly execute arbitrary code via a long filename argument. 7210 20030327 @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function php-openlog-stack-bo(11637) 20041222 PHP v4.3.x exploit for Windows. 20030327 Re: @(#)Mordred Labs advisory - PHP for Win32: buffer overflow in openlog() function 2113 20030402 Inaccurate Reports Concerning PHP Vulnerabilities xfsdq in xfsdump does not create quota information files securely, which allows local users to gain root privileges. VU#111673 DSA-283 20030404-01-P MDKSA-2003:047 The LDAP name service (nsd) in IRIX 6.5.19 and earlier does not properly verify if the USERPASSWORD attribute has been provided by an LDAP server, which could allow attackers to log in without a password. 7442 20030407-01-P irix-ldap-authentication-bypass(11860) N-084 SGI IRIX before 6.5.21 allows local users to cause a denial of service (kernel panic) via a certain call to the PIOCSWATCH ioctl. VU#142228 irix-piocswatch-ioctl-dos(12241) 7868 20030603-01-P 1008770 The Name Service Daemon (nsd), when running on an NIS master on SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows remote attackers to cause a denial of service (crash) via a UDP port scan. 20030701-01-P SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, does not follow "-" entries in the /etc/group file, which may cause subsequent group membership entries to be processed inadvertently. 20030701-01-P Multiple buffer overflows in Lotus Domino Web Server before 6.0.1 allow remote attackers to cause a denial of service or execute arbitrary code via (1) the s_ViewName option in the PresetFields parameter for iNotes, (2) the Foldername option in the PresetFields parameter for iNotes, or (3) a long Host header, which is inserted into a long Location header and used during a redirect operation. VU#772817 VU#542873 VU#206361 CA-2003-11 6871 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) lotus-domino-hostname-bo(11337) lotus-domino-inotes-bo(11336) 6870 http://www.nextgenss.com/advisories/lotus-inotesoflow.txt http://www.nextgenss.com/advisories/lotus-hostlocbo.txt N-065 20030217 Domino Advisories UPDATE 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) 20030217 Domino Advisories UPDATE 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) 20030217 Lotus Domino Web Server iNotes Overflow (#NISR17022003b) 20030217 Lotus Domino Web Server Host/Location Buffer Overflow Vulnerability (#NISR17022003a) Buffer overflow in the COM Object Control Handler for Lotus Domino 6.0.1 and earlier allows remote attackers to execute arbitrary code via multiple attack vectors, as demonstrated using the InitializeUsingNotesUserName method in the iNotes ActiveX control. VU#571297 CA-2003-11 6872 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) lotus-notes-activex-bo(11339) http://www.nextgenss.com/advisories/lotus-inotesclientaxbo.txt N-065 http://www-1.ibm.com/support/docview.wss?uid=swg21104543 20030217 Domino Advisories UPDATE 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) 20030217 Domino Advisories UPDATE 20030217 Lotus iNotes Client ActiveX Control Buffer Overrun (#NISR17022003c) Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via an incomplete POST request, as demonstrated using the h_PageUI form. VU#355169 CA-2003-11 http://www.nextgenss.com/advisories/lotus-60dos.txt lotus-incomplete-post-dos(11360) 6951 N-065 http://www-1.ibm.com/support/docview.wss?uid=swg21104528 20030218 More Lotus Domino Advisories Lotus Domino Web Server (nhttp.exe) before 6.0.1 allows remote attackers to cause a denial of service via a "Fictionary Value Field POST request" as demonstrated using the s_Validation form with a long, unknown parameter name. CA-2003-11 http://www.nextgenss.com/advisories/lotus-60dos.txt lotus-invalid-field-dos(11361) 6951 http://www-1.ibm.com/support/docview.wss?uid=swg21104528 20030218 More Lotus Domino Advisories The connection tracking core of Netfilter for Linux 2.4.20, with CONFIG_IP_NF_CONNTRACK enabled or the ip_conntrack module loaded, allows remote attackers to cause a denial of service (resource consumption) due to an inconsistency with Linux 2.4.20's support of linked lists, which causes Netfilter to fail to identify connections with an UNCONFIRMED status and use large timeouts. 20030802 [SECURITY] Netfilter Security Advisory: Conntrack list_del() DoS oval:org.mitre.oval:def:260 lv reads a .lv file from the current working directory, which allows local users to execute arbitrary commands as other lv users by placing malicious .lv files into other directories. RHSA-2003:169 DSA-304 TLSA-2003-35 RHSA-2003:167 oval:org.mitre.oval:def:430 The authentication module for Apache 2.0.40 through 2.0.45 on Unix does not properly handle threads safely when using the crypt_r or crypt functions, which allows remote attackers to cause a denial of service (failed Basic authentication with valid usernames and passwords) when a threaded MPM is used. VU#479268 RHSA-2003:186 http://www.apache.org/dist/httpd/Announcement2.html 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released apache-aprpasswordvalidate-dos(12091) 7725 8881 CLA-2003:661 OpenSSH-portable (OpenSSH) 3.6.1p1 and earlier with PAM support enabled immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. 7467 20030430 OpenSSH/PAM timing attack allows remote users identification TLSA-2003-31 RHSA-2003:224 RHSA-2003:222 20030806 [OpenPKG-SA-2003.035] OpenPKG Security Advisory (openssh) 20030430 OpenSSH/PAM timing attack allows remote users identification http://lab.mediaservice.net/advisory/2003-01-openssh.txt oval:org.mitre.oval:def:445 Apache 2 before 2.0.47, and certain versions of mod_ssl for Apache 1.3, do not properly handle "certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one," which could cause Apache to use the weak ciphersuite. RHSA-2003:240 20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released RHSA-2003:243 SCOSA-2004.6 RHSA-2003:244 MDKSA-2003:075 oval:org.mitre.oval:def:169 msxlsview.sh in xlsview for catdoc 0.91 and earlier allows local users to overwrite arbitrary files via a symlink attack on predictable temporary file names ("word$$.html"). DSA-575 catdoc-xlsview-symlink(16335) 11560 11193 13022 13021 http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=183525 tcpdump does not properly drop privileges to the pcap user when starting up. RHSA-2003:174 RHSA-2003:151 CUPS before 1.1.19 allows remote attackers to cause a denial of service via a partial printing request to the IPP port (631), which does not time out. RHSA-2003:171 DSA-317 TLSA-2003-33 SuSE-SA:2003:028 7637 MDKSA-2003:062 20030529 [slackware-security] CUPS DoS vulnerability fixed (SSA:2003-149-01) CLSA-2003:678 oval:org.mitre.oval:def:6 Multiple buffer overflows in Samba before 2.2.8a may allow remote attackers to execute arbitrary code or cause a denial of service, as discovered by the Samba team and a different vulnerability than CVE-2003-0201. RHSA-2003:137 DSA-280 20030407 [OpenPKG-SA-2003.028] OpenPKG Security Advisory (samba) MDKSA-2003:044 20030407 Immunix Secured OS 7+ samba update oval:org.mitre.oval:def:564 Buffer overflow gds_lock_mgr of Interbase Database 6.x allows local users to gain privileges via a long ISC_LOCK_ENV environment variable (INTERBASE_LOCK). http://www.secnetops.com/research/advisories/SRT2003-04-03-1300.txt 20030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflow 20030403 SRT2003-04-03-1300 - Interbase ISC_LOCK_ENV overflow Mac OS X before 10.2.5 allows guest users to modify the permissions of the DropBox folder and read unauthorized files. http://lists.apple.com/mhonarc/security-announce/msg00028.html Buffer overflow in the call_trans2open function in trans2.c for Samba 2.2.x before 2.2.8a, 2.0.10 and earlier 2.0.x versions, and Samba-TNG before 0.3.2, allows remote attackers to execute arbitrary code. VU#267873 7294 DSA-280 20030407 [DDI-1013] Buffer Overflow in Samba allows remote root compromise RHSA-2003:137 SuSE-SA:2003:025 http://www.digitaldefense.net/labs/advisories/DDI-1013.txt 20030403-01-P MDKSA-2003:044 20030409 GLSA: samba (200304-02) 20030408 [Sorcerer-spells] SAMBA--SORCERER2003-04-08 20030407 Immunix Secured OS 7+ samba update CLA-2003:624 oval:org.mitre.oval:def:567 oval:org.mitre.oval:def:2163 The (1) halstead and (2) gather_stats scripts in metrics 1.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files. DSA-279 metrics-tmpfile-symlink(11734) 7293 Buffer overflow in moxftp 2.2 and earlier allows remote malicious FTP servers to execute arbitrary code via a long FTP banner. 6921 moxftp-welcome-banner-bo(11399) DSA-281 20030223 moxftp arbitrary code execution poc/advisory 1006156 20030223 moxftp arbitrary code execution poc/advisory 8136 KDE 2 and KDE 3.1.1 and earlier 3.x versions allows attackers to execute arbitrary commands via (1) PostScript (PS) or (2) PDF files, related to missing -dPARANOIDSAFER and -dSAFER arguments when using the kghostview Ghostscript viewer. http://www.kde.org/info/security/advisory-20030409-1.txt DSA-284 RHSA-2003:002 DSA-296 DSA-293 http://bugs.kde.org/show_bug.cgi?id=56808 http://bugs.kde.org/show_bug.cgi?id=53343 MDKSA-2003:049 20030414 GLSA: kde-2.x (200304-05.1) 20030412 [Sorcerer-spells] KDE-SORCERER2003-04-12 20030411 GLSA: kde-2.x (200304-05) 20030410 GLSA: kde-3.x (200304-04) CLA-2003:747 CLA-2003:668 gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the ticker title of a URI. DSA-294 20030423 Security problems in gkrellm-newsticker gkrellm-newsticker gkrellm plugin before 0.3-3.1 allows remote attackers to cause a denial of service (crash) via (1) link or (2) title elements that contain multiple lines. DSA-294 20030423 Security problems in gkrellm-newsticker ps2epsi creates insecure temporary files when calling ghostscript, which allows local attackers to overwrite arbitrary files. DSA-286 Cross-site scripting (XSS) vulnerability in Macromedia Flash ad user tracking capability allows remote attackers to insert arbitrary Javascript via the clickTAG field. http://www.securiteam.com/securitynews/5XP0B0U9PE.html http://www.macromedia.com/support/flash/ts/documents/clicktag_security.htm 20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach 20030413 Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach Integer overflow in the TCP stream reassembly module (stream4) for Snort 2.0 and earlier allows remote attackers to execute arbitrary code via large sequence numbers in packets, which enable a heap-based buffer overflow. VU#139129 CA-2003-13 7178 DSA-297 http://www.coresecurity.com/common/showdoc.php?idx=313&idxseccion=10 ESA-20030430-013 20030428 GLSA: snort (200304-06) 20030423 Snort <=1.9.1 exploit 20030422 GLSA: snort (200304-05) 20030415 CORE-2003-0307: Snort TCP Stream Reassembly Integer Overflow Vulnerability MDKSA-2003:052 Buffer overflow in the administration service (CSAdmin) for Cisco Secure ACS before 3.1.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long user parameter to port 2002. VU#697049 20030423 Cisco Secure Access Control Server for Windows Admin Buffer Overflow Vulnerability 20030424 NSFOCUS SA2003-04 : Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS 20030424 NSFOCUS SA2003-04 : Remote Buffer Overflow Vulnerability in Web Management Interface of Cisco Secure ACS Memory leak in xinetd 2.3.10 allows remote attackers to cause a denial of service (memory consumption) via a large number of rejected connections. 20030418 Xinetd 2.3.10 Memory Leaks RHSA-2003:160 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=88537 MDKSA-2003:056 CLA-2003:782 oval:org.mitre.oval:def:657 handleAccept in rinetd before 0.62 does not properly resize the connection list when it becomes full and sets an array index incorrectly, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of connections. DSA-289 20030417 Vulnerability in rinetd ctrlpacket.c in PoPToP PPTP server before 1.1.4-b3 allows remote attackers to cause a denial of service via a length field of 0 or 1, which causes a negative value to be fed into a read operation, leading to a buffer overflow. VU#673993 7316 20030409 PoPToP PPTP server remotely exploitable buffer overflow DSA-295 SuSE-SA:2003:029 20030418 Exploit for PoPToP PPTP server 20030422 Re: Exploit for PoPToP PPTP server - Linux version http://sourceforge.net/project/shownotes.php?release_id=138437 20030428 GLSA: pptpd (200304-08) run-mailcap in mime-support 3.22 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. DSA-292 SQL injection vulnerability in bttlxeForum 2.0 beta 3 and earlier allows remote attackers to bypass authentication via the (1) username and (2) password fields, and possibly other fields. http://www.battleaxesoftware.com/forums/forum.asp?forumid=36&select=1812 20030424 SQL injection in BttlxeForum 1006632 Unknown vulnerability in Cisco Catalyst 7.5(1) allows local users to bypass authentication and gain access to the enable mode without a password. VU#443257 20030424 Cisco Security Advisory: Cisco Catalyst Enable Password Bypass Vulnerability Cross-site scripting (XSS) vulnerability in Neoteris Instant Virtual Extranet (IVE) 3.01 and earlier allows remote attackers to insert arbitrary web script and bypass authentication via a certain CGI script. 20030513 XSS In Neoteris IVE Allows Session Hijacking Buffer overflow in PostMethod() function for Monkey HTTP Daemon (monkeyd) 0.6.1 and earlier allows remote attackers to execute arbitrary code via a POST request with a large body. 7202 20030428 GLSA: monkeyd (200304-07.1) 20030420 Monkey HTTPd Remote Buffer Overflow http://monkeyd.sourceforge.net/Changelog.txt 20030420 Monkey HTTPd Remote Buffer Overflow Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute administrator commands by sniffing packets from a valid session and replaying them against the remote administration server. VU#641012 http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10 7179 20030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall Buffer overflow in the administrator authentication process for Kerio Personal Firewall (KPF) 2.1.4 and earlier allows remote attackers to execute arbitrary code via a handshake packet. VU#454716 http://www.coresecurity.com/common/showdoc.php?idx=314&idxseccion=10 7180 20030428 CORE-2003-0305-02: Vulnerabilities in Kerio Personal Firewall The (1) dupatch and (2) setld utilities in HP Tru64 UNIX 5.1B PK1 and earlier allows local users to overwrite files and possibly gain root privileges via a symlink attack. tru64-dupatch-setld-symlink(11892) 7452 SSRT3471 Stack-based buffer overflow in Oracle Net Services for Oracle Database Server 9i release 2 and earlier allows attackers to execute arbitrary code via a "CREATE DATABASE LINK" query containing a connect string with a long USING parameter. 7453 http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf oracle-database-link-bo(11885) N-085 20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003) 20030429 Oracle Database Server Buffer Overflow Vulnerability (#NISR29042003) Cross-site scripting vulnerability (XSS) in the ASP function responsible for redirection in Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 allows remote attackers to embed a URL containing script in a redirection message. MS03-018 oval:org.mitre.oval:def:66 Buffer overflow in ssinc.dll for Microsoft Internet Information Services (IIS) 5.0 allows local users to execute arbitrary code via a web page with a Server Side Include (SSI) directive with a long filename, aka "Server Side Include Web Pages Buffer Overrun." MS03-018 20030530 NSFOCUS SA2003-05: Microsoft IIS ssinc.dll Over-long Filename Buffer Overflow Vulnerability oval:org.mitre.oval:def:483 The ASP function Response.AddHeader in Microsoft Internet Information Server (IIS) 4.0 and 5.0 does not limit memory requests when constructing headers, which allow remote attackers to generate a large header to cause a denial of service (memory consumption) with an ASP page. MS03-018 http://www.aqtronix.com/Advisories/AQ-2003-01.txt 20030418 Microsoft Active Server Pages DoS oval:org.mitre.oval:def:373 Microsoft Internet Information Services (IIS) 5.0 and 5.1 allows remote attackers to cause a denial of service via a long WebDAV request with a (1) PROPFIND or (2) SEARCH method, which generates an error condition that is not properly handled. http://www.spidynamics.com/iis_alert.html MS03-018 20030528 Internet Information Services 5.0 Denial of service 20030528 Internet Information Services 5.0 Denial of service 20030529 IIS WEBDAV Denial of Service attacks oval:org.mitre.oval:def:933 The logging capability for unicast and multicast transmissions in the ISAPI extension for Microsoft Windows Media Services in Microsoft Windows NT 4.0 and 2000, nsiislog.dll, allows remote attackers to cause a denial of service in Internet Information Server (IIS) and execute arbitrary code via a certain network request. MS03-019 20030528 MS03-019: DoS or Code of Choice 20030528 Re: Alert: MS03-019, Microsoft... wrong, again. 20030528 RE: Alert: MS03-019, Microsoft... wrong, again. oval:org.mitre.oval:def:966 oval:org.mitre.oval:def:936 Directory traversal vulnerability in Microsoft Windows Media Player 7.1 and Windows Media Player for Windows XP allows remote attackers to execute arbitrary code via a skins file with a URL containing hex-encoded backslash characters (%5C) that causes an executable to be placed in an arbitrary location. VU#384932 7517 MS03-017 20030507 Windows Media Player directory traversal vulnerability mediaplayer-skin-code-execution(11953) 20030507 Windows Media Player directory traversal vulnerability 20030508 why i love xs4all + mediaplayer thingie oval:org.mitre.oval:def:321 Microsoft SQL Server 7, 2000, and MSDE allows local users to gain privileges by hijacking a named pipe during the authentication of another user, aka the "Named Pipe Hijacking" vulnerability. VU#556356 MS03-031 oval:org.mitre.oval:def:235 Microsoft SQL Server 7, 2000, and MSDE allows local or remote authenticated users to cause a denial of service (crash or hang) via a long request to a named pipe. VU#918652 MS03-031 A072303-2 oval:org.mitre.oval:def:299 Microsoft SQL Server 7, 2000, and MSDE allows local users to execute arbitrary code via a certain request to the Local Procedure Calls (LPC) port that leads to a buffer overflow. VU#584868 MS03-031 A072303-3 oval:org.mitre.oval:def:303 Heap-based buffer overflow in plugin.ocx for Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute arbitrary code via the Load() method, a different vulnerability than CVE-2003-0115. MS03-015 20030424 Internet Explorer Plugin.ocx heap overflow (#NISR24042003) ie-plugin-load-bo(11854) oval:org.mitre.oval:def:1094 Format string vulnerability in POP3 client for Mirabilis ICQ Pro 2003a allows remote malicious servers to execute arbitrary code via format strings in the response to a UIDL command. 7461 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-pop3-format-string(11938) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client Integer signedness errors in the POP3 client for Mirabilis ICQ Pro 2003a allow remote attackers to execute arbitrary code via the (1) Subject or (2) Date headers. 7463 7462 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-pop3-email-bo(11939) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client The "ICQ Features on Demand" functionality for Mirabilis ICQ Pro 2003a does not properly verify the authenticity of software upgrades, which allows remote attackers to install arbitrary software via a spoofing attack. 7464 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-features-no-auth(11944) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client The Message Session window in Mirabilis ICQ Pro 2003a allows remote attackers to cause a denial of service (CPU consumption) by spoofing the address of an ADS server and sending HTML with a -1 width in a table tag. 7465 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-table-tag-dos(11947) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icqateimg32.dll parsing/rendering library in Mirabilis ICQ Pro 2003a allows remote attackers to cause a denial of service via malformed GIF89a headers that do not contain a GCT (Global Color Table) or an LCT (Local Color Table) after an Image Descriptor. 7466 http://www.coresecurity.com/common/showdoc.php?idx=315&idxseccion=10 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client icq-gif89a-header-dos(11948) 20030505 CORE-2003-0303: Multiple Vulnerabilities in Mirabilis ICQ client The web-based administration capability for various Axis Network Camera products allows remote attackers to bypass access restrictions and modify configuration via an HTTP request to the admin/admin.shtml containing a leading // (double slash). VU#799060 axis-admin-authentication-bypass(12104) 7652 1006854 8876 4804 http://www.coresecurity.com/common/showdoc.php?idx=329&idxseccion=10 20030527 CORE-2003-0403: Axis Network Camera HTTP Authentication Bypass FrontRange GoldMine mail agent 5.70 and 6.00 before 30503 directly sends HTML to the default browser without setting its security zone or otherwise labeling it untrusted, which allows remote attackers to execute arbitrary code via a message that is rendered in IE using a less secure zone. http://www.secnap.net/security/gm001.html 20030528 SECNAP Security Advisory: Invalid HTML processing in GoldMine(tm) IPSec in Mac OS X before 10.2.6 does not properly handle certain incoming security policies that match by port, which could allow traffic that is not explicitly allowed by the policies. VU#869548 http://docs.info.apple.com/article.html?artnum=61798 macos-ipsec-acl-bypass(12027) 7628 1006796 8798 Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameter for the (1) normal_html.cgi or (2) member_html.cgi scripts. 1006707 20030507 Happymall E-Commerce Remote Command Execution The route cache implementation in Linux 2.4, and the Netfilter IP conntrack module, allows remote attackers to cause a denial of service (CPU consumption) via packets with forged source addresses that cause a large number of hash table collisions. RHSA-2003:145 DSA-311 RHSA-2003:172 RHSA-2003:147 http://www.enyo.de/fw/security/notes/linux-dst-cache-dos.html DSA-442 DSA-336 DSA-332 DSA-312 20030618 [slackware-security] 2.4.21 kernels available (SSA:2003-168-01) ESA-20030515-017 20030517 Algorithmic Complexity Attacks and the Linux Networking Code data-algorithmic-complexity-dos(15382) 7601 8786 MDKSA-2003:074 MDKSA-2003:066 http://marc.theaimsgroup.com/?l=linux-kernel&m=104956079213417 oval:org.mitre.oval:def:261 Vulnerability in the apr_psprintf function in the Apache Portable Runtime (APR) library for Apache 2.0.37 through 2.0.45 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via long strings, as demonstrated using XML objects to mod_dav, and possibly other vectors. VU#757612 RHSA-2003:186 http://www.apache.org/dist/httpd/Announcement2.html 20030528 [SECURITY] [ANNOUNCE] Apache 2.0.46 released apache-aprpsprintf-code-execution(12090) 7723 http://www.idefense.com/advisory/05.30.03.txt 20030530 iDEFENSE Security Advisory 05.30.03: Apache Portable Runtime Denial of Service and Arbitrary Code Execution Vulnerability MDKSA-2003:063 CLA-2003:661 The ioperm system call in Linux kernel 2.4.20 and earlier does not properly restrict privileges, which allows local users to gain read or write access to certain I/O ports. RHSA-2003:172 DSA-311 ESA-20030515-017 TLSA-2003-41 RHSA-2003:147 DSA-442 DSA-336 DSA-332 DSA-312 20030520 Linux 2.4 kernel ioperm vuln MDKSA-2003:074 MDKSA-2003:066 oval:org.mitre.oval:def:278 Unknown vulnerability in the TTY layer of the Linux kernel 2.4 allows attackers to cause a denial of service ("kernel oops"). RHSA-2003:187 DSA-311 TLSA-2003-41 RHSA-2003:198 RHSA-2003:195 DSA-442 DSA-336 DSA-332 DSA-312 MDKSA-2003:074 MDKSA-2003:066 oval:org.mitre.oval:def:284 The mxcsr code in Linux kernel 2.4 allows attackers to modify CPU state registers via a malformed address. RHSA-2003:187 DSA-311 TLSA-2003-41 RHSA-2003:195 DSA-442 DSA-336 DSA-332 DSA-312 MDKSA-2003:074 MDKSA-2003:066 oval:org.mitre.oval:def:292 ** DISPUTED ** PHP treats unknown methods such as "PoSt" as a GET request, which could allow attackers to intended access restrictions if PHP is running on a server that passes on all methods, such as Apache httpd 2.0, as demonstrated using a Limit directive. NOTE: this issue has been disputed by the Apache security team, saying "It is by design that PHP allows scripts to process any request method. A script which does not explicitly verify the request method will hence be processed as normal for arbitrary methods. It is therefore expected behaviour that one cannot implement per-method access control using the Apache configuration alone, which is the assumption made in this report." 20030625 PHP/Apache .htaccess Authentication Bypass Vulnerability ypserv NIS server before 2.7 allows remote attackers to cause a denial of service via a TCP client request that does not respond to the server, which causes ypserv to block. RHSA-2003:173 ADV-2006-2873 TLSA-2003-43 SSRT061154 55600 8031 HPSBTU02132 RHSA-2003:201 MDKSA-2003:072 1016517 21112 oval:org.mitre.oval:def:667 Off-by-one error in the xlog function of mountd in the Linux NFS utils package (nfs-utils) before 1.0.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via certain RPC requests to mountd that do not contain newlines. VU#258564 20030715 [slackware-security] nfs-utils packages replaced (SSA:2003-195-01b) nfs-utils-offbyone-bo(12600) TLSA-2003-44 8179 RHSA-2003:207 RHSA-2003:206 SuSE-SA:2003:031 DSA-349 1001262 1007187 9259 20030716 Immunix Secured OS 7+ nfs-utils update -- bugtraq 20030714 Linux nfs-utils xlog() off-by-one bug http://isec.pl/vulnerabilities/isec-0010-linux-nfs-utils.txt 20030714 Reality of the rpc.mountd bug 20030714 Linux nfs-utils xlog() off-by-one bug MDKSA-2003:076 oval:org.mitre.oval:def:443 The prefork MPM in Apache 2 before 2.0.47 does not properly handle certain errors from accept, which could lead to a denial of service. RHSA-2003:240 20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released MDKSA-2003:075 oval:org.mitre.oval:def:173 Apache 2 before 2.0.47, when running on an IPv6 host, allows attackers to cause a denial of service (CPU consumption by infinite loop) when the FTP proxy server fails to create an IPv6 socket. RHSA-2003:240 20030709 [ANNOUNCE][SECURITY] Apache 2.0.47 released MDKSA-2003:075 oval:org.mitre.oval:def:183 The key validation code in GnuPG before 1.2.2 does not properly determine the validity of keys with multiple user IDs and assigns the greatest validity of the most valid user ID, which prevents GnuPG from warning the encrypting user when a user ID does not have a trusted path. VU#397604 RHSA-2003:175 20030504 Key validity bug in GnuPG 1.2.1 and earlier gnupg-invalid-key-acceptance(11930) 7497 RHSA-2003:176 4947 TLSA200334 MDKSA-2003:061 http://www.linuxsecurity.com/advisories/gentoo_advisory-3266.html 20030515-016 20030522 [slackware-security] GnuPG key validation fix (SSA:2003-141-04) 20030516 [OpenPKG-SA-2003.029] OpenPKG Security Advisory (gnupg) ESA-20030515-016 CLA-2003:694 oval:org.mitre.oval:def:135 The GnuPG plugin in kopete before 0.6.2 does not properly cleanse the command line when executing gpg, which allows remote attackers to execute arbitrary commands. MDKSA-2003:055 http://kopete.kde.org/index.php?page=newsstory&news=Kopete_releases_version_0.6.2 CLA-2003:665 Format string vulnerability in the printer capability for IBM AIX .3, 5.1, and 5.2 allows local users to gain printq or root privileges. MSS-OAR-E01-2003:0660.1 aix-print-format-string(12000) Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 3.5.x through 4.0.REL, when enabling IPSec over TCP for a port on the concentrator, allow remote attackers to reach the private network without authentication. VU#727780 20030507 Cisco VPN 3000 Concentrator Vulnerabilities cisco-vpn-unauth-access(11954) Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7 allows remote attackers to cause a denial of service (reload) via a malformed SSH initialization packet. VU#317348 20030507 Cisco VPN 3000 Concentrator Vulnerabilities cisco-vpn-ssh-dos(11955) Cisco VPN 3000 series concentrators and Cisco VPN 3002 Hardware Client 2.x.x through 3.6.7A allow remote attackers to cause a denial of service (slowdown and possibly reload) via a flood of malformed ICMP packets. VU#221164 20030507 Cisco VPN 3000 Concentrator Vulnerabilities cisco-vpn-icmp-dos(11956) fuzz 0.6 and earlier creates temporary files insecurely, which could allow local users to gain root privileges. DSA-302 leksbot 1.2.3 in Debian GNU/Linux installs the KATAXWR as setuid root, which allows local users to gain root privileges by exploiting unknown vulnerabilities related to the escalated privileges, which KATAXWR is not designed to have. DSA-299 kataxwr-gain-privileges(11945) 7505 Multiple buffer overflows in Floosietek FTGate Pro Mail Server (FTGatePro) 1.22 allow remote attackers to execute arbitrary code via long (1) MAIL FROM or (2) RCPT TO commands. 7508 7506 20030506 Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328) ftgate-mailfrom-rcptto-bo(11951) 20030506 Multiple Buffer Overflow Vulnerabilities Found in FTGate Pro Mail Server v. 1.22 (1328) Multiple buffer overflows in SLMail 5.1.0.4420 allows remote attackers to execute arbitrary code via (1) a long EHLO argument to slmail.exe, (2) a long XTRN argument to slmail.exe, (3) a long string to POPPASSWD, or (4) a long password to the POP3 server. http://www.nextgenss.com/advisories/slmail-vulns.txt 20030507 Multiple Buffer Overflow Vulnerabilities in SLMail (#NISR07052003A) 20030507 Multiple Buffer Overflow Vulnerabilities in SLMail (#NISR07052003A) Race condition in SDBINST for SAP database 7.3.0.29 creates critical files with world-writable permissions before initializing the setuid bits, which allows local attackers to gain root privileges by modifying the files before the permissions are changed. 7421 20030507 SAP database local root vulnerability during installation. (fwd) Multiple buffer overflows in SLWebMail 3 on Windows systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via (1) a long Language parameter to showlogin.dll, (2) a long CompanyID parameter to recman.dll, (3) a long CompanyID parameter to admin.dll, or (4) a long CompanyID parameter to globallogin.dll. http://www.nextgenss.com/advisories/slwebmail-vulns.txt 20030507 Multiple Vulnerabilities in SLWebmail 20030507 Multiple Vulnerabilities in SLWebmail ShowGodLog.dll in SLWebMail 3 on Windows systems allows remote attackers to read arbitrary files by directly calling ShowGodLog.dll with an argument specifying the full path of the target file. http://www.nextgenss.com/advisories/slwebmail-vulns.txt 20030507 Multiple Vulnerabilities in SLWebmail 20030507 Multiple Vulnerabilities in SLWebmail SLWebMail 3 on Windows systems allows remote attackers to identify the full path of the server via invalid requests to DLLs such as WebMailReq.dll, which reveals the path in an error message. http://www.nextgenss.com/advisories/slwebmail-vulns.txt 20030507 Multiple Vulnerabilities in SLWebmail 20030507 Multiple Vulnerabilities in SLWebmail Buffer overflow in youbin allows local users to gain privileges via a long HOME environment variable. 7503 20030506 youbin local root exploit + advisory 20030506 youbin local root exploit + advisory youbin-home-bo(11949) 20030506 youbin local root exploit + advisory The administration capability for Apple AirPort 802.11 wireless access point devices uses weak encryption (XOR with a fixed key) for protecting authentication credentials, which could allow remote attackers to obtain administrative access via sniffing when the capability is available via Ethernet or non-WEP connections. airport-auth-credentials-disclosure(11980) 7554 A051203-1 1006742 8773 Buffer overflow in Personal FTP Server allows remote attackers to execute arbitrary code via a long USER argument. 20030331 Personal FTP Server http://security.nnov.ru/search/document.asp?docid=4309 20030508 Remote Stack Overflow exploit for Personal FTPD admin.php in miniPortail allows remote attackers to gain administrative privileges by setting the miniPortailAdmin cookie to an "adminok" value. 20030508 miniPortail (PHP) : Admin Access http://www.frog-man.org/tutos/miniPortail.txt Cross-site scripting (XSS) vulnerability in the web interface for Request Tracker (RT) 1.0 through 1.0.7 allows remote attackers to execute script via message bodies. http://lists.fsck.com/pipermail/rt-announce/2003-May/000071.html 20030508 Fw: [rt-users] [rt-announce] RT 1.0.7 vulnerable to Cross Site Scripting attacks Buffer overflow in catmail for ListProc 8.2.09 and earlier allows remote attackers to execute arbitrary code via a long ULISTPROC_UMASK value. 20030508 SRT2003-05-08-1137 - ListProc mailing list ULISTPROC_UMASK overflow SSI.php in YaBB SE 1.5.2 allows remote attackers to execute arbitrary PHP code by modifying the sourcedir parameter to reference a URL on a remote web server that contains the code. 20030509 II-Labs Advisory: Remote code execution in YaBBse 1.5.2 (php version) Buffer overflow in Pi3Web 2.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a GET request with a large number of / characters. pi3web-get-request-bo(11889) 7555 20030512 Unix Version of the Pi3web DoS 20030428 Pi3Web 2.0.1 DoS Directory traversal vulnerability in normal_html.cgi in Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the file parameter. happymall-dotdot-directory-traversal(11987) 7559 20030512 One more flaw in Happymall Cross-site scripting (XSS) vulnerability in normal_html.cgi in Happycgi.com Happymall 4.3 and 4.4 allows remote attackers to insert arbitrary web script via the file parameter. 20030512 One more flaw in Happymall happymall-normalhtml-xss(11988) 7557 Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 5.x through 6.5 allows remote attackers to steal sensitive information via numeric fields, as demonstrated using (1) the viewlink function and cid parameter, or (2) index.php. phpnuke-web-sql-injection(11984) 7558 20030512 Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) 7588 20030513 More and More SQL injection on PHP-Nuke 6.5. Multiple buffer overflows in the SMTP Service for ESMTP CMailServer 4.0.2003.03.27 allow remote attackers to execute arbitrary code via long (1) MAIL FROM or (2) RCPT TO commands. 20030510 Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.0 cmailserver-smtp-bo(11975) 7548 7547 20030510 Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.0 Buffer overflow in Firebird 1.0.2 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows local users to execute arbitrary code via a long INTERBASE environment variable when calling (1) gds_inet_server, (2) gds_lock_mgr, or (3) gds_drop. firebird-interbase-bo(11977) 7546 GLSA-200405-18 8758 20020617 Interbase 6.0 malloc() issues 20030509 Firebird Local exploit Directory traversal vulnerability in UnZip 5.50 allows attackers to overwrite arbitrary files via invalid characters between two . (dot) characters, which are filtered and result in a ".." sequence. 7550 RHSA-2003:199 TLSA-2003-42 RHSA-2003:200 DSA-344 20030509 unzip directory traversal revisited IMNX-2003-7+-017-01 CSSA-2003-031.0 CSSA-2003-031.0 unzip-dotdot-directory-traversal(12004) MDKSA-2003:073 N-111 20030710 [OpenPKG-SA-2003.033] OpenPKG Security Advisory (infozip) CLA-2003:672 oval:org.mitre.oval:def:619 Cross-site scripting (XSS) vulnerability in Phorum before 3.4.3 allows remote attackers to inject arbitrary web script and HTML tags via a message with a "<<" before a tag name in the (1) subject, (2) author's name, or (3) author's e-mail. phorum-message-html-injection(11974) 7545 20030509 Re: A Phorum's bug... 20030509 A Phorum's bug... Adobe Acrobat 5 does not properly validate JavaScript in PDF files, which allows remote attackers to write arbitrary files into the Plug-ins folder that spread to other PDF documents, as demonstrated by the W32.Yourde virus. VU#184820 http://www.adobe.com/support/downloads/detail.jsp?ftpID=2121 IBM AIX 5.2 and earlier distributes Sendmail with a configuration file (sendmail.cf) with the (1) promiscuous_relay, (2) accept_unresolvable_domains, and (3) accept_unqualified_senders features enabled, which allows Sendmail to be used as an open mail relay for sending spam e-mail. VU#814617 aix-sendmail-mail-relay(11993) 7580 http://security.sdsc.edu/advisories/2003.05.13-AIX-sendmail.txt 20030513 AIX sendmail open relay SQL injection vulnerability in register.asp in Snitz Forums 2000 before 3.4.03, and possibly 3.4.07 and earlier, allows remote attackers to execute arbitrary stored procedures via the Email variable. 7549 35764 snitz-register-sql-injection(11981) 35733 http://packetstormsecurity.org/0305-exploits/snitz_exec.txt 56166 20030513 Snitz Forum 3.3.03 Remote Command Execution 20030512 Snitz Forum 3.3.03 Remote Command Execution Cross-site scripting (XSS) vulnerability in Movable Type before 2.6, and possibly other versions including 2.63, allows remote attackers to insert arbitrary web script or HTML via the Name textbox, possibly when the "Allow HTML in comments?" option is enabled. 20030512 Re: CSS found in Movable Type 20030512 CSS found in Movable Type 20030513 Re: CSS found in Movable Type -- Nope movable-type-comment-xss(12003) 7560 Buffer overflow in the file & folder transfer mechanism for IP Messenger for Win 2.00 through 2.02 allows remote attackers to execute arbitrary code via file with a long filename, which triggers the overflow when the user saves the file. http://www.lac.co.jp/security/english/snsadv_e/64_e.html 20030513 [SNS Advisory No.64] IP Messenger for Win Buffer Overflow Vulnerability ip-messenger-filename-bo(11986) 7566 Format string vulnerability in scsiopen.c of the cdrecord program in cdrtools 2.0 allows local users to gain privileges via format string specifiers in the dev parameter. 7565 20030513 cdrtools2.0 Format String Vulnerability 20030513 Cdrecord_local_root_exploit. ftp://ftp.berlios.de/pub/cdrecord/alpha/cdrtools-2.01a14.tar.gz cdrtools-scsiopen-format-string(12007) http://www.securiteam.com/exploits/5ZP0C2AAAC.html MDKSA-2003:058 200305-06 Memory leak in eServ 2.9x allows remote attackers to cause a denial of service (memory exhaustion) via a large number of connections, whose memory is not freed when the connection is terminated. 20030513 eServ Memory Leak Solution 20030511 eServ Memory Leak Enables Denial of Service Attacks eserv-multiple-connections-dos(11973) 7552 20030511 eServ Memory Leak Enables Denial of Service Attacks 3com OfficeConnect Remote 812 ADSL Router 1.1.7 does not properly clear memory from DHCP responses, which allows remote attackers to identify the contents of previous HTTP requests by sniffing DHCP packets. http://nautopia.coolfreepages.com/vulnerabilidades/3com812_dhcp_leak.htm 20030514 Memory leak in 3COM 812 DSL routers 20030515 RE : Memory leak in 3COM DSL routers 3com-officeconnect-memory-leak(11999) 7592 Cross-site scripting (XSS) vulnerability in Inktomi Traffic-Server 5.5.1 allows remote attackers to insert arbitrary web script or HTML into an error page that appears to come from the domain that the client is visiting, aka "Man-in-the-Middle" XSS. 7596 20030514 Inktomi Traffic-Server XSS: man-in-the-middle XSS ! PalmOS allows remote attackers to cause a denial of service (CPU consumption) via a flood of ICMP echo request (ping) packets. 20030514 PalmOS ICMP flood DoS. autohtml.php in php-proxima 6.0 and earlier allows remote attackers to read arbitrary files via the name parameter in a modload operation. 20030514 php-proxima Remote File Access Vulnerability Cross-site scripting (XSS) vulnerability in private.php for vBulletin 3.0.0 Beta 2 allows remote attackers to inject arbitrary web script and HTML via the "Preview Message" capability. 20030514 VBulletin Preview Message - XSS Vuln 20030514 Re: VBulletin Preview Message - XSS Vuln The IMAP Client for Evolution 1.2.4 allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients c-client IMAP Client, as used in imap-2002b and Pine 4.53, allows remote malicious IMAP servers to cause a denial of service (crash) and possibly execute arbitrary code via certain large (1) literal and (2) mailbox size values that cause either integer signedness errors or integer overflow errors. RHSA-2005:114 RHSA-2005:015 FLSA:184074 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Mozilla 1.3 and 1.4a allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large (1) literal and possibly (2) mailbox size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client, as used in mutt 1.4.1 and Balsa 2.0.10, allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large mailbox size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Sylpheed 0.8.11 allows remote malicious IMAP servers to cause a denial of service (crash) via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Outlook Express 6.00.2800.1106 allows remote malicious IMAP servers to cause a denial of service (crash) via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients The IMAP Client for Eudora 5.2.1 allows remote malicious IMAP servers to cause a denial of service and possibly execute arbitrary code via certain large literal size values that cause either integer signedness errors or integer overflow errors. 20030514 Buffer overflows in multiple IMAP clients SQL injection vulnerability in one||zero (aka One or Zero) Helpdesk 1.4 rc4 allows remote attackers to modify arbitrary ticket number descriptions via the sg parameter. 20030515 OneOrZero Security Problems (PHP) 20030515 OneOrZero Security Problems (PHP) 7609 one||zero (aka One or Zero) Helpdesk 1.4 rc4 allows remote attackers to create administrator accounts by directly calling the install.php Helpdesk Installation script. 20030515 OneOrZero Security Problems (PHP) 20030515 OneOrZero Security Problems (PHP) The Service Assurance Agent (SAA) in Cisco IOS 12.0 through 12.2, aka Response Time Reporter (RTR), allows remote attackers to cause a denial of service (crash) via malformed RTR packets to port 1967. 20030515 Cisco Security Advisory: Cisco IOS Software Processing of SAA Packets oval:org.mitre.oval:def:5608 Buffer overflow in EXPLORER.EXE on Windows XP allows attackers to execute arbitrary code as the XP user via a desktop.ini file with a long .ShellClassInfo parameter. MS03-027 20030507 Buffer overflow in Explorer.exe 20030515 Re[2]: EXPLOIT: Buffer overflow in Explorer.exe on Windows XP SP1 20030511 Detailed analysis: Buffer overflow in Explorer.exe on Windows XP SP1 oval:org.mitre.oval:def:3095 Poster version.two allows remote authenticated users to gain administrative privileges by appending the "|" field separator and an "admin" value into the email address field. 20030514 [VULNERABILITY] PHP 'poster version.two' The Sendmail 8.12.3 package in Debian GNU/Linux 3.0 does not securely create temporary files, which could allow local users to gain additional privileges via (1) expn, (2) checksendmail, or (3) doublebounce.pl. DSA-305 https://bugs.gentoo.org/show_bug.cgi?id=235770 [oss-security] 20081030 CVE requests: tempfile issues for aview, mgetty, openoffice, crossfire http://dev.gentoo.org/~rbu/security/debiantemp/sendmail-base http://bugs.debian.org/496408 Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to bypass security zone restrictions and execute arbitrary programs via a web document with a large number of duplicate file:// or other requests that point to the program and open multiple file download dialogs, which eventually cause Internet Explorer to execute the program, as demonstrated using a large number of FRAME or IFRAME tags, aka the "File Download Dialog Vulnerability." VU#251788 ie-frame-restrictions-bypass(12019) 7539 MS03-020 8807 20030513 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED 20030513 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED 20030513 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! - UPDATED 20030508 Flooding Internet Explorer 6.0.2800 (6.x?) security zones ! [CRITICAL] oval:org.mitre.oval:def:948 Cross-site scripting (XSS) vulnerability in articleview.php for eZ publish 2.2 allows remote attackers to insert arbitrary web script. 20030516 EzPublish Directory XSS Vulnerability Directory traversal vulnerability in Snowblind Web Server 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in an HTTP request. 20030516 Snowblind Web Server: multiple issues Directory traversal vulnerability in Snowblind Web Server 1.0 allows remote attackers to list arbitrary directory contents via a ... (triple dot) in an HTTP request. 20030516 Snowblind Web Server: multiple issues Snowblind Web Server 1.0 allows remote attackers to cause a denial of service (crash) via a URL that ends in a "</" sequence. 20030516 Snowblind Web Server: multiple issues Snowblind Web Server 1.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP request, which may trigger a buffer overflow. 20030516 Snowblind Web Server: multiple issues Venturi Client before 2.2, as used in certain Fourelle and Venturi Wireless products, can be used as an open proxy for various protocols, including an open relay for SMTP, which allows it to be abused by spammers. http://www.venturiwireless.com/tech_support/Q_and_A/Q_A_09.htm 20030516 Venturi Client 2.1 confirmed as open relay [Verizon Wireless Mobile Office] iisPROTECT 2.1 and 2.2 allows remote attackers to bypass authentication via an HTTP request containing URL-encoded characters. 20030522 Authentication Bypass in iisPROTECT Cross-site scripting (XSS) vulnerability in the Statistics module for PHP-Nuke 6.0 and earlier allows remote attackers to insert arbitrary web script via the year parameter. 20030517 PHP-Nuke code injection in Yearly Stats at Statistics module Buffer overflow in the IMAP server (IMAPMax) for SmartMax MailMax 5.0.10.8 and earlier allows remote authenticated users to execute arbitrary code via a long SELECT command. 20030517 Buffer overflow vulnerability found in MailMax version 5 20030517 Buffer overflow vulnerability found in MailMax version 5 header.php in ttCMS 2.3 and earlier allows remote attackers to inject arbitrary PHP code by setting the ttcms_user_admin parameter to "1" and modifying the admin_root parameter to point to a URL that contains a Trojan horse header.inc.php script. 20030517 Remote code execution in ttCMS <=v2.3 Multiple buffer overflows in BitchX IRC client 1.0-0c19 and earlier allow remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via long hostnames, nicknames, or channel names, which are not properly handled by the functions (1) send_ctcp, (2) cannot_join_channel, (3) cluster, (4) BX_compress_modes, (5) handle_oper_vision, and (6) ban_it. DSA-306 http://security.debian.org/pool/updates/main/i/ircii-pana/ircii-pana_1.0-0c16-2.1.diff.gz 20030324 GLSA: bitchx (200303-21) 20030313 Buffer overflows in ircII-based clients 7100 7099 7097 7096 CLA-2003:655 Integer overflow in BitchX IRC client 1.0-0c19 and earlier allows remote malicious IRC servers to cause a denial of service (crash). DSA-306 http://security.debian.org/pool/updates/main/i/ircii-pana/ircii-pana_1.0-0c16-2.1.diff.gz Multiple buffer overflows in ircII 20020912 allows remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via responses that are not properly fed to the my_strcat function by (1) ctcp_buffer, (2) cannot_join_channel, (3) status_make_printable for Statusbar drawing, (4) create_server_list, and possibly other functions. DSA-291 20030319 [OpenPKG-SA-2003.024] OpenPKG Security Advisory (ircii) 20030313 Buffer overflows in ircII-based clients DSA-298 7098 Buffer overflows in EPIC IRC Client (EPIC4) 1.0.1 allows remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via long replies that are not properly handled by the (1) userhost_cmd_returned function, or (2) Statusbar capability. DSA-287 20030313 Buffer overflows in ircII-based clients 7091 Buffer overflow in Maelstrom 3.0.6, 3.0.5, and earlier allows local users to execute arbitrary code via a long -server command line argument. 20030520 Maelstrom Local Buffer Overflow Exploit, FreeBSD 4.8 edition 20030519 Maelstrom exploit 20030518 Maelstrom Buffer Overflow Integer overflow in parse_decode_path() of slocate may allow attackers to execute arbitrary code via a LOCATE_PATH with a large number of ":" (colon) characters, whose count is used in a call to malloc. 20030519 bazarr slocate 7629 Sybase Adaptive Server Enterprise (ASE) 12.5 allows remote attackers to cause a denial of service (hang) via a remote password array with an invalid length, which triggers a heap-based buffer overflow. http://www.rapid7.com/advisories/R7-0016.html sybase-passwordarray-bo(13800) 20031120 R7-0016: Sybase ASE 12.5 Remote Password Array Denial of Service EPIC IRC Client (EPIC4) pre2.002, pre2.003, and possibly later versions, allows remote malicious IRC servers to cause a denial of service (crash) and possibly execute arbitrary code via a CTCP request from a large nickname, which causes an incorrect length calculation. ftp://ftp.prbh.org/pub/epic/patches/alloca_underrun-patch-1 RHSA-2003:342 DSA-399 DSA-306 CesarFTP 0.99g stores user names and passwords in plaintext in the settings.ini file, which could allow local users to gain privileges. 20030520 Plaintext Password in Settings.ini of CesarFTP 20030520 Plaintext Password in Settings.ini of CesarFTP Buffer overflow in unknown versions of Maelstrom allows local users to execute arbitrary code via a long -player command line argument. 20030520 Maelstrom Local Buffer Overflow Exploit 1008832 SQL injection vulnerability in ttForum allows remote attackers to execute arbitrary SQL and gain ttForum Administrator privileges via the Ignorelist-Textfield argument in the Preferences page. 20030520 More vulnerabilities in ttForum/ttCMS -> SQL injection The ISAPI extension in BadBlue 1.7 through 2.2, and possibly earlier versions, modifies the first two letters of a filename extension after performing a security check, which allows remote attackers to bypass authentication via a filename with a .ats extension instead of a .hts extension. 20030520 BadBlue Remote Administrative Interface Access Vulnerability 20030520 BadBlue Remote Administrative Interface Access Vulnerability Multiple buffer overflows in kermit in HP-UX 10.20 and 11.00 (C-Kermit 6.0.192 and possibly other versions before 8.0) allow local users to gain privileges via long arguments to (1) ask, (2) askq, (3) define, (4) assign, and (5) getc, some of which may share the same underlying function "doask," a different vulnerability than CVE-2001-0085. VU#971364 20030502 Re: from bugtraq: HP-UX 11.0 /usr/bin/kermit (fwd) hp-ckermit-bo(11929) 7627 20030502 HP-UX 11.0 /usr/bin/kermit BitchX IRC client 1.0c20cvs and earlier allows attackers to cause a denial of service (core dump) via certain channel mode changes that are not properly handled in names.c. 20030510 BitchX: Crash when channel modes change CLA-2003:655 bitchx-mode-change-dos(12008) 7551 MDKSA-2003:069 rc.M in Slackware 9.0 calls quotacheck with the -M option, which causes the filesystem to be remounted and possibly reset security-relevant mount flags such as nosuid, nodev, and noexec. 20030522 [slackware-security] quotacheck security fix in rc.M (SSA:2003-141-06) Qualcomm Eudora 5.2.1 allows remote attackers to read arbitrary files via an email message with a carriage return (CR) character in a spoofed "Attachment Converted:" string, which is not properly handled by Eudora. 20030522 Eudora 5.2.1 attachment spoof The ckconfig command in lsadmin for Load Sharing Facility (LSF) 5.1 allows local users to execute arbitrary programs by modifying the LSF_ENVDIR environment variable to reference an alternate lsf.conf file, then modifying LSF_SERVERDIR to point to a malicious lim program, which lsadmin then executes. 20030522 Security advisory: LSF 5.1 local root exploit Directory traversal vulnerability in WsMp3 daemon (WsMp3d) 0.0.10 and earlier allows remote attackers to read and execute arbitrary files via .. (dot dot) sequences in HTTP GET or POST requests. 20030521 [INetCop Security Advisory] WsMP3d Directory Traversing Vulnerability 20030521 [INetCop Security Advisory] WsMP3d Directory Traversing Vulnerability Multiple heap-based buffer overflows in WsMp3 daemon (WsMp3d) 0.0.10 and earlier allow remote attackers to execute arbitrary code via long HTTP requests. 20030522 WsMp3d remote exploit. 20030521 Remote Heap Corruption Overflow vulnerability in WsMp3d. 20030521 Remote Heap Corruption Overflow vulnerability in WsMp3d. Demarc Puresecure 1.6 stores authentication information for the logging server in plaintext, which allows attackers to steal login names and passwords to gain privileges. 20030521 Demarc Puresecure v1.6 - Plaintext password issue - Cross-site scripting (XSS) vulnerability in Owl Intranet Engine 0.71 and earlier allows remote attackers to insert arbitrary script via the Search field. 20030521 [AP] Owl Intranet Engine CSS Bug BlackMoon FTP Server 2.6 Free Edition, and possibly other distributions and versions, stores user names and passwords in plaintext in the blackmoon.mdb file, which can allow local users to gain privileges. 20030520 [[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration BlackMoon FTP Server 2.6 Free Edition, and possibly other distributions and versions, generates an "Account does not exist" error message when an invalid username is entered, which makes it easier for remote attackers to conduct brute force attacks. 20030520 [[ TH 026 Inc. ]] SA #4 - Blackmoon FTP Server cleartext passwords and User enumeration Buffer overflow in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote attackers to execute arbitrary code via / (slash) characters in the Type property of an Object tag in a web page. VU#679556 MS03-020 AD20030604 8943 20030709 IE Object Type Overflow Exploit 20030604 Internet Explorer Object Type Property Overflow oval:org.mitre.oval:def:922 Buffer overflow in the SMB capability for Microsoft Windows XP, 2000, and NT allows remote attackers to cause a denial of service and possibly execute arbitrary code via an SMB packet that specifies a smaller buffer length than is required. VU#337764 win-smb-bo(12544) 8152 MS03-024 1007154 9225 oval:org.mitre.oval:def:3391 oval:org.mitre.oval:def:146 oval:org.mitre.oval:def:118 Multiple integer overflows in a Microsoft Windows DirectX MIDI library (QUARTZ.DLL) allow remote attackers to execute arbitrary code via a MIDI (.mid) file with (1) large length for a Text or Copyright string, or (2) a large number of tracks, which leads to a heap-based buffer overflow. CA-2003-18 VU#561284 VU#265232 MS03-030 20030723 EEYE: Windows MIDI Decoder (QUARTZ.DLL) Heap Corruption oval:org.mitre.oval:def:218 oval:org.mitre.oval:def:1104 oval:org.mitre.oval:def:1095 Heap-based buffer overflow in VBE.DLL and VBE6.DLL of Microsoft Visual Basic for Applications (VBA) SDK 5.0 through 6.3 allows remote attackers to execute arbitrary code via a document with a long ID parameter. VU#804780 8534 MS03-037 9666 20030903 EEYE: VBE Document Property Buffer Overflow 20030903 EEYE: VBE Document Property Buffer Overflow A certain Microsoft Windows Media Player 9 Series ActiveX control allows remote attackers to view and manipulate the Media Library on the local system via HTML script. VU#320516 MS03-021 mediaplayer-activex-obtain-information(12440) 8034 Buffer overflow in the streaming media component for logging multicast requests in the ISAPI for the logging capability of Microsoft Windows Media Services (nsiislog.dll), as installed in IIS 5.0, allows remote attackers to execute arbitrary code via a large POST request to nsiislog.dll. VU#113716 20030626 Windows Media Services Remote Command Execution #2 MS03-022 20030626 Windows Media Services Remote Command Execution #2 1007059 9115 oval:org.mitre.oval:def:938 The control for listing accessibility options in the Accessibility Utility Manager on Windows 2000 (ListView) does not properly handle Windows messages, which allows local users to execute arbitrary code via a "Shatter" style message to the Utility Manager that references a user-controlled callback function. http://www.ngssoftware.com/advisories/utilitymanager.txt MS03-025 20030709 Microsoft Utility Manager Local Privilege Escalation 20030709 Microsoft Utility Manager Local Privilege Escalation win2k-accessibility-gain-privileges 8154 oval:org.mitre.oval:def:451 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0306. Reason: This candidate is a reservation duplicate of CVE-2003-0306. Notes: All CVE users should reference CVE-2003-0306 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in a certain DCOM interface for RPC in Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a malformed message, as exploited by the Blaster/MSblast/LovSAN and Nachi/Welchia worms. VU#568148 CA-2003-19 CA-2003-16 win-rpc-dcom-bo(12629) 8205 http://www.xfocus.org/documents/200307/2.html MS03-026 20030730 rpcdcom Universal offsets 20030726 Re: The French BUGTRAQ (New Win RPC Exploit) 20030725 The Analysis of LSD's Buffer Overrun in Windows RPC Interface(code revised ) 20030716 [LSD] Critical security vulnerability in Microsoft Operating Systems oval:org.mitre.oval:def:296 oval:org.mitre.oval:def:2343 oval:org.mitre.oval:def:194 Buffer overflow in a component of SQL-DMO for Microsoft Data Access Components (MDAC) 2.5 through 2.7 allows remote attackers to execute arbitrary code via a long response to a broadcast request to UDP port 1434. MS03-033 8455 oval:org.mitre.oval:def:6954 20030821 AppSecInc Security Alert: Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities 20030821 AppSecInc Security Alert: Buffer Overflow in UDP broadcasts for Microsoft SQL Server client utilities oval:org.mitre.oval:def:962 oval:org.mitre.oval:def:961 oval:org.mitre.oval:def:1039 Unknown vulnerability in GNU Ghostscript before 7.07 allows attackers to execute arbitrary commands, even when -dSAFER is enabled, via a PostScript file that causes the commands to be executed from a malicious print job. RHSA-2003:181 RHSA-2003:182 MDKSA-2003:065 20030603 [OpenPKG-SA-2003.030] OpenPKG Security Advisory (ghostscript) oval:org.mitre.oval:def:133 Safari 1.0 Beta 2 (v73) and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates. 20030507 Problem: Multiple Web Browsers do not do not validate CN on certificates. Multiple off-by-one vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) AIM, (2) GIOP Gryphon, (3) OSPF, (4) PPTP, (5) Quake, (6) Quake2, (7) Quake3, (8) Rsync, (9) SMB, (10) SMPP, and (11) TSP dissectors, which do not properly use the tvb_get_nstringz and tvb_get_nstringz0 functions. VU#641013 http://www.ethereal.com/appnotes/enpa-sa-00009.html DSA-313 RHSA-2003:077 MDKSA-2003:067 oval:org.mitre.oval:def:69 Multiple integer overflow vulnerabilities in Ethereal 0.9.11 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) Mount and (2) PPP dissectors. VU#361700 VU#232164 http://www.ethereal.com/appnotes/enpa-sa-00009.html DSA-313 7495 7494 MDKSA-2003:067 RHSA-2003:077 oval:org.mitre.oval:def:73 Buffer overflow in (1) nethack 3.4.0 and earlier, and (2) falconseye 1.9.3 and earlier, which is based on nethack, allows local users to gain privileges via a long -s command line option. 20030209 #!ICadv-02.09.03: nethack 3.4.0 local buffer overflow DSA-350 DSA-316 http://nethack.sourceforge.net/v340/bugmore/secpatch.txt nethack-s-command-bo(11283) 6806 nethack 3.4.0 and earlier installs certain setgid binaries with insecure permissions, which allows local users to gain privileges by replacing the original binaries with malicious code. DSA-316 Multiple buffer overflows in gPS before 1.0.0 allow attackers to cause a denial of service and possibly execute arbitrary code. DSA-307 http://gps.seul.org/changelog.html gPS before 1.1.0 does not properly follow the rgpsp connection source acceptation policy as specified in the rgpsp.conf file, which could allow unauthorized remote attackers to connect to rgpsp. DSA-307 http://gps.seul.org/changelog.html Buffer overflow in gPS before 0.10.2 may allow local users to cause a denial of service (SIGSEGV) in rgpsp via long command lines. DSA-307 http://gps.seul.org/changelog.html Format string vulnerability in LICQ 1.2.6, 1.0.3 and possibly other versions allows remote attackers to perform unknown actions via format string specifiers. http://csdl.computer.org/comp/proceedings/hicss/2004/2056/09/205690277.pdf The TCP/IP fragment reassembly handling in the Linux kernel 2.4 allows remote attackers to cause a denial of service (CPU consumption) via certain packets that cause a large number of hash table collisions. RHSA-2003:187 DSA-311 TLSA-2003-41 RHSA-2003:198 RHSA-2003:195 DSA-442 DSA-336 DSA-332 DSA-312 oval:org.mitre.oval:def:295 ICQLite 2003a creates the ICQ Lite directory with an ACE for "Full Control" privileges for Interactive Users, which allows local users to gain privileges as other users by replacing the executables with malicious programs. 20030529 ICQLite executable trojaning lyskom-server 2.0.7 and earlier allows unauthenticated users to cause a denial of service (CPU consumption) via a large query. DSA-318 znew in the gzip package allows local users to overwrite arbitrary files via a symlink attack on temporary files. TLSA-2003-38 http://www.openpkg.org/security/OpenPKG-SA-2003.031-gzip.html DSA-308 7872 MDKSA-2003:068 Nokia Gateway GPRS support node (GGSN) allows remote attackers to cause a denial of service (kernel panic) via a malformed IP packet with a 0xFF TCP option. VU#924812 nokia-ggsn-ip-dos(12221) 7854 A060903-1 Konqueror Embedded and KDE 2.2.2 and earlier does not validate the Common Name (CN) field for X.509 Certificates, which could allow remote attackers to spoof certificates via a man-in-the-middle attack. RHSA-2003:192 http://www.kde.org/info/security/advisory-20030602-1.txt TLSA-2003-36 20030507 Problem: Multiple Web Browsers do not do not validate CN on certificates. RHSA-2003:193 DSA-361 20030510 [forward]Apple Safari and Konqueror Embedded Common Name Verification Vulnerability 7520 Buffer overflow in Prishtina FTP client 1.x allows remote FTP servers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP banner. 20030522 Prishtina FTP v.1.*: remote DoS Signed integer vulnerability in libnasl in Nessus before 2.0.6 allows local users with plugin upload privileges to cause a denial of service (core dump) and possibly execute arbitrary code by causing a negative argument to be provided to the insstr function as used in a NASL script. 20030523 nessus NASL scripting engine security issues 20030522 Potential security vulnerability in Nessus 7664 Multiple buffer overflows in libnasl in Nessus before 2.0.6 allow local users with plugin upload privileges to cause a denial of service (core dump) and possibly execute arbitrary code via (1) a long proto argument to the scanner_add_port function, (2) a long user argument to the ftp_log_in function, (3) a long pass argument to the ftp_log_in function. 20030522 Potential security vulnerability in Nessus 7664 20030523 nessus NASL scripting engine security issues Multiple unknown vulnerabilities in Nessus before 2.0.6, in libnessus and possibly libnasl, a different set of vulnerabilities than those identified by CVE-2003-0372 and CVE-2003-0373, aka "similar issues in other nasl functions as well as in libnessus." 7664 20030522 Potential security vulnerability in Nessus Cross-site scripting (XSS) vulnerability in member.php of XMBforum XMB 1.8.x (aka Partagium) allows remote attackers to insert arbitrary HTML and web script via the "member" parameter. 7662 20030522 XMB 1.8 Partagium cross site scripting vulnerability http://forums.xmbforum.com/viewthread.php?tid=773046 Buffer overflow in Eudora 5.2.1 allows remote attackers to cause a denial of service (crash and failed restart) and possibly execute arbitrary code via an Attachment Converted argument with a large number of . (dot) characters. 20030523 Eudora 5.2.1 buffer overflow DoS SQL injection vulnerability in the web-based administration interface for iisPROTECT 2.2-r4, and possibly earlier versions, allows remote attackers to insert arbitrary SQL and execute code via certain variables, as demonstrated using the GroupName variable in SiteAdmin.ASP. 20030523 iisPROTECT SQL injection in admin interface The Kerberos login authentication feature in Mac OS X, when used with an LDAPv3 server and LDAP bind authentication, may send cleartext passwords to the LDAP server when the AuthenticationAuthority attribute is not set. VU#467828 http://docs.info.apple.com/article.html?artnum=107579 Unknown vulnerability in Apple File Service (AFP Server) for Mac OS X Server, when sharing files on a UFS or re-shared NFS volume, allows remote attackers to overwrite arbitrary files. http://lists.apple.com/mhonarc/security-announce/msg00030.html Buffer overflow in atftp daemon (atftpd) 0.6.1 and earlier, and possibly later versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename. DSA-314 20030606 atftpd bug 20030604 possible remote buffer overflow in atftpd Multiple vulnerabilities in noweb 2.9 and earlier creates temporary files insecurely, which allows local users to overwrite arbitrary files via multiple vectors including the noroff script. DSA-323 Buffer overflow in Eterm 0.9.2 allows local users to gain privileges via a long ETERMPATH environment variable. DSA-309 7708 20030509 BAZARR CODE NINER PINK TEAM GO GO GO Buffer overflow in xaos 3.0-23 and earlier, when running setuid, allows local users to gain root privileges via a long -language option. DSA-310 20030605 BAZARR LOCAL ROOT AGAIN. HI GUYS. DONT READ THIS OpenSSH 3.6.1 and earlier, when restricting host access by numeric IP addresses and with VerifyReverseMapping disabled, allows remote attackers to bypass "from=" and "user@host" address restrictions by connecting to a host from a system whose reverse DNS hostname contains the numeric IP address. VU#978316 20030605 OpenSSH remote clent address restriction circumvention oval:org.mitre.oval:def:9894 http://lists.apple.com/mhonarc/security-announce/msg00038.html http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html 7831 RHSA-2006:0698 RHSA-2006:0298 http://support.avaya.com/elmodocs2/security/ASA-2006-174.htm 23680 22196 21724 21262 21129 20060703-01-P pam_wheel in Linux-PAM 0.78, with the trust option enabled and the use_uid option disabled, allows local users to spoof log entries and gain privileges by causing getlogin() to return a spoofed user name. http://www.idefense.com/advisory/06.16.03.txt 20030616 FW: iDEFENSE Security Advisory 06.16.03: Linux-PAM getlogin() Spoofing RHSA-2004:304 Cross-site scripting (XSS) vulnerability in the secure redirect function of RSA ACE/Agent 5.0 for Windows, and 5.x for Web, allows remote attackers to insert arbitrary web script and possibly cause users to enter a passphrase via a GET request containing the script. http://www.rapid7.com/advisories/R7-0014.html 20030619 R7-0014: RSA SecurID ACE Agent Cross Site Scripting Multiple buffer overflows in Options Parsing Tool (OPT) shared library 3.18 and earlier, when used in setuid programs, may allow local users to execute arbitrary code via long command line options that are fed into macros such as opt_warn_2, as used in functions such as opt_atoi. http://nis-www.lanl.gov/~jt/Software/opt/opt-3.19.tar.gz 20030523 Re: Options Parsing Tool library buffer overflows. 20030424 SRT2003-04-24-1532 - Options Parsing Tool library buffer overflows. Format string vulnerability in Magic WinMail Server 2.3, and possibly other 2.x versions, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the PASS command. http://www.magicwinmail.net/changelog.asp 20030523 Magic Winmail Server Directory traversal vulnerability in ST FTP Service 3.0 allows remote attackers to list arbitrary directories via a CD command with a DoS drive letter argument (e.g. E:). 20030523 ST FTP Service v3.0: directory traversal Privacyware Privatefirewall 3.0 does not block certain incoming packets when in "Filter Internet Traffic" or Deny Internet Traffic" modes, which allows remote attackers to identify running services via FIN scans or Xmas scans. 7700 20030524 Some problems in Privatefirewall 3.0 objects.inc.php4 in BLNews 2.1.3 allows remote attackers to execute arbitrary PHP code via a Server[path] parameter that points to malicious code on an attacker-controlled web site. 20030524 PHP source code injection in BLNews 7677 Ultimate PHP Board (UPB) 1.9 allows remote attackers to execute arbitrary PHP code with UPB administrator privileges via an HTTP request containing the code in the User-Agent header, which is executed when the administrator executes admin_iplog.php. 20030524 UPB: Discussion Board/Web-Site Takeover http://f0kp.iplus.ru/bz/024.en.txt Buffer overflow in les for ATM on Linux (linux-atm) before 2.4.1, if used setuid, allows local users to gain privileges via a long -f command line argument. http://sourceforge.net/project/shownotes.php?release_id=156242 7437 http://www.securiteam.com/exploits/5EP0M1P9PO.html 20030428 ATM on Linux Exploit Code Release (les, local) atmonlinux-les-command-bo(11903) 20030524 ATM on linux Exploit(les,local) Buffer overflow in FastTrack (FT) network code, as used in Kazaa 2.0.2 and possibly other versions and products, allows remote attackers to execute arbitrary code via a packet containing a large list of supernodes, aka "Packet 0' death." 7680 fastrack-packet-0-bo(12086) 20030526 The PACKET 0' DEATH FastTrack network vulnerability Vignette StoryServer 4 and 5, and Vignette V/5 and V/6, with the SSI EXEC feature enabled, allows remote attackers to execute arbitrary code via a text variable to a Vignette Application that is later displayed. 7685 http://www.s21sec.com/es/avisos/s21sec-016-en.txt vignette-ssi-command-execution(12077) 20030526 S21SEC-016 - Vignette SSI Injection Vignette StoryServer 4 and 5, Vignette V/5, and possibly other versions allows remote attackers to perform unauthorized SELECT queries by setting the vgn_creds cookie to an arbitrary value and directly accessing the save template. http://www.s21sec.com/es/avisos/s21sec-017-en.txt vignette-save-obtain-information(12076) 7683 20030526 S21SEC-017 - Vignette /vgn/legacy/save SQL access Vignette StoryServer and Vignette V/5 does not properly calculate the size of text variables, which causes Vignette to return unauthorized portions of memory, as demonstrated using the "-->" string in a CookieName argument to the login template, referred to as a "memory leak" in some reports. vignette-memory-leak(12075) 7684 http://www.s21sec.com/es/avisos/s21sec-018-en.txt 20030526 S21SEC-018 - Vignette memory leak AIX Platform Vignette StoryServer and Vignette V/5 allows remote attackers to obtain sensitive information via a request for the /vgn/style template. 7688 http://www.s21sec.com/es/avisos/s21sec-019-en.txt vignette-style-info-disclosure(12074) 20030526 S21SEC-019 - Vignette /vgn/style internal information leak The default login template (/vgn/login) in Vignette StoryServer 5 and Vignette V/5 generates different responses whether a user exists or not, which allows remote attackers to identify valid usernames via brute force attacks. http://www.s21sec.com/en/avisos/s21sec-020-en.txt 7691 vignette-login-account-bruteforce(12073) 20030526 S21SEC-020 - Vignette user enumeration Vignette StoryServer 5 and Vignette V/5 allows remote attackers to read and modify license information, and cause a denial of service (service halt) by directly accessing the /vgn/license template. http://www.s21sec.com/es/avisos/s21sec-021-en.txt 7694 vignette-license-modification(12072) 20030526 S21SEC-021 - Vignette License access and modification Multiple Cross Site Scripting (XSS) vulnerabilities in Vignette StoryServer 4 and 5, and Vignette V/5 and V/6, allow remote attackers to insert arbitrary HTML and script via text variables, as demonstrated using the errInfo parameter of the default login template. 7687 http://www.s21sec.com/es/avisos/s21sec-023-en.txt vignette-multiple-xss(12071) 20030526 S21SEC-023 - Vignette multiple Cross Site Scripting vulnerabilities Vignette StoryServer 5 and Vignette V/6 allows remote attackers to execute arbitrary TCL code via (1) an HTTP query or cookie which is processed in the NEEDS command, or (2) an HTTP Referrer that is processed in the VALID_PATHS command. 7692 7690 http://www.s21sec.com/es/avisos/s21sec-024-en.txt vignette-tcl-code-execution(12070) 20030526 S21SEC-024 - Vignette TCL Injection PalmVNC 1.40 and earlier stores passwords in plaintext in the PalmVNCDB, which is backed up to PCs that the Palm is synchronized with, which could allow attackers to gain privileges. 7696 palmvnc-plaintext-passwords(12083) 20030526 PalmVNC 1.40 Insecure Records Buffer overflow in gbnserver for Gnome Batalla Naval 1.0.4 allows remote attackers to execute arbitrary code via a long connection string. 7699 batalla-naval-bo(12087) 20030526 [Priv8security_Advisory]_Batalla_Naval_remote_overflow Buffer overflow in Uptime Client (UpClient) 5.0b7, and possibly other versions, allows local users to gain privileges via a long -p argument. 7703 upclient-command-line-bo(12131) 20030527 NuxAcid#002 - Buffer Overflow in UpClient Buffer overflow in BRS WebWeaver 1.04 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP (1) POST or (2) HEAD request. 7695 webweaver-head-post-bo(12107) 20030527 BRS WebWeaver: POST and HEAD Overflaws Buffer overflow in AnalogX Proxy 4.13 allows remote attackers to execute arbitrary code via a long URL to port 6588. 7681 analogx-proxy-url-bo(12068) 20030526 NII Advisory - Buffer Overflow in Analogx Proxy 20030526 NII Advisory - Buffer Overflow in Analogx Proxy http://www.analogx.com/contents/download/network/proxy.htm Sun ONE Application Server 7.0 for Windows 2000/XP allows remote attackers to obtain JSP source code via a request that uses the uppercase ".JSP" extension instead of the lowercase .jsp extension. 7709 sunone-jsp-source-disclosure(12093) N-103 55221 http://www.spidynamics.com/sunone_alert.html 1000610 20030526 Multiple Vulnerabilities in Sun-One Application Server Sun ONE Application Server 7.0 for Windows 2000/XP does not log the complete URI of a long HTTP request, which could allow remote attackers to hide malicious activities. 7711 N-103 55221 http://www.spidynamics.com/sunone_alert.html 1000610 20030526 Multiple Vulnerabilities in Sun-One Application Server Cross-site scripting (XSS) vulnerability in the webapps-simple sample application for (1) Sun ONE Application Server 7.0 for Windows 2000/XP or (2) Sun Java System Web Server 6.1 allows remote attackers to insert arbitrary web script or HTML via an HTTP request that generates an "Invalid JSP file" error, which inserts the text in the resulting error message. 7710 sunone-http-error-xss(12095) N-103 55221 http://www.spidynamics.com/sunone_alert.html 1000610 201009 57605 20030526 Multiple Vulnerabilities in Sun-One Application Server The installation of Sun ONE Application Server 7.0 for Windows 2000/XP creates a statefile with world-readable permissions, which allows local users to gain privileges by reading a plaintext password in the statefile. http://www.spidynamics.com/sunone_alert.html 7712 sunone-insecure-file-permissions(12096) N-103 1000610 55221 20030526 Multiple Vulnerabilities in Sun-One Application Server Remote PC Access Server 2.2 allows remote attackers to cause a denial of service (crash) by receiving packets from the server and sending them back to the server. http://www.ytech.co.il/advisories/rpca/rpcaccess.htm 7698 20030528 Remote PC Access Server 2.2 Vulnerability Cross-site scripting (XSS) vulnerability in index.cgi for Bandmin 1.4 allows remote attackers to insert arbitrary HTML or script via (1) the year parameter in a showmonth action, (2) the month parameter in a showmonth action, or (3) the host parameter in a showhost action. 7729 bandmin-index-xss(12108) 20030528 Bandmin 1.4 XSS Exploit Directory traversal vulnerability in Son hServer 0.2 allows remote attackers to read arbitrary files via ".|." (modified dot-dot) sequences. 7717 sonhserver-pipe-directory-traversal(12103) 20030529 Son hServer v0.2: directory traversal The Linux 2.0 kernel IP stack does not properly calculate the size of an ICMP citation, which causes it to include portions of unauthorized memory in ICMP error responses. VU#471084 http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt 20030609 Linux 2.0 remote info leak from too big icmp citation SMC Networks Barricade Wireless Cable/DSL Broadband Router SMC7004VWBR allows remote attackers to cause a denial of service via certain packets to PPTP port 1723 on the internal interface. http://www.idefense.com/advisory/06.11.03.txt Information leak in dsimportexport for Apple Macintosh OS X Server 10.2.6 allows local users to obtain the username and password of the account running the tool. http://www.kb.cert.org/vuls/id/JPLA-5NTL8E macos-dsimportexport-obtain-information(12342) 7894 ESB-2003.0415 9025 Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0502. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to cause a denial of service (crash) via a request to view_broadcast.cgi that does not contain the required parameters. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server parse_xml.cgi in Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to obtain the source code for parseable files via the filename parameter. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to obtain the source code for scripts by appending encoded space (%20) or . (%2e) characters to an HTTP request for the script, e.g. view_broadcast.cgi. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Directory traversal vulnerability in Apple QuickTime / Darwin Streaming Server before 4.1.3f allows remote attackers to read arbitrary files via a ... (triple dot) in an HTTP request. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server The installation of Apple QuickTime / Darwin Streaming Server before 4.1.3f starts the administration server with a "Setup Assistant" page that allows remote attackers to set the administrator password and gain privileges before the real administrator. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Buffer overflow in mikmod 3.1.6 and earlier allows remote attackers to execute arbitrary code via an archive file that contains a file with a long filename. DSA-320 oval:org.mitre.oval:def:10194 RHSA-2005:506 oval:org.mitre.oval:def:647 Unknown vulnerability in the DCERPC (DCE/RPC) dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (memory consumption) via a certain NDR string. VU#542540 http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:75 The OSI dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via invalid IPv4 or IPv6 prefix lengths, possibly triggering a buffer overflow. http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:84 The SPNEGO dissector in Ethereal 0.9.12 and earlier allows remote attackers to cause a denial of service (crash) via an invalid ASN.1 value. http://www.ethereal.com/appnotes/enpa-sa-00010.html 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:88 The tvb_get_nstringz0 function in Ethereal 0.9.12 and earlier does not properly handle a zero-length buffer size, with unknown consequences. http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:101 Ethereal 0.9.12 and earlier does not handle certain strings properly, with unknown consequences, in the (1) BGP, (2) WTP, (3) DNS, (4) 802.11, (5) ISAKMP, (6) WSP, (7) CLNP, (8) ISIS, and (9) RMI dissectors. http://www.ethereal.com/appnotes/enpa-sa-00010.html DSA-324 9007 CSSA-2003-030.0 RHSA-2003:077 CLA-2003:662 oval:org.mitre.oval:def:106 Multiple buffer overflows in gnocatan 0.6.1 and earlier allow attackers to execute arbitrary code. DSA-315 Various PDF viewers including (1) Adobe Acrobat 5.06 and (2) Xpdf 1.01 allow remote attackers to execute arbitrary commands via shell metacharacters in an embedded hyperlink. VU#200132 RHSA-2003:197 RHSA-2003:196 9038 9037 20030709 xpdf vulnerability - CAN-2003-0434 20030613 -10Day CERT Advisory on PDF Files MDKSA-2003:071 oval:org.mitre.oval:def:664 Buffer overflow in net_swapscore for typespeed 0.4.1 and earlier allows remote attackers to execute arbitrary code. DSA-322 20030612 BAZARR THUG LIFE , DONT READ OR VIRUS INFECT YOU Buffer overflow in search.cgi for mnoGoSearch 3.1.20 allows remote attackers to execute arbitrary code via a long ul parameter. 7865 20030610 mnogosearch 3.1.20 and 3.2.10 buffer overflow Buffer overflow in search.cgi for mnoGoSearch 3.2.10 allows remote attackers to execute arbitrary code via a long tmplt parameter. 7866 20030610 mnogosearch 3.1.20 and 3.2.10 buffer overflow eldav WebDAV client for Emacs, version 0.7.2 and earlier, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. DSA-325 The (1) semi MIME library 1.14.5 and earlier, and (2) wemi 1.14.0 and possibly other versions, allows local users to overwrite arbitrary files via a symlink attack on temporary files. RHSA-2003:234 DSA-339 RHSA-2003:231 oval:org.mitre.oval:def:569 Multiple buffer overflows in Orville Write (orville-write) 2.53 and earlier allow local users to gain privileges. 7988 DSA-326 orvillewrite-variables-bo(12381) Cross-site scripting (XSS) vulnerability in the transparent SID support capability for PHP before 4.3.2 (session.use_trans_sid) allows remote attackers to insert arbitrary script via the PHPSESSID parameter. RHSA-2003:204 http://shh.thathost.com/secadv/2003-05-11-php.txt 20030707 [OpenPKG-SA-2003.032] OpenPKG Security Advisory (php) 7761 DSA-351 20030530 PHP Trans SID XSS (Was: New php release with security fixes) php-session-id-xss(12259) TLSA-2003-47 1008653 4758 MDKSA-2003:082 N-112 CLSA-2003:691 oval:org.mitre.oval:def:485 Heap-based buffer overflow in GTKSee 0.5 and 0.5.1 allows remote attackers to execute arbitrary code via a PNG image of certain color depths. gtksee-png-bo(12462) 8061 DSA-337 Buffer overflow in webfs before 1.17.1 allows remote attackers to execute arbitrary code via an HTTP request with a long Request-URI. DSA-328 Cross-site scripting (XSS) in Internet Explorer 5.5 and 6.0, possibly in a component that is also used by other Microsoft products, allows remote attackers to insert arbitrary web script via an XML file that contains a parse error, which inserts the script in the resulting error message. http://security.greymagic.com/adv/gm013-ie/ 20030617 Cross-Site Scripting in Unparsable XML Files (GM#013-IE) 20030617 Re: [Full-Disclosure] Cross-Site Scripting in Unparsable XML Files 20030617 Cross-Site Scripting in Unparsable XML Files (GM#013-IE) 20030617 Cross-Site Scripting in Unparsable XML Files (GM#013-IE) ie-msxml-xss(12334) 7938 3065 9055 20030617 Re: Cross-Site Scripting in Unparsable XML Files (GM#013-IE) The Custom HTTP Errors capability in Internet Explorer 5.01, 5.5 and 6.0 allows remote attackers to execute script in the Local Zone via an argument to shdocvw.dll that causes a "javascript:" link to be generated. http://security.greymagic.com/adv/gm014-ie/ 20030617 Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE) 20030617 Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE) 20030617 Script Injection to Custom HTTP Errors in Local Zone (GM#014-IE) Portmon 1.7 and possibly earlier versions allows local users to read and write arbitrary files via the (1) -c (host file) or (2) -l (log file) command line options. 20030618 Portmon file arbitrary read/write access vulnerability Progress Database 9.1 to 9.1D06 trusts user input to find and load libraries using dlopen, which allows local users to gain privileges via (1) a PATH environment variable that points to malicious libraries, as demonstrated using libjutil.so in_proapsv, or (2) the -installdir command line parameter, as demonstrated using librocket_r.so in _dbagent. http://www.secnetops.com/research/advisories/SRT2003-06-13-1009.txt http://www.secnetops.com/research/advisories/SRT2003-06-13-0945.txt 20030614 SRT2003-06-13-1009 - Progress _dbagent -installdir dlopen() issue 20030614 SRT2003-06-13-0945 - Progress PATH based dlopen() issue Cistron RADIUS daemon (radiusd-cistron) 1.6.6 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large value in an NAS-Port attribute, which is interpreted as a negative number and causes a buffer overflow. TLSA-2003-40 DSA-321 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=196063 SuSE-SA:2003:030 CLA-2003:664 Multiple buffer overflows in xbl before 1.0k allow local users to gain privileges via certain long command line arguments. DSA-327 Buffer overflows in osh before 1.7-11 allow local users to execute arbitrary code and bypass shell restrictions via (1) long environment variables or (2) long "file redirections." DSA-329 traceroute-nanog 6.1.1 allows local users to overwrite unauthorized memory and possibly execute arbitrary code via certain "nprobes" and "max_ttl" arguments that cause an integer overflow that is used when allocating memory, which leads to a buffer overflow. DSA-348 20030620 BAZARR FAREWELL Multiple buffer overflows in xgalaga 2.0.34 and earlier allow local users to gain privileges via a long HOME environment variable. DSA-334 The imagemagick libmagick library 5.5 and earlier creates temporary files insecurely, which allows local users to create or overwrite arbitrary files. DSA-331 RHSA-2004:494 20030710 [OpenPKG-SA-2003.034] OpenPKG Security Advisory (imagemagick) VisNetic WebSite 3.5 allows remote attackers to obtain the full pathname of the server via a request containing a folder that does not exist, which leaks the pathname in an error message, as demonstrated using _vti_bin/fpcount.exe. 8075 20030701 VisNetic WebSite Path Disclosure Vulnerability 20030701 VisNetic WebSite Path Disclosure Vulnerability visnetic-website-path-disclosure(12483) http://www.krusesecurity.dk/advisories/vis0103.txt Unknown vulnerability in HP NonStop Server D40.00 through D48.03, and G01.00 through G06.20, allows local users to gain additional privileges. 8080 SSRT3488 KDE Konqueror for KDE 3.1.2 and earlier does not remove authentication credentials from URLs of the "user:password@host" form in the HTTP-Referer header, which could allow remote web sites to steal the credentials for pages that link to the sites. RHSA-2003:236 RHSA-2003:235 20030802 [slackware-security] KDE packages updated (SSA:2003-213-01) TLSA-2003-45 http://www.kde.org/info/security/advisory-20030729-1.txt DSA-361 20030729 KDE Security Advisory: Konqueror Referrer Authentication Leak MDKSA-2003:079 CLA-2003:747 oval:org.mitre.oval:def:411 The rotatelogs program on Apache before 1.3.28, for Windows and OS/2 systems, does not properly ignore certain control characters that are received over the pipe, which could allow remote attackers to cause a denial of service. VU#694428 http://www.apache.org/dist/httpd/Announcement.html /proc/tty/driver/serial in Linux 2.4.x reveals the exact number of characters used in serial links, which could allow local users to obtain potentially sensitive information such as the length of passwords. RHSA-2003:238 DSA-423 RHSA-2004:188 DSA-358 http://rsbac.dyndns.org/pipermail/rsbac/2002-May/000162.html oval:org.mitre.oval:def:9330 oval:org.mitre.oval:def:997 oval:org.mitre.oval:def:304 A race condition in the way env_start and env_end pointers are initialized in the execve system call and used in fs/proc/base.c on Linux 2.4 allows local users to cause a denial of service (crash). RHSA-2003:238 DSA-423 RHSA-2003:198 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:309 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The RPC code in Linux kernel 2.4 sets the reuse flag when sockets are created, which could allow local users to bind to UDP ports that are used by privileged services such as nfsd. RHSA-2003:238 oval:org.mitre.oval:def:311 The kernel strncpy function in Linux 2.4 and 2.5 does not %NUL pad the buffer on architectures other than x86, as opposed to the expected behavior of strncpy as implemented in libc, which could lead to information leaks. RHSA-2004:188 oval:org.mitre.oval:def:10285 http://marc.theaimsgroup.com/?l=linux-kernel&m=105796415223490&w=2 http://marc.theaimsgroup.com/?l=linux-kernel&m=105796021120436&w=2 Off-by-one error in the fb_realpath() function, as derived from the realpath function in BSD, may allow attackers to execute arbitrary code, as demonstrated in wu-ftpd 2.5.0 through 2.6.2 via commands that cause pathnames of length MAXPATHLEN+1 to trigger a buffer overflow, including (1) STOR, (2) RETR, (3) APPE, (4) DELE, (5) MKD, (6) RMD, (7) STOU, or (8) RNTO. VU#743092 8315 libc-realpath-offbyone-bo(12785) TLSA-2003-46 20060214 Re: Latest wu-ftpd exploit :-s 20060213 Latest wu-ftpd exploit :-s RHSA-2003:246 RHSA-2003:245 6602 SuSE-SA:2003:032 DSA-357 1001257 1007380 9535 9447 9446 9423 20030804 Off-by-one Buffer Overflow Vulnerability in BSD libc realpath(3) 20030804 wu-ftpd-2.6.2 off-by-one remote exploit. FreeBSD-SA-03:08 20030731 wu-ftpd fb_realpath() off-by-one bug http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt IMNX-2003-7+-019-01 20030731 wu-ftpd fb_realpath() off-by-one bug NetBSD-SA2003-011.txt.asc MDKSA-2003:080 oval:org.mitre.oval:def:1970 Unknown vulnerability in ip_nat_sack_adjust of Netfilter in Linux kernels 2.4.20, and some 2.5.x, when CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC is enabled, or the ip_nat_ftp or ip_nat_irc modules are loaded, allows remote attackers to cause a denial of service (crash) in systems using NAT, possibly due to an integer signedness error. 20030802 [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle) Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port. DSA-363 20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning 8333 RHSA-2003:251 SuSE-SA:2003:033 9433 MDKSA-2003:081 CLA-2003:717 oval:org.mitre.oval:def:522 Buffer overflow in the HTML Converter (HTML32.cnv) on various Windows operating systems allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via cut-and-paste operation, as demonstrated in Internet Explorer 5.0 using a long "align" argument in an HR tag. VU#823260 CA-2003-14 MS03-023 20030622 Internet Explorer >=5.0 : Buffer overflow 20030625 Re: Internet Explorer >=5.0 : Buffer overflow 20030701 PoC for Internet Explorer >=5.0 buffer overflow (trivial exploit for hard case). 8016 Buffer overflow in the "RuFSI Utility Class" ActiveX control (aka "RuFSI Registry Information Class"), as used for the Symantec Security Check service, allows remote attackers to execute arbitrary code via a long argument to CompareVersionStrings. VU#527228 20030624 [Symantec Security Advisor] Symantec Security Check ActiveX Buffer Overflow symantec-security-activex-bo(12423) 8008 1007029 9091 20030622 Symantec ActiveX control buffer overflow Buffer overflow in WebAdmin.exe for WebAdmin allows remote attackers to execute arbitrary code via an HTTP request to WebAdmin.dll with a long USER argument. 20030624 Remote Buffer Overrun WebAdmin.exe 8024 2207 20030624 Re: WebAdmin from ALT-N remote exploit PoC The IPv6 capability in IRIX 6.5.19 allows remote attackers to cause a denial of service (hang) in inetd via port scanning. 20030607-01-P irix-inetd-portscan-dos(12676) 8027 8585 Unknown vulnerability in the IPv6 capability in IRIX 6.5.19 causes snoop to process packets as the root user, with unknown implications. 20030607-01-P irix-snoop-gain-privileges(12677) 8029 8586 Directory traversal vulnerability in iWeb Server allows remote attackers to read arbitrary files via an HTTP request containing .. sequences, a different vulnerability than CVE-2003-0475. 20030627 Re: TA-2003-06 Directory Transversal Vulnerability in iWeb Server 20030416 SFAD03-001: iWeb Mini Web Server Remote Directory Traversal Directory traversal vulnerability in iWeb Server 2 allows remote attackers to read arbitrary files via an HTTP request containing URL-encoded .. sequences ("%5c%2e%2e"), a different vulnerability than CVE-2003-0474. 20030627 Re: TA-2003-06 Directory Transversal Vulnerability in iWeb Server 20030623 TA-2003-06 Directory Transversal Vulnerability in iWeb Server 2 The execve system call in Linux 2.4.x records the file descriptor of the executable process in the file table of the calling process, which allows local users to gain read access to restricted file descriptors. RHSA-2003:368 DSA-423 RHSA-2003:408 RHSA-2003:238 DSA-358 MDKSA-2003:074 20030626 Linux 2.4.x execve() file read race vulnerability oval:org.mitre.oval:def:327 wzdftpd 0.1rc4 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command without an argument. http://www.wzdftpd.net/changea.html 20030627 wzdftpd remote DoS Format string vulnerability in (1) Bahamut IRCd 1.4.35 and earlier, and other IRC daemons based on Bahamut including (2) digatech 1.2.1, (3) methane 0.1.1, (4) AndromedeIRCd 1.2.3-Release, and (5) ircd-RU, when running in debug mode, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a request containing format strings. 20030627 Bahamut DoS 20030627 Re: Bahamut IRCd <= 1.4.35 and several derived daemons 20030626 Bahamut IRCd <= 1.4.35 and several derived daemons Cross-site scripting (XSS) vulnerability in the guestbook for WebBBS allows remote attackers to insert arbitrary web script via the (1) Name, (2) Email, or (3) Message fields. 20030627 WebBBS Guestbook : Cross Site Scripting VMware Workstation 4.0 for Linux allows local users to overwrite arbitrary files and gain privileges via "symlink manipulation." http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1019 20030627 VMware Workstation 4.0: Possible privilege escalation on the host Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow remote attackers to insert arbitrary web script, as demonstrated using the msg parameter to file_select.php. 20030623 [KSA-001] Multiple vulnerabilities in Tutos TUTOS 1.1 allows remote attackers to execute arbitrary code by uploading the code using file_new.php, then directly accessing the uploaded code via a request to the repository containing the code. 20030623 [KSA-001] Multiple vulnerabilities in Tutos Cross-site scripting (XSS) vulnerabilities in XMB Forum 1.8 Partagium allow remote attackers to insert arbitrary script via (1) the member parameter to member.php or (2) the action parameter to buddy.php. 20030623 Many XSS Vulnerabilities in XMB Forum. Cross-site scripting (XSS) vulnerability in viewtopic.php for phpBB allows remote attackers to insert arbitrary web script via the topic_id parameter. 20030621 XSS Exploit In phpBB viewtopic.php Buffer overflow in Progress 4GL Compiler 9.1D06 and earlier allows attackers to execute arbitrary code via source code containing a long, invalid data type. 7997 20030620 SRT2003-06-20-1232 - Progress 4GL Compiler datatype overflow SQL injection vulnerability in viewtopic.php for phpBB 2.0.5 and earlier allows remote attackers to steal password hashes via the topic_id parameter. phpbb-viewtopic-sql-injection(12366) 7979 http://www.phpbb.com/phpBB/viewtopic.php?t=112052 20030619 phpBB password disclosure by sql injection Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long folder parameter in the list module, and (4) a long user parameter in the do_map module. 7967 kerio-multiple-modules-bo(12368) http://nautopia.org/vulnerabilidades/kerio_mailserver.htm 20030618 Multiple buffer overflows and XSS in Kerio MailServer Multiple cross-site scripting (XSS) vulnerabilities in Kerio MailServer 5.6.3 allow remote attackers to insert arbitrary web script via (1) the add_name parameter in the add_acl module, or (2) the alias parameter in the do_map module. 7968 7966 kerio-multiple-modules-xss(12367) http://nautopia.org/vulnerabilidades/kerio_mailserver.htm 20030618 Multiple buffer overflows and XSS in Kerio MailServer tcptraceroute 1.4 and earlier does not fully drop privileges after obtaining a file descriptor for capturing packets, which may allow local users to gain access to the descriptor via a separate vulnerability in tcptraceroute. DSA-330 The installation of Dantz Retrospect Client 5.0.540 on MacOS X 10.2.6, and possibly other versions, creates critical directories and files with world-writable permissions, which allows local users to gain privileges as other users by replacing programs with malicious code. 20030616 Dantz Retrospect Client 5.0.540 for Mac OS X - permission issues The Tutorials 2.0 module in XOOPS and E-XOOPS allows remote attackers to execute arbitrary code by uploading a PHP file without a MIME image type, then directly accessing the uploaded file. 20030616 Directory traversal vulnerability on Xoops/E-xoops CMS module "tutorials" 20030614 Directory traversal vulnerability on Xoops/E-xoops CMS module "tutorials" Cross-site scripting (XSS) vulnerability in search.asp for Snitz Forums 3.4.03 and earlier allows remote attackers to execute arbitrary web script via the Search parameter. snitz-search-xss(12325) 7922 20030616 Multiple Vulnerabilities In Snitz Forums Snitz Forums 3.4.03 and earlier allows attackers to gain privileges as other users by stealing and replaying the encrypted password after obtaining a valid session ID. 7924 20030616 Multiple Vulnerabilities In Snitz Forums password.asp in Snitz Forums 3.4.03 and earlier allows remote attackers to reset passwords and gain privileges as other users by via a direct request to password.asp with a modified member id. snitz-forums-password-reset(12326) 7925 20030616 Multiple Vulnerabilities In Snitz Forums Cross-site scripting (XSS) vulnerability in LedNews 0.7 allows remote attackers to insert arbitrary web script via a news item. lednews-message-xss(12304) 7920 20030615 XSS Vulnerability in LedNews (CGI/Perl) v0.7 Microsoft SQL Server before Windows 2000 SP4 allows local users to gain privileges as the SQL Server user by calling the xp_fileexist extended stored procedure with a named pipe as an argument instead of a normal file. A070803-1 20030709 Pipe Filename Local Privilege Escalation FAQ 20030715 CreateFile exploit, (working) 20030714 @stake named pipe exploit Cach�Ã�© Database 5.x installs /cachesys/bin/cache with world-writable permissions, which allows local users to gain privileges by modifying cache and executing it via cuxs. Cach�Ã�© Database 5.x installs the /cachesys/csp directory with insecure permissions, which allows local users to execute arbitrary code by adding server-side scripts that are executed with root privileges. Mantis 0.17.5 and earlier stores its database password in cleartext in a world-readable configuration file, which allows local users to perform unauthorized database operations. DSA-335 SQL injection vulnerability in the PostgreSQL authentication module (mod_sql_postgres) for ProFTPD before 1.2.9rc1 allows remote attackers to execute arbitrary SQL and gain privileges by bypassing authentication or stealing passwords via the USER name. DSA-338 20030618 SQL Inject in ProFTPD login against Postgresql using mod_sql The /proc filesystem in Linux allows local users to obtain sensitive information by opening various entries in /proc/self before executing a setuid program, which causes the program to fail to change the ownership and permissions of those entries. RHSA-2003:198 DSA-423 RHSA-2003:238 DSA-358 20030620 Linux /proc sensitive information disclosure RHSA-2003:239 oval:org.mitre.oval:def:328 Apple QuickTime / Darwin Streaming Server before 4.1.3g allows remote attackers to cause a denial of service (crash) via a .. (dot dot) sequence followed by an MS-DOS device name (e.g. AUX) in a request to HTTP port 1220, a different vulnerability than CVE-2003-0421. http://www.rapid7.com/advisories/R7-0015.html 20030723 R7-0015: Multiple Vulnerabilities Apple QuickTime/Darwin Streaming Server Buffer overflow in the ShellExecute API function of SHELL32.DLL in Windows 2000 before SP4 may allow attackers to cause a denial of service or execute arbitrary code via a long third argument. 20030703 [SNS Advisory No.65] Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow 20030703 [SNS Advisory No.65] Windows 2000 ShellExecute() API Let Applications to Cause Buffer Overflow http://www.lac.co.jp/security/intelligence/SNSAdvisory/65.html Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware 0.9.14.003 (aka webdistro) allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to index.php in the addressbook module. 20030702 [KSA-003] Cross Site Scripting Vulnerability in Phpgroupware http://www.security-corporation.com/articles-20030702-005.html DSA-365 MDKSA-2003:077 CLA-2003:697 Directory traversal vulnerability in Microsoft NetMeeting 3.01 2000 before SP4 allows remote attackers to read arbitrary files via "..\.." (dot dot) sequences in a file transfer request. 7931 20030702 CORE-2003-0305-04: NetMeeting Directory Traversal Vulnerability Microsoft NetMeeting 3.01 2000 before SP4 allows remote attackers to cause a denial of service (shutdown of NetMeeting conference) via malformed packets, as demonstrated via the chat conversation. 20030702 CORE-2003-0305-04: NetMeeting Directory Traversal Vulnerability Stack-based buffer overflow in Active Directory in Windows 2000 before SP4 allows remote attackers to cause a denial of service (reboot) and possibly execute arbitrary code via an LDAP version 3 search request with a large number of (1) "AND," (2) "OR," and possibly other statements, which causes LSASS.EXE to crash. VU#594108 Q319709 20030702 CORE-2003-0305-03: Active Directory Stack Overflow 7930 9171 Buffer overflow in the WWWLaunchNetscape function of Adobe Acrobat Reader (acroread) 5.0.7 and earlier allows remote attackers to execute arbitrary code via a .pdf file with a long mailto link. 20030701 [sec-labs] Adobe Acrobat Reader <=5.0.7 Buffer Overflow 20030709 Acroread 5.0.7 buffer overflow SQL injection vulnerability in Cyberstrong eShop 4.2 and earlier allows remote attackers to steal authentication information and gain privileges via the ProductCode parameter in (1) 10expand.asp, (2) 10browse.asp, and (3) 20review.asp. 20030701 CyberStrong Shopping Cart - Advisory & Exploit Code cyberstrongeshop-multiple-sql-injection(12485) 14112 14103 14101 10100 10099 10098 1007092 9165 Format string vulnerability in ezbounce 1.0 through 1.50 allows remote attackers to execute arbitrary code via the "sessions" command. 20030701 ezbounce[v1.0-(1.04a/1.50pre6)]: remote format string exploit. http://druglord.freelsd.org/ezbounce/ The web server for Cisco Aironet AP1x00 Series Wireless devices running certain versions of IOS 12.2 allow remote attackers to cause a denial of service (reload) via a malformed URL. http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003001.htm 20030728 HTTP GET Vulnerability in AP1x00 oval:org.mitre.oval:def:5834 20030728 Cisco Aironet AP 1100 Malformed HTTP Request Crash Vulnerability Cisco IOS 12.2 and earlier generates a "% Login invalid" message instead of prompting for a password when an invalid username is provided, which allows remote attackers to identify valid usernames on the system and conduct brute force password guessing, as reported for the Aironet Bridge. VU#886796 http://www.vigilante.com/inetsecurity/advisories/VIGILANTE-2003002.htm 20030724 Enumerating Locally Defined Users in Cisco IOS oval:org.mitre.oval:def:5824 20030728 Cisco Aironet AP1100 Valid Account Disclosure Vulnerability Microsoft Internet Explorer allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Internet Explorer to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue Apple Safari allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Safari to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue SQL injection vulnerabilities in the (1) PostgreSQL or (2) MySQL authentication modules for teapop 0.3.5 and earlier allow attackers to execute arbitrary SQL and possibly gain privileges. DSA-347 cnd.c in mgetty 1.1.28 and earlier does not properly filter non-printable characters and quotes, which may allow remote attackers to execute arbitrary commands via shell metacharacters in (1) caller ID or (2) caller name strings. ftp://alpha.greenie.net/pub/mgetty/source/1.1/mgetty1.1.29-Nov25.tar.gz faxrunqd.in in mgetty 1.1.28 and earlier allows local users to overwrite files via a symlink attack on JOB files. ftp://alpha.greenie.net/pub/mgetty/source/1.1/mgetty1.1.29-Nov25.tar.gz The screen saver in MacOS X allows users with physical access to cause the screen saver to crash and gain access to the underlying session via a large number of characters in the password field, possibly triggering a buffer overflow. 20030715 FIXED: MacOSX - crash screensaver locked with password and get thedesktop back http://docs.info.apple.com/article.html?artnum=120232 20030704 MacOSX - crash screensaver locked with password and get the desktop back Certain versions of Internet Explorer 5 and 6, in certain Windows environments, allow remote attackers to cause a denial of service (freeze) via a URL to C:\aux (MS-DOS device name) and possibly other devices. 20030707 Internet Explorer 6 DoS Bug Trillian 1.0 Pro and 0.74 Freeware allows remote attackers to cause a denial of service (crash) via a TypingUser message in which the "TypingUser" string has been modified. 8107 20030704 Trillian Remote DoS Cross-site scripting (XSS) vulnerability in cPanel 6.4.2 allows remote attackers to insert arbitrary HTML and possibly gain cPanel administrator privileges via script in a URL that is logged but not properly quoted when displayed via the (1) Error Log or (2) Latest Visitors screens. This vulnerability is addressed in the following product release: cPanel, cPanel, 7.0 20030706 cPanel Malicious HTML Tags Injection Vulnerability Multiple SQL injection vulnerabilities in ProductCart 1.5 through 2 allow remote attackers to (1) gain access to the admin control panel via the idadmin parameter to login.asp or (2) gain other privileges via the Email parameter to Custva.asp. 20030705 Re: Another ProductCart SQL Injection Vulnerability 20030704 Another ProductCart SQL Injection Vulnerability Cross-site scripting (XSS) vulnerability in msg.asp for certain versions of ProductCart allow remote attackers to execute arbitrary web script via the message parameter. 20030705 ProductCart XSS Vulnerability Qt in Knoppix 3.1 Live CD allows local users to overwrite arbitrary files via a symlink attack on the qt_plugins_3.0rc temporary file in the .qt directory. 20030708 Qt temporary files race condition in Knoppix 3.1 The getCanonicalPath function in Windows NT 4.0 may free memory that it does not own and cause heap corruption, which allows attackers to cause a denial of service (crash) via requests that cause a long file name to be passed to getCanonicalPath, as demonstrated on the IBM JVM using a long string to the java.io.getCanonicalPath Java method. winnt-file-management-dos (12701) MS03-029 A072303-1 oval:org.mitre.oval:def:319 Cross-site scripting (XSS) vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to inject arbitrary web script via a URL containing the script in the domain name portion, which is not properly cleansed in the default error pages (1) 500.htm for "500 Internal Server error" or (2) 404.htm for "404 Not Found." MS03-028 http://pivx.com/larholm/adv/TL006 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) 20030716 Microsoft ISA Server HTTP error handler XSS (TL#007) 20030716 ISA Server - Error Page Cross Site Scripting 20030716 ISA Server - Error Page Cross Site Scripting oval:org.mitre.oval:def:117 Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed RPC request with a long filename parameter, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0715. CA-2003-23 VU#254236 MS03-039 http://www.nsfocus.com/english/homepage/research/0306.htm 20030911 NSFOCUS SA2003-06 : Microsoft Windows RPC DCOM Interface Heap Overflow Vulnerability 20030920 The Analysis of RPC Long Filename Heap Overflow AND a Way to Write Universal Heap Overflow of Windows oval:org.mitre.oval:def:3966 oval:org.mitre.oval:def:2968 oval:org.mitre.oval:def:2884 oval:org.mitre.oval:def:127 Buffer overflow in the BR549.DLL ActiveX control for Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to execute arbitrary code. VU#548964 CA-2003-22 MS03-032 ie-br549-activex-bo(12962) 8454 1007538 9580 Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to access and execute script in the My Computer domain using the browser cache via crafted Content-Type and Content-Disposition headers, aka the "Browser Cache Script Execution in My Computer Zone" vulnerability. VU#205148 CA-2003-22 MS03-032 ie-cache-script-injection(12961) 8457 http://www.lac.co.jp/security/english/snsadv_e/67_e.html 9580 Internet Explorer 5.01 SP3 through 6.0 SP1 does not properly determine object types that are returned by web servers, which could allow remote attackers to execute arbitrary code via an object tag with a data parameter to a malicious file hosted on a server that returns an unsafe Content-Type, aka the "Object Type" vulnerability. VU#865940 MS03-032 http://www.eeye.com/html/Research/Advisories/AD20030820.html 20030820 EEYE: Internet Explorer Object Data Remote Execution Vulnerability 20030820 EEYE: Internet Explorer Object Data Remote Execution Vulnerability Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm. VU#753212 TA04-104A MS04-011 AD20040413C 20040429 MS04011 Lsasrv.dll RPC buffer overflow remote exploit (PoC) 20040413 EEYE: Windows Local Security Authority Service Remote Buffer Overflow win-lsass-bo(15699) 10108 O-114 oval:org.mitre.oval:def:919 oval:org.mitre.oval:def:898 oval:org.mitre.oval:def:883 Buffer overflow in xbl 1.0k and earlier allows local users to gain privileges via a long -display command line option. DSA-345 20030708 Fwd: xbl vulnerabilty Directory traversal vulnerability in phpSysInfo 2.1 and earlier allows attackers with write access to a local directory to read arbitrary files as the PHP user or cause a denial of service via .. (dot dot) sequences in the (1) template or (2) lng parameters. DSA-346 20030425 Unauthorized reading files on phpSysInfo http://sourceforge.net/tracker/index.php?func=detail&aid=670222&group_id=15&atid=100015 The liece Emacs IRC client 2.0+0.20030527 and earlier creates temporary files insecurely, which could allow local users to overwrite arbitrary files as other users. DSA-341 The mailcap file for mozart 1.2.5 and earlier causes Oz applications to be passed to the Oz interpreter, which allows remote attackers to execute arbitrary Oz programs in a MIME-aware client program. DSA-342 skk (Simple Kana to Kanji conversion program) 12.1 and earlier, and the ddskk package which is based on skk, creates temporary files insecurely, which allows local users to overwrite arbitrary files. DSA-343 RHSA-2003:242 oval:org.mitre.oval:def:28 The address parser code in Postfix 1.1.12 and earlier allows remote attackers to cause a denial of service (lock) via (1) a malformed envelope address to a local host that would generate a bounce and contains the ".!" string in the MAIL FROM or Errors-To headers, which causes nqmgr to lock up, or (2) via a valid MAIL FROM with a RCPT TO containing a ".!" string, which causes an instance of the SMTP listener to lock up. VU#895508 RHSA-2003:251 DSA-363 8333 SuSE-SA:2003:033 ESA-20030804-019 9433 2003-0029 20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning CLA-2003:717 MDKSA-2003:081 20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning oval:org.mitre.oval:def:544 gtkhtml before 1.1.10, as used in Evolution, allows remote attackers to cause a denial of service (crash) via a malformed message that causes a null pointer dereference. RHSA-2003:264 DSA-710 MDKSA-2003:093 CLA-2003:737 oval:org.mitre.oval:def:148 Multiple stack-based buffer overflows in (1) mod_alias and (2) mod_rewrite for Apache before 1.3.29 allow attackers to create configuration files to cause a denial of service (crash) or execute arbitrary code via a regular expression with more than 9 captures. VU#549142 VU#434566 8911 RHSA-2004:015 20031031 GLSA: apache (200310-04) apache-modalias-modrewrite-bo(13400) 9504 20031028 [OpenPKG-SA-2003.046] OpenPKG Security Advisory (apache) HPSBUX0311-301 RHSA-2005:816 RHSA-2003:405 RHSA-2003:360 RHSA-2003:320 MDKSA-2003:103 101841 101444 10593 10580 10463 10264 10260 10153 10114 10112 10102 10098 10096 oval:org.mitre.oval:def:9458 SSRT090208 HPSBOV02683 http://lists.apple.com/mhonarc/security-announce/msg00045.html APPLE-SA-2004-01-26 http://httpd.apache.org/dist/httpd/Announcement2.html http://docs.info.apple.com/article.html?artnum=61798 20040202-01-U 20031203-01-U SCOSA-2004.6 oval:org.mitre.oval:def:864 oval:org.mitre.oval:def:863 oval:org.mitre.oval:def:3799 Integer overflow in OpenSSL 0.9.6 and 0.9.7 allows remote attackers to cause a denial of service (crash) via an SSL client certificate with certain ASN.1 tag values. VU#255484 CA-2003-26 RHSA-2003:291 ADV-2006-3900 http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm RHSA-2003:292 ESA-20030930-027 DSA-394 DSA-393 201029 oval:org.mitre.oval:def:5292 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893 8732 http://www-1.ibm.com/support/docview.wss?uid=swg21247112 22249 oval:org.mitre.oval:def:4254 OpenSSL 0.9.6 and 0.9.7 does not properly track the number of characters in certain ASN.1 inputs, which allows remote attackers to cause a denial of service (crash) via an SSL client certificate that causes OpenSSL to read past the end of a buffer when the long form is used. VU#380864 CA-2003-26 RHSA-2003:292 RHSA-2003:291 ADV-2006-3900 http://www.uniras.gov.uk/vuls/2003/006489/openssl.htm ESA-20030930-027 DSA-394 DSA-393 201029 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=104893 openssl-asn1-sslclient-dos(43041) 8732 http://www-1.ibm.com/support/docview.wss?uid=swg21247112 22249 oval:org.mitre.oval:def:4574 Double free vulnerability in OpenSSL 0.9.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an SSL client certificate with a certain invalid ASN.1 encoding. VU#935264 CA-2003-26 RHSA-2003:292 ADV-2006-3900 8732 DSA-394 http://www-1.ibm.com/support/docview.wss?uid=swg21247112 22249 oval:org.mitre.oval:def:2590 up2date 3.0.7 and 3.1.23 does not properly verify RPM GPG signatures, which could allow remote attackers to cause unsigned packages to be installed from the Red Hat Network, if that network is compromised. RHSA-2003:255 oval:org.mitre.oval:def:631 GDM before 2.4.1.6, when using the "examine session errors" feature, allows local users to read arbitrary files via a symlink attack on the ~/.xsession-errors file. RHSA-2003:258 20030824 [slackware-security] GDM security update (SSA:2003-236-01) http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html CLA-2003:729 oval:org.mitre.oval:def:112 The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) when a chosen host expires, a different issue than CVE-2003-0549. RHSA-2003:259 RHSA-2003:258 http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html CLA-2003:729 oval:org.mitre.oval:def:113 The X Display Manager Control Protocol (XDMCP) support for GDM before 2.4.1.6 allows attackers to cause a denial of service (daemon crash) via a short authorization key name. RHSA-2003:259 RHSA-2003:258 http://mail.gnome.org/archives/gnome-hackers/2003-August/msg00045.html CLA-2003:729 oval:org.mitre.oval:def:129 The STP protocol, as enabled in Linux 2.4.x, does not provide sufficient security by design, which allows attackers to modify the bridge topology. RHSA-2003:238 DSA-423 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:380 The STP protocol implementation in Linux 2.4.x does not properly verify certain lengths, which could allow attackers to cause a denial of service. RHSA-2003:238 RHSA-2003:198 DSA-423 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:384 Linux 2.4.x allows remote attackers to spoof the bridge Forwarding table via forged packets whose source addresses are the same as the target. RHSA-2003:238 RHSA-2003:198 DSA-423 DSA-358 RHSA-2003:239 oval:org.mitre.oval:def:385 Buffer overflow in the Client Detection Tool (CDT) plugin (npcdt.dll) for Netscape 7.02 allows remote attackers to execute arbitrary code via an attachment with a long filename. 20030714 Netscape 7.02 Client Detection Tool plug-in buffer overrun http://jimmers.russia.webmatrixhosting.net/whitepapers/CDTbug.pdf NeoModus Direct Connect 1.0 build 9, and possibly other versions, allows remote attackers to cause a denial of service (connection and possibly memory exhaustion) via a flood of ConnectToMe requests containing arbitrary IP addresses and ports. 20030714 [sec-labs] Remote Denial of Service vulnerability in NeoModus Direct Connect 1.0 build 9 20030714 [sec-labs] Remote Denial of Service vulnerability in NeoModus Direct Connect 1.0 build 9 ImageMagick 5.4.3.x and earlier allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a "%x" filename, possibly triggering a format string vulnerability. 20030714 ImageMagick's Overflow Polycom MGC 25 allows remote attackers to cause a denial of service (crash) via a large number of "user" requests to the control port 5003, as demonstrated using the blast TCP stress tester. 20030712 DoS - Polycom MGC 25 Control Port 20030712 DoS - Polycom MGC 25 Control Port SQL injection vulnerability in login.asp for StoreFront 6.0, and possibly earlier versions, allows remote attackers to obtain sensitive user information via SQL statements in the password field. This issue was addressed in a hot fix for StoreFront 6.1 in late January 2004. 20030712 ZH2003-3SA (security advisory): Storefront sql injection: users Buffer overflow in LeapFTP 2.7.3.600 allows remote FTP servers to execute arbitrary code via a long IP address response to a PASV request. 20030711 LeapFTP remote buffer overflow exploit mainfile.php in phpforum 2 RC-1, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by modifying the MAIN_PATH parameter to reference a URL on a remote web server that contains the code. 20030710 PHP-Include-Hack-Possibility in phpforum 2 RC-1 SQL injection vulnerability in shopexd.asp for VP-ASP allows remote attackers to gain administrator privileges via the id parameter. 20030704 VPASP SQL Injection Vulnerability & Exploit CODE 8159 Multiple buffer overflows in IglooFTP PRO 3.8 allow remote FTP servers to execute arbitrary code via (1) a long FTP banner, or long responses to the client commands (2) USER, (3) PASS, (4) ACCT, and possibly other commands. 20030707 Multiple Buffer Overflows in IglooFTP PRO 20030707 Multiple Buffer Overflows in IglooFTP PRO Buffer overflow in the CGI2PERL.NLM PERL handler in Novell Netware 5.1 and 6.0 allows remote attackers to cause a denial of service (ABEND) via a long input string. VU#185593 http://www.protego.dk/advisories/200301.html http://support.novell.com/servlet/tidfinder/2966549 20030723 Buffer Overflow in Netware Web Server PERL Handler 20030723 Buffer Overflow in Netware Web Server PERL Handler 20030723 NOVL-2003-2966549 - Enterprise Web Server PERL Buffer Overflow Multiple vulnerabilities in multiple vendor implementations of the Secure/Multipurpose Internet Mail Extensions (S/MIME) protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an S/MIME email message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. VU#428230 http://www.uniras.gov.uk/vuls/2003/006489/smime.htm RHSA-2004:110 SSRT4722 smime-asn1-bo(13603) 8981 RHSA-2004:112 oval:org.mitre.oval:def:11462 20040402-01-U MDKSA-2004:021 FLSA:2089 oval:org.mitre.oval:def:914 oval:org.mitre.oval:def:872 Multiple vulnerabilities in multiple vendor implementations of the X.400 protocol allow remote attackers to cause a denial of service and possibly execute arbitrary code via an X.400 message containing certain unexpected ASN.1 constructs, as demonstrated using the NISSC test suite. VU#927278 http://www.uniras.gov.uk/vuls/2003/006489/x400.htm Cisco IOS 11.x and 12.0 through 12.2 allows remote attackers to cause a denial of service (traffic block) by sending a particular sequence of IPv4 packets to an interface on the device, causing the input queue on that interface to be marked as full. CA-2003-17 CA-2003-15 VU#411332 20030717 IOS Interface Blocked by IPv4 Packet oval:org.mitre.oval:def:5603 20030718 (no subject) Unknown vulnerability in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, allows attackers to cause a denial of service (memory consumption). 20030701-01-P irix-nsd-map-dos(12635) 8587 The DNS callbacks in nsd in SGI IRIX 6.5.x through 6.5.20f, and possibly earlier versions, do not perform sufficient sanity checking, with unknown impact. 20030701-01-P Unknown vulnerability in SGI IRIX 6.5.x through 6.5.20, and possibly earlier versions, allows local users to cause a core dump in scheme and possibly gain privileges via certain environment variables, a different vulnerability than CVE-2001-0797 and CVE-1999-0028. 20030702-01-P Heap-based buffer overflow in the name services daemon (nsd) in SGI IRIX 6.5.x through 6.5.21f, and possibly earlier versions, allows attackers to gain root privileges via the AUTH_UNIX gid list. VU#682900 20030704-01-P 8304 20030730 [LSD] IRIX nsd remote buffer overflow vulnerability irix-authunix-nsd-bo(12763) 2337 N-130 9390 Unknown vulnerability in the NFS daemon (nfsd) in SGI IRIX 6.5.19f and earlier allows remote attackers to cause a denial of service (kernel panic) via certain packets that cause XDR decoding errors, a different vulnerability than CVE-2003-0619. 20030801-02-P 20030801-01-P mpg123 0.59r allows remote attackers to cause a denial of service and possibly execute arbitrary code via an MP3 file with a zero bitrate, which creates a negative frame size. 6629 20030116 Re[2]: Local/remote mpg123 exploit CLA-2003:695 CSSA-2004-002.0 MDKSA-2003:078 7875 cci_dir in IBM U2 UniVerse 10.0.0.9 and earlier creates hard links and unlinks files as root, which allows local users to gain privileges by deleting and overwriting arbitrary files. 20030716 SRT2003-07-07-0831 - IBM U2 UniVerse cci_dir creates hard links as root 20030716 SRT2003-07-07-0831 - IBM U2 UniVerse cci_dir creates hard links as root uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier trusts the user-supplied -uv.install command line option to find and execute the uv.install program, which allows local users to gain privileges by providing a pathname that is under control of the user. 20030716 SRT2003-07-07-0833 - IBM U2 UniVerse users with uvadm rights can take root via uvadmsh 20030716 SRT2003-07-07-0833 - IBM U2 UniVerse users with uvadm rights can take root via uvadmsh Buffer overflow in uvadmsh in IBM U2 UniVerse 10.0.0.9 and earlier allows the uvadm user to execute arbitrary code via a long -uv.install command line argument. 20030716 SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows 20030716 SRT2003-07-08-1223 - IBM U2 UniVerse uvadm can take root via buffer overflows X Fontserver for Truetype fonts (xfstt) 1.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a (1) FS_QueryXExtents8 or (2) FS_QueryXBitmaps8 packet, and possibly other types of packets, with a large num_ranges value, which causes an out-of-bounds array access. DSA-360 20030714 xfstt-1.4 vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0504. Reason: This candidate is a duplicate of CVE-2003-0504. Notes: All CVE users should reference CVE-2003-0504 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via a long command line argument. 20030716 SRT2003-07-16-0358 - bru has buffer overflow and format issues Format string vulnerability in Backup and Restore Utility for Unix (BRU) 17.0 and earlier, when running setuid, allows local users to execute arbitrary code via format string specifiers in a command line argument. 20030716 SRT2003-07-16-0358 - bru has buffer overflow and format issues SQL injection vulnerability in login.asp of Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to bypass authentication and execute arbitrary SQL code via the (1) user or (2) pass parameters. 20030717 eStore SQL Injection Vulnerability & Path Disclosure Brooky eStore 1.0.1 through 1.0.2b allows remote attackers to obtain sensitive path information via a direct HTTP request to settings.inc.php. 20030717 eStore SQL Injection Vulnerability & Path Disclosure Cross-site scripting (XSS) vulnerability in Infopop Ultimate Bulletin Board (UBB) 6.x allows remote authenticated users to execute arbitrary web script and gain administrative access via the "displayed name" attribute of the "ubber" cookie. 20030716 Changing UBB cookie allows account hijack admin.php in Digi-news 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. 20030716 Digi-news and Digi-ads version 1.1 admin access without password admin.php in Digi-ads 1.1 allows remote attackers to bypass authentication via a cookie with the username set to the name of the administrator, which satisfies an improper condition in admin.php that does not require a correct password. 20030716 Digi-news and Digi-ads version 1.1 admin access without password Cross-site scripting (XSS) vulnerability in Splatt Forum allows remote attackers to insert arbitrary HTML and web script via the post icon (image_subject) field. http://members.fortunecity.it/lethalman2002/bugs/splatt.html 20030715 Splatt Forum html injection code in post icon ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a duplicate number that was created during the refinement phase. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage. Konqueror in KDE 3.1.3 and earlier (kdelibs) allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Konqueror to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. RHSA-2004:074 DSA-459 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue MDKSA-2004:022 oval:org.mitre.oval:def:823 Opera allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Opera to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue Mozilla allows remote attackers to bypass intended cookie access restrictions on a web application via "%2e%2e" (encoded dot dot) directory traversal sequences in a URL, which causes Mozilla to send the cookie outside the specified URL subsets, e.g. to a vulnerable application that runs on the same server as the target application. oval:org.mitre.oval:def:9826 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue 20040310 Corsaire Security Advisory: Multiple vendor HTTP user agent cookie path traversal issue RHSA-2004:112 MDKSA-2004:021 oval:org.mitre.oval:def:917 oval:org.mitre.oval:def:873 Buffer overflow in WiTango Application Server and Tango 2000 allows remote attackers to execute arbitrary code via a long cookie to Witango_UserReference. 20030718 Witango & Tango 2000 Application Server Remote System Buffer Overrun FDclone 2.00a, and other versions before 2.02a, creates temporary directories with predictable names and uses them if they already exist, which allows local users to read or modify files of other fdclone users by creating the directory ahead of time. DSA-352 http://bugs.debian.org/cgi-bin/bugreport.cgi?archive=no&bug=186219 Unknown vulnerability in display of Merge before 5.3.23a in UnixWare 7.1.x allows local users to gain root privileges. CSSA-2003-SCO-11 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0657. Reason: This candidate is a reservation duplicate of CVE-2003-0657. Notes: All CVE users should reference CVE-2003-0657 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unknown vulnerability in the Virtual File System (VFS) capability for phpGroupWare 0.9.16preRC and versions before 0.9.14.004 with unknown implications, related to the VFS path being under the web document root. http://www.phpgroupware.org DSA-365 http://mail.gnu.org/archive/html/phpgroupware-users/2003-07/msg00035.html Workgroup Manager in Apple Mac OS X Server 10.2 through 10.2.6 does not disable a password for a new account before it is saved for the first time, which allows remote attackers to gain unauthorized access via the new account before it is saved. macos-workgroup-gain-access(12728) 8266 http://docs.info.apple.com/article.html?artnum=25631 Multiple cross-site scripting vulnerabilities (XSS) in Bugzilla 2.16.x before 2.16.3 and 2.17.x before 2.17.4 allow remote attackers to insert arbitrary HTML or web script via (1) multiple default German and Russian HTML templates or (2) ALT and NAME attributes in AREA tags as used by the GraphViz graph generation feature for local dependency graphs. 6868 6861 http://www.bugzilla.org/security/2.16.2/ CLA-2003:653 Bugzilla 2.16.x before 2.16.3, 2.17.x before 2.17.4, and earlier versions allows local users to overwrite arbitrary files via a symlink attack on temporary files that are created in directories with group-writable or world-writable permissions. 7412 http://www.bugzilla.org/security/2.16.2/ CLA-2003:653 Windows Media Player (WMP) 7 and 8, as running on Internet Explorer and possibly other Microsoft products that process HTML, allows remote attackers to bypass zone restrictions and access or execute arbitrary files via an IFRAME tag pointing to an ASF file whose Content-location contains a File:// URL. http://www.pivx.com/larholm/unpatched/ http://www.malware.com/once.again!.html 20030723 Drivial Pursuit: Internet Explorer Browser & Your Files and Folders ! 20030723 Drivial Pursuit: Internet Explorer Browser & Your Files and Folders ! 20030723 Re: Drivial Pursuit: Internet Explorer Browser & Your Files and Folders ! 20030723 Re: Drivial Pursuit: Internet Explorer Browser & Your Files and Folders ! The RPC DCOM interface in Windows 2000 SP3 and SP4 allows remote attackers to cause a denial of service (crash), and local attackers to use the DoS to hijack the epmapper pipe to gain privileges, via certain messages to the __RemoteGetClassObject interface that cause a NULL pointer to be passed to the PerformScmStage function. VU#326746 CA-2003-23 CA-2003-19 MS03-039 20030720 Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability 20030721 Microsoft Windows 2000 RPC DCOM Interface DOS AND Privilege Escalation Vulnerability oval:org.mitre.oval:def:494 oval:org.mitre.oval:def:1118 sup 1.8 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. DSA-353 Buffer overflow in xconq 7.4.1 allows local users to become part of the "games" group via the (1) USER or (2) DISPLAY environment variables. xconq-user-display-bo(12765) DSA-354 8307 Stack-based buffer overflow in the runtime linker, ld.so.1, on Solaris 2.6 through 9 allows local users to gain root privileges via a long LD_PRELOAD environment variable. 20030729 Solaris ld.so.1 buffer overflow 20030729 Buffer Overflow in Sun Solaris Runtime Linker 55680 sun-ldso1-ldpreload-bo(12755) 8722 oval:org.mitre.oval:def:3601 Directory traversal vulnerability in ePO agent for McAfee ePolicy Orchestrator 3.0 allows remote attackers to read arbitrary files via a certain HTTP request. http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp Multiple buffer overflows in xtokkaetama 1.0 allow local users to gain privileges via a long (1) -display command line argument or (2) XTOKKAETAMADIR environment variable. 8312 DSA-356 Multiple buffer overflows in main.c for Crafty 19.3 allow local users to gain group "games" privileges via long command line arguments to crafty.bin. crafty-long-argument-bo(13017) 9577 crafty-command-line-bo(15501) 9893 20040315 Crafty Game Stack Overflow & Exploit 1009398 1009393 http://packages.debian.org/changelogs/pool/non-free/c/crafty/crafty_19.15-1/changelog.txt http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203541 Buffer overflow in zblast-svgalib of zblast 1.2.1 and earlier allows local users to execute arbitrary code via the high score file. DSA-369 Cross-site scripting (XSS) vulnerability in search.php of Gallery 1.1 through 1.3.4 allows remote attackers to insert arbitrary web script via the searchstring parameter. DSA-355 20040101 Re: Gallery v1.3.3 Cross Site Scripting Vulnerabillity 20030727 Gallery XSS security advisory (with fix and patch instructions) 20030902 GLSA: gallery (200309-06) http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=82&mode=thread&order=0&thold=0 Cross-site scripting (XSS) vulnerability in start_form() of CGI.pm allows remote attackers to insert web script via a URL that is fed into the form's action parameter. VU#246409 8231 20030720 CGI.pm vulnerable to Cross-site Scripting cgi-startform-xss(12669) RHSA-2003:256 DSA-371 MDKSA-2003:084 N-155 101426 1007234 13638 20030720 CGI.pm vulnerable to Cross-site Scripting. 20030806 [OpenPKG-SA-2003.036] OpenPKG Security Advisory (perl-www) CLA-2003:713 oval:org.mitre.oval:def:470 oval:org.mitre.oval:def:307 Format string vulnerability in ePO service for McAfee ePolicy Orchestrator 2.0, 2.5, and 2.5.1 allows remote attackers to execute arbitrary code via a POST request with format strings in the computerlist parameter, which are used when logging a failed name resolution. http://www.nai.com/us/promos/mcafee/epo_vulnerabilities.asp A073103-1 mindi 0.58 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. DSA-362 20030902 GLSA: mindi (200309-05) Multiple vulnerabilities in suidperl 5.6.1 and earlier allow a local user to obtain sensitive information about files for which the user does not have appropriate permissions. DSA-431 suidperl-obtain-information(15012) 9543 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=203426 Integer signedness error in the decode_fh function of nfs3xdr.c in Linux kernel before 2.4.21 allows remote attackers to cause a denial of service (kernel panic) via a negative size value within XDR data of an NFSv3 procedure call. RHSA-2003:198 DSA-358 20030729 Remote Linux Kernel < 2.4.21 DoS in XDR routine. RHSA-2003:239 oval:org.mitre.oval:def:386 Multiple buffer overflows in man-db 2.4.1 and earlier, when installed setuid, allow local users to gain privileges via (1) MANDATORY_MANPATH, MANPATH_MAP, and MANDB_MAP arguments to add_to_dirlist in manp.c, (2) a long pathname to ult_src in ult_src.c, (3) a long .so argument to test_for_include in ult_src.c, (4) a long MANPATH environment variable, or (5) a long PATH environment variable. DSA-364 20030730 Re: man-db[] multiple(4) vulnerabilities. 20030729 man-db[] multiple(4) vulnerabilities. The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to determine the existence of files outside the web root via modified paths in the INIFILE argument. 8931 20031031 Corsaire Security Advisory: BEA Tuxedo Administration CGI multiple argument issues http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/advisory03_38_00.jsp bea-tuxedo-file-disclosure(13559) The Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to cause a denial of service (hang) via pathname arguments that contain MS-DOS device names such as CON and AUX. 8931 20031031 Corsaire Security Advisory: BEA Tuxedo Administration CGI multiple argument issues http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/advisory03_38_00.jsp bea-tuxedo-device-dos(13560) Cross-site scripting (XSS) vulnerability in the Administration Console for BEA Tuxedo 8.1 and earlier allows remote attackers to inject arbitrary web script via the INIFILE argument. 8931 20031031 Corsaire Security Advisory: BEA Tuxedo Administration CGI multiple argument issues http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/advisory03_38_00.jsp bea-tuxedo-filename-xss(13561) Cross-site scripting (XSS) vulnerability in InteractiveQuery.jsp for BEA WebLogic 8.1 and earlier allows remote attackers to inject malicious web script via the person parameter. http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/SA_BEA03_36.00.jsp bea-weblogic-interactivequery-xss(13568) 8938 20031031 Corsaire Security Advisory: BEA WebLogic example InteractiveQuery.jsp XSS issue Off-by-one error in certain versions of xfstt allows remote attackers to read potentially sensitive memory via a malformed client request in the connection handshake, which leaks the memory in the server's response. DSA-360 8255 20030727 [PAPER]: Address relay fingerprinting. http://developer.berlios.de/forum/forum.php?forum_id=2819 psdoccgi.exe in PeopleSoft PeopleTools 8.4 through 8.43 allows remote attackers to read arbitrary files via the (1) headername or (2) footername arguments. 10225 peoplesoft-searchcgi-directory-traversal(13754) 9037 ESB-2003.0786 20031103 Corsaire Security Advisory: PeopleSoft PeopleBooks Search CGI multiple argument issues 20031113 Corsaire Security Advisory: PeopleSoft PeopleBooks Search CGI multiple argument issues psdoccgi.exe in PeopleSoft PeopleTools 8.4 through 8.43 allows remote attackers to cause a denial of service (application crash), possibly via the headername and footername arguments. peoplesoft-searchcgi-directory-traversal(13754) 9038 10225 20031103 Corsaire Security Advisory: PeopleSoft PeopleBooks Search CGI multiple argument issues 20031113 Corsaire Security Advisory: PeopleSoft PeopleBooks Search CGI multiple argument issues PeopleSoft Gateway Administration servlet (gateway.administration) in PeopleTools 8.43 and earlier allows remote attackers to obtain the full pathnames for server-side include (SSI) files via an HTTP request with an invalid value. 20031113 Corsaire Security Advisory: PeopleSoft Gateway Administration servlet path disclosure issue Cross-site scripting (XSS) vulnerability in PeopleSoft IScript environment for PeopleTools 8.43 and earlier allows remote attackers to insert arbitrary web script via a certain HTTP request to IScript. 20031113 Corsaire Security Advisory: PeopleSoft Gateway Administration servlet path disclosure issue Multiple buffer overflows in the atari800.svgalib setuid program of the Atari 800 emulator (atari800) before 1.2.2 allow local users to gain privileges via long command line arguments, as demonstrated with the -osa_rom argument. DSA-359 20030902 GLSA: atari800 (200309-07) VMware GSX Server 2.5.1 build 4968 and earlier, and Workstation 4.0 and earlier, allows local users to gain root privileges via certain enivronment variables that are used when launching a virtual machine session. http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1039 20030723 VMware GSX Server 2.5.1 / Workstation 4.0 (for Linux systems) Buffer overflow in the Oracle Applications Web Report Review (FNDWRR) CGI program (FNDWRR.exe) of Oracle E-Business Suite 11.0 and 11.5.1 through 11.5.8 may allow remote attackers to execute arbitrary code via a long URL. http://otn.oracle.com/deploy/security/pdf/2003alert56.pdf 20030724 Integrigy Security Alert - Oracle E-Business Suite FNDWRR Buffer Overflow Multiple vulnerabilities in aoljtest.jsp of Oracle Applications AOL/J Setup Test Suite in Oracle E-Business Suite 11.5.1 through 11.5.8 allow a remote attacker to obtain sensitive information without authentication, such as the GUEST user password and the application server security key. http://otn.oracle.com/deploy/security/pdf/2003alert55.pdf 8268 20030724 Integrigy Security Alert - Oracle E-Business Suite AOL/J Setup Test Information Disclosure Stack-based buffer overflow in the PL/SQL EXTPROC functionality for Oracle9i Database Release 2 and 1, and Oracle 8i, allows authenticated database users, and arbitrary database users in some cases, to execute arbitrary code via a long library name. VU#936868 8267 20030725 Oracle Extproc Buffer Overflow (#NISR25072003) oracle-extproc-bo(12721) http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf 20030725 Oracle Extproc Buffer Overflow (#NISR25072003) 20030725 question about oracle advisory 20030912 Update to the Oracle EXTPROC advisory Unknown vulnerability or vulnerabilities in Novell iChain 2.2 before Support Pack 1, with unknown impact, possibly related to unauthorized access to (1) NCPIP.NLM and (2) JSTCP.NLM. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966435.htm 20030606 NOVL-2003-2966205 - iChain 2.2 Field Patch 1a Novell iChain 2.2 before Support Pack 1 does not properly verify that URL redirects match the DNS name of an accelerator, which allows attackers to redirect URLs to malicious web sites. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966435.htm Novell iChain 2.2 before Support Pack 1 uses a shorter timeout for a non-existent user than a valid user, which makes it easier for remote attackers to guess usernames and conduct brute force password guessing. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966435.htm Multiple buffer overflows in Novell iChain 2.1 before Field Patch 3, and iChain 2.2 before Field Patch 1a, allow attackers to cause a denial of service (ABEND) and possibly execute arbitrary code via (1) a long user name or (2) an unknown attack related to a "special script against login." http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966435.htm 20030606 NOVL-2003-2966205 - iChain 2.2 Field Patch 1a 20030606 NOVL-2003-2966207 - iChain 2.1 Field Patch 3 Unknown vulnerability in Novell iChain 2.2 before Support Pack 1 allows users to access restricted or secure pages without authentication. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2966435.htm 20030606 NOVL-2003-2966205 - iChain 2.2 Field Patch 1a BEA WebLogic Server and Express, when using NodeManager to start servers, provides Operator users with privileges to overwrite usernames and passwords, which may allow Operators to gain Admin privileges. 9232 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-33.jsp WatchGuard ServerLock for Windows 2000 before SL 2.0.3 allows local users to load arbitrary modules via the OpenProcess() function, as demonstrated using (1) a DLL injection attack, (2) ZwSetSystemInformation, and (3) API hooking in OpenProcess. 8222 20030717 Bypassing ServerLock protection on Windows 2000 serverlock-openprocess-load-module(12665) 6578 9310 WatchGuard ServerLock for Windows 2000 before SL 2.0.4 allows local users to access kernel memory via a symlink attack on \Device\PhysicalMemory. 8223 20030717 Bypassing ServerLock protection on Windows 2000 serverlock-physicalmemory-symlink(12666) 9310 Integer signedness error in the Linux Socket Filter implementation (filter.c) in Linux 2.4.3-pre3 to 2.4.22-pre10 allows attackers to cause a denial of service (crash). http://www.ultramonkey.org/bugs/cve/CAN-2003-0643.shtml http://www.ultramonkey.org/bugs/cve-patch/CAN-2003-0643.patch http://gentoo.kems.net/gentoo-x86-portage/sys-kernel/gentoo-sources/ChangeLog http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf 23265 Kdbg 1.1.0 through 1.2.8 does not check permissions of the .kdbgrc file, which allows local users to execute arbitrary commands. http://lists.kde.org/?l=kde-announce&m=106296509815092&w=2 [debian-devel-changes] 20030909 Accepted kdbg 1.2.9-1 (i386 source) RHSA-2005:416 man-db 2.3.12 and 2.3.18 to 2.4.1 uses certain user-controlled DEFINE directives from the ~/.manpath file, even when running setuid, which could allow local users to gain privileges. DSA-364 mandb-opencatstream-gain-privileges(12848) 8352 20030806 man-db[v2.4.1-]: open_cat_stream() privileged call exploit. Multiple buffer overflows in ActiveX controls used by Trend Micro HouseCall 5.5 and 5.7, and Damage Cleanup Server 1.0, allow remote attackers to execute arbitrary code via long parameter strings. 20030711 Trend Micro ActiveX Multiple Overflows http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionID=15274 Buffer overflow in the HTTP server for Cisco IOS 12.2 and earlier allows remote attackers to execute arbitrary code via an extremely long (2GB) HTTP GET request. VU#579324 20030731 Sending 2GB Data in GET Request Causes Buffer Overflow in Cisco IOS Software Multiple buffer overflows in vfte, based on FTE, before 0.50, allow local users to execute arbitrary code. VU#900964 VU#354838 DSA-472 ftetexteditor-vfte-bo(15726) 10041 1009656 1009655 11290 Buffer overflow in xpcd-svga for xpcd 2.08 and earlier allows local users to execute arbitrary code via a long HOME environment variable. DSA-368 MDKSA-2004:053 Directory traversal vulnerability in GSAPAK.EXE for GameSpy Arcade, possibly versions before 1.3e, allows remote attackers to overwrite arbitrary files and execute arbitrary code via .. (dot dot) sequences in filenames in a .APK (Zip) file. 8309 http://www.gamespyarcade.com/features/versions.shtml 20030730 GameSpy Arcade Arbitrary File Writing Vulnerability 20030730 GameSpy Arcade Arbitrary File Writing Vulnerability Buffer overflow in the mylo_log logging function for mod_mylo 0.2.1 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. 8287 20030728 Remotely exploitable overflow in mod_mylo for Apache Buffer overflow in xtokkaetama allows local users to gain privileges via a long -nickname command line argument, a different vulnerability than CVE-2003-0611. DSA-367 20030803 xtokkaetama[v1.0b+]: (missed) buffer overflow exploit. The OSI networking kernel (sys/netiso) in NetBSD 1.6.1 and earlier does not use a BSD-required "PKTHDR" mbuf when sending certain error responses to the sender of an OSI packet, which allows remote attackers to cause a denial of service (kernel panic or crash) via certain OSI packets. NetBSD-SA2003-010 Buffer overflow in autorespond may allow remote attackers to execute arbitrary code as the autorespond user via qmail. DSA-373 rscsi in cdrtools 2.01 and earlier allows local users to overwrite arbitrary files and gain root privileges by specifying the target file as a command line argument, which is modified while rscsi is running with privileges. http://www.secnetops.com/research/advisories/SRT2003-08-01-0126.txt 20030801 SRT2003-08-01-0126 - cdrtools local root exploit eroaster before 2.2.0 allows local users to overwrite arbitrary files via a symlink attack on a temporary file that is used as a lockfile. DSA-366 20030902 GLSA: eroaster (200309-04) MDKSA-2003:083 Multiple SQL injection vulnerabilities in the infolog module for phpgroupware 0.9.14 and earlier could allow remote attackers to conduct unauthorized database actions. DSA-365 Docview before 1.1-18 in Caldera OpenLinux 3.1.1, SCO Linux 4.0, OpenServer 5.0.7, configures the Apache web server in a way that allows remote attackers to read arbitrary publicly readable files via a certain URL, possibly related to rewrite rules. Buffer overflow in a function in User32.dll on Windows NT through Server 2003 allows local users to execute arbitrary code via long (1) LB_DIR messages to ListBox or (2) CB_DIR messages to ComboBox controls in a privileged application. VU#967668 CA-2003-27 8827 MS03-045 20031016 Listbox And Combobox Control Buffer Overflow win-user32-control-bo(13424) 20031016 Listbox And Combobox Control Buffer Overflow oval:org.mitre.oval:def:340 oval:org.mitre.oval:def:201 The Authenticode capability in Microsoft Windows NT through Server 2003 does not prompt the user to download and install ActiveX controls when the system is low on memory, which could allow remote attackers execute arbitrary code without user approval. VU#838572 CA-2003-27 8830 MS03-041 win-authenticode-code-execution(13422) oval:org.mitre.oval:def:198 oval:org.mitre.oval:def:185 The NetBT Name Service (NBNS) for NetBIOS in Windows NT 4.0, 2000, XP, and Server 2003 may include random memory in a response to a NBNS query, which could allow remote attackers to obtain sensitive information. VU#989932 MS03-034 oval:org.mitre.oval:def:3483 Buffer overflow in Troubleshooter ActiveX Control (Tshoot.ocx) in Microsoft Windows 2000 SP4 and earlier allows remote attackers to execute arbitrary code via an HTML document with a long argument to the RunQuery2 method. VU#989932 CA-2003-27 8833 MS03-042 20031016 Microsoft Local Troubleshooter ActiveX control buffer overflow win2k-local-troubleshooter-bo(13423) 20031016 Microsoft Local Troubleshooter ActiveX control buffer overflow 20031016 Microsoft Local Troubleshooter ActiveX control buffer overflow oval:org.mitre.oval:def:237 Unknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message. VU#639428 TA04-104A MS04-011 win2k-lsass-ldap-dos(15700) 10114 O-114 oval:org.mitre.oval:def:1016 Microsoft Word 2002, 2000, 97, and 98(J) does not properly check certain properties of a document, which allows attackers to bypass the macro security model and automatically execute arbitrary macros via a malicious document. MS03-035 oval:org.mitre.oval:def:188 Buffer overflow in the ActiveX control for Microsoft Access Snapshot Viewer for Access 97, 2000, and 2002 allows remote attackers to execute arbitrary code via long parameters to the control. VU#992132 MS03-038 9668 Buffer overflow in Microsoft Wordperfect Converter allows remote attackers to execute arbitrary code via modified data offset and data size parameters in a Corel WordPerfect file. MS03-036 20030903 EEYE: Microsoft WordPerfect Document Converter Buffer Overflow 20030903 EEYE: Microsoft WordPerfect Document Converter Buffer Overflow 20030905 Microsoft WordPerfect Document Converter Exploit Unknown vulnerability in Solaris 2.6 through 9 causes a denial of service (system panic) via "a rare race condition" or an attack by local users. 47353 oval:org.mitre.oval:def:4561 Sustworks IPNetSentryX and IPNetMonitorX allow local users to sniff network packets via the setuid helper applications (1) RunTCPDump, which calls tcpdump, and (2) RunTCPFlow, which calls tcpflow. A080703-1 Format string vulnerability in tcpflow, when used in a setuid context, allows local users to execute arbitrary code via the device name argument, as demonstrated in Sustworks IPNetSentryX and IPNetMonitorX the setuid program RunTCPFlow. A080703-1 A080703-2 Format string vulnerability in pam-pgsql 0.5.2 and earlier allows remote attackers to execute arbitrary code via the username that isp rovided during authentication, which is not properly handled when recording a log message. DSA-370 Directory traversal vulnerability in ViewLog for iPlanet Administration Server 5.1 (aka Sun ONE) allows remote attackers to read arbitrary files via "..%2f" (partially encoded dot dot) sequences. 20030808 Directory Traversal in Sun iPlanet Administration Server 5.1 Cisco CSS 11000 routers on the CS800 chassis allow remote attackers to cause a denial of service (CPU consumption or reboot) via a large number of TCP SYN packets to the circuit IP address, aka "ONDM Ping failure." 20030807 Cisco CSS 11000 Series DoS 20030808 Re: [VulnWatch] Cisco CSS 11000 Series DoS 20030807 Cisco CSS 11000 Series DoS Unknown vulnerability in the libcpr library for the Checkpoint/Restart (cpr) system on SGI IRIX 6.5.21f and earlier allows local users to truncate or overwrite certain files. 20030802-01-P Unknown vulnerability in NFS for SGI IRIX 6.5.21 and earlier may allow an NFS client to bypass read-only restrictions. 20030901-01-P A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. VU#108964 http://www.sendmail.org/8.12.10.html sendmail-ruleset-parsing-bo(13216) 8649 RHSA-2003:283 DSA-384 20030919 [OpenPKG-SA-2003.041] OpenPKG Security Advisory (sendmail) 20030917 GLSA: sendmail (200309-13) CLA-2003:742 MDKSA-2003:092 oval:org.mitre.oval:def:595 oval:org.mitre.oval:def:3606 "Memory bugs" in OpenSSH 3.7.1 and earlier, with unknown impact, a different set of vulnerabilities than CVE-2003-0693 and CVE-2003-0695. RHSA-2003:280 DSA-382 RHSA-2003:279 DSA-383 20030917 [OpenPKG-SA-2003.040] OpenPKG Security Advisory (openssh) CLA-2003:741 oval:org.mitre.oval:def:446 NFS in SGI 6.5.21m and 6.5.21f does not perform access checks in certain configurations when an /etc/exports entry uses wildcards without any hostnames or groups, which could allow attackers to bypass intended restrictions. 8921 20031004-01-P 2734 10095 Buffer overflow in Netris 0.52 and earlier, and possibly other versions, allows remote malicious Netris servers to execute arbitrary code on netris clients via a long server response. DSA-372 20030812 Netris client Buffer Overflow Vulnerability. Buffer overflow in PAM SMB module (pam_smb) 1.1.6 and earlier, when authenticating to a remote service, allows remote attackers to execute arbitrary code. VU#680260 RHSA-2003:262 DSA-374 TLSA-2003-50 RHSA-2003:261 http://us2.samba.org/samba/ftp/pam_smb/ 9611 20030901 GLSA: pam_smb (200309-01) CLA-2003:734 oval:org.mitre.oval:def:469 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was internally assigned to a problem that was not reachable (the affected routine was not used by the software). Notes: none. The DNS map code in Sendmail 8.12.8 and earlier, when using the "enhdnsbl" feature, does not properly initialize certain data structures, which allows remote attackers to cause a denial of service (process crash) via an invalid DNS response that causes Sendmail to free incorrect data. VU#993452 RHSA-2003:265 http://www.sendmail.org/dnsmap1.html SuSE-SA:2003:035 20030803-01-P MDKSA-2003:086 CLA-2003:727 oval:org.mitre.oval:def:597 The getgrouplist function in GNU libc (glibc) 2.2.4 and earlier allows attackers to cause a denial of service (segmentation fault) and execute arbitrary code when a user is a member of a large number of groups, which can cause a buffer overflow. RHSA-2003:249 RHSA-2003:325 KDM in KDE 3.1.3 and earlier does not verify whether the pam_setcred function call succeeds, which may allow attackers to gain root privileges by triggering error conditions within PAM modules, as demonstrated in certain configurations of the MIT pam_krb5 module. RHSA-2003:270 http://www.kde.org/info/security/advisory-20030916-1.txt 20030916 [KDE SECURITY ADVISORY] KDM vulnerabilities RHSA-2003:289 RHSA-2003:286 DSA-443 DSA-388 http://cert.uni-stuttgart.de/archive/suse/security/2002/12/msg00101.html RHSA-2003:288 RHSA-2003:287 MDKSA-2003:091 CLA-2003:747 oval:org.mitre.oval:def:193 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not associated with any specific security issue. Notes: none. KDM in KDE 3.1.3 and earlier uses a weak session cookie generation algorithm that does not provide 128 bits of entropy, which allows attackers to guess session cookies via brute force methods and gain access to the user session. RHSA-2003:270 http://www.kde.org/info/security/advisory-20030916-1.txt DSA-388 http://cert.uni-stuttgart.de/archive/suse/security/2002/12/msg00101.html RHSA-2003:288 MDKSA-2003:091 20030916 [KDE SECURITY ADVISORY] KDM vulnerabilities CLA-2003:747 oval:org.mitre.oval:def:215 A "buffer management error" in buffer_append_space of buffer.c for OpenSSH before 3.7 may allow remote attackers to execute arbitrary code by causing an incorrect amount of memory to be freed and corrupting the heap, a different vulnerability than CVE-2003-0695. VU#333628 CA-2003-24 20030916 OpenSSH Buffer Management Bug Advisory openssh-packet-bo(13191) RHSA-2003:280 http://www.openssh.com/txt/buffer.adv DSA-383 DSA-382 1000620 20030917 [OpenPKG-SA-2003.040] OpenPKG Security Advisory (openssh) 2003-0033 20030916 [slackware-security] OpenSSH Security Advisory (SSA:2003-259-01) RHSA-2003:279 20030916 The lowdown on SSH vulnerability 20030915 openssh remote exploit 20030915 new ssh exploit? MDKSA-2003:090 oval:org.mitre.oval:def:447 oval:org.mitre.oval:def:2719 The prescan function in Sendmail 8.12.9 allows remote attackers to execute arbitrary code via buffer overflow attacks, as demonstrated using the parseaddr function in parseaddr.c. CA-2003-25 VU#784980 http://www.sendmail.org/8.12.10.html RHSA-2003:284 RHSA-2003:283 DSA-384 20030919 [OpenPKG-SA-2003.041] OpenPKG Security Advisory (sendmail) 20030917 GLSA: sendmail (200309-13) 20030917 [slackware-security] Sendmail vulnerabilities fixed (SSA:2003-260-02) 20030917 Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694] CLA-2003:742 20030917 Zalewski Advisory - Sendmail 8.12.9 prescan bug 20030917 Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694] SCOSA-2004.11 MDKSA-2003:092 oval:org.mitre.oval:def:603 oval:org.mitre.oval:def:572 oval:org.mitre.oval:def:2975 Multiple "buffer management errors" in OpenSSH before 3.7.1 may allow attackers to cause a denial of service or execute arbitrary code using (1) buffer_init in buffer.c, (2) buffer_free in buffer.c, or (3) a separate function in channels.c, a different vulnerability than CVE-2003-0693. RHSA-2003:280 DSA-383 RHSA-2003:279 http://www.openssh.com/txt/buffer.adv DSA-382 http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106375582924840 20030917 [slackware-security] OpenSSH updated again (SSA:2003-260-01) 20030917 [OpenPKG-SA-2003.040] OpenPKG Security Advisory (openssh) 2003-0033 CLA-2003:741 MDKSA-2003:090 oval:org.mitre.oval:def:452 The getipnodebyname() API in AIX 5.1 and 5.2 does not properly close sockets, which allows attackers to cause a denial of service (resource exhaustion). 8738 https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs?mode=7&heading=AIX51&topic=SECURITY&month=200310&label=getipnodebyname%28%29+API+does+not+close+sockets.&date=20031001&bulletin=datafile150755&embed=true aix-sendmail-getipnodebyname-dos(13328) Format string vulnerability in lpd in the bos.rte.printers fileset for AIX 4.3 through 5.2, with debug enabled, allows local users to cause a denial of service (crash) or gain root privileges. IY45344 http://www-1.ibm.com/services/continuity/recover1.nsf/mss/MSS-OAR-E01-2003.1605.1 IY46256 IY45250 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0743. Reason: This candidate is a duplicate of CVE-2003-0743. Notes: All CVE users should reference CVE-2003-0743 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The C-Media PCI sound driver in Linux before 2.4.21 does not use the get_user function to access userspace, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0700. RHSA-2003:238 RHSA-2003:198 RHSA-2003:239 oval:org.mitre.oval:def:387 The C-Media PCI sound driver in Linux before 2.4.22 does not use the get_user function to access userspace in certain conditions, which crosses security boundaries and may facilitate the exploitation of vulnerabilities, a different vulnerability than CVE-2003-0699. RHSA-2004:044 RHSA-2003:238 oval:org.mitre.oval:def:401 Buffer overflow in Internet Explorer 6 SP1 for certain languages that support double-byte encodings (e.g., Japanese) allows remote attackers to execute arbitrary code via the Type property of an Object tag, a variant of CVE-2003-0344. VU#334928 MS03-032 20030820 [SNS Advisory No.68] Internet Explorer Object Type Buffer Overflow in Double-Byte Character Set Environment ie-dbcs-object-bo(12970) Unknown vulnerability in an ISAPI plugin for ISS Server Sensor 7.0 XPU 20.16, 20.18, and possibly other versions before 20.19, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code in Internet Information Server (IIS) via a certain URL through SSL. realsecure-isapi-dos(13088) http://www.enteredge.com/research/CAN-2003-0702.asp 20030905 ISS Server Sensor Denial of Service KisMAC before 0.05d trusts user-supplied variables to load arbitrary kernels or kernel modules, which allows local users to gain privileges via the $DRIVER_KEXT environment variable as used in (1) viha_driver.sh, (2) macjack_load.sh, or (3) airojack_load.sh, or (4) via "similar techniques" using exchangeKernel.sh. kismac-driverkext-load-modules(13007) A082203-1 kismac-exchangekernel-kernel-overwrite(13008) 8497 KisMAC before 0.05d trusts user-supplied variables when chown'ing files or directories, which allows local users to gain privileges via the $DRIVER_KEXT environment variable in (1) viha_driver.sh, (2) macjack_load.sh, (3) airojack_load.sh, (4) setuid_enable.sh, (5) setuid_disable.sh, and using a "similar technique" for (6) viha_prep.sh and (7) viha_unprep.sh. kismac-setuid-modify-ownership(13009) A082203-1 kismac-viha-gain-privileges kismac-driverkext-modify-ownership 8497 Buffer overflow in mah-jong 1.5.6 and earlier allows remote attackers to execute arbitrary code. DSA-378 Unknown vulnerability in mah-jong 1.5.6 and earlier allows remote attackers to cause a denial of service (tight loop). DSA-378 Buffer overflow in LinuxNode (node) before 0.3.2 allows remote attackers to execute arbitrary code. DSA-375 Format string vulnerability in LinuxNode (node) before 0.3.2 may allow attackers to cause a denial of service or execute arbitrary code. DSA-375 Buffer overflow in the whois client, which is not setuid but is sometimes called from within CGI programs, may allow remote attackers to execute arbitrary code via a long command line option. http://www.zone-h.org/en/advisories/read/id=2925/ Stack-based buffer overflow in the PCHealth system in the Help and Support Center function in Windows XP and Windows Server 2003 allows remote attackers to execute arbitrary code via a long query in an HCP URL. VU#467036 CA-2003-27 8828 MS03-044 20031016 Microsoft PCHealth 2003/XP Buffer Overflow (#NISR15102003) http://www.ngssoftware.com/advisories/ms-pchealth.txt 20031016 Microsoft PCHealth 2003/XP Buffer Overflow (#NISR15102003) oval:org.mitre.oval:def:4706 oval:org.mitre.oval:def:3889 oval:org.mitre.oval:def:3685 oval:org.mitre.oval:def:217 Cross-site scripting (XSS) vulnerability in the HTML encoding for the Compose New Message form in Microsoft Exchange Server 5.5 Outlook Web Access (OWA) allows remote attackers to execute arbitrary web script. VU#435444 CA-2003-27 8832 MS03-047 20031016 Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request, possibly triggering a buffer overflow in Exchange 2000. VU#422156 CA-2003-27 8838 MS03-046 20031022 MS03-046 Microsoft Exchange 2000 Heap Overflow Heap-based buffer overflow in the Distributed Component Object Model (DCOM) interface in the RPCSS Service allows remote attackers to execute arbitrary code via a malformed DCERPC DCOM object activation request packet with modified length fields, a different vulnerability than CVE-2003-0352 (Blaster/Nachi) and CVE-2003-0528. VU#483492 CA-2003-23 MS03-039 20030910 EEYE: Microsoft RPC Heap Corruption Vulnerability - Part II oval:org.mitre.oval:def:4224 oval:org.mitre.oval:def:264 oval:org.mitre.oval:def:20 oval:org.mitre.oval:def:1813 oval:org.mitre.oval:def:1202 The Messenger Service for Windows NT through Server 2003 does not properly verify the length of the message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. VU#575892 CA-2003-27 8826 MS03-043 20031016 MS03-043 Popup Messenger Servce buffer-overflow 20031018 Proof of concept for Windows Messenger Service overflow oval:org.mitre.oval:def:268 oval:org.mitre.oval:def:213 The WebDAV Message Handler for Internet Information Services (IIS) 5.0, 5.1, and 6.0 allows remote attackers to cause a denial of service (memory and CPU exhaustion, application crash) via a PROPFIND request with an XML message containing XML elements with a large number of attributes. iis-ms04030-patch(17656) iis-webdav-xml-attribute-dos(17645) MS04-030 20041012 Microsoft IIS 5.x/6.0 WebDAV (XML parser) attribute blowup DoS oval:org.mitre.oval:def:4767 oval:org.mitre.oval:def:1427 oval:org.mitre.oval:def:1330 Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets. VU#586540 TA04-104A 20040413 Microsoft SSL Library Remote Compromise Vulnerability 20040430 A technical description of the SSL PCT vulnerability (CVE-2003-0719) MS04-011 oval:org.mitre.oval:def:951 oval:org.mitre.oval:def:903 oval:org.mitre.oval:def:889 oval:org.mitre.oval:def:1093 Buffer overflow in PINE before 4.58 allows remote attackers to execute arbitrary code via a malformed message/external-body MIME type. RHSA-2003:273 http://www.idefense.com/advisory/09.10.03.txt RHSA-2003:274 20030910 iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE 20030911 [slackware-security] security issues in pine (SSA:2003-253-01) 20030910 iDEFENSE Security Advisory 09.10.03: Two Exploitable Overflows in PINE oval:org.mitre.oval:def:499 Integer signedness error in rfc2231_get_param from strings.c in PINE before 4.58 allows remote attackers to execute arbitrary code via an email that causes an out-of-bounds array access using a negative number. RHSA-2003:273 20030910 Two Exploitable Overflows in PINE RHSA-2003:274 20030911 Pine: .procmailrc rule against integer overflow 20030915 remote Pine <= 4.56 exploit fully automatic 20030911 [slackware-security] security issues in pine (SSA:2003-253-01) oval:org.mitre.oval:def:503 The default installation of sadmind on Solaris uses weak authentication (AUTH_SYS), which allows local and remote attackers to spoof Solstice AdminSuite clients and gain root privileges via a certain sequence of RPC packets. VU#41870 8615 http://www.idefense.com/advisory/09.16.03.txt N-148 9742 20030918 Solaris SADMIND Exploitation 56740 20030918 Solaris SADMIND Exploitation oval:org.mitre.oval:def:1273 Buffer overflow in gkrellmd for gkrellm 2.1.x before 2.1.14 may allow remote attackers to execute arbitrary code. MDKSA-2003:087 ssh on HP Tru64 UNIX 5.1B and 5.1A does not properly handle RSA signatures when digital certificates and RSA keys are used, which could allow local and remote attackers to gain privileges. 8492 SSRT3588 Buffer overflow in the RTSP protocol parser for the View Source plug-in (vsrcplin.so or vsrcplin3260.dll) for RealNetworks Helix Universal Server 9 and RealSystem Server 8, 7 and RealServer G2 allows remote attackers to execute arbitrary code. VU#934932 8476 http://www.service.real.com/help/faq/security/rootexploit082203.html http://lists.immunitysec.com/pipermail/dailydave/2003-August/000030.html 20030825 New Bug in RealServer RealOne player allows remote attackers to execute arbitrary script in the "My Computer" zone via a SMIL presentation with a URL that references a scripting protocol, which is executed in the security context of the previously loaded URL, as demonstrated using a "javascript:" URL in the area tag. 8453 http://www.digitalpranksters.com/advisories/realnetworks/smilscriptprotocol.html realone-smil-execute-code(13028) http://www.service.real.com/help/faq/security/securityupdate_august2003.html 20030827 RealOne Player Allows Cross Zone and Domain Access 1007532 Multiple buffer overflows in the XML Database (XDB) functionality for Oracle 9i Database Release 2 allow local users to cause a denial of service or hijack user sessions. http://otn.oracle.com/deploy/security/pdf/2003Alert58.pdf Horde before 2.2.4 allows remote malicious web sites to steal session IDs and read or create arbitrary email by stealing the ID from a referrer URL. 20030901 GLSA: horde (200309-02) 20030813 PCL-0001: Remote Vulnerability in HORDE MTA < 2.2.4 Buffer overflow in Tellurian TftpdNT 1.8 allows remote attackers to execute arbitrary code via a TFTP request with a long filename. http://www.securiteam.com/windowsntfocus/5RP0M1PAUM.html 20030901 Security Vulnerability in Tellurian TftpdNT (Long Filename) 20030901 Security Vulnerability in Tellurian TftpdNT (Long Filename) Multiple integer overflows in the font libraries for XFree86 4.3.0 allow local or remote attackers to cause a denial of service or execute arbitrary code via heap-based and stack-based buffer overflow attacks. 8514 RHSA-2003:286 DSA-380 20030830 Multiple integer overflows in XFree86 (local/remote) ADV-2007-0589 RHSA-2003:289 RHSA-2003:288 20031101-01-U NetBSD-SA2003-015 RHSA-2003:287 MDKSA-2003:089 http://support.avaya.com/elmodocs2/security/ASA-2007-074.htm 102803 24247 24168 CLA-2004:821 CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to gain administrative privileges via a certain POST request to com.cisco.nm.cmf.servlet.CsAuthServlet, possibly involving the "cmd" parameter with a modifyUser value and a modified "priviledges" parameter. 20030813 CiscoWorks Application Vulnerabilities 20030813 Portcullis Security Advisory: CiscoWorks 2000 Privilege Escalation Vulnerabilities CiscoWorks Common Management Foundation (CMF) 2.1 and earlier allows the guest user to obtain restricted information and possibly gain administrative privileges by changing the "guest" user to the Admin user on the Modify or delete users pages. 20030813 CiscoWorks Application Vulnerabilities 20030813 Portcullis Security Advisory: CiscoWorks 2000 Privilege Escalation Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in WebLogic Integration 7.0 and 2.0, Liquid Data 1.1, and WebLogic Server and Express 5.1 through 7.0, allow remote attackers to execute arbitrary web script and steal authentication credentials via (1) a forward instruction to the Servlet container or (2) other vulnerabilities in the WebLogic Server console application. 8357 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/SA_BEA03_36.00.jsp Unknown vulnerability in the pam_filter mechanism in pam_ldap before version 162, when LDAP based authentication is being used, allows users to bypass host-based access restrictions and log onto the system. MDKSA-2003:088 SQL injection vulnerability in the Calendar module of phpWebSite 0.9.x and earlier allows remote attackers to execute arbitrary SQL queries, as demonstrated using the year parameter. VU#925166 20030902 GLSA: phpwebsite (200309-03) 20030810 phpWebSite SQL Injection & DoS & XSS Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in phpWebSite 0.9.x and earlier allow remote attackers to execute arbitrary web script via (1) the day parameter in the calendar module, (2) the fatcat_id parameter in the fatcat module, (3) the PAGE_id parameter in the pagemaster module, (4) the PDA_limit parameter in the search, and (5) possibly other parameters in the calendar, fatcat, and pagemaster modules. VU#664422 20030902 GLSA: phpwebsite (200309-03) 20030810 phpWebSite SQL Injection & DoS & XSS Vulnerabilities The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to obtain the full pathname of phpWebSite via an invalid year, which generates an error from localtime() in TimeZone.php of the Pear library. 20030902 GLSA: phpwebsite (200309-03) 20030810 phpWebSite SQL Injection & DoS & XSS Vulnerabilities The calendar module in phpWebSite 0.9.x and earlier allows remote attackers to cause a denial of service (crash) via a long year parameter. 20030902 GLSA: phpwebsite (200309-03) 20030810 phpWebSite SQL Injection & DoS & XSS Vulnerabilities VMware Workstation 4.0.1 for Linux, build 5289 and earlier, allows local users to delete arbitrary files via a symlink attack. http://www.vmware.com/support/kb/enduser/std_adp.php?p_faqid=1106 20030807 VMware Workstation 4.0.1 (for Linux systems) vulnerability Stunnel 4.00, and 3.24 and earlier, leaks a privileged file descriptor returned by listen(), which allows local users to hijack the Stunnel server. 20030903 Stunnel-3.x Daemon Hijacking RHSA-2003:297 MDKSA-2003:108 CLA-2003:736 SCO Internet Manager (mana) allows local users to execute arbitrary programs by setting the REMOTE_ADDR environment variable to cause menu.mana to run as if it were called from ncsa_httpd, then modifying the PATH environment variable to point to a malicious "hostname" program. Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which is not properly trimmed before the "(no argument given)" string is appended to the buffer. DSA-376 20030901 exim remote heap overflow, probably not exploitable [Exim] 20030815 Minor security bug [Exim] 20030814 Minor security bug http://www.exim.org/pipermail/exim-announce/2003q3/000094.html http://packages.debian.org/changelogs/pool/main/e/exim4/exim4_4.34-10/changelog http://packages.debian.org/changelogs/pool/main/e/exim/exim_3.36-13/changelog 20030903 Re: exim remote heap overflow, probably not exploitable CLA-2003:735 The fetchnews NNTP client in leafnode 1.9.3 to 1.9.41 allows remote attackers to cause a denial of service (process hang and termination) via certain malformed Usenet news articles that cause fetchnews to hang while waiting for input. 8541 6452 9678 20030904 leafnode 1.9.3 - 1.9.41 security announcement SA-2003-01 http://leafnode.sourceforge.net/leafnode-SA-2003-01.txt 20030903 leafnode 1.9.3 - 1.9.41 security announcement SA-2003-01 SNMPc 6.0.8 and earlier performs authentication to the server on the client side, which allows remote attackers to gain privileges by decrypting the password that is returned by the server. 20030825 SNMPc v5 and v6 remote vulnerability Various Distributed Computing Environment (DCE) implementations, including HP OpenView, allow remote attackers to cause a denial of service (process hang or termination) via certain malformed inputs, as triggered by attempted exploits against the vulnerabilities CVE-2003-0352 or CVE-2003-0605, such as the Blaster/MSblast/LovSAN worm. VU#377804 9482 HPSBUX0308-274 20030902-01-P wgate.dll in SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to obtain potentially sensitive information such as directory structure and operating system via incorrect parameters (1) ~service, (2) ~templatelanguage, (3) ~language, (4) ~theme, or (5) ~template, which leaks the information in the resulting error message. its-wgatedll-information-disclosure(13063) 8515 20030830 SAP Internet Transaction Server Directory traversal vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to read arbitrary files via ..\ (dot-dot backslash) sequences in the ~theme parameter and a ~template parameter with a filename followed by space characters, which can prevent SAP from effectively adding a .html extension to the filename. its-wgatedll-directory-traversal(13066) 8516 20030830 SAP Internet Transaction Server Cross-site scripting (XSS) vulnerability in wgate.dll for SAP Internet Transaction Server (ITS) 4620.2.0.323011 allows remote attackers to insert arbitrary web script and steal cookies via the ~service parameter. 8517 20030830 SAP Internet Transaction Server secure.php in PY-Membres 4.2 and earlier allows remote attackers to bypass authentication by setting the adminpy parameter. 20030826 [PHP] PY-Membres 4.2 : Admin Access, SQL Injection SQL injection vulnerability in pass_done.php for PY-Membres 4.2 and earlier allows remote attackers to execute arbitrary SQL queries via the email parameter. 20030826 [PHP] PY-Membres 4.2 : Admin Access, SQL Injection SQL injection vulnerability in global.php3 of AttilaPHP 3.0, and possibly earlier versions, allows remote attackers to bypass authentication via a modified cook_id parameter. 20030826 [PHP] AttilaPHP 3.0 : User/Admin Access nphpd.php in newsPHP 216 and earlier allows remote attackers to read arbitrary files via a full pathname to the target file in the nphp_config[LangFile] parameter. 20030824 newsPHP file inclusion & bad login validation nphpd.php in newsPHP 216 and earlier allows remote attackers to bypass authentication via an HTTP request with a modified nphp_users array, which is used for authentication. 20030824 newsPHP file inclusion & bad login validation Buffer overflow in sys_cmd.c for gtkftpd 1.0.4 and earlier allows remote attackers to execute arbitrary code by creating long directory names and listing them with a LIST command. 20030826 gtkftpd[v1.0.4(and below)]: remote root buffer overflow exploit. Directory traversal vulnerability in sitebuilder.cgi in SiteBuilder 1.4 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the selectedpage parameter. 20030831 Directory Traversal in SITEBUILDER - v1.4 Check Point FireWall-1 4.0 and 4.1 before SP5 allows remote attackers to obtain the IP addresses of internal interfaces via certain SecuRemote requests to TCP ports 256 or 264, which leaks the IP addresses in a reply packet. 20030902 IRM 007: The IP addresses of Check Point Firewall-1 internal interfaces may be enumerated using SecuRemote Buffer overflow in db2dart in IBM DB2 Universal Data Base 7.2 before Fixpak 10 allows local users to gain root privileges via a long command line argument. 8552 ibm-db2-db2dart-bo(13218) N-154 20030918 CORE-2003-0531: Multiple IBM DB2 Stack Overflow Vulnerabilities 20030918 CORE-2003-0531: Multiple IBM DB2 Stack Overflow Vulnerabilities http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10 Buffer overflow in db2licm in IBM DB2 Universal Data Base 7.2 before Fixpak 10a allows local users to gain root privileges via a long command line argument. 8553 N-154 IY47653 20030918 CORE-2003-0531: Multiple IBM DB2 Stack Overflow Vulnerabilities 20030918 CORE-2003-0531: Multiple IBM DB2 Stack Overflow Vulnerabilities ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aixv7/FP10a_U495172/FixpakReadme.txt http://www.coresecurity.com/common/showdoc.php?idx=366&idxseccion=10 Blubster 2.5 allows remote attackers to cause a denial of service (crash) via a flood of connections to UDP port 701. http://www.securiteam.com/windowsntfocus/5RP0N15AUC.html blubster-port701-dos(13012) 8482 Buffer overflow in the get_msg_text of chan_sip.c in the Session Initiation Protocol (SIP) protocol implementation for Asterisk releases before August 15, 2003, allows remote attackers to execute arbitrary code via certain (1) MESSAGE or (2) INFO requests. A090403-1 Buffer overflow in (1) foxweb.dll and (2) foxweb.exe of Foxweb 2.5 allows remote attackers to execute arbitrary code via a long URL (PATH_INFO value). 20030905 [SCAN Associates Sdn Bhd Security Advisory] Foxweb 2.5 bufferoverflow in CGI and ISAPI extension Cross-site scripting (XSS) vulnerability in Escapade Scripting Engine (ESP) allows remote attackers to inject arbitrary script via the method parameter, as demonstrated using the PAGE parameter. 20030909 Escapade Scripting Engine XSS Vulnerability and Path Disclosure Escapade Scripting Engine (ESP) allows remote attackers to obtain sensitive path information via a malformed request, which leaks the information in an error message, as demonstrated using the PAGE parameter. 20030909 Escapade Scripting Engine XSS Vulnerability and Path Disclosure The IN_MIDI.DLL plugin 3.01 and earlier, as used in Winamp 2.91, allows remote attackers to execute arbitrary code via a MIDI file with a large "Track data size" value. 20030908 Winamp 2.91 lets code execution through MIDI files Multiple heap-based buffer overflows in FTP Desktop client 3.5, and possibly earlier versions, allow remote malicious servers to execute arbitrary code via (1) a long FTP banner, (2) a long response to a USER copmmand, or (3) a long response to a PASS command. 20030908 Multiple Heap Overflows in FTP Desktop Buffer overflow in RogerWilco graphical server 1.4.1.6 and earlier, dedicated server 0.32a and earlier for Windows, and 0.27 and earlier for Linux and BSD, allows remote attackers to cause a denial of service and execute arbitrary code via a client request with a large length value. 20030908 Rogerwilco: server's buffer overflow Microsoft ASP.Net 1.1 allows remote attackers to bypass the Cross-Site Scripting (XSS) and Script Injection protection feature via a null character in the beginning of a tag name. 20030908 Advisory: Incorrect Handling of XSS Protection in ASP.Net Cross-site scripting (XSS) vulnerability in the ICQ Web Front guestbook (guestbook.html) allows remote attackers to insert arbitrary web script and HTML via the message field. FUNC.pm in IkonBoard 3.1.2a and earlier, including 3.1.1, does not properly cleanse the "lang" cookie when it contains illegal characters, which allows remote attackers to execute arbitrary code when the cookie is inserted into a Perl "eval" statement. 20030401 IkonBoard v3.1.1: arbitrary command execution 20030908 IkonBoard 3.1.2a arbitrary command execution 20030917 Exploit: IkonBoard 3.1.1/3.1.2a arbitrary command execution Gallery.pm in Apache::Gallery (aka A::G) uses predictable temporary filenames when running Inline::C, which allows local users to execute arbitrary code by creating and modifying the files before Apache::Gallery does. 20030907 Apache::Gallery local webserver compromise, privilege escalation Multiple buffer overflows in WS_FTP 3 and 4 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via long (1) APPE (append) or (2) STAT (status) arguments. VU#792284 VU#219140 wsftp-ftp-command-bo(13119) 8542 9671 20030906 Remote and Local Vulnerabilities In WS_FTP Server saned in sane-backends 1.0.7 and earlier does not check the IP address of the connecting host during the SANE_NET_INIT RPC call, which allows remote attackers to use that call even if they are restricted in saned.conf. 8595 RHSA-2003:278 DSA-379 RHSA-2003:285 SuSE-SA:2003:046 CSSA-2004-005.0 8593 MDKSA-2003:099 saned in sane-backends 1.0.7 and earlier does not quickly handle connection drops, which allows remote attackers to cause a denial of service (segmentation fault) when invalid memory is accessed. RHSA-2003:278 DSA-379 RHSA-2003:285 SuSE-SA:2003:046 CSSA-2004-005.0 8593 MDKSA-2003:099 saned in sane-backends 1.0.7 and earlier calls malloc with an arbitrary size value if a connection is dropped before the size value has been sent, which allows remote attackers to cause a denial of service (memory consumption or crash). 8600 RHSA-2003:278 DSA-379 RHSA-2003:285 SuSE-SA:2003:046 CSSA-2004-005.0 8593 MDKSA-2003:099 saned in sane-backends 1.0.7 and earlier does not properly "check the validity of the RPC numbers it gets before getting the parameters," with unknown consequences. RHSA-2003:278 DSA-379 RHSA-2003:285 SuSE-SA:2003:046 CSSA-2004-005.0 8593 MDKSA-2003:099 saned in sane-backends 1.0.7 and earlier, when debug messages are enabled, does not properly handle dropped connections, which can prevent strings from being null terminated and cause a denial of service (segmentation fault). RHSA-2003:278 DSA-379 RHSA-2003:285 SuSE-SA:2003:046 CSSA-2004-005.0 8597 8593 MDKSA-2003:099 saned in sane-backends 1.0.7 and earlier, and possibly later versions, does not properly allocate memory in certain cases, which could allow attackers to cause a denial of service (memory consumption). RHSA-2003:278 DSA-379 RHSA-2003:285 SuSE-SA:2003:046 CSSA-2004-005.0 8596 8593 MDKSA-2003:099 SQL injection vulnerability in the Call Detail Record (CDR) logging functionality for Asterisk allows remote attackers to execute arbitrary SQL via a CallerID string. A091103-1 Buffer overflow in get_salt_from_password from sql_acl.cc for MySQL 4.0.14 and earlier, and 3.23.x, allows attackers with ALTER TABLE privileges to execute arbitrary code via a long Password field. VU#516492 20030910 Buffer overflow in MySQL RHSA-2003:281 DSA-381 RHSA-2003:282 9709 2003-0034 20030913 exploit for mysql -- [get_salt_from_password] problem 20030910 Buffer overflow in MySQL CLA-2003:743 MDKSA-2003:094 Unknown vulnerability in ecartis before 1.0.0 does not properly validate user input, which allows attackers to obtain mailing list passwords. DSA-467 ecartis-subscribe-password-disclosure(12929) Multiple buffer overflows in ecartis before 1.0.0 allow attackers to cause a denial of service and possibly execute arbitrary code. DSA-467 ecartis-multiple-bo(12928) Multiple buffer overflows in hztty 2.0 allow local users to gain root privileges. 8656 DSA-385 20030921 Fw: 0x333hztty => hztty 2.0 local root exploit hztty-bo(13243) 7119 1007757 1007756 9792 Format string vulnerability in tsm for the bos.rte.security fileset on AIX 5.2 allows remote attackers to gain root privileges via login, and local users to gain privileges via login, su, or passwd, with a username that contains format string specifiers. IY47764 ipmasq before 3.5.12, in certain configurations, may forward packets to the external interface even if the packets are not associated with an established connection, which could allow remote attackers to bypass intended filtering. DSA-389 The SSH1 PAM challenge response authentication in OpenSSH 3.7.1 and 3.7.1p1, when Privilege Separation is disabled, does not check the result of the authentication attempt, which can allow remote attackers to gain privileges. VU#602204 http://www.openssh.com/txt/sshpam.adv 20030924 [OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh) 8677 20030923 Multiple PAM vulnerabilities in portable OpenSSH 20030923 Portable OpenSSH 3.7.1p2 released The PAM conversation function in OpenSSH 3.7.1 and 3.7.1p1 interprets an array of structures as an array of pointers, which allows attackers to modify the stack and possibly gain privileges. VU#209807 http://www.openssh.com/txt/sshpam.adv 20030924 [OpenPKG-SA-2003.042] OpenPKG Security Advisory (openssh) 8677 20030923 Multiple PAM vulnerabilities in portable OpenSSH 20030923 Portable OpenSSH 3.7.1p2 released Unknown vulnerability in the Internet Printing Protocol (IPP) implementation in CUPS before 1.1.19 allows remote attackers to cause a denial of service (CPU consumption from a "busy loop") via certain inputs to the IPP port (TCP 631). 8952 RHSA-2003:275 cups-ipp-dos(13584) TLSA-2003-63 MDKSA-2003:104 10123 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=97958 CLA-2003:788 CLA-2003:779 mod_cgid in Apache before 2.0.48, when using a threaded MPM, does not properly handle CGI redirect paths, which could cause Apache to send the output of a CGI program to the wrong client. RHSA-2003:320 20031031 GLSA: apache (200310-04) apache-modcgi-info-disclosure(13552) 8926 HPSBUX0311-301 MDKSA-2003:103 O-015 200310-04 http://lists.apple.com/mhonarc/security-announce/msg00045.html http://docs.info.apple.com/article.html?artnum=61798 CLA-2003:775 http://apache.secsup.org/dist/httpd/Announcement2.html 9504 APPLE-SA-2004-01-26 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: the reported issue is not a vulnerability or exposure. Notes: This candidate was assigned to a "head-reading" bug in a component of fetchmail 6.2.4 and earlier, which was claimed to allow a denial of service. However, the bug is in a broken component of fetchmail that is not "reachable" by any execution path, so it cannot be triggered by any sort of attack and is not exploitable. The Script.prototype.freeze/thaw functionality in Mozilla 1.4 and earlier allows attackers to execute native methods by modifying the string used as input to the script.thaw JavaScript function, which is then deserialized and executed. https://bugzilla.mozilla.org/show_bug.cgi?id=221526 9322 SCOSA-2004.8 8390 11103 MDKSA-2004:021 Fetchmail 6.2.4 and earlier does not properly allocate memory for long lines, which allows remote attackers to cause a denial of service (crash) via a certain email. fetchmail-email-dos(13450) 8843 TLSA-2003-61 IMNX-2003-7+-023-01 MDKSA-2003:101 GLSA-200403-10 20040220 LNSA-#2004-0002: Fetchmail 6.2.4 and earlier remote denial of service CSSA-2004-004.0 GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not restrict the size of input, which allows attackers to cause a denial of service (memory consumption). gdm-dos(13447) 8846 CLA-2003:766 http://cvs.gnome.org/bonsai/cvsblame.cgi?file=gdm2/NEWS&rev=&root=/cvs/gnome MDKSA-2003:100 GDM 2.4.4.x before 2.4.4.4, and 2.4.1.x before 2.4.1.7, does not limit the number or duration of commands and uses a blocking socket connection, which allows attackers to cause a denial of service (resource exhaustion) by sending commands and not reading the results. gdm-command-dos(13448) 8846 CLA-2003:766 http://cvs.gnome.org/bonsai/cvsblame.cgi?file=gdm2/NEWS&rev=&root=/cvs/gnome MDKSA-2003:100 The vty layer in Quagga before 0.96.4, and Zebra 0.93b and earlier, does not verify that sub-negotiation is taking place when processing the SE marker, which allows remote attackers to cause a denial of service (crash) via a malformed telnet command to the telnet CLI port, which may trigger a null dereference. RHSA-2003:307 RHSA-2003:305 DSA-415 20031114 Quagga remote vulnerability 10563 Unknown vulnerability in rpc.mountd SGI IRIX 6.5.18 through 6.5.22 allows remote attackers to mount from unprivileged ports even with the -n option disabled. rpcmountd-mount-gain-access(13807) 9085 20031102-02-P 20031102-01-P Unknown vulnerability in rpc.mountd in SGI IRIX 6.5 through 6.5.22 allows remote attackers to cause a denial of service (process death) via unknown attack vectors. rpcmountd-dos(13808) 9084 20031102-02-P 20031102-01-P 8520 Cross-site scripting (XSS) vulnerability in Nokia Electronic Documentation (NED) 5.0 allows remote attackers to execute arbitrary web script and steal cookies via a URL to the docs/ directory that contains the script. A091503-1 Nokia Electronic Documentation (NED) 5.0 allows remote attackers to obtain a directory listing of the WebLogic web root, and the physical path of the NED server, via a "retrieve" action with a location parameter of . (dot). A091503-1 Nokia Electronic Documentation (NED) 5.0 allows remote attackers to use NED as an open HTTP proxy via a URL in the location parameter, which NED accesses and returns to the user. A091503-1 The arplookup function in FreeBSD 5.1 and earlier, Mac OS X before 10.2.8, and possibly other BSD-based systems, allows remote attackers on a local subnet to cause a denial of service (resource starvation and panic) via a flood of spoofed ARP requests. http://docs.info.apple.com/article.html?artnum=61798 20040502-01-P FreeBSD-SA-03:14 Multiple buffer overflows in UMN gopher daemon (gopherd) 2.x and 3.x before 3.0.6 allows attackers to execute arbitrary code via (1) a long filename as a result of a LIST command, and (2) the GSisText function, which calculates the view-type. DSA-387 20030818 FW: [gopher] UMN Gopher 3.0.6 released 20030712 UMN gopherd[2.x.x/3.x.x]: ftp gateway, and GSisText() buffer Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code. VU#471260 TA04-104A MS04-011 win-winlogon-bo(15702) 10126 O-114 oval:org.mitre.oval:def:896 oval:org.mitre.oval:def:895 oval:org.mitre.oval:def:1054 Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request. VU#698564 TA04-104A win-cis-rpc-http-dos(15709) 10123 MS04-012 O-115 1009762 oval:org.mitre.oval:def:995 oval:org.mitre.oval:def:969 oval:org.mitre.oval:def:1030 Internet Explorer 5.01 through 6.0 does not properly handle object tags returned from a Web server during XML data binding, which allows remote attackers to execute arbitrary code via an HTML e-mail message or web page. 8565 MS03-040 ie-xmlobject-code-execution (13300) 7887 oval:org.mitre.oval:def:123 Stack-based buffer overflow in a logging function for Windows Workstation Service (WKSSVC.DLL) allows remote attackers to execute arbitrary code via RPC calls that cause long entries to be written to a debug log file ("NetSetup.LOG"), as demonstrated using the NetAddAlternateComputerName API. VU#567620 CA-2003-28 9011 MS03-049 20031111 EEYE: Windows Workstation Service Remote Buffer Overflow 20040129 Buffer Overrun in Microsoft Windows 2000 Workstation Service (MS03-049) 20031112 Proof of concept for Windows Workstation Service overflow oval:org.mitre.oval:def:575 oval:org.mitre.oval:def:331 A multi-threaded race condition in the Windows RPC DCOM functionality with the MS03-039 patch installed allows remote attackers to cause a denial of service (crash or reboot) by causing two threads to process the same RPC request, which causes one thread to use memory after it has been freed, a different vulnerability than CVE-2003-0352 (Blaster/Nachi), CVE-2003-0715, and CVE-2003-0528, and as demonstrated by certain exploits against those vulnerabilities. VU#547820 TA04-104A 20031014 Microsoft RPC Race Condition Denial of Service http://www.securitylab.ru/_exploits/rpc2.c.txt 20031010 Bad news on RPC DCOM vulnerability 20031011 Bad news on RPC DCOM2 vulnerability 20031010 Re: Bad news on RPC DCOM vulnerability 20031010 Re : [VERY] BAD news on RPC DCOM Exploit 8811 MS04-012 20031010 Bad news on RPC DCOM vulnerability 20031011 RE: Bad news on RPC DCOM vulnerability oval:org.mitre.oval:def:900 oval:org.mitre.oval:def:894 oval:org.mitre.oval:def:893 Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and execute Javascript by setting the window's "href" to the malicious Javascript, then calling execCommand("Refresh") to refresh the page, aka BodyRefreshLoadsJPU or the "ExecCommand Cross Domain" vulnerability. VU#326412 MS03-048 20030911 LiuDieYu's missing files are here. http://www.safecenter.net/liudieyu/BodyRefreshLoadsJPU/BodyRefreshLoadsJPU-Content.htm 20030910 MSIE->BodyRefreshLoadsJPU:refresh is a new navigation method 1007687 10192 oval:org.mitre.oval:def:392 oval:org.mitre.oval:def:349 oval:org.mitre.oval:def:344 oval:org.mitre.oval:def:343 oval:org.mitre.oval:def:342 oval:org.mitre.oval:def:341 oval:org.mitre.oval:def:335 Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions and read arbitrary files by (1) modifying the createTextRange method and using CreateLink, as demonstrated using LinkillerSaveRef, LinkillerJPU, and Linkiller, or (2) modifying the createRange method and using the FIND dialog to select text, as demonstrated using Findeath, aka the "Function Pointer Override Cross Domain" vulnerability. 9014 MS03-048 20030911 LiuDieYu's missing files are here. http://www.safecenter.net/UMBRELLAWEBV4/LinkillerSaveRef/LinkillerSaveRef-Content.HTM http://www.safecenter.net/UMBRELLAWEBV4/LinkillerJPU/LinkillerJPU-Content.HTM http://www.safecenter.net/UMBRELLAWEBV4/Linkiller/Linkiller-Content.HTM ie-pointer-zone-bypass(13676) 7889 7888 20030910 MSIE->LinkillerSaveRef:another caller-based authorization O-021 1007687 10192 20030910 MSIE->Findeath: break caller-based authorization 20030910 MSIE->LinkillerJPU:another caller-based authorization(is broken). oval:org.mitre.oval:def:472 oval:org.mitre.oval:def:359 oval:org.mitre.oval:def:357 oval:org.mitre.oval:def:356 oval:org.mitre.oval:def:353 oval:org.mitre.oval:def:352 oval:org.mitre.oval:def:351 Internet Explorer 6 SP1 and earlier allows remote attackers to bypass zone restrictions by (1) using the NavigateAndFind method to load a file: URL containing Javascript, as demonstrated by NAFfileJPU, (2) using the window.open method to load a file: URL containing Javascript, as demonstrated using WsOpenFileJPU, (3) setting the href property in the base tag for the _search window, as demonstrated using WsBASEjpu, (4) loading the search window into an Iframe, as demonstrated using WsFakeSrc, (5) caching a javascript: URL in the browser history, then accessing that URL in the same frame as the target domain, as demonstrated using WsOpenJpuInHistory, NAFjpuInHistory, BackMyParent, BackMyParent2, and RefBack, aka the "Script URLs Cross Domain" vulnerability. VU#652452 VU#771604 MS03-048 20030911 LiuDieYu's missing files are here. http://www.safecenter.net/UMBRELLAWEBV4/WsOpenFileJPU/WsOpenFileJPU-Content.HTM http://www.safecenter.net/UMBRELLAWEBV4/NAFfileJPU/NAFfileJPU-Content.htm http://www.safecenter.net/liudieyu/WsOpenJpuInHistory/WsOpenJpuInHistory-Content.HTM http://www.safecenter.net/liudieyu/WsFakeSrc/WsFakeSrc-Content.HTM http://www.safecenter.net/liudieyu/WsBASEjpu/WsBASEjpu-Content.HTM http://www.safecenter.net/liudieyu/RefBack/RefBack-Content.HTM http://www.safecenter.net/liudieyu/NAFjpuInHistory/NAFjpuInHistory-Content.HTM http://www.safecenter.net/liudieyu/BackMyParent2/BackMyParent2-Content.HTM http://www.safecenter.net/liudieyu/BackMyParent/BackMyParent-content.htm 20030910 MSIE->NAFfileJPU 20030910 MSIE->WsOpenJpuInHistory 1007687 10192 20030910 MSIE->BackMyParent2:Multi-Thread version 20030910 MSIE->WsBASEjpu 20030910 MSIE->WsOpenFileJPU 20030910 MSIE->WsFakeSrc 20030910 MSIE->NAFjpuInHistory 20030910 MSIE->RefBack oval:org.mitre.oval:def:479 oval:org.mitre.oval:def:459 oval:org.mitre.oval:def:416 oval:org.mitre.oval:def:409 oval:org.mitre.oval:def:363 oval:org.mitre.oval:def:362 oval:org.mitre.oval:def:361 Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions and read arbitrary files via an XML object. 9012 MS03-048 10192 oval:org.mitre.oval:def:566 oval:org.mitre.oval:def:556 oval:org.mitre.oval:def:549 oval:org.mitre.oval:def:548 oval:org.mitre.oval:def:543 oval:org.mitre.oval:def:520 oval:org.mitre.oval:def:508 Multiple integer overflows in Microsoft ASN.1 library (MSASN1.DLL), as used in LSASS.EXE, CRYPT32.DLL, and other Microsoft executables and libraries on Windows NT 4.0, 2000, and XP, allow remote attackers to execute arbitrary code via ASN.1 BER encodings with (1) very large length fields that cause arbitrary heap data to be overwritten, or (2) modified bit strings. TA04-041A VU#583108 VU#216324 MS04-007 20040210 EEYE: Microsoft ASN.1 Library Bit String Heap Corruption 20040210 EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption 20040210 EEYE: Microsoft ASN.1 Library Bit String Heap Corruption 20040210 EEYE: Microsoft ASN.1 Library Length Overflow Heap Corruption oval:org.mitre.oval:def:799 oval:org.mitre.oval:def:797 oval:org.mitre.oval:def:796 oval:org.mitre.oval:def:653 Buffer overflow in the H.323 filter of Microsoft Internet Security and Acceleration Server 2000 allows remote attackers to execute arbitrary code in the Microsoft Firewall Service via certain H.323 traffic, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 9408 MS04-001 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm 1008698 9406 10611 oval:org.mitre.oval:def:478 Microsoft Word 97, 98(J), 2000, and 2002, and Microsoft Works Suites 2001 through 2004, do not properly check the length of the "Macro names" data value, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. word-macro-execute-code(13682) 8835 MS03-050 http://www.security.nnov.ru/search/document.asp?docid=5243 20031015 Few issues previously unpublished in English oval:org.mitre.oval:def:668 oval:org.mitre.oval:def:586 oval:org.mitre.oval:def:585 oval:org.mitre.oval:def:336 Microsoft Excel 97, 2000, and 2002 allows remote attackers to execute arbitrary code via a spreadsheet with a malicious XLM (Excel 4) macro that bypasses the macro security model. excel-macro-execute-code (13681) MS03-050 9010 oval:org.mitre.oval:def:695 oval:org.mitre.oval:def:675 oval:org.mitre.oval:def:636 Buffer overflow in the debug functionality in fp30reg.dll of Microsoft FrontPage Server Extensions (FPSE) 2000 and 2002 allows remote attackers to execute arbitrary code via a crafted chunked encoded request. VU#279156 fpse-debug-bo(13674) MS03-051 10195 20031112 Frontpage Extensions Remote Command Execution 20031112 Frontpage Extensions Remote Command Execution oval:org.mitre.oval:def:743 oval:org.mitre.oval:def:699 oval:org.mitre.oval:def:367 oval:org.mitre.oval:def:366 oval:org.mitre.oval:def:364 Internet Explorer 6 SP1 and earlier allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by calling the window.moveBy method, aka HijackClick, a different vulnerability than CVE-2003-1027. VU#413886 MS03-048 20030910 MSIE->HijackClick: 1+1=2 20030911 LiuDieYu's missing files are here. 1006036 10192 oval:org.mitre.oval:def:733 oval:org.mitre.oval:def:588 oval:org.mitre.oval:def:372 oval:org.mitre.oval:def:371 oval:org.mitre.oval:def:370 oval:org.mitre.oval:def:369 oval:org.mitre.oval:def:368 Unknown vulnerability in the SmartHTML interpreter (shtml.dll) in Microsoft FrontPage Server Extensions 2000 and 2002, and Microsoft SharePoint Team Services 2002, allows remote attackers to cause a denial of service (response failure) via a certain request. VU#179012 fpse-smarthtml-dos(13680) MS03-051 10195 oval:org.mitre.oval:def:762 oval:org.mitre.oval:def:625 oval:org.mitre.oval:def:606 oval:org.mitre.oval:def:591 oval:org.mitre.oval:def:308 The Windows Internet Naming Service (WINS) for Microsoft Windows Server 2003, and possibly Windows NT and Server 2000, does not properly validate the length of certain packets, which allows attackers to cause a denial of service and possibly execute arbitrary code. VU#445214 9624 MS04-006 win-wins-gsflag-dos(15037) 3903 O-077 oval:org.mitre.oval:def:802 oval:org.mitre.oval:def:801 oval:org.mitre.oval:def:800 oval:org.mitre.oval:def:704 lsh daemon (lshd) does not properly return from certain functions in (1) read_line.c, (2) channel_commands.c, or (3) client_keyexchange.c when long input is provided, which could allow remote attackers to execute arbitrary code via a heap-based buffer overflow attack. 20030920 LSH: Buffer overrun and remote root compromise in lshd DSA-717 http://lists.lysator.liu.se/pipermail/lsh-bugs/2003q3/000120.html 20030919 lsh patch (was Re: [Full-Disclosure] new ssh exploit?) http://bugs.debian.org/211662 20030919 Remote root vuln in lsh 1.4.x The DB2 Discovery Service for IBM DB2 before FixPak 10a allows remote attackers to cause a denial of service (crash) via a long packet to UDP port 523. 20030919 AppSecInc Security Alert: Denial of Service Vulnerability in DB2 Discovery Service IY47686 Buffer overflow in freesweep in Debian GNU/Linux 3.0 allows local users to gain "games" group privileges when processing environment variables. freesweep-bo(13301) 8716 DSA-391 Buffer overflow in marbles 1.0.2 and earlier allows local users to gain privileges via a long HOME environment variable. DSA-390 ProFTPD 1.2.7 through 1.2.9rc2 does not properly translate newline characters when transferring files in ASCII mode, which allows remote attackers to execute arbitrary code via a buffer overflow using certain files. VU#405348 20030924 [slackware-security] ProFTPD Security Advisory (SSA:2003-259-02) proftpd-ascii-xfer-newline-bo(12200) 20030923 ProFTPD ASCII File Remote Compromise Vulnerability MDKSA-2003:095 9829 20031013 Remote root exploit for proftpd \n bug 20031014 Another ProFTPd root EXPLOIT ? Directory traversal vulnerability in webfs before 1.20 allows remote attackers to read arbitrary files via .. (dot dot) sequences in a Hostname header. DSA-392 Stack-based buffer overflow in webfs before 1.20 allows attackers to execute arbitrary code by creating directories that result in a long pathname. DSA-392 Buffer overflow in CDE libDtHelp library allows local users to execute arbitrary code via (1) a modified DTHELPUSERSEARCHPATH environment variable and the Help feature, (2) DTSEARCHPATH, or (3) LOGNAME. VU#575804 8973 57414 HPSBUX0311-297 20040801-01-P 20040825 CDE libDtHelp LOGNAME Buffer Overflow Vulnerability oval:org.mitre.oval:def:5141 Multiple buffer overflows in asf_http_request of MPlayer before 0.92 allows remote attackers to execute arbitrary code via an ASX header with a long hostname. 20030925 MPlayer Security Advisory #01: Remotely exploitable buffer overflow http://www.mplayerhq.hu/homepage/design6/news.html 20030929 GLSA: media-video/mplayer (200309-15) 20030926 Mplayer Buffer Overflow CLA-2003:760 Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 before Fixpak 10 and 10a, and 8.1 before Fixpak 2, allows attackers with "Connect" privileges to execute arbitrary code via a LOAD command. Stack-based buffer overflow in IBM DB2 Universal Data Base 7.2 for Windows, before Fixpak 10a, allows attackers with "Connect" privileges to execute arbitrary code via the INVOKE command. 8743 db2-invoke-bo(13331) 20031001 ptl-2003-02: IBM DB2 INVOKE Command Stack Overflow Vulnerability Internet Explorer allows remote attackers to bypass zone restrictions to inject and execute arbitrary programs by creating a popup window and inserting ActiveX object code with a "data" tag pointing to the malicious code, which Internet Explorer treats as HTML or Javascript, but later executes as an HTA application, a different vulnerability than CVE-2003-0532, and as exploited using the QHosts Trojan horse (aka Trojan.Qhosts, QHosts-1, VBS.QHOSTS, or aolfix.exe). MS03-040 http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html 20030907 BAD NEWS: Microsoft Security Bulletin MS03-032 20030907 BAD NEWS: Microsoft Security Bulletin MS03-032 ie-popup-code-execution(13314) 8556 7872 20031001 DNS/Hosts file issues 20030907 BAD NEWS: Microsoft Security Bulletin MS03-032 20030908 Temporary Fix for IE Zero Day Malware RE: BAD NEWS: Microsoft Security Bulletin MS03-032 oval:org.mitre.oval:def:204 Directory traversal vulnerability in the "Shell Folders" capability in Microsoft Windows Server 2003 allows remote attackers to read arbitrary files via .. (dot dot) sequences in a "shell:" link. http://www.geocities.co.jp/SiliconValley/1667/advisory08e.html 20031008 Microsoft Windows Server 2003 "Shell Folders" Directory Traversal Vulnerability Buffer overflow in dtprintinfo on HP-UX 11.00, and possibly other operating systems, allows local users to gain root privileges via a long DISPLAY environment variable. 20031008 HPUX dtprintinfo buffer overflow vulnerability The grid option in PeopleSoft 8.42 stores temporary .xls files in guessable directories under the web document root, which allows remote attackers to steal search results by directly accessing the files via a URL request. 20031007 PeopleSoft Grid Option Vulnerability Stack-based buffer overflow in mod_gzip_printf for mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode, allows remote attackers to execute arbitrary code via a long filename in a GET request with an "Accept-Encoding: gzip" header. 20030601 Mod_gzip Debug Mode Vulnerabilities Format string vulnerability in mod_gzip_printf for mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode and using the Apache log, allows remote attackers to execute arbitrary code via format string characters in an HTTP GET request with an "Accept-Encoding: gzip" header. 20030601 Mod_gzip Debug Mode Vulnerabilities mod_gzip 1.3.26.1a and earlier, and possibly later official versions, when running in debug mode without the Apache log, allows local users to overwrite arbitrary files via (1) a symlink attack on predictable temporary filenames on Unix systems, or (2) an NTFS hard link on Windows systems when the "Strengthen default permissions of internal system objects" policy is not enabled. 20030601 Mod_gzip Debug Mode Vulnerabilities Unknown vulnerability in the HSQLDB component in JBoss 3.2.1 and 3.0.8 on Java 1.4.x platforms, when running in the default configuration, allows remote attackers to conduct unauthorized activities and possibly execute arbitrary code via certain SQL statements to (1) TCP port 1701 in JBoss 3.2.1, and (2) port 1476 in JBoss 3.0.8. 8773 oval:org.mitre.oval:def:11300 20031005 JBoss 3.2.1: Remote Command Injection RHSA-2007:1048 http://sourceforge.net/docman/display_doc.php?docid=19314&group_id=22866 27914 20031006 Update JBoss 308 & 321: Remote Command Injection SuSEconfig.javarunt in the javarunt package on SuSE Linux 7.3Pro allows local users to overwrite arbitrary files via a symlink attack on the .java_wrapper temporary file. 20031006 Local root exploit in SuSE Linux 7.3Pro 20031006 Re: Local root exploit in SuSE Linux 8.2Pro SuSEconfig.susewm in the susewm package on SuSE Linux 8.2Pro allows local users to overwrite arbitrary files via a symlink attack on the susewm.$$ temporary file. 20031006 Local root exploit in SuSE Linux 8.2Pro 20031006 Re: Local root exploit in SuSE Linux 8.2Pro Heap-based buffer overflow in main.c of slocate 2.6, and possibly other versions, may allow local users to gain privileges via a modified slocate database that causes a negative "pathlen" value to be used. DSA-428 2004-0005 RHSA-2004:041 http://www.ebitech.sk/patrik/SA/SA-20031006.txt http://www.ebitech.sk/patrik/SA/SA-20031006-A.txt oval:org.mitre.oval:def:11033 20031011 SA-20031006 slocate buffer overflow - exploitation proof 20031006 SA-20031006 slocate vulnerability 20040201-01-U CSSA-2004-001.0 FEDORA-2004-059 MDKSA-2004:004 9962 10722 10720 10702 10698 10686 10683 10670 RHSA-2004:040 20040202-01-U oval:org.mitre.oval:def:821 Buffer overflow in net.c for cfengine 2.x before 2.0.8 allows remote attackers to execute arbitrary code via certain packets with modified length values, which is trusted by the ReceiveTransaction function when using a buffer provided by the BusyWithConnection function. 20030925 Cfengine2 cfservd remote stack overflow 20031005 GLSA: cfengine (200310-02) 20030928 cfengine2-2.0.3 remote exploit for redhat The TCP reassembly functionality in libnids before 1.18 allows remote attackers to cause "memory corruption" and possibly execute arbitrary code via "overlarge TCP packets." DSA-410 20031027 Libnids <= 1.17 buffer overflow http://sourceforge.net/project/shownotes.php?release_id=191323 10543 CLA-2003:773 OpenSSL 0.9.6k allows remote attackers to cause a denial of service (crash via large recursion) via malformed ASN.1 sequences. VU#412478 8970 http://www.openssl.org/news/secadv_20031104.txt 20031104 [OpenSSL Advisory] Denial of Service in ASN.1 parsing 20030930 SSL Implementation Vulnerabilities RHSA-2004:119 oval:org.mitre.oval:def:5528 20040304-01-U NetBSD-SA2004-003 FEDORA-2005-1042 17381 20040508 [FLSA-2004:1395] Updated OpenSSL resolves security vulnerability Format string vulnerability in send_message.c for Sylpheed-claws 0.9.4 through 0.9.6 allows remote SMTP servers to cause a denial of service (crash) in sylpheed via format strings in an error message. 8877 http://www.guninski.com/sylph.html 20031022 Sylpheed-claws format string bug, yet still sylpheed much better than windows sylpheed-smtp-format-string(13508) http://sylpheed.good-day.net/#changes An integer overflow in ls in the fileutils or coreutils packages may allow local users to cause a denial of service or execute arbitrary code via a large -w value, which could be remotely exploited via applications that use ls, such as wu-ftpd. 8875 TLSA-2003-60 IMNX-2003-7+-026-01 RHSA-2003:310 RHSA-2003:309 http://www.guninski.com/binls.html http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf 17069 10126 20031022 Fun with /bin/ls, yet still ls better than windows CLA-2003:771 CLA-2003:768 MDKSA-2003:106 ls in the fileutils or coreutils packages allows local users to consume a large amount of memory via a large -w value, which can be remotely exploited via applications that use ls, such as wu-ftpd. TLSA-2003-60 IMNX-2003-7+-026-01 RHSA-2003:310 RHSA-2003:309 http://www.guninski.com/binls.html DSA-705 http://support.avaya.com/elmodocs2/security/ASA-2005-213.pdf 17069 10126 20031022 Fun with /bin/ls, yet still ls better than windows CLA-2003:771 CLA-2003:768 115 MDKSA-2003:106 Pan 0.13.3 and earlier allows remote attackers to cause a denial of service (crash) via a news post with a long author email address. http://bugzilla.gnome.org/show_bug.cgi?id=107025 RHSA-2003:312 RHSA-2003:311 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=107519 20040202-01-U iproute 2.4.7 and earlier allows local users to cause a denial of service via spoofed messages as other users to the kernel netlink interface. RHSA-2003:317 DSA-492 RHSA-2003:316 FEDORA-2004-115 oval:org.mitre.oval:def:10912 SUSE-SR:2005:001 The (1) ipq_read and (2) ipulog_read functions in iptables allow local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. https://bugzilla.redhat.com/show_bug.cgi?id=108574 Zebra 0.93b and earlier, and quagga before 0.95, allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. RHSA-2003:315 RHSA-2003:307 RHSA-2003:305 DSA-415 10563 oval:org.mitre.oval:def:10169 The getifaddrs function in GNU libc (glibc) 2.2.4 and earlier allows local users to cause a denial of service by sending spoofed messages as other users to the kernel netlink interface. RHSA-2003:325 RHSA-2003:334 oval:org.mitre.oval:def:11337 Buffer overflows in PHP before 4.3.3 have unknown impact and unknown attack vectors. http://www.php.net/release_4_3_3.php http://www.php.net/ChangeLog-4.php#4.3.3 Integer overflows in (1) base64_encode and (2) the GD library for PHP before 4.3.3 have unknown impact and unknown attack vectors. http://www.php.net/release_4_3_3.php http://www.php.net/ChangeLog-4.php#4.3.3 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0813. Reason: This candidate is a duplicate of CVE-2003-0813. Notes: All CVE users should reference CVE-2003-0813 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The php_check_safe_mode_include_dir function in fopen_wrappers.c of PHP 4.3.x returns a success value (0) when the safe_mode_include_dir variable is not specified in configuration, which differs from the previous failure value and may allow remote attackers to exploit file include vulnerabilities in PHP applications. 20030716 PHP safe mode broken? Buffer overflow in m_join in channel.c for IRCnet IRCD 2.10.x to 2.10.3p3 allows remote attackers to cause a denial of service. 8817 20031019 [OpenPKG-SA-2003.045] OpenPKG Security Advisory (ircd) 20031012 buffer overflow in IRCD software ftp://ftp.irc.org/irc/server/ChangeLog ircd-mjoin-bo(13408) CLA-2003:765 Heap-based buffer overflow in readstring of httpget.c for mpg123 0.59r and 0.59s allows remote attackers to execute arbitrary code via a long request. 8680 DSA-435 20030930 GLSA: mpg123 (200309-17) 20030923 mpg123[v0.59r,v0.59s]: remote client-side heap corruption exploit. CSSA-2004-002.0 CLA-2003:781 The Catalina org.apache.catalina.connector.http package in Tomcat 4.0.x up to 4.0.3 allows remote attackers to cause a denial of service via several requests that do not follow the HTTP protocol, which causes Tomcat to reject later requests. 8824 DSA-395 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=215506 ADV-2008-1979 tomcat-non-http-dos(13429) http://tomcat.apache.org/security-4.html 239312 30908 30899 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0662. Reason: This candidate is a duplicate of CVE-2003-0662. Notes: All CVE users should reference CVE-2003-0662 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in Opera 7.11 and 7.20 allows remote attackers to execute arbitrary code via an HREF with a large number of escaped characters in the server name. opera-escape-heap-overflow(13458) 8853 A102003-1 20031020 Opera HREF escaped server name overflow Unknown vulnerability in QuickTime Java in Mac OS X v10.3 and Mac OS X Server 10.3 allows attackers to gain "unauthorized access to a system." 8922 APPLE-SA-2003-10-28 Certain scripts in OpenServer before 5.0.6 allow local users to overwrite files and conduct other unauthorized activities via a symlink attack on temporary files. 8864 CSSA-2003-SCO.27 Multiple SQL injection vulnerabilities in DeskPRO 1.1.0 and earlier allow remote attackers to insert arbitrary SQL and conduct unauthorized activities via (1) the cat parameter in faq.php, (2) the article parameter in faq.php, (3) the tickedid parameter in view.php, and (4) the Password entry on the logon screen. 8856 http://www.securiteam.com/unixfocus/6R0052K8KM.html deskpro-multiple-sql-injection(13391) 20031020 Multiple SQL Injection Vulnerabilities in DeskPRO 20031020 Multiple SQL Injection Vulnerabilities in DeskPRO Symbolic link vulnerability in the slpd script slpd.all_init for OpenSLP before 1.0.11 allows local users to overwrite arbitrary files via the route.check temporary file. 20030818 OpenSLP initscript symlink vulnerability CLA-2003:723 Finder in Mac OS X 10.2.8 and earlier sets global read/write/execute permissions on directories when they are dragged (copied) from a mounted volume such as a disk image (DMG), which could cause the directories to have less restrictive permissions than intended. 8916 macos-insecure-file-permissions(13537) 8917 A102803-1 Mac OS X before 10.3 with core files enabled allows local users to overwrite arbitrary files and read core files via a symlink attack on core files that are created with predictable names in the /cores directory. A102803-1 macos-core-files-symlink(13542) 8917 8914 slpd daemon in Mac OS X before 10.3 allows local users to overwrite arbitrary files via a symlink attack on a temporary file, a different vulnerability than CVE-2003-0875. http://docs.info.apple.com/article.html?artnum=61798 http://lists.apple.com/mhonarc/security-announce/msg00038.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0518. Reason: This candidate is a reservation duplicate of CVE-2003-0518. Notes: All CVE users should reference CVE-2003-0518 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unknown vulnerability in Mac OS X before 10.3 allows local users to access Dock functions from behind Screen Effects when Full Keyboard Access is enabled using the Keyboard pane in System Preferences. http://docs.info.apple.com/article.html?artnum=61798 http://lists.apple.com/mhonarc/security-announce/msg00038.html Mail in Mac OS X before 10.3, when configured to use MD5 Challenge Response, uses plaintext authentication if the CRAM-MD5 hashed login fails, which could allow remote attackers to gain privileges by sniffing the password. http://docs.info.apple.com/article.html?artnum=61798 http://lists.apple.com/mhonarc/security-announce/msg00038.html Mac OS X before 10.3 initializes the TCP timestamp with a constant number, which allows remote attackers to determine the system's uptime via the ID field in a TCP packet. http://docs.info.apple.com/article.html?artnum=61798 http://lists.apple.com/mhonarc/security-announce/msg00038.html The System Preferences capability in Mac OS X before 10.3 allows local users to access secure Preference Panes for a short period after an administrator has authenticated to the system. http://docs.info.apple.com/article.html?artnum=61798 http://lists.apple.com/mhonarc/security-announce/msg00038.html Xscreensaver 4.14 contains certain debugging code that should have been omitted, which causes Xscreensaver to create temporary files insecurely in the (1) apple2, (2) xanalogtv, and (3) pong screensavers, and allows local users to overwrite arbitrary files via a symlink attack. http://bugs.gentoo.org/show_bug.cgi?id=41253 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182286 Format string vulnerability in hfaxd for Hylafax 4.1.7 and earlier allows remote attackers to execute arbitrary code. DSA-401 20031111 HylaFAX - Format String Vulnerability Fixed SuSE-SA:2003:045 MDKSA-2003:105 CLA-2003:783 ez-ipupdate 3.0.11b7 and earlier creates insecure temporary cache files, which allows local users to conduct unauthorized operations via a symlink attack on the ez-ipupdate.cache file. http://cvs.mandriva.com/cgi-bin/viewcvs.cgi/SPECS/ez-ipupdate/ez-ipupdate.spec?rev=1.6 http://cvs.mandriva.com/cgi-bin/viewcvs.cgi/SPECS/ez-ipupdate/ez-ipupdate.spec?r1=1.4&r2=1.5 Buffer overflow in the (1) oracle and (2) oracleO programs in Oracle 9i Database 9.0.x and 9.2.x before 9.2.0.4 allows local users to execute arbitrary code via a long command line argument. VU#496340 oracle-oracleo-binaries-bo(13451) 8845 8844 1007956 http://otn.oracle.com/deploy/security/pdf/2003alert59.pdf Buffer overflow in the Mac OS X kernel 10.2.8 and earlier allows local users, and possibly remote attackers, to cause a denial of service (crash), access portions of memory, and possibly execute arbitrary code via a long command line argument (argv[]). macos-long-command-bo(13541) 8913 A102803-3 http://lists.apple.com/mhonarc/security-announce/msg00038.html The loadClass method of the sun.applet.AppletClassLoader class in the Java Virtual Machine (JVM) in Sun SDK and JRE 1.4.1_03 and earlier allows remote attackers to bypass sandbox restrictions and execute arbitrary code via a loaded class name that contains "/" (slash) instead of "." (dot) characters, which bypasses a call to the Security Manager's checkPackageAccess method. 200356 57221 20021023 [LSD] Security vulnerability in SUN's Java Virtual Machine implementation http://lsd-pl.net/code/JVM/jre.tar.gz 8879 20031027 Re: [LSD] Security vulnerability in SUN's Java Virtual Machineimplementation 20031027 Re: [LSD] Security vulnerability in SUN's Java Virtual Machine implementation HPSBUX0311-295 "Shatter" vulnerability in CommCtl32.dll in Windows XP may allow local users to execute arbitrary code by sending (1) BCM_GETTEXTMARGIN or (2) BCM_SETTEXTMARGIN button control messages to privileged applications. winxp-commctl32-code-execution(13558) 20031023 Shatter XP IBM DB2 7.2 before FixPak 10a, and earlier versions including 7.1, allows local users to overwrite arbitrary files and gain privileges via a symlink attack on (1) db2job and (2) db2job2. ftp://ftp.software.ibm.com/ps/products/db2/fixes/english-us/db2aixv7/FP10a_U495172/FixpakReadme.txt 20030805 Local Vulnerability in IBM DB2 7.1 db2job binary Buffer overflow in defang in libhttpd.c for thttpd 2.21 to 2.23b1 allows remote attackers to execute arbitrary code via requests that contain '<' or '>' characters, which trigger the overflow when the characters are expanded to "&lt;" and "&gt;" sequences. This vulnerability is addressed in the following product release: Acme Labs, thttpd, 2.24 thttpd-defang-bo(13530) 8906 10092 DSA-396 20031027 Remote overflow in thttpd 2729 Perl 5.8.1 on Fedora Core does not properly initialize the random number generator when forking, which makes it easier for attackers to predict random numbers. https://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=108711 Buffer overflow in to_ascii for PostgreSQL 7.2.x, and 7.3.x before 7.3.4, allows remote attackers to execute arbitrary code. 8741 RHSA-2003:314 RHSA-2003:313 DSA-397 http://developer.postgresql.org/cvsweb.cgi/pgsql-server/src/backend/utils/adt/ascii.c CLSA-2003:772 CLA-2003:784 Unknown vulnerability in minimalist mailing list manager 2.4, 2.2, and possibly other versions, allows remote attackers to execute arbitrary commands. DSA-402 Buffer overflow in a component of Microsoft Data Access Components (MDAC) 2.5 through 2.8 allows remote attackers to execute arbitrary code via a malformed UDP response to a broadcast request. VU#139150 MS04-003 mdac-broadcastrequest-bo(14187) 9407 3457 oval:org.mitre.oval:def:775 oval:org.mitre.oval:def:751 oval:org.mitre.oval:def:553 oval:org.mitre.oval:def:525 Microsoft Exchange 2003 and Outlook Web Access (OWA), when configured to use NTLM authentication, does not properly reuse HTTP connections, which can cause OWA users to view mailboxes of other users when Kerberos has been disabled as an authentication method for IIS 6.0, e.g. when SharePoint Services 2.0 is installed. VU#530660 exchange-owa-account-access(13869) http://www.microsoft.com/exchange/support/e2k3owa.asp 9409 9118 20031114 Exchange 2003 OWA major security flaw MS04-002 10615 oval:org.mitre.oval:def:477 Unknown vulnerability in Windows Media Station Service and Windows Media Monitor Service components of Windows Media Services 4.1 allows remote attackers to cause a denial of service (disallowing new connections) via a certain sequence of TCP/IP packets. VU#982630 9825 MS04-008 win-media-services-dos(15038) oval:org.mitre.oval:def:842 Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image. VU#547028 TA04-104A MS04-011 10120 oval:org.mitre.oval:def:959 oval:org.mitre.oval:def:897 oval:org.mitre.oval:def:1064 Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe. VU#260588 TA04-104A MS04-011 20040413 [Full-Disclosure] iDEFENSE Security Advisory 04.13.04 - Microsoft Help and Support 20040413 Microsoft Help and Support Center argument injection vulnerability win-hcpurl-code-execution(15704) 10119 http://www.idefense.com/application/poi/display?id=100&type=vulnerabilities O-114 oval:org.mitre.oval:def:904 oval:org.mitre.oval:def:1000 The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213. VU#526084 TA04-104A MS04-011 http://www.appsecinc.com/resources/alerts/general/04-0001.html 20040414 [SHATTER Team Security Alert] Microsoft Windows Utility Manager Vulnerability win2k-utilitymgr-gain-privileges(15632) 10124 http://www.securiteam.com/windowsntfocus/5LP0C2ACKU.html O-114 oval:org.mitre.oval:def:1046 Windows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka "Windows Management Vulnerability." VU#206468 TA04-104A MS04-011 winxp-task-gain-privileges(15678) 10125 O-114 oval:org.mitre.oval:def:1004 The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory. VU#122076 TA04-104A AD20040413D MS04-011 20040413 EEYE: Windows Expand-Down Data Segment Local Privilege Escalation win-ldt-gain-privileges(15707) 10122 O-114 oval:org.mitre.oval:def:911 oval:org.mitre.oval:def:890 Unknown vulnerability in the Terminal application for Mac OS X 10.3 (Client and Server) may allow "unauthorized access." 8979 http://docs.info.apple.com/article.html?artnum=61798 macos-terminal-gain-access(13620) http://lists.apple.com/mhonarc/security-announce/msg00040.html http://docs.info.apple.com/article.html?artnum=120269 ISC BIND 8.3.x before 8.3.7, and 8.4.x before 8.4.3, allows remote attackers to poison the cache via a malicious name server that returns negative responses with a large TTL (time-to-live) value. VU#734644 DSA-409 2003-0044 57434 10542 CSSA-2003-SCO.33 CSSA-2004-003.0 oval:org.mitre.oval:def:2011 netpbm 9.25 and earlier does not properly create temporary files, which allows local users to overwrite arbitrary files. VU#487102 RHSA-2004:030 DSA-426 netpbm-temp-insecure-file(14874) 9442 RHSA-2004:031 MDKSA-2004:011 GLSA-200410-02 20040201-01-U oval:org.mitre.oval:def:810 oval:org.mitre.oval:def:804 Buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a malformed GTP MSISDN string. 8951 RHSA-2003:323 http://www.ethereal.com/appnotes/enpa-sa-00011.html TLSA-2003-64 RHSA-2003:324 DSA-407 oval:org.mitre.oval:def:9692 MDKSA-2003:114 10531 CLA-2003:780 Ethereal 0.9.15 and earlier, and Tethereal, allows remote attackers to cause a denial of service (crash) via certain malformed (1) ISAKMP or (2) MEGACO packets. 8951 RHSA-2003:324 http://www.ethereal.com/appnotes/enpa-sa-00011.html TLSA-2003-64 RHSA-2003:323 DSA-407 oval:org.mitre.oval:def:11648 CLA-2003:780 MDKSA-2003:114 10531 Heap-based buffer overflow in Ethereal 0.9.15 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via the SOCKS dissector. 8951 RHSA-2003:323 http://www.ethereal.com/appnotes/enpa-sa-00011.html ethereal-socks-heap-overflow(13578) TLSA-2003-64 RHSA-2003:324 DSA-407 oval:org.mitre.oval:def:9691 CLA-2003:780 MDKSA-2003:114 10531 Clearswift MAILsweeper before 4.3.15 does not properly detect and filter RAR 3.20 encoded files, which allows remote attackers to bypass intended policy. http://www.corsaire.com/advisories/c030807-001.txt 20040813 Corsaire Security Advisory - Clearswift MAILsweeper multiple encoding/compression issues Clearswift MAILsweeper before 4.3.15 does not properly detect and filter ZIP 6.0 encoded files, which allows remote attackers to bypass intended policy. http://www.corsaire.com/advisories/c030807-001.txt 20040813 Corsaire Security Advisory - Clearswift MAILsweeper multiple encoding/compression issues Clearswift MAILsweeper before 4.3.15 does not properly detect filenames in BinHex (HQX) encoded files, which allows remote attackers to bypass intended policy. http://www.corsaire.com/advisories/c030807-001.txt 20040813 Corsaire Security Advisory - Clearswift MAILsweeper multiple encoding/compression issues Sygate Enforcer 4.0 earlier allows remote attackers to cause a denial of service (service hang) by replaying a malformed discovery packet to UDP port 39999. http://www.corsaire.com/advisories/c031120-001.txt sygate-enforcer-payload-dos(16949) 20040810 Corsaire Security Advisory - Sygate Enforcer discovery packet DoS issue Buffer overflow in omega-rpg 0.90 allows local users to execute arbitrary code via a long (1) command line or (2) environment variable. DSA-400 Buffer overflow in conquest 7.2 and earlier may allow a local user to execute arbitrary code via a long environment variable. DSA-398 Symbol Access Portable Data Terminal (PDT) 8100 does not hide the default WEP keys if they are not changed, which could allow attackers to retrieve the keys and gain access to the wireless network. http://www.secnap.net/security/031106.html 20031110 Symbol Technologies Default WEP KEYS Vulnerability Net-SNMP before 5.0.9 allows a user or community to access data in MIB objects, even if that data is not allowed to be viewed. RHSA-2003:335 http://sourceforge.net/forum/forum.php?forum_id=308015 RHSA-2004:023 oval:org.mitre.oval:def:9802 CLA-2003:778 oval:org.mitre.oval:def:869 Symantec PCAnywhere 10.x and 11, when started as a service, allows attackers to gain SYSTEM privileges via the help interface using AWHOST32.exe. http://securityresponse.symantec.com/avcenter/security/Content/2003.11.13.html 20031113 RE: Secure Network Operations SRT2003-11-13-0218, PCAnywhere allows local users to become SYSTEM 20031113 SRT2003-11-13-0218 - PCAnywhere local SYSTEM exploit SCO UnixWare 7.1.1, 7.1.3, and Open UNIX 8.0.0 allows local users to bypass protections for the "as" address space file for a process ID (PID) by obtaining a procfs file descriptor for the file and calling execve() on a setuid or setgid program, which leaves the descriptor open to the user. http://www.texonet.com/advisories/TEXONET-20031024.txt CSSA-2003-SCO.32 20031112 Insecure handling of procfs descriptors in UnixWare can lead to local privilege escalation. vos24u.c in SAP database server (SAP DB) 7.4.03.27 and earlier allows local users to gain SYSTEM privileges via a malicious "NETAPI32.DLL" in the current working directory, which is found and loaded by SAP DB before the real DLL, as demonstrated using the SQLAT stored procedure. A111703-1 sapdb-NETAPI32-gain-privileges(13765) eo420_GetStringFromVarPart in veo420.c for SAP database server (SAP DB) 7.4.03.27 and earlier may allow remote attackers to execute arbitrary code via a connect packet with a 256 byte segment to the niserver (aka serv.exe) process on TCP port 7269, which prevents the server from NULL terminating the string and leads to a buffer overflow. A111703-1 http://www.sapdb.org/7.4/new_relinfo.txt Directory traversal vulnerability in sqlfopenc for web-tools in SAP DB before 7.4.03.30 allows remote attackers to read arbitrary files via .. (dot dot) sequences in a URL. A111703-2 web-tools in SAP DB before 7.4.03.30 allows remote attackers to access the Web Agent Administration pages and modify configuration via a direct request to waadmin.wa. A111703-2 Buffer overflow in Web Agent Administration service in web-tools for SAP DB before 7.4.03.30 allows remote attackers to execute arbitrary code via a long Name parameter to waadmin.wa. A111703-2 web-tools in SAP DB before 7.4.03.30 installs several services that are enabled by default, which could allow remote attackers to obtain potentially sensitive information or redirect attacks against internal databases via (1) waecho, (2) Web SQL Interface (websql), or (3) Web Database Manager (webdbm). A111703-2 Buffer overflow in the WAECHO default service in web-tools in SAP DB before 7.4.03.30 allows remote attackers to execute arbitrary code via a URL with a long requestURI. A111703-2 The Web Database Manager in web-tools for SAP DB before 7.4.03.30 generates predictable session IDs, which allows remote attackers to conduct unauthorized activities. sapdb-manager-sessionid-predictable(13774) A111703-2 Format string vulnerability in clamav-milter for Clam AntiVirus 0.60 through 0.60p, and other versions before 0.65, allows remote attackers to cause a denial of service and possibly execute arbitrary code via format string specifiers in the email address argument of a "MAIL FROM" command. http://sourceforge.net/project/shownotes.php?release_id=197038 20031112 SRT2003-11-11-1151 - clamav-milter remote exploit / DoS Buffer overflow in iwconfig, when installed setuid, allows local users to execute arbitrary code via a long OUT environment variable. 20031112 iwconfig vulnerability - the last code was demaged sending by email Buffer overflow in iwconfig allows local users to execute arbitrary code via a long HOME environment variable. 8901 http://www.securiteam.com/exploits/6Y00R1P8KY.html xsok 1.02 does not properly drop privileges before finding and executing the "gunzip" program, which allows local users to execute arbitrary commands. 9321 DSA-405 xsok-command-execution(14098) PeopleSoft PeopleTools 8.1x, 8.2x, and 8.4x allows remote attackers to execute arbitrary commands by uploading a file to the IClient Servlet, guessing the insufficiently random (system time) name of the directory used to store the file, and directly requesting that file. peoplesoft-iclientservlet-file-upload(12805) 20031112 IClient Servlet Remote Command Execution Vulnerability 9041 Partition Manager (parmgr) in HP-UX B.11.23 does not properly validate certificates that are provided by the cimserver, which allows attackers to obtain sensitive data or gain privileges. HPSBUX0311-296 oval:org.mitre.oval:def:5146 Buffer overflow in rcp for AIX 4.3.3, 5.1 and 5.2 allows local users to gain privileges. 9078 10276 IY49238 IY48747 IY48272 1008258 OpenBSD kernel 3.3 and 3.4 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code in 3.4 via a program with an invalid header that is not properly handled by (1) ibcs2_exec.c in the iBCS2 emulation (compat_ibcs2) or (2) exec_elf.c, which leads to a stack-based buffer overflow. http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106917441524978&w=2 20031105 005: RELIABILITY FIX: November 4, 2003 8978 20031104 010: RELIABILITY FIX: November 4, 2003 http://www.guninski.com/msuxobsd2.html 20031104 OpenBSD kernel overflow, yet still *BSD much better than windows http://marc.theaimsgroup.com/?l=openbsd-security-announce&m=106808820119679&w=2 Multiple race conditions in the handling of O_DIRECT in Linux kernel prior to version 2.4.22 could cause stale data to be returned from the disk when handling sparse files, or cause incorrect data to be returned when a file is truncated as it is being read, which might allow local users to obtain sensitive data that was originally owned by other users, a different vulnerability than CVE-2003-0018. This vulnerability affects Linux O_DIRECT versions 2.4.22 and previous http://linux.bkbits.net:8080/linux-2.4/cset@3ef33d95ym_22QH2xwhDMt264M55Fg linux-kernel-odirect-information-disclosure(42942) Multiple integer overflows in the 32bit emulation for AMD64 architectures in Linux 2.4 kernel before 2.4.21 allows attackers to cause a denial of service or gain root privileges via unspecified vectors that trigger copy_from_user function calls with improper length arguments. linux-kernel-unspecified-priv-escalation(43072) http://linux.bkbits.net:8080/linux-2.4/cset@3ed382f7UfJ9Q2LKCJq1Tc5B7-EC5A OpenCA before 0.9.1.4 does not use the correct certificate in a chain to check the serial, which could cause OpenCA to accept revoked or expired certificates. 20031128 [OpenCA Advisory] Vulnerabilities in signature verification Integer overflow in the do_brk function for the brk system call in Linux kernel 2.4.22 and earlier allows local users to gain root privileges. VU#301156 RHSA-2003:389 DSA-403 RHSA-2003:368 SuSE-SA:2003:049 DSA-475 DSA-470 DSA-450 DSA-442 DSA-440 DSA-439 DSA-433 DSA-423 DSA-417 10338 10333 10330 10329 10328 20031204 [iSEC] Linux kernel do_brk() vulnerability details http://isec.pl/papers/linux_kernel_do_brk.pdf MDKSA-2003:110 20040112 SmoothWall Project Security Advisory SWP-2004:001 20031204 Hot fix for do_brk bug CLA-2003:796 Heap-based buffer overflow in rsync before 2.5.7, when running in server mode, allows remote attackers to execute arbitrary code and possibly escape the chroot jail. VU#325603 9153 RHSA-2003:398 20031204 rsync security advisory (fwd) linux-rsync-heap-overflow(13899) 2898 10474 10378 10364 10363 10362 10361 10360 10359 10358 10357 10356 10355 10354 10353 oval:org.mitre.oval:def:9415 20031204 GLSA: exploitable heap overflow in rsync (200312-03) 20031204 [OpenPKG-SA-2003.051] OpenPKG Security Advisory (rsync) 2003-0048 CLA-2003:794 20031202-01-U MDKSA-2003:111 Buffer overflows in (1) try_netscape_proxy and (2) try_squid_eplf for lftp 2.6.9 and earlier allow remote HTTP servers to execute arbitrary code via long directory names that are processed by the ls or rels commands. 20031213 lftp buffer overflows RHSA-2003:404 SuSE-SA:2003:051 DSA-406 oval:org.mitre.oval:def:11180 20040101-01-U RHSA-2003:403 MDKSA-2003:116 10548 10525 CLA-2004:800 20031218 GLSA: lftp (200312-07) 20031217 [OpenPKG-SA-2003.053] OpenPKG Security Advisory (lftp) 20031212 [slackware-security] lftp security update (SSA:2003-346-01) 20040202-01-U ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: N/A. Notes: none. Cross-site scripting (XSS) vulnerability in the admin CGI script for Mailman before 2.1.4 allows remote attackers to steal session cookies and conduct unauthorized activities. RHSA-2004:020 [Mailman-Announce] 20031231 RELEASED Mailman 2.1.4 mailman-admin-xss(14121) 9336 DSA-436 3305 MDKSA-2004:013 10519 CLA-2004:842 oval:org.mitre.oval:def:813 Buffer overflow in the frm command in elm 2.5.6 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code via a long Subject line. 9430 RHSA-2004:009 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=112078 elm-frm-subject-bo(14840) 20040103-01-U rad_decode in FreeRADIUS 0.9.2 and earlier allows remote attackers to cause a denial of service (crash) via a short RADIUS string attribute with a tag, which causes memcpy to be called with a -1 length argument, as demonstrated using the Tunnel-Password attribute. RHSA-2003:386 oval:org.mitre.oval:def:10917 http://marc.theaimsgroup.com/?l=freeradius-users&m=106947389449613&w=2 20031121 FreeRADIUS 0.9.2 "Tunnel-Password" attribute Handling Vulnerability 20031120 Remote DoS in FreeRADIUS, all versions. Stack-based buffer overflow in SMB_Logon_Server of the rlm_smb experimental module for FreeRADIUS 0.9.3 and earlier allows remote attackers to execute arbitrary code via a long User-Password attribute. 20031126 FreeRADIUS <= 0.9.3 rlm_smb module stack overflow vulnerability mpg321 0.2.10 allows remote attackers to overwrite memory and possibly execute arbitrary code via an mp3 file that passes certain strings to the printf function, possibly triggering a format string vulnerability. mpg321-mp3-format-string(14148) 9364 3331 SuSE-SA:2004:002 DSA-411 The Network Management Port on Sun Fire B1600 systems allows remote attackers to cause a denial of service (packet loss) via ARP packets, which cause all ports to become temporarily disabled. 57430 GnuPG (GPG) 1.0.2, and other versions up to 1.2.3, creates ElGamal type 20 (sign+encrypt) keys using the same key component for encryption as for signing, which allows attackers to determine the private key from a signature. VU#940388 9115 20031127 GnuPG's ElGamal signing keys compromised http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000277.html http://lists.gnupg.org/pipermail/gnupg-announce/2003q4/000276.html RHSA-2003:395 RHSA-2003:390 SuSE-SA:2003:048 DSA-429 10400 10399 10349 10304 oval:org.mitre.oval:def:10982 MDKSA-2003:109 CLA-2003:798 20040202-01-U Integer signedness error in ansi.c for GNU screen 4.0.1 and earlier, and 3.9.15 and earlier, allows local users to execute arbitrary code via a large number of ";" (semicolon) characters in escape sequences, which leads to a buffer overflow. DSA-408 http://groups.yahoo.com/group/gnu-screen/message/3118 MDKSA-2003:113 10539 20031127 GNU screen buffer overflow CLA-2004:809 Unknown vulnerability in mod_python 3.0.x before 3.0.4, and 2.7.x before 2.7.9, allows remote attackers to cause a denial of service (httpd crash) via a certain query string. RHSA-2004:058 http://www.modpython.org/pipermail/mod_python/2003-November/004005.html DSA-452 RHSA-2004:063 oval:org.mitre.oval:def:10259 FEDORA-2004-1325 CLA-2004:837 oval:org.mitre.oval:def:839 oval:org.mitre.oval:def:828 Applied Watch Command Center allows remote attackers to conduct unauthorized activities without authentication, such as (1) add new users to a console, as demonstrated using appliedsnatch.c, or (2) add spurious IDS rules to sensors, as demonstrated using addrule.c. 9124 http://www.bugtraq.org/advisories/_BSSADV-0000.txt 20031128 Applied Watch Response to Bugtraq.org post - Was: Multiple Remote Issues in Applied Watch IDS Suite 20031128 Multiple Remote Issues in Applied Watch IDS Suite (advisory attached) 20031201 Re: Multiple Remote Issues in Applied Watch IDS Suite (advisory attached) Apple Safari 1.0 through 1.1 on Mac OS X 10.3.1 and Mac OS X 10.2.8 allows remote attackers to steal user cookies from another domain via a link with a hex-encoded null character (%00) followed by the target domain. mozilla-netscape-steal-cookies(7973) 20031118 Apple Safari 1.1 (v100) http://lists.apple.com/mhonarc/security-announce/msg00042.html http://docs.info.apple.com/article.html?artnum=61798 NFS Server (XNFS.NLM) for Novell NetWare 6.5 does not properly enforce sys:\etc\exports when hostname aliases from sys:etc\hosts file are used, which could allow users to mount file systems when XNFS should deny the host. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10089375.htm netware-nfs-share-access(13915) CVS server before 1.11.10 may allow attackers to cause the CVS server to create directories and files in the file system root directory via malformed module requests. DSA-422 http://ccvs.cvshome.org/servlets/NewsItemView?newsID=84&JServSessionIdservlets=8u3x1myav1 cvs-module-file-manipulation(13929) RHSA-2004:004 RHSA-2004:003 oval:org.mitre.oval:def:11528 20040103-01-U MDKSA-2003:112 10601 20040129 [FLSA-2004:1207] Updated cvs resolves security vulnerability 20031217 [OpenPKG-SA-2003.052] OpenPKG Security Advisory (cvs) CLA-2004:808 20040202-01-U oval:org.mitre.oval:def:866 oval:org.mitre.oval:def:855 Format string vulnerability in gpgkeys_hkp (experimental HKP interface) for the GnuPG (gpg) client 1.2.3 and earlier, and 1.3.3 and earlier, allows remote attackers or a malicious keyserver to cause a denial of service (crash) and possibly execute arbitrary code during key retrieval. gnupg-gpgkeyshkp-format-string(13892) http://www.s-quadra.com/advisories/Adv-20031203.txt SuSE-SA:2003:048 20031203 GnuPG 1.2.3, 1.3.3 external HKP interface format string issue FreeScripts VisitorBook LE (visitorbook.pl) does not properly escape line breaks in input, which allows remote attackers to (1) use VisitorBook as an open mail relay, when $mailuser is 1, via extra headers in the email field, or (2) cause the guestbook database to be deleted via a large number of line breaks that exceeds the $max_posts variable. http://www.westpoint.ltd.uk/advisories/wp-03-0001.txt 20031210 Visitorbook LE Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in FreeScripts VisitorBook LE (visitorbook.pl) allows remote attackers to inject arbitrary HTML or web script via (1) the "do" parameter, (2) via the "user" parameter from a host with a malicious reverse DNS name, (3) via quote marks or ampersands in other parameters. http://www.westpoint.ltd.uk/advisories/wp-03-0001.txt 20031210 Visitorbook LE Multiple Vulnerabilities FreeScripts VisitorBook LE (visitorbook.pl) logs the reverse DNS name of a visiting host, which allows remote attackers to spoof the origin of their incoming requests and facilitate cross-site scripting (XSS) attacks. http://www.westpoint.ltd.uk/advisories/wp-03-0001.txt 20031210 Visitorbook LE Multiple Vulnerabilities Buffer overflow in the authentication module for Cisco ACNS 4.x before 4.2.11, and 5.x before 5.0.5, allows remote attackers to execute arbitrary code via a long password. VU#352462 9187 20031210 Vulnerability in Authentication Library for ACNS cisco-acns-password-bo(13945) 10409 Cisco Unity on IBM servers is shipped with default settings that should have been disabled by the manufacturer, which allows local or remote attackers to conduct unauthorized activities via (1) a "bubba" local user account, (2) an open TCP port 34571, or (3) when a local DHCP server is unavailable, a DHCP server on the manufacturer's test network. 20031210 Unity Vulnerabilities on IBM-based Servers Real time clock (RTC) routines in Linux kernel 2.4.23 and earlier do not properly initialize their structures, which could leak kernel data to user space. RHSA-2004:188 linux-rtc-memory-leak(13943) 9154 RHSA-2003:417 SuSE-SA:2003:049 ESA-20040105-001 oval:org.mitre.oval:def:9406 1008594 FEDORA-2003-046 3317 MDKSA-2004:001 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 10583 10582 10555 10538 10537 10536 10533 20040112 SmoothWall Project Security Advisory SWP-2004:001 CLA-2004:799 oval:org.mitre.oval:def:859 oval:org.mitre.oval:def:1013 The mremap system call (do_mremap) in Linux kernel 2.4.x before 2.4.21, and possibly other versions before 2.4.24, does not properly perform bounds checks, which allows local users to cause a denial of service and possibly gain privileges by causing a remapping of a virtual memory area (VMA) to create a zero length VMA, a different vulnerability than CAN-2004-0077. VU#490620 9356 RHSA-2003:417 ESA-20040105-001 linux-domremap-gain-privileges(14135) RHSA-2003:419 RHSA-2003:418 RHSA-2003:416 3315 SuSE-SA:2004:003 MDKSA-2004:001 http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.24 DSA-1082 DSA-1070 DSA-1069 DSA-1067 DSA-475 DSA-470 DSA-450 DSA-442 DSA-440 DSA-439 DSA-427 DSA-423 DSA-417 DSA-413 O-045 http://svn.debian.org/wsvn/kernel/patch-tracking/CVE-2005-0528?op=file&rev=0&sc=0 20338 20202 20163 10532 20040112 SmoothWall Project Security Advisory SWP-2004:001 20040107 [slackware-security] Kernel security update (SSA:2004-006-01) 20040106 Linux mremap bug correction 20040105 Linux kernel do_mremap() proof-of-concept exploit code 20040105 Linux kernel mremap vulnerability 2004-0001 http://klecker.debian.org/~joey/security/kernel/patches/patch.CAN-2005-0528.mremap http://isec.pl/vulnerabilities/isec-0013-mremap.txt IMNX-2004-73-001-01 CLA-2004:799 20040108 [slackware-security] Slackware 8.1 kernel security update (SSA:2004-008-01) 20040102-01-U oval:org.mitre.oval:def:867 oval:org.mitre.oval:def:860 Various routines for the ppc64 architecture on Linux kernel 2.6 prior to 2.6.2 and 2.4 prior to 2.4.24 do not use the copy_from_user function when copying data from userspace to kernelspace, which crosses security boundaries and allows local users to cause a denial of service. RHSA-2004:017 http://linux.bkbits.net:8080/linux-2.6/cset@3ffcf122S7e3xPZCpibrXq6KRRjwqw http://linux.bkbits.net:8080/linux-2.4/cset@3fdd54b3u9Eq0Wny2Nn1HGfI3pofOQ oval:org.mitre.oval:def:9707 mod_digest for Apache before 1.3.31 does not properly verify the nonce of a client response by using a AuthNonce secret. apache-moddigest-response-replay(15041) 9571 http://www.mail-archive.com/dev@httpd.apache.org/msg19007.html 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) 2004-0027 RHSA-2004:600 http://www.mail-archive.com/dev@httpd.apache.org/msg19014.html GLSA-200405-22 SSA:2004-133 RHSA-2005:816 MDKSA-2004:046 57628 101841 101555 1008920 oval:org.mitre.oval:def:4416 oval:org.mitre.oval:def:100108 Buffer overflow in the VCF file information reader for KDE Personal Information Management (kdepim) suite in KDE 3.1.0 through 3.1.4 allows attackers to execute arbitrary code via a VCF file. VU#820798 9419 RHSA-2004:005 http://www.kde.org/info/security/advisory-20040114-1.txt 20040114 KDE Security Advisory: VCF file information reader vulnerability kde-kdepim-bo(14833) RHSA-2004:006 MDKSA-2004:003 GLSA-200404-02 CLA-2004:810 oval:org.mitre.oval:def:865 oval:org.mitre.oval:def:858 tcpdump before 3.8.1 allows remote attackers to cause a denial of service (infinite loop) via certain ISAKMP packets, a different vulnerability than CVE-2004-0057. VU#738518 RHSA-2004:007 DSA-425 20040119 [ESA-20040119-002] 'tcpdump' multiple vulnerabilities. RHSA-2004:008 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FEDORA-2004-092 FEDORA-2004-090 12179 11032 11022 10718 10668 10652 10644 10639 10637 10636 oval:org.mitre.oval:def:10599 ESA-20040119-002 2004-0004 APPLE-SA-2004-02-23 20040103-01-U SCOSA-2004.9 CSSA-2004-008.0 1008716 9507 FLSA:1222 MDKSA-2004:008 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) 20040202-01-U oval:org.mitre.oval:def:852 oval:org.mitre.oval:def:847 The parseAddress code in (1) SquirrelMail 1.4.0 and (2) GPG Plugin 1.1 allows remote attackers to execute commands via shell metacharacters in the "To:" field. 20031224 Bugtraq Security Systems ADV-0001 squirrelmail-parseaddress-command-execution(14079) 9296 20031226 Re: Reported Command Injection in Squirrelmail GPG http://www.bugtraq.org/advisories/_BSSADV-0001.txt Unknown vulnerability in the mail command handler in Mailman before 2.0.14 allows remote attackers to cause a denial of service (crash) via malformed e-mail commands. mailman-command-handler-dos(15106) 9620 RHSA-2004:019 DSA-436 [Mailman-Announce] 20040208 RELEASED: Mailman 2.0.14 patch-only release MDKSA-2004:013 CLA-2004:842 20040201-01-U Cross-site scripting (XSS) vulnerability in the create CGI script for Mailman before 2.1.3 allows remote attackers to steal cookies of other users. RHSA-2004:020 http://mail.python.org/pipermail/mailman-announce/2003-September/000061.html MDKSA-2004:013 CLA-2004:842 oval:org.mitre.oval:def:815 mod_access in Apache 1.3 before 1.3.30, when running big-endian 64-bit platforms, does not properly parse Allow/Deny rules using IP addresses without a netmask, which could allow remote attackers to bypass intended access restrictions. 9829 apache-modaccess-obtain-information(15422) http://www.apacheweek.com/features/security-13 2004-0027 SSA:2004-133 57628 101841 101555 GLSA-200405-22 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) [apache-cvs] 20040307 cvs commit: apache-1.3/src/modules/standard mod_access.c http://issues.apache.org/bugzilla/show_bug.cgi?id=23850 MDKSA-2004:046 oval:org.mitre.oval:def:4670 oval:org.mitre.oval:def:100111 The GUI functionality for an interactive session in Symantec LiveUpdate 1.70.x through 1.90.x, as used in Norton Internet Security 2001 through 2004, SystemWorks 2001 through 2004, and AntiVirus and Norton AntiVirus Pro 2001 through 2004, AntiVirus for Handhelds v3.0, allows local users to gain SYSTEM privileges. 20040112 Re: SRT2004-01-9-1022 - Symantec LiveUpdate allows local users to become SYSTEM http://www.secnetops.biz/research/SRT2004-01-09-1022.txt 20040112 SRT2004-01-9-1022 - Symantec LiveUpdate allows local users to become SYSTEM 3428 20040112 SRT2004-01-9-1022 - Symantec LiveUpdate allows local users to become SYSTEM Buffer overflow in the Microsoft Message Queue Manager (MSQM) allows remote attackers to cause a denial of service (RPC service crash) via a queue registration request. win2k-message-queue-bo(13131) MS03-039 Unknown "System Security Vulnerability" in Computer Associates (CA) Unicenter Remote Control (URC) 6.0 allows attackers to gain privileges via the help interface. 10420 http://support.ca.com/techbases/rp/urc6x-secnote.html Unknown "Denial of Service Attack" vulnerability in Computer Associates (CA) Unicenter Remote Control (URC) 6.0 allows attackers to cause a denial of service (CPU consumption in URC host service). 10420 http://support.ca.com/techbases/rp/urc6x-secnote.html Unknown "potential system security vulnerability" in Computer Associates (CA) Unicenter Remote Control 5.0 through 5.2, and ControlIT 5.0 and 5.1, may allow attackers to gain privileges to the local system account. 10420 http://support.ca.com/techbases/rp/urc5x-secnote.html Unknown multiple vulnerabilities in (1) lpstat and (2) the libprint library in Solaris 2.6 through 9 may allow attackers to execute arbitrary code or read or write arbitrary files. 57451 oval:org.mitre.oval:def:4098 xchat 2.0.6 allows remote attackers to cause a denial of service (crash) via a passive DCC request with an invalid ID number, which causes a null dereference. http://mail.nl.linux.org/xchat-announce/2003-12/msg00000.html 20031214 GLSA: Malformed dcc send requests in xchat-2.0.6 lead to a denial of service Buffer overflow in the Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 series devices allows remote attackers to cause a denial of service (crash and reload) via HTTP auth requests for (1) TACACS+ or (2) RADIUS authentication. 20031215 Cisco FWSM Vulnerabilities Cisco Firewall Services Module (FWSM) in Cisco Catalyst 6500 and 7600 series devices allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. 20031215 Cisco FWSM Vulnerabilities Cisco PIX firewall 5.x.x, and 6.3.1 and earlier, allows remote attackers to cause a denial of service (crash and reload) via an SNMPv3 message when snmp-server is set. 20031215 Cisco PIX Vulnerabilities Cisco PIX firewall 6.2.x through 6.2.3, when configured as a VPN Client, allows remote attackers to cause a denial of service (dropped IPSec tunnel connection) via an IKE Phase I negotiation request to the outside interface of the firewall. 20031215 Cisco PIX Vulnerabilities The PKI functionality in Mac OS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (service crash) via malformed ASN.1 sequences. ESB-2003.0867 10474 APPLE-SA-2003-12-19 9266 Buffer overflow in cd9660.util in Apple Mac OS X 10.0 through 10.3.2 and Apple Mac OS X Server 10.0 through 10.3.2 may allow local users to execute arbitrary code via a long command line parameter. VU#878526 macos-cd9660-bo(13995) 9228 http://docs.info.apple.com/article.html?artnum=61798 20031219 Re: Buffer overflow/privilege escalation in MacOS X - hfs.util also 20031216 Re: Buffer overflow/privilege escalation in MacOS X 20031215 Buffer overflow/privilege escalation in MacOS X AppleFileServer (AFS) in Apple Mac OS X 10.2.8 and 10.3.2 does not properly handle certain malformed requests, with unknown impact. applefileserver-dos(14051) http://docs.info.apple.com/article.html?artnum=61798 9264 1008532 Unknown vulnerability in Mac OS X 10.2.8 and 10.3.2 allows local users to bypass the screen saver login window and write a text clipping to the desktop or another application. macos-screen-saver-bypass(14195) http://docs.info.apple.com/article.html?artnum=61798 Directory Services in Apple Mac OS X 10.0.2, 10.0.3, 10.2.8, 10.3.2 and Apple Mac OS X Server 10.2 through 10.3.2 accepts authentication server information from unknown LDAP or NetInfo sources as provided by a malicious DHCP server, which allows remote attackers to gain privileges. macos-dhcp-gain-privileges(13874) http://docs.info.apple.com/article.html?artnum=61798 9110 http://www.carrel.org/dhcp-vuln.html http://docs.info.apple.com/article.html?artnum=32478 Unknown vulnerability in fs_usage in Mac OS X 10.2.8 and 10.3.2 and Mac OS X Server 10.2.8 and 10.3.2 allows local users to gain privileges via unknown attack vectors. macos-fsusage-gain-privileges(14193) http://docs.info.apple.com/article.html?artnum=61798 9265 Apple Mac OS X 10.0 through 10.2.8 allows local users with a USB keyboard to gain unauthorized access by holding down the CTRL and C keys when the system is booting, which crashes the init process and leaves the user in a root shell. macos-ctrlc-gain-access(13573) http://docs.info.apple.com/article.html?artnum=61798 8945 20031031 Console Root On OSX up to 10.2.8 The SMB dissector in Ethereal before 0.10.0 allows remote attackers to cause a denial of service via a malformed SMB packet that triggers a segmentation fault during processing of Selected packets. RHSA-2004:001 http://www.ethereal.com/appnotes/enpa-sa-00012.html DSA-407 RHSA-2004:002 oval:org.mitre.oval:def:10202 20040103-01-U MDKSA-2004:002 10570 10568 10531 CLA-2004:801 20040202-01-U oval:org.mitre.oval:def:856 The Q.931 dissector in Ethereal before 0.10.0, and Tethereal, allows remote attackers to cause a denial of service (crash) via a malformed Q.931, which triggers a null dereference. RHSA-2004:001 http://www.ethereal.com/appnotes/enpa-sa-00012.html RHSA-2004:002 DSA-407 oval:org.mitre.oval:def:10097 20040103-01-U MDKSA-2004:002 10570 10568 10531 CLA-2004:801 20040202-01-U oval:org.mitre.oval:def:857 Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use multiple MIME fields with the same name, which may be interpreted differently by mail clients. mime-field-filtering-bypass(17333) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME field multiple occurrence issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use whitespace in an unusual fashion, which may be interpreted differently by mail clients. mime-tools-incorrect-concatenation(9273) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME field whitespace issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use malformed quoting in MIME headers, parameters, and values, including (1) fields that should not be quoted, (2) duplicate quotes, or (3) missing leading or trailing quote characters, which may be interpreted differently by mail clients. mime-quote-filtering-bypass(17336) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME field quoting issue Macromedia Flash Player before 7,0,19,0 stores a Flash data file in a predictable location that is accessible to web browsers such as Internet Explorer and Opera, which allows remote attackers to read restricted files via vulnerabilities in web browsers whose exploits rely on predictable names. 8900 http://www.macromedia.com/devnet/security/security_zone/mpsb03-08.html flash-file-predictable-location(14013) Format string vulnerability in enq command in AIX 4.3, 5.1, and 5.2 allows local users with rintq group privileges to gain privileges via unknown attack vectors. aix-enq-format-string(14037) 9254 MSS-OAR-E01-20 The format_send_to_gui function in formats.c for irssi before 0.8.9 allows remote IRC users to cause a denial of service (crash). irssi-dos(13973) 20031211 irssi - potential remote crash MDKSA-2003:117 The scosession program in OpenServer 5.0.6 and 5.0.7 allows local users to gain privileges via crafted strings on the commandline. VU#972598 openserver-scosession-gain-privilege(19479) 14012 12372 SCOSA-2005.5 Directory traversal vulnerability in fsp before 2.81.b18 allows remote users to access files outside the FSP root directory. 9377 DSA-416 O-048 fspsuite-dot-directory-traversal(14154) 3346 Stack-based buffer overflow in vfs_s_resolve_symlink of vfs/direntry.c for Midnight Commander (mc) 4.6.0 and earlier, and possibly later versions, allows remote attackers to execute arbitrary code during symlink conversion. 20040405 [OpenPKG-SA-2004.009] OpenPKG Security Advisory (mc) midnight-commander-vfssresolvesymlink-bo(13247) 8658 DSA-424 GLSA-200403-09 RHSA-2004:035 RHSA-2004:034 20040201-01-U FLSA:1224 MDKSA-2004:007 9833 11296 11268 11262 11219 10823 10772 10716 10685 10645 FEDORA-2004-058 CLA-2004:833 20030919 uninitialized buffer in midnight commander 20040202-01-U CSSA-2004-014.0 oval:org.mitre.oval:def:822 Unknown vulnerability in the ls-F builtin function in tcsh on Solaris 8 allows local users to create or delete files as other users, and gain privileges. VU#281356 9280 57455 solaris-lsf-gain-privileges(14065) 10486 oval:org.mitre.oval:def:1528 Internet Explorer 5.01 through 6 SP1 allows remote attackers to spoof the domain of a URL via a "%01" character before an @ sign in the user@domain portion of the URL, which hides the rest of the URL, including the real site, in the address bar, aka the "Improper URL Canonicalization Vulnerability." TA04-033A VU#652278 ie-domain-url-spoofing(13935) http://www.zapthedingbat.com/security/ex01/vun1.htm 20031209 Internet Explorer URL parsing vulnerability MS04-004 oval:org.mitre.oval:def:526 oval:org.mitre.oval:def:513 oval:org.mitre.oval:def:512 oval:org.mitre.oval:def:511 oval:org.mitre.oval:def:510 oval:org.mitre.oval:def:491 oval:org.mitre.oval:def:490 Internet Explorer 5.01 through 6 SP1 allows remote attackers to bypass zone restrictions via a javascript protocol URL in a sub-frame, which is added to the history list and executed in the top window's zone when the history.back (back) function is called, as demonstrated by BackToFramedJpu, aka the "Travel Log Cross Domain Vulnerability." TA04-033A VU#784102 20031125 BackToFramedJpu - a successor of BackToJpu attack ie-subframe-xss(13846) http://www.safecenter.net/UMBRELLAWEBV4/BackToFramedJpu MS04-004 20031201 Comments on 5 IE vulnerabilities oval:org.mitre.oval:def:805 oval:org.mitre.oval:def:774 oval:org.mitre.oval:def:745 oval:org.mitre.oval:def:689 oval:org.mitre.oval:def:687 oval:org.mitre.oval:def:643 oval:org.mitre.oval:def:630 Internet Explorer 5.01 through 6 SP1 allows remote attackers to direct drag and drop behaviors and other mouse click actions to other windows by using method caching (SaveRef) to access the window.moveBy method, which is otherwise inaccessible, as demonstrated by HijackClickV2, a different vulnerability than CVE-2003-0823, aka the "Function Pointer Drag and Drop Vulnerability." TA04-033A VU#413886 20031125 HijackClickV2 - a successor of HijackClick attack ie-method-perform-actions(13844) 1006036 http://www.safecenter.net/UMBRELLAWEBV4/HijackClickV2 MS04-004 20031201 Comments on 5 IE vulnerabilities oval:org.mitre.oval:def:629 oval:org.mitre.oval:def:534 oval:org.mitre.oval:def:532 oval:org.mitre.oval:def:531 oval:org.mitre.oval:def:530 oval:org.mitre.oval:def:529 oval:org.mitre.oval:def:527 The download function of Internet Explorer 6 SP1 allows remote attackers to obtain the cache directory name via an HTTP response with an invalid ContentType and a .htm file, which could allow remote attackers to bypass security mechanisms that rely on random names, as demonstrated by threadid10008. 20031125 Invalid ContentType may disclose cache directory ie-download-directory-disclosure(13847) http://www.safecenter.net/UMBRELLAWEBV4/threadid10008 7890 20031201 Comments on 5 IE vulnerabilities 20031125 Note for "Invalid ContentType may disclose cache directory" The L2TP protocol parser in tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a packet with invalid data to UDP port 1701, which causes l2tp_avp_print to use a bad length value when calling print_octets. DSA-425 20040119 [ESA-20040119-002] 'tcpdump' multiple vulnerabilities. 10718 10668 10652 10636 20031221 Re: Remote crash in tcpdump from OpenBSD 20031220 Remote crash in tcpdump from OpenBSD ESA-20040119-002 1008748 MDKSA-2004:008 [tcpdump-workers] 20031224 Seg fault of tcpdump (v 3.8.1 and below) with malformed l2tp packets Buffer overflow in DameWare Mini Remote Control before 3.73 allows remote attackers to execute arbitrary code via a long pre-authentication request to TCP port 6129. VU#909678 dameware-spoof-packet-bo(14001) 9213 http://sh0dan.org/files/dwmrcs372.txt 20031214 DameWare Mini Remote Control Server <= 3.72 Buffer Overflow 20040110 DameWare Mini Remote Control < v3.73 remote exploit by kralor] 20031219 [Exploit]: DameWare Mini Remote Control Server Overflow Exploit Cross-site scripting (XSS) vulnerability in register.php for vBulletin 3.0 Beta 2 allows remote attackers to inject arbitrary HTML or web script via optional fields such as (1) "Interests-Hobbies", (2) "Biography", or (3) "Occupation." 20030808 VBulletin New Member XSS Vulnerability Pi3Web web server 2.0.2 Beta 1, when the Directory Index is configured to use the "Name" column and sort using the column title as a hyperlink, allows remote attackers to cause a denial of service (crash) via a malformed URL to the web server, possibly involving a buffer overflow. 7787 20030602 Tripbit Advisory TA-2003-05 Buffer Overflow Vulnerability in Pi3 Web 1006913 20030605 Re: Tripbit Advisory TA-2003-05 Buffer Overflow Vulnerability in Pi3 Web The (1) instdbmsrv and (2) instlserver programs in SAP DB Development Tools 7.x trust the user-provided INSTROOT environment variable as a path when assigning setuid permissions to the lserver program, which allows local users to gain root privileges via a modified INSTROOT that points to a malicious dbmsrv or lserver program. 7407 sap-db-gain-privileges(11842) 7408 [SAP DB Dev] 20030422 Security Alert: Development Tools 20030422 SRT2003-04-22-1336 - SAP DB Development Tools install flaw The RPM installation of SAP DB 7.x creates the (1) dbmsrv or (2) lserver programs with world-writable permissions, which allows local users to gain privileges by modifying those programs. sap-db-world-writable(11669) 7242 20030331 SRT2003-03-31-1219 - SAP world writable server binaries The default installation of SAP R/3 46C/D allows remote attackers to bypass account locking by using the RFC API instead of the SAPGUI to conduct a brute force password guessing attack, which does not lock out the account like the SAPGUI does. sap-sapinfo-lockout-bypass(11487) 7007 20030304 SAP R/3, account locking and RFC SDK 20061112 Old SAP exploits Multiple buffer overflows in the AGate component for SAP Internet Transaction Server (ITS) allow remote attackers to execute arbitrary code via long (1) ~command, (2) ~runtimemode, or (3) ~session parameters, or (4) a long HTTP Content-Type header. sap-multiple-bo(14186) http://www.phenoelit.de/stuff/Phenoelit20c3.pd Format string vulnerability in the WGate component for SAP Internet Transaction Server (ITS) allows remote attackers to execute arbitrary code via a high "trace level." sap-wgate-format-string(15514) http://www.phenoelit.de/stuff/Phenoelit20c3.pd 1009453 The AGate component for SAP Internet Transaction Server (ITS) allows remote attackers to obtain sensitive information via a ~command parameter with an AgateInstallCheck value, which provides a list of installed DLLs and full pathnames. sap-agate-path-disclosure(15516) http://www.phenoelit.de/stuff/Phenoelit20c3.pd Multiple buffer overflows in the mySAP.com architecture for SAP allow remote attackers to execute arbitrary code via a long HTTP Host header to (1) Message Server, (2) Web Dispatcher, or (3) Application Server. mysap-host-header-bo(15513) http://www.phenoelit.de/stuff/Phenoelit20c3.pd kmod in the Linux kernel does not set its uid, suid, gid, or sgid to 0, which allows local users to cause a denial of service (crash) by sending certain signals to kmod. linux-kmod-signals-dos(15577) RHSA-2004:188 RHSA-2004:106 RHSA-2004:069 RHSA-2004:065 SuSE-SA:2003:049 oval:org.mitre.oval:def:9423 http://linux.bkbits.net:8080/linux-2.4/diffs/kernel/kmod.c@1.6?nav=index.html|src/|src/kernel|hist/kernel/kmod.c 20040204-01-U CLSA-2004:820 Internet Explorer 5.x and 6.0 allows remote attackers to execute arbitrary programs via a modified directory traversal attack using a URL containing ".." (dot dot) sequences and a filename that ends in "::" which is treated as a .chm file even if it does not have a .chm extension. NOTE: this bug may overlap CVE-2004-0475. TA04-196A VU#187196 ie-showhelp-directory-traversal(14105) 9320 20031230 IE 5.x-6.0 allows executing arbitrary programs using showHelp() MS04-023 oval:org.mitre.oval:def:956 oval:org.mitre.oval:def:3514 oval:org.mitre.oval:def:1943 oval:org.mitre.oval:def:1186 SQL injection vulnerability in collectstats.pl for Bugzilla 2.16.3 and earlier allows remote authenticated users with editproducts privileges to execute arbitrary SQL via the product name. 8953 bugzilla-productname-sql-injection(13594) 20031103 [BUGZILLA] Security Advisory - SQL injection, information leak CLA-2003:774 http://bugzilla.mozilla.org/show_bug.cgi?id=214290 SQL injection vulnerability in Bugzilla 2.16.3 and earlier, and 2.17.1 through 2.17.4, allows remote authenticated users with editkeywords privileges to execute arbitrary SQL via the id parameter to editkeywords.cgi. 8953 bugzilla-url-sql-injection(13596) 20031103 [BUGZILLA] Security Advisory - SQL injection, information leak CLA-2003:774 http://bugzilla.mozilla.org/show_bug.cgi?id=219044 editproducts.cgi in Bugzilla 2.16.3 and earlier, when usebuggroups is enabled, does not properly remove group add privileges from a group that is being deleted, which allows users with those privileges to perform unauthorized additions to the next group that is assigned with the original group ID. 8953 bugzilla-groupid-gain-privileges(13597) 20031103 [BUGZILLA] Security Advisory - SQL injection, information leak http://bugzilla.mozilla.org/show_bug.cgi?id=219690 CLA-2003:774 votes.cgi in Bugzilla 2.16.3 and earlier, and 2.17.1 through 2.17.4, allows remote attackers to read a user's voting page when that user has voted on a restricted bug, which allows remote attackers to read potentially sensitive voting information by modifying the who parameter. 8953 http://bugzilla.mozilla.org/show_bug.cgi?id=209376 bugzilla-obtain-information(13600) 20031103 [BUGZILLA] Security Advisory - SQL injection, information leak CLA-2003:774 describecomponents.cgi in Bugzilla 2.17.3 and 2.17.4 does not properly verify group membership when bug entry groups are used, which allows remote attackers to list component descriptions for otherwise restricted products. 8953 bugzilla-describecomponents-obtain-info(13602) 20031103 [BUGZILLA] Security Advisory - SQL injection, information leak http://bugzilla.mozilla.org/show_bug.cgi?id=209742 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0540. Reason: This candidate is a duplicate of CVE-2004-0540. Notes: All CVE users should reference CVE-2004-0540 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Double free vulnerability in mshtml.dll for certain versions of Internet Explorer 6.x allows remote attackers to cause a denial of service (application crash) via a malformed GIF image. TA04-212A VU#685364 ie-mshtml-gif-bo(16804) 8530 MS04-025 O-191 20040903 Re: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll Denial of Service? 20040902 AW: [Full-Disclosure] New Microsoft Internet Explorer mshtml.dll 20030902 New Microsoft Internet Explorer mshtml.dll Denial of Service? oval:org.mitre.oval:def:517 oval:org.mitre.oval:def:509 oval:org.mitre.oval:def:236 oval:org.mitre.oval:def:212 oval:org.mitre.oval:def:2100 oval:org.mitre.oval:def:206 oval:org.mitre.oval:def:1793 IBM DB2 Universal Database 7 before FixPak 12 creates certain DMS directories with insecure permissions (777), which allows local users to modify or delete certain DB2 files. db2-dms-insecure-permissions(14030) 9243 IY44842 IY44841 Multiple buffer overflows in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via long command line arguments to (1) db2start, (2) db2stop, or (3) db2govd. db2-multiple-binaries-bo(13633) 8990 20031108 SRT2003-11-06-0710 - IBM DB2 Multiple local security issues http://www.secnetops.com/research/advisories/SRT2003-11-06-0710.txt Multiple format string vulnerabilities in IBM DB2 Universal Database 8.1 may allow local users to execute arbitrary code via certain command line arguments to (1) db2start, (2) db2stop, or (3) db2govd. db2-multiple-binaries-bo(13633) 8989 20031108 SRT2003-11-06-0710 - IBM DB2 Multiple local security issues http://www.secnetops.com/research/advisories/SRT2003-11-06-0710.txt IBM DB2 7.1 and 8.1 allow the bin user to gain root privileges by modifying the shared libraries that are used in setuid root programs. 8346 20030805 Slight privilege elevation from bin to root in IBM DB2 7.1 - 8.1 all binaries ibm-db2-gain-privileges(12826) Multiple buffer overflows in XShisen allow attackers to execute arbitrary code via a long (1) -KCONV command line option or (2) XSHISENLIB environment variable. 8776 8770 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=213957 xshisen-xshisenlib-bo(13359) xshisen-kconv-bo(13358) http://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.html 9950 mod_access_referer 1.0.2 allows remote attackers to cause a denial of service (crash) via a malformed Referer header that is missing a hostname, as parsed by the ap_parse_uri_components function in Apache, which triggers a null dereference. 7375 http://sourceforge.net/project/shownotes.php?release_id=151905 20030416 [VulnWatch] Apache mod_access_referer denial of service issue http://www.vuxml.org/freebsd/af747389-42ba-11d9-bd37-00065be4b5b6.html 8612 Buffer overflow in the nss_ldap.so.1 library for Sun Solaris 8 and 9 may allow local users to gain root access via a long hostname in an LDAP lookup. solaris-nssldapso1-bo(11641) 7064 N-113 52222 ESB-2003.0461 1006401 The ed editor for Sun Solaris 2.6, 7, and 8 allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. solaris-ed1-tmpfile-insecure(13952) 9199 ESB-2003.0851 57443 10411 2955 Unknown vulnerability in CDE Print Viewer (dtprintinfo) for Sun Solaris 2.6 through 9 may allow local users to execute arbitrary code. cde-dtprintinfo-gain-privileges(13914) 2924 O-035 ESB-2003.0844 57441 10384 9170 The Xsun server for Sun Solaris 2.6 through 9, when running in Direct Graphics Access (DGA) mode, allows local users to cause a denial of service (Xsun crash) or to create or overwrite arbitrary files on the system, probably via a symlink attack on temporary server files. solaris-xsun-gain-privileges(13890) 2892 O-033 57419 10346 9147 Unknown vulnerability in the libraries for the PGX32 frame buffer in Solaris 2.5.1 and 2.6 through 9 allows local users to gain root access. 9076 O-029 57360 10267 solaris-pgx32-gain-privileges(13792) 2839 The NFS Server for Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (UFS panic) via certain invalid UFS requests, which triggers a null dereference. solaris-nfs-ufs-dos(13547) 8929 57406 Race condition in Solaris 2.6 through 9 allows local users to cause a denial of service (kernel panic), as demonstrated via the namefs function, pipe, and certain STREAMS routines. solaris-race-dos(13434) 8836 57080 Unknown vulnerability in the sysinfo system call for Solaris for SPARC 2.6 through 9, and Solaris for x86 2.6, 7, and 8, allows local users to read kernel memory. solaris-sysinfo-read-memory(13435) 8831 57340 10006 The patches (1) 105693-13, (2) 108800-02, (3) 105694-13, and (4) 108801-02 for cachefs on Solaris 2.6 and 7 overwrite the inetd.conf file, which may silently reenable services and allow remote attackers to bypass the intended security policy. solaris-cachefs-inetdconf-overwrite(12942) 8461 N-134 56300 Solaris 8 with IPv6 enabled allows remote attackers to cause a denial of service (kernel panic) via a crafted IPv6 packet. VU#370060 8250 55301 solaris-ipv6-packet-dos(12680) Unknown vulnerability in patches 108993-14 through 108993-19 and 108994-14 through 108994-19 for Solaris 8 may allow local users to cause a denial of service (automountd crash). openssh-ldap-dos(19441) automountd-dos(19437) 8253 55340 Buffer overflow in the syslog daemon for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (syslogd crash) and possibly execute arbitrary code via long syslog UDP packets. 7820 8944 sun-syslogd-bo(12194) 20030604 Solaris syslogd overflow 55440 Multiple buffer overflows in the (1) dbm_open function, as used in ndbm and dbm, and the (2) dbminit function in Solaris 2.6 through 9 allow local users to gain root privileges via long arguments to Xsun or other programs that use these functions. sun-database-functions-bo(12379) 7991 N-108 55420 9088 Buffer overflow in utmp_update for Solaris 2.6 through 9 allows local users to gain root privileges, as identified by Sun BugID 4659277, a different vulnerability than CVE-2003-1082. solaris-utmp-update-bo(11083) 55260 8957 7835 N-105 The Telnet daemon (in.telnetd) for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (CPU consumption by infinite loop). 7794 8935 sun-intelnetd-dos(12140) 54181 Unknown vulnerability in rpcbind for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (rpcbind crash). sun-rpcbind-dos(11906) 7455 50922 8685 rpc.walld (wall daemon) for Solaris 2.6 through 9 allows local users to send messages to logged on users that appear to come from arbitrary user IDs by closing stderr before executing wall, then supplying a spoofed from header. VU#944241 solaris-wall-message-spoofing(11608) 51980 20030103 Solaris 2.x /usr/sbin/wall Advisory 7825 1006682 1005882 6509 Memory leak in lofiadm in Solaris 8 allows local users to cause a denial of service (kernel memory consumption). 8686 sun-lofiadm-dos(11895) 54100 7454 A race condition in the at command for Solaris 2.6 through 9 allows local users to delete arbitrary files via the -r argument with .. (dot dot) sequences in the job name, then modifying the directory structure after at checks permissions to delete the file and before the deletion actually takes place. 7960 solaris-at-race-condition(11180) 50161 solaris-at-directory-traversal(11179) 1005994 6693 6692 20030127 Sun Microsystems Solaris at -r job name handling and race condition vulnerabilities N-070 http://isec.pl/vulnerabilities/isec-0008-sun-at.txt 20030127 Sun Microsystems Solaris at -r job name handling and race condition vulnerabilities Unknown vulnerability in newtask for Solaris 9 allows local users to gain root privileges. 8454 solaris-newtask-root-access(11657) 52111 1006411 7252 Unknown vulnerability in the FTP server (in.ftpd) for Solaris 2.6 through 9 allows remote attackers to cause a denial of service (temporary FTP server hang), which affects other active mode FTP clients. 50240 7968 solaris-ftpd-dos(11186) 1005996 6709 Unknown vulnerability in sendmail for Solaris 7, 8, and 9 allows local users to cause a denial of service (unknown impact) and possibly gain privileges via certain constructs in a .forward file. 8235 solaris-sendmail-forward-privileges(11496) N-050 50904 1006234 7033 Unknown vulnerability in UFS for Solaris 9 for SPARC, with logging enabled, allows local users to cause a denial of service (UFS file system hang). 51300 8234 solaris-ufs-logging-dos(11481) 1006233 7032 The FTP client for Solaris 2.6, 7, and 8 with the debug (-d) flag enabled displays the user password on the screen during login. solaris-ftp-plaintext-password(11436) 51081 8186 1006195 6989 Unknown vulnerability in UDP RPC for Solaris 2.5.1 through 9 for SPARC, and 2.5.1 through 8 for x86, allows remote attackers to cause a denial of service (memory consumption) via certain arguments in RPC calls that cause large amounts of memory to be allocated. solaris-udp-rpc-dos(11368) 50626 8092 1006131 6883 Unknown vulnerability in mail for Solaris 2.6 through 9 allows local users to read the email of other users. solaris-mail-unauthorized-access(11303) 50751 8058 1006084 6838 Aspppls for Solaris 8 allows local users to overwrite arbitrary files via a symlink attack on the .asppp.fifo temporary file. O-001 solaris-aspppls-tmpfile-symlink(10105) 46903 VU#464817 ESB-2003.0621 5698 Buffer overflow in utmp_update for Solaris 2.6 through 9 allows local users to gain root privileges, as identified by Sun BugID 4705891, a different vulnerability than CVE-2003-1068. VU#596748 solaris-utmp-update-bo(11083) N-105 50008 1005935 6639 7892 Stack-based buffer overflow in Monit 1.4 to 4.1 allows remote attackers to execute arbitrary code via a long HTTP request. VU#623854 monit-http-bo(13817) 9099 GLSA-200403-14 10280 http://www.tildeslash.com/monit/dist/CHANGES.txt 20031124 Monit 4.1 HTTP interface multiple security vulnerabilities Monit 1.4 to 4.1 allows remote attackers to cause a denial of service (daemon crash) via an HTTP POST request with a negative Content-Length field. VU#206382 monit-negative-content-dos(13818) 9098 20031124 Monit 4.1 HTTP interface multiple security vulnerabilities 10280 http://www.tildeslash.com/monit/dist/CHANGES.txt GLSA-200403-14 The HTTP server in the Thomson TWC305, TWC315, and TCW690 cable modem ST42.03.0a allows remote attackers to cause a denial of service (unstable service) via a long GET request, possibly caused by a buffer overflow. thomson-http-get-dos(13815) http://www.shellsec.net/leer_advisory.php?id=2 9091 20031123 Thomnson TCM315 Denial of service 14353 10286 20050219 Thomson TCW690 Denial Of Service Vulnerability 20050219 Re: [Full-Disclosure] Thomson TCW690 Denial Of Service Vulnerability 20031124 Thomnson TCM315 Denial of service 20031123 Thomnson TCM315 Denial of service PHP remote file inclusion vulnerability in pm/lib.inc.php in pMachine Free and pMachine Pro 2.2 and 2.2.1 allows remote attackers to execute arbitrary PHP code by modifying the pm_path parameter to reference a URL on a remote web server that contains the code. http://www.pmachine.com/forum/threads.php?id=7274_0_13_0_C 20030623 pMachine (PHP) : Include() Security Hole Unknown vulnerability in diagmond and possibly other applications in HP9000 Series 700/800 running HP-UX B.11.00, B.11.04, B.11.11, and B.11.22 allows remote attackers to cause a denial of service (program failure) via certain network traffic. 7827 8971 SSRT3460 hp-diagmond-dos(12199) Cross-site scripting (XSS) vulnerability in index.php for Zorum 3.4 and 3.5 allows remote attackers to inject arbitrary web script or HTML via the method parameter. zorum-index-xss(12867) 8388 1013365 9497 20030811 ZH2003-22SA (security advisory): Zorum XSS Vulnerability and Path Disclosure index.php for Zorum 3.4 allows remote attackers to determine the full path of the web root via invalid parameter names, which reveals the path in a PHP error message. zorum-index-path-disclosure(12868) 8396 1013365 20030811 ZH2003-22SA (security advisory): Zorum XSS Vulnerability and Path Disclosure Buffer overflow in AbsoluteTelnet before 2.12 RC10 allows remote attackers to execute arbitrary code via a long window title. VU#666073 absolutetelnet-title-bar-bo(11265) 6785 20030206 AbsoluteTelnet 2.00 buffer overflow. 16024 Integer overflow in MP3Broadcaster for Apple QuickTime/Darwin Streaming Server 4.1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via malformed ID3 tags in MP3 files. VU#148564 darwin-mp3broadcaster-code-execution(12054) 7660 1006822 20030522 QuickTime/Darwin Streaming Server security issues Unknown vulnerability in the "Automatic File Content Type Recognition (AFCTR) Tool version of the file package before 3.41, related to "a memory allocation problem," has unknown impact. VU#100937 file-afctr-memory-allocation(11488) 7009 OpenPKG-SA-2003.017 BEA WebLogic Server 6.1, 7.0 and 7.0.0.1, when routing messages to a JMS target domain that is inaccessible, may leak the user's password when it throws a ResourceAllocationException. VU#331937 weblogic-error-password-disclosure(11057) 6586 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-24.jsp BEA WebLogic Server and Express version 7.0 SP3 may follow certain code execution paths that result in an incorrect current user, such as in the frequent use of JNDI initial contexts, which could allow remote authenticated users to gain privileges. VU#999788 8320 weblogic-gain-privileges(12799) http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA03-35.jsp BEA WebLogic Server and Express 7.0 and 7.0.0.1, when using "memory" session persistence for web applications, does not clear authentication information when a web application is redeployed, which could allow users of that application to gain access without having to re-authenticate. VU#691153 weblogic-app-reauthentication-bypass(11555) 7130 The Cisco LEAP challenge/response authentication mechanism uses passwords in a way that is susceptible to dictionary attacks, which makes it easier for remote attackers to gain privileges via brute force password guessing attacks. VU#473108 cisco-leap-dictionary(12804) 8755 20031006 Weaknesses in LEAP Challenge/Response 20031003 Dictionary attack against Cisco's LEAP, Wireless LANs vulnerable 20030803 Dictionary Attack on Cisco LEAP Vulnerability 20040407 Release of Cisco Attack tool Asleap 15209 Buffer overflow in rexec on HP-UX B.10.20, B.11.00, and B.11.04, when setuid root, may allow local users to gain privileges via a long -l option. HPSBUX0304-257 VU#322540 7459 N-088 hp-rexec-command-bo(11890) oval:org.mitre.oval:def:5611 20030429 HPUX rexec buffer overflow vulnerability The Xserver for HP-UX 11.22 was not properly built, which introduced a vulnerability that allows local users to gain privileges. HPSBUX0301-238 VU#862401 6638 hp-xserver-gain-privileges(11094) oval:org.mitre.oval:def:5765 1005936 shar on HP-UX B.11.00, B.11.04, and B.11.11 creates temporary files with predictable names in /tmp, which allows local users to cause a denial of service and possibly execute arbitrary code via a symlink attack. HPSBUX0312-304 VU#509454 9141 O-032 10339 hp-shar-tmpfile-symlink(13882) oval:org.mitre.oval:def:5788 Multiple cross-site scripting (XSS) vulnerabilities in Hummingbird CyberDOCS 3.5.1, 3.9, and 4.0 allow remote attackers to inject arbitrary web script or HTML via certain vectors. VU#488684 hummingbird-docsfusionserver-multiple-xss(13399) 9985 8815 http://www.procheckup.com/security_info/vuln_pr0305.html Hummingbird CyberDOCS 3.5.1, 3.9, and 4.0 allows remote attackers to obtain the full path of the DM Web Server via invalid login credentials, which reveals the path in an error message. VU#715548 Hummingbird-docsfusionserver-disclose-path(13398) 9985 8816 http://www.procheckup.com/security_info/vuln_pr0303.html Hummingbird CyberDOCS 3.5, 3.9, and 4.0, when running on IIS, uses insecure permissions for script source code files, which allows remote attackers to read the source code. VU#989580 9985 Hummingbird-docsfusionserver-file-access(13397) http://www.procheckup.com/security_info/vuln_pr0302.html SQL injection vulnerability in loginact.asp for Hummingbird CyberDOCS before 3.9 allows remote attackers to execute arbitrary SQL commands. VU#368300 hummingbird-docsfusionserver-sql-injection(13401) 9985 8800 http://www.procheckup.com/security_info/vuln_pr0304.html Buffer overflow in IBM Tivoli Firewall Toolbox (TFST) 1.2 allows remote attackers to execute arbitrary code via unknown vectors. VU#210937 7154 20030320 IBM Tivoli Firewall Security Toolbox buffer overflow vulnerability tivoli-tfst-relay-bo(11584) 8349 Unknown vulnerability in Internet Explorer 5.01 SP3 through 6.0 SP1 allows remote attackers to cause a denial of service (browser or Outlook Express crash) via HTML with certain input tags that are not properly rendered. VU#813208 ie-input-type-dos(13029) MS03-032 The SMTP service in Microsoft Windows 2000 before SP4 allows remote attackers to cause a denial of service (crash or hang) via an e-mail message with a malformed time stamp in the FILETIME attribute. VU#155252 330716 8195 The DHTML capability in Microsoft Windows Media Player (WMP) 6.4, 7.0, 7.1, and 9 may run certain URL commands from a security zone that is less trusted than the current zone, which allows attackers to bypass intended access restrictions. VU#222044 828026 mediaplayer-dhtml-code-execution(13375) The Session Initiation Protocol (SIP) implementation in Alcatel OmniPCX Enterprise 5.0 Lx allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 sip-invite(11379) 6904 http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ oval:org.mitre.oval:def:5831 The Session Initiation Protocol (SIP) implementation in multiple Cisco products including IP Phone models 7940 and 7960, IOS versions in the 12.2 train, and Secure PIX 5.2.9 to 6.2.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 6904 20030221 Multiple Product Vulnerabilities Found by PROTOS SIP Test Suite sip-invite(11379) http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ 1006145 1006144 1006143 The Session Initiation Protocol (SIP) implementation in Columbia SIP User Agent (sipc) 1.74 and other versions before sipc 2.0 build 2003-02-21 allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 http://www.cs.columbia.edu/~xiaotaow/sipc/ouspg.html 1006167 sip-invite(11379) 6904 http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The Session Initiation Protocol (SIP) implementation in multiple dynamicsoft products including y and certain demo products for AppEngine allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 sip-invite(11379) 6904 http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ http://www.dynamicsoft.com/support/advisory/ca-2003-06.php The Session Initiation Protocol (SIP) implementation in Ingate Firewall and Ingate SIParator before 3.1.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 6904 sip-invite(11379) http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The Session Initiation Protocol (SIP) implementation in IPTel SIP Express Router 0.8.9 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 6904 sip-invite(11379) http://www.iptel.org/ser/security/ http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The Session Initiation Protocol (SIP) implementation in Mediatrix Telecom VoIP Access Devices and Gateways running SIPv2.4 and SIPv4.3 firmware allows remote attackers to cause a denial of service or execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 sip-invite(11379) 6904 http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The Session Initiation Protocol (SIP) implementation in Nortel Networks Succession Communication Server 2000, when using SIP-T, allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted INVITE messages, as demonstrated by the OUSPG PROTOS c07-sip test suite. VU#528719 CA-2003-06 6904 sip-invite(11379) http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/ The communications protocol for the Report Review Agent (RRA), aka FND File Server (FNDFS) program, in Oracle E-Business Suite 10.7, 11.0, and 11.5.1 to 11.5.8 allows remote attackers to bypass authentication and obtain sensitive information from the Oracle Applications Concurrent Manager by spoofing requests to the TNS Listener. VU#168873 7325 1006550 http://otn.oracle.com/deploy/security/pdf/2003alert53.pdf oracle-rra-authentication-bypass(11768) http://www.integrigy.com/alerts/FNDFS_Vulnerability.htm 20030411 Integrigy Security Advisory - Oracle Applications FNDFS Vulnerability Buffer overflow in RealSystem Server 6.x, 7.x and 8.x, and RealSystem Proxy 8.x, related to URL error handling, allows remote attackers to cause a denial of service and possibly execute arbitrary code. VU#143627 VU#912219 http://service.real.com/help/faq/security/bufferoverflow.html 1003604 realsystem-malformed-url-bo(11362) Buffer overflow in the SETI@home client 3.03 and other versions allows remote attackers to cause a denial of service (client crash) and execute arbitrary code via a spoofed server response containing a long string followed by a \n (newline) character. VU#146785 7292 seti@home-newline-bo(11731) 20030406 Seti@home information leakage and remote compromise SSH Secure Shell before 3.2.9 allows remote attackers to cause a denial of service via malformed BER/DER packets. VU#333980 http://www.ssh.com/company/newsroom/article/476/ Race condition in SSH Tectia Server 4.0.3 and 4.0.4 for Unix, when the password change plugin (ssh-passwd-plugin) is enabled, allows local users to obtain the server's private key. VU#814198 http://www.ssh.com/company/newsroom/article/520/ 9956 sshtectiaserver-passwdplugin-race-condition(15585) 4491 1009532 11193 Services in ScriptLogic 4.01, and possibly other versions before 4.14, process client requests at raised privileges, which allows remote attackers to (1) modify arbitrary registry entries via the ScriptLogic RPC service (SLRPC) or (2) modify arbitrary configuration via the RunAdmin services (SLRAserver.exe and SLRAclient.exe). http://www.kb.cert.org/vuls/id/CRDY-5EXQSV http://www.kb.cert.org/vuls/id/CRDY-5EXQRP VU#609137 VU#231705 7477 7475 scriptlogic-runadmin-admin-access(11921) scriptlogic-rpc-modify-registry(11920) ScriptLogic 4.01, and possibly other versions before 4.14, uses insecure permissions for the LOGS$ share, which allows users to modify log records and possibly execute arbitrary code. http://www.kb.cert.org/vuls/id/CRDY-5EXQT9 VU#813737 7476 scriptlogic-logs$-insecure-permissions(11922) Sun Java Runtime Environment (JRE) and SDK 1.4.0_01 and earlier allows untrusted applets to access certain information within trusted applets, which allows attackers to bypass the restrictions of the Java security model. VU#393292 7824 55100 sun-applet-access-information(12189) 1006935 8958 Unknown vulnerability in Sun Management Center (SunMC) 2.1.1, 3.0, and 3.0 Revenue Release (RR), when installed and run by root, allows local users to create or modify arbitrary files. VU#758932 7960 55141 9073 sunmc-files-writable-permissions(12343) Unknown vulnerability in ns-ldapd for Sun ONE Directory Server 4.16, 5.0, and 5.1 allows LDAP clients to cause a denial of service (service halt). VU#195644 52102 Unknown vulnerability in SunOne/iPlanet Web Server SP3 through SP5 on Windows platforms allows remote attackers to cause a denial of service. VU#636964 9541 56180 Whale Communications e-Gap 2.5 on Windows 2000 allows remote attackers to obtain the source code for the login page via the HTTP TRACE method, which bypasses the preprocessor. VU#371470 egap-url-information-disclosure(14869) 9431 http://www.procheckup.com/security_info/vuln_pr0307.html XMMS.pm in X2 XMMS Remote, as obtained from the vendor server between 4 AM 11 AM PST on May 7, 2003, allows remote attackers to execute arbitrary commands via shell metacharacters in a request to TCP port 8086. VU#583020 7534 8775 xmms-remote-command-execution(12139) http://www.x2studios.com/index.php?page=kb&id=16 Buffer overflow in the Yahoo! Audio Conferencing (aka Voice Chat) ActiveX control before 1,0,0,45 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a URL with a long hostname to Yahoo! Messenger or Yahoo! Chat. VU#272644 20030530 Yahoo! Security Advisory: Yahoo! Voice Chat 8924 yahoo-audio-bo(12130) 7561 http://help.yahoo.com/help/us/mesg/use/use-45.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-1071. Reason: This candidate is a duplicate of CVE-2003-1071. Notes: All CVE users should reference CVE-2003-1071 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. PHP remote file inclusion vulnerability in index.php in KnowledgeBuilder, referred to as KnowledgeBase, allows remote attackers to execute arbitrary PHP code by modifying the page parameter to reference a URL on a remote web server that contains the code. 9292 knowledgebuilder-indexphp-file-include(14078) 20031224 Remote Code Execution in Knowledge Builder. 10504 20050312 KnowledgeBase 3228 The DNS server for Cisco Content Service Switch (CSS) 11000 and 11500, when prompted for a nonexistent AAAA record, responds with response code 3 (NXDOMAIN or "Name Error") instead of response code 0 ("No Error"), which allows remote attackers to cause a denial of service (inaccessible domain) by forcing other DNS servers to send and cache a request for a AAAA record to the vulnerable server. VU#714121 20041008 Cisco Content Service Switch 11000 Series DNS Negative Cache of Information Denial-of-Service Vulnerability Rit Research Labs The Bat! 1.0.11 through 2.0 creates new accounts with insecure ACLs, which allows local users to read other users' email messages. 8891 20031025 Some serious security holes in 'The Bat!' 1008004 Sun Java 1.3.1, 1.4.1, and 1.4.2 allows local users to cause a denial of service (JVM crash), possibly by calling the ClassDepth function with a null parameter, which causes a crash instead of generating a null pointer exception. 8892 20031026 Java 1.4.2_02 InsecurityManager JVM crash Buffer overflow in Yahoo! Messenger 5.6 allows remote attackers to cause a denial of service (crash) via a file send request (sendfile) with a large number of "%" (percent) characters after the Yahoo ID. 8894 20031026 Buffer Overflow in Yahoo messenger Client Cross-site scripting (XSS) vulnerability in Chi Kien Uong Guestbook 1.51 allows remote attackers to inject arbitrary web script or HTML via (1) HTML in a posted message or (2) Javascript in an onmouseover attribute in an e-mail address or URL. guestbook-doublequotation-xss(13523) guestbook-html-xss(13522) 8896 8895 20031026 New Vulnerability 2718 1008006 10080 Charles Steinkuehler sh-httpd 0.3 and 0.4 allows remote attackers to read files or execute arbitrary CGI scripts via a GET request that contains an asterisk (*) wildcard character. 8897 20031028 Re: sh-httpd `wildcard character' vulnerability 20031027 sh-httpd `wildcard character' vulnerability shtttpd-get-information-disclosure(13519) The default configuration of Apache 2.0.40, as shipped with Red Hat Linux 9.0, allows remote attackers to list directory contents, even if auto indexing is turned off and there is a default web page configured, via a GET request containing a double slash (//). 8898 20031027 Root Directory Listing on RH default apache Musicqueue 1.2.0 allows local users to overwrite arbitrary files by triggering a segmentation fault and using a symlink attack on the resulting musicqueue.crash file. musicqueue-tmpfile-symlink(13520) 8899 20031027 Musicqueue multiple local vulnerabilities 1008014 10104 Buffer overflow in Musicqueue 1.2.0 allows local users to execute arbitrary code via a long language variable in the configuration file. musicqueue-getconf-bo(13521) 8903 20031027 Musicqueue multiple local vulnerabilities 1008014 10104 20031027 Musicqueue multiple local vulnerabilities Buffer overflow in NIPrint 4.10 allows remote attackers to execute arbitrary code via a long string to TCP port 515. niprint-bo(13591) 8968 20031104 NIPrint remote exploit 20031104 SRT2003-11-02-0115 - NIPrint LPD-LPR Remote overflow 2774 10143 Help in NIPrint LPD-LPR Print Server 4.10 and earlier executes Windows Explorer with SYSTEM privileges, which allows local users to gain privileges. niprint-helpapi-gain-privileges(13592) 8969 20031104 SRT2003-11-02-0218 - NIPrint LPD-LPR Local Help API SYSTEM exploit Croteam Serious Sam demo test 2 2.1a, Serious Sam: the First Encounter 1.05, and Serious Sam: the Second Encounter 1.05 allow remote attackers to cause a denial of service (crash or freeze) via a TCP packet with an invalid first parameter. serioussam-games-packet-dos(13618) 8936 20031030 Serious Sam is not so serious Buffer overflow in the log viewing interface in Perception LiteServe 1.25 through 2.2 allows remote attackers to execute arbitrary code via a GET request with a long file name. 2766 10136 liteserve-log-entry-bo(13599) 8971 20031104 Liteserve Buffer Overflow in Handling Server's Log. 1008093 Cross-site scripting (XSS) vulnerability in friendmail.php in OpenAutoClassifieds 1.0 allows remote attackers to inject arbitrary web script or HTML via the listing parameter. openautoclassifieds-friendmail-xss(13604) 8972 20031107 OpenAutoClassifieds XSS attack 2767 10138 Cross-site scripting (XSS) vulnerability in John Beatty Easy PHP Photo Album 1.0 allows remote attackers to inject arbitrary web script or HTML via the dir parameter. 8977 http://security.nnov.ru/docs5347.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0955. Reason: This candidate is a duplicate of CVE-2003-0955. Notes: All CVE users should reference CVE-2003-0955 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple PHP remote file inclusion vulnerabilities in J-Pierre DEZELUS Les Visiteurs 2.0.1, as used in phpMyConferences (phpMyConference) 8.0.2 and possibly other products, allow remote attackers to execute arbitrary PHP code via a URL in the lvc_include_dir parameter to (1) config.inc.php or (2) new-visitor.inc.php in common/visiteurs/include/. les-visiteurs-file-include(13529) 3586 1008011 20031026 Les Visiteurs v2.0.1 code injection vulnerability 8902 2717 1017065 10079 Cross-site scripting (XSS) vulnerability in Symantec Norton Internet Security 2003 6.0.4.34 allows remote attackers to inject arbitrary web script or HTML via a URL to a blocked site, which is displayed on the blocked sites error page. 8904 2714 norton-is-blocked-xss(13528) 20031027 Norton Internet Security 2003 XSS http://securityresponse.symantec.com/avcenter/security/Content/2003.10.27.html 10067 Buffer overflow in the portmapper service (PMAP.NLM) in Novell NetWare 6 SP3 and ZenWorks for Desktops 3.2 SP2 through 4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via unknown attack vectors. novell-portmapper-bo(13564) 8907 10100 Cross-site scripting (XSS) vulnerability in Fastream NETFile Server 6.0.3.588 allows remote attackers to inject arbitrary web script or HTML via the URL, which is displayed on a "404 Not Found" error page. fastream-nonexistent-url-xss(13535) 8908 20031028 Fastream NetFile FTP/WebServer 6.0 CSS Vulnerability 2732 1008020 10099 WebTide 7.04 allows remote attackers to list arbitrary directories via an HTTP request for %3f.jsp (encoded "?"). webtide-file-disclosure(13533) 8909 2719 1008016 10078 20031028 STG Security Advisory: [SSA-20031025-05] InfronTech WebTide 7.04 Directory and File Disclosure Vulnerability byteHoard 0.7 and 0.71 allows remote attackers to list arbitrary files and directories via a direct request to files.inc.php. 10082 bytehoard-view-file(13531) 8910 2700 20031027 Bytehoard File Disclosure VUlnerability Sequel MAILsweeper for SMTP 4.3 allows remote attackers to bypass virus protection via a mail message with a malformed zip attachment, as exploited by certain MIMAIL virus variants. 10148 mailsweeper-zip-virus-bypass(13611) 8982 2772 http://www.computerworld.co.nz/cw.nsf/0/BF9E8E6E2D313E5FCC256DD70016473F?OpenDocument&More= X-CD-Roast 0.98 alpha10 through alpha14 allows local users to overwrite arbitrary files via a symlink attack on an unknown file. 8983 1008094 10162 xcdroast-symlink(13612) http://www.xcdroast.org/xcdr098/changelog-a15.html 2786 Java Runtime Environment (JRE) and Software Development Kit (SDK) 1.4.2 through 1.4.2_02 allows local users to overwrite arbitrary files via a symlink attack on (1) unpack.log, as created by the unpack program, or (2) .mailcap1 and .mime.types1, as created by the RPM program. sun-jre-java-symlink(13570) 8937 20031031 Advisory: Sun's jre/jdk 1.4.2 multiple vulernabilities in linuxinstallers Cross-site scripting (XSS) vulnerability in login.asp in Citrix MetaFrame XP Server 1.0 allows remote attackers to inject arbitrary web script or HTML via the NFuse_Message parameter. 10127 citrix-webmanager-login-xss(40782) metaframe-error-message-xss(13569) 8939 27948 20031031 IRM 008: Citrix Metaframe XP is vulnerable to Cross Site Scripting 2762 Multiple buffer overflows in the FTP service in Plug and Play Web Server 1.0002c allow remote attackers to cause a denial of service (crash) via long (1) dir, (2) ls, (3) delete, (4) mkdir, (5) DELE, (6) RMD, or (7) MKD commands. plugandplaywebserver-multiple-commands-dos(13219) 8667 20030917 Denial Of Service in Plug & Play Web (FTP) Server Plug and Play Web Server Proxy 1.0002c allows remote attackers to cause a denial of service (server crash) via an invalid URI in an HTTP GET request to TCP port 8080. plugandplaywebserver-get-dos(13572) 8941 2764 10131 20031031 DoS in Plug and Play Web Server Proxy Server FlexWATCH Network video server 132 allows remote attackers to bypass authentication and gain administrative privileges via an HTTP request to aindex.htm that contains double leading slashes (//). 2842 flexwatch-slash-admin-access(13567) 8942 1008049 10132 http://packetstormsecurity.nl/0310-exploits/FlexWATCH.txt exit.c in Linux kernel 2.6-test9-CVS, as stored on kernel.bkbits.net, was modified to contain a backdoor, which could allow local users to elevate their privileges by passing __WCLONE|__WALL to the sys_wait4 function. [linux-kernel] 20031105 Re: BK2CVS problem [linux-kernel] 20031105 Re: BK2CVS problem [linux-kernel] 20031105 BK2CVS problem 8987 index.php in Tritanium Bulletin Board 1.2.3 allows remote attackers to read and reply to arbitrary messages by modifying the thread_id, forum_id, and sid parameters. tritanium-threadid-view-messages(13587) 8944 2770 10135 20031031 Virginity Security Advisory 2003-002 : Tritanium Bulletin Board - Read and write from/to internal (protected) Threads hash.c in Ganglia gmond 2.5.3 allows remote attackers to cause a denial of service (segmentation fault) via a UDP packet that contains a single-byte name string, which is used as an out-of-bounds array index. 10166 ganglia-gmond-dos(13631) 8988 20031106 DoS for Ganglia 2787 http://ganglia.sourceforge.net/ Cross-site scripting (XSS) vulnerability in Mldonkey 2.5-4 allows remote attackers to inject arbitrary web script or HTML via the URI, which is injected into the HTML error page. 10134 mldonkey-xss(13615) 8946 20031031 XSS In mldonkey - But.... Buffer overflow in BRS WebWeaver 1.06 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP request with a long User-Agent header. brswebweaver-useragent-bo(13571) 8947 20031101 BRS WebWeaver 1.06 remote DoS vulnerability Directory traversal vulnerability in (1) Openfile.aspx and (2) Html.aspx in HTTP Commander 4.0 allows remote attackers to view arbitrary files via a .. (dot dot) in the file parameter. http-commander-directory-traversal(13622) 8948 2780 http://www.http-com.com/Default.asp?section=Features 10125 misc.cpp in KPopup 0.9.1 trusts the PATH variable when executing killall, which allows local users to elevate their privileges by modifying the PATH variable to reference a malicious killall program. 8915 2742 10105 kpopup-systemcall-execute-code(13540) 20031028 Local root vuln in kpopup HTTP Commander 4.0 allows remote attackers to obtain sensitive information via an HTTP request that contains a . (dot) in the file parameter, which reveals the installation path in an error message. 10125 8949 DATEV Nutzungskontrolle 2.1 and 2.2 has insecure write permissions for critical registry keys, which alows local users to bypass access restrictions by importing NukoInfo values in certain DATEV keys, which disables Nutzungskontrolle. nutzungskontrolle-registry-security-bypass(13589) 8950 20031101 DATEV Nutzungskontrolle Bypassing (REG) Format string vulnerability in main.cpp in kpopup 0.9.1 and 0.9.5pre2 allows local users to cause a denial of service (segmentation fault) and possibly execute arbitrary code via format string specifiers in command line arguments. 20031028 Local root vuln in kpopup 10105 8918 3290 Heap-based buffer overflow in the sec_filter_out function in mod_security 1.7RC1 through 1.7.1 in Apache 2 allows remote attackers to execute arbitrary code via a server side script that sends a large amount of data. mod-security-secfilterout-bo(13543) 8919 20031028 mod_security 1.7RC1 to 1.7.1 vulnerability 1008025 10085 http://www.modsecurity.org/download/CHANGES http://adsystems.com.pl/adg-mod_security171.txt Directory traversal vulnerability in the view-source sample file in Apache Software Foundation Cocoon 2.1 and 2.2 allows remote attackers to access arbitrary files via a .. (dot dot) in the filename parameter. http://www.securiteam.com/securitynews/6W00L0U8KC.html apachecocoon-directory-traversal-bootini(13499) 8883 2749 1007993 10064 http://issues.apache.org/bugzilla/show_bug.cgi?id=23949 Centrinity FirstClass 7.1 allows remote attackers to access sensitive information by appending search to the end of the URL and checking all of the search option checkboxes and leaving the text field blank, which will return all files in the searched directory. firstclass-view-unauthorized-files(13546) 8920 10084 20031030 Re: FirstClass 7.1 HTTP Server: Remote Directory Listing 20031028 FirstClass 7.1 HTTP Server: Remote Directory Listing 2723 Buffer overflow in NullSoft Shoutcast Server 1.9.2 allows local users to cause a denial of service via (1) icy-name followed by a long server name or (2) icy-url followed by a long URL. shoutcast-long-icy-dos(13586) 8954 20031102 ShoutCast server 1.9.2/win32 2776 1008080 10146 Cross-site scripting (XSS) vulnerability in index.php in Sympoll 1.5 allows remote attackers to inject arbitrary web script or HTML via the vo parameter. sympoll-indexphp-xss(13630) 8956 2790 http://sourceforge.net/tracker/index.php?func=detail&aid=834374&group_id=64442&atid=507493 10165 post_message_form.asp in Web Wiz Forums 6.34 through 7.5, when quote mode is used, allows remote attackers to read or write to private forums by modifying the FID (forum ID) parameter. 20031104 Re: Unauthorized access in Web Wiz Forum webwizforums-quotemode-message-access(13581) 8957 20031102 Unauthorized access in Web Wiz Forum 2768 1008100 10137 Buffer overflow in the base64 decoder in MERCUR Mailserver 4.2 before SP3a allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long (1) AUTH command to the POP3 server or (2) AUTHENTICATE command to the IMAP server. 10038 mercur-auth-command-dos(13468) 8889 8861 http://www.securiteam.com/windowsntfocus/6U00N1P8KC.html 2688 20031024 Vulnerability in MERCUR Mail Server v4.2 SP3 and below http://www.atrium-software.com/mail%20server/pub/mcr42sp3a.html Eval injection vulnerability in comments.php in Advanced Poll 2.0.2 allows remote attackers to execute arbitrary PHP code via the (1) id, (2) template_set, or (3) action parameter. 10068 advanced-poll-comments-file-include(29396) advancedpoll-php-injection(13513) 8890 20061008 Advanced Poll v2.02 :) <= Remote File Inclusion 20031025 Advanced Poll : PHP Code Injection, File Include, Phpinfo 2743 Advanced Poll v2.02 :) <= Remote File Inclusion Multiple PHP remote file inclusion vulnerabilities in Advanced Poll 2.0.2 allow remote attackers to execute arbitrary PHP code via the include_path parameter in (1) booth.php, (2) png.php, (3) poll_ssi.php, or (4) popup.php, the (5) base_path parameter to common.inc.php. 10068 advancedpoll-php-file-include(13514) http://www.solpotcrew.org/adv/solpot-adv-02.txt 8890 19105 20060721 SolpotCrew Advisory #2 - Advanced Poll ver 2.02 (base_path) Remote File Inclusion 20031025 Advanced Poll : PHP Code Injection, File Include, Phpinfo http://www.phpsecure.info/v2/tutos/frog/AdvancedPoll2.0.2.txt 3291 28988 Directory traversal vulnerability in Advanced Poll 2.0.2 allows remote attackers to read arbitrary files or inject arbitrary local PHP files via .. sequences in the base_path or pollvars[lang] parameters to the admin files (1) index.php, (2) admin_tpl_new.php, (3) admin_tpl_misc_new.php, (4) admin_templates_misc.php, (5) admin_templates.php, (6) admin_stats.php, (7) admin_settings.php, (8) admin_preview.php, (9) admin_password.php, (10) admin_logout.php, (11) admin_license.php, (12) admin_help.php, (13) admin_embed.php, (14) admin_edit.php, or (15) admin_comment.php. 10068 advancedpoll-php-file-include(13514) 8890 20031025 Advanced Poll : PHP Code Injection, File Include, Phpinfo 3291 Advanced Poll 2.0.2 allows remote attackers to obtain sensitive information via an HTTP request to info.php, which invokes the phpinfo() function. 20031025 Advanced Poll : PHP Code Injection, File Include, Phpinfo advancedpoll-phpinfo-obtain-information(13515) 8890 3292 10068 Cross-site scripting (XSS) vulnerability in MPM Guestbook 1.2 allows remote attackers to inject arbitrary web script or HTML via the lng parameter. mpmguestbook-ing-xss(13575) 8958 2754 10122 The WebCache component in Oracle Files 9.0.3.1.0, 9.0.3.2.0, and 9.0.3.3.0 of Oracle Collaboration Suite Release 1 caches files despite the cacheability rules imposed by Oracle Files, which allows local users to gain access. 8923 http://www.oracle.com/technology/deploy/security/pdf/2003alert60.pdf 10088 oraclecollaborationsuite-file-access(13545) 2727 Multiple cross-site scripting (XSS) vulnerabilities in ThWboard Beta 2.8 and 2.81 allow remote attackers to inject arbitrary web script or HTML via (1) time in board.php, (2) the profile Homepage-Feld, (3) pictures, and (4) other "Diverse XSS Bugs." thwboard-multiple-fields-xss(13582) 8959 4829 4828 4827 4826 4825 3077 10120 http://sourceforge.net/project/shownotes.php?release_id=195009 Multiple SQL injection vulnerabilities in ThWboard before Beta 2.8.2 allow remote attackers to inject arbitrary SQL commands via various vectors including (1) Admin-Center, (2) Announcements, (3) admin/calendar.php, and (4) showevent.php. thwboard-multiple-sql-injection(13583) 8961 4841 4840 4838 10120 2758 http://sourceforge.net/project/shownotes.php?release_id=195009 Buffer overflow in TelCondex SimpleWebServer 2.12.30210 Build3285 allows remote attackers to execute arbitrary code via a long HTTP Referer header. This was fixed in version 2.13. 8925 20031029 TelCondex SimpleWebserver Buffer Overflow simplewebserver-referer-bo(13549) 10101 Cross-site scripting (XSS) vulnerability in include.php in PHPKIT 1.6.02 and 1.6.03 allows remote attackers to inject arbitrary web script or HTML via the contact_email parameter. phpkit-include-xss(13590) 8960 20031102 [bWM#017] Cross-Site-Scripting @ PHPKIT http://badwebmasters.net/advisory/017/ Unichat allows remote attackers to cause a denial of service (crash) by adding extra chat characters (avatars) and logging in to a chat room, as demonstrated using duplicate ACTOR entries in u2res000.rit. unichat-nonalphanumeric-character-dos(13610) 8962 20031102 Unichat Vulnerabilities 2844 10163 Unknown vulnerability in Nokia IPSO 3.7, configured as IP Clusters, allows remote attackers to cause a denial of service via unknown attack vectors. nokia-ipso-ipcluster-dos(13539) 8928 1007992 10083 2724 Cross-site scripting (XSS) vulnerability in PHPRecipeBook 1.24 through 2.17 allows remote attackers to inject arbitrary web script or HTML via a recipe. This was fixed in PHPRecipeBook 2.18. phprecipebook-recipe-xss(13574) 8963 10109 2755 http://sourceforge.net/project/shownotes.php?release_id=193940 chatbox.php in e107 0.554 and 0.603 allows remote attackers to cause a denial of service (pages fail to load) via HTML in the Name field, which prevents the main.php form from being loaded. 8930 e107chatboxdos(13553) 2753 10115 20031029 E107 DoS vulnerability Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request. iawebmailserver-get-bo(13580) 8965 http://www.securiteam.com/windowsntfocus/6B002158UQ.html 2757 20031103 IA WebMail Server 3.x Buffer Overflow Vulnerability 1008075 10107 Multiple SQL injection vulnerabilities in the Portal DB (1) List of Values (LOVs), (2) Forms, (3) Hierarchy, and (4) XML components packages in Oracle Oracle9i Application Server 9.0.2.00 through 3.0.9.8.5 allow remote attackers to execute arbitrary SQL commands via the URL. 20031105 Multiple SQL Injection Vulnerabilities in Oracle Application Server 9i and RDBMS (#NISR05112003) http://otn.oracle.com/deploy/security/pdf/2003alert61.pdf oracle-portal-sql-injection(13593) 8966 Cross-site scripting (XSS) vulnerability in Booby .1 through 0.2.3 allows remote attackers to inject arbitrary web script or HTML via the error message. This was fixed in version 0.2.4. 8932 1008056 10110 booby-error-message-xss(13557) http://sourceforge.net/project/shownotes.php?release_id=193878 SQL injection vulnerability in getmember.asp in VieBoard 2.6 Beta 1 allows remote attackers to execute arbitrary SQL commands via the msn variable. 4606 vieboard-getmember-sql-injection(13819) 20031123 VieNuke VieBoard SQL Injection Vulnerability... again SQL injection vulnerability in viewtopic.asp in VieBoard 2.6 allows remote attackers to execute arbitrary SQL commands via the forumid parameter. 8967 2789 vieboard-viewtopic-sql-injection(13629) Cross-site scripting (XSS) vulnerability in index.php for Ledscripts.com LedForums Beta 1 allows remote attackers to inject arbitrary web script or HTML via the (1) top_message parameter or (2) topic field of a new thread. ledforums-topicfield-redirect(13563) ledforums-indexphp-xss(13562) 8934 20031030 Multiple Vulnerabilities in Led-Forums 10113 connection.c in Cherokee web server before 0.4.6 allows remote attackers to cause a denial of service via an HTTP POST request without a Content-Length header field. This was fixed in version 0.4.6-20040101. 9345 10518 cherokee-post-request-dos(14119) http://freshmeat.net/redir/cherokee/20646/url_changelog/ChangeLog Cross-site scripting (XSS) vulnerability in MyProxy 20030629 allows remote attackers to inject arbitrary web script or HTML via the URL. myproxy-xss(15438) 9846 4202 11090 20030311 XSS in MyProxy 20030629 Stack-based buffer overflow in FORM2RAW.exe in Alt-N MDaemon 6.5.2 through 6.8.5 allows remote attackers to execute arbitrary code via a long From parameter to Form2Raw.cgi. mdaemon-form2raw-from-bo(14097) 9317 20031229 [Hat-Squad] Remote buffer overflow in Mdaemon Raw message Handler 3255 10512 20040314 Rosiello Security's exploit for MDaemon ldbm_back_exop_passwd in the back-ldbm backend in passwd.c for OpenLDAP 2.1.12 and earlier, when the slap_passwd_parse function does not return LDAP_SUCCESS, attempts to free an uninitialized pointer, which allows remote attackers to cause a denial of service (segmentation fault). This was fixed in OpenLDAP version 2.1.17. 7656 http://www.openldap.org/its/index.cgi?findid=2390 GLSA-200403-12 9203 11261 CLSA-2003:685 openldap-back-ldbm-dos(12520) 17000 The checklogin function in omail.pl for omail webmail 0.98.4 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) password, (2) domainname, or (3) username. Fixed in version 0.98.5. However, there is a report that version 0.98.5 is still affected by this vulnerability. 8451 20030821 Re: Remote Execution of Commands in Omail Webmail 0.98.4 and earlier 20030821 Remote Execution of Commands in Omail Webmail 0.98.4 and earlier omailwebmail-checklogin-code-execution(12948) 9585 Cross-site scripting (XSS) vulnerability in index.php for Mambo Site Server 4.0.10 allows remote attackers to execute script on other clients via the ?option parameter. mambo-option-index-xss(11601) 7135 20030318 Some XSS vulns Multiple cross-site scripting (XSS) vulnerabilities in Mambo Site Server 4.0.12 BETA and earlier allow remote attackers to execute script on other clients via (1) the link parameter in sectionswindow.php, the directory parameter in (2) gallery.php, (3) navigation.php, or (4) uploadimage.php, the path parameter in (5) view.php, (6) the choice parameter in upload.php, (7) the sitename parameter in mambosimple.php, (8) the type parameter in upload.php, or the id parameter in (9) emailarticle.php, (10) emailfaq.php, or (11) emailnews.php. mambo-multiple-scripts-xss(11050) 6571 20030110 Mambo Site Server Remote Code Execution 7505 7504 7503 7502 7501 7500 7499 7498 7497 7496 7495 Crob FTP Server 2.60.1 allows remote authenticated users to cause a denial of service (crash) by renaming a file to the "con" MS-DOS device name. 9467 crob-rename-file-dos(12838) 2378 http://www.crob.net/studio/ftpserver/ 20030806 DoS Vulnerabilities in Crob FTP Server 2.60.1 Format string vulnerability in Crob FTP Server 2.60.1 allows remote attackers to cause a denial of service (crash) via "%s" or "%n" sequences in (1) the username during login, or other FTP commands such as (2) dir. 8929 crob-login-dos(12834) 20030807 Re: DoS Vulnerabilities in Crob FTP Server 2.60.1 http://www.crob.net/studio/ftpserver/ 20030806 DoS Vulnerabilities in Crob FTP Server 2.60.1 Crob FTP Server 3.5.1 allows remote authenticated users to cause a denial of service (crash) via a dir command with a large number of "." characters followed by a "/*" string. 9549 20040201 Vulnerabilities in Crob FTP Server V3.5.1 crob-dir-dos(15105) 1008908 10778 Multiple buffer overflows in Oracle 9i 9 before 9.2.0.3 allow local users to execute arbitrary code by (1) setting the TIME_ZONE session parameter to a long value, or providing long parameters to the (2) NUMTOYMINTERVAL, (3) NUMTODSINTERVAL or (4) FROM_TZ functions. This was fixed in Oracle 9i Database Release 2, version 9.2.0.3. VU#846582 VU#819126 VU#399806 VU#240174 oracle-multiple-function-bo(15060) 9587 3840 3839 3838 3837 http://www.nextgenss.com/advisories/ora_numtoyminterval.txt http://www.nextgenss.com/advisories/ora_numtodsinterval.txt http://www.nextgenss.com/advisories/ora_from_tz.txt O-093 10805 http://www.nextgenss.com/advisories/ora_time_zone.txt 20040205 Oracle Database 9ir2 Interval Conversion Functions Buffer Overflow The Post_Method function in Monkey HTTP Daemon before 0.6.2 allows remote attackers to cause a denial of service (crash) via a POST request without a Content-Type header. 7201 monkey-content-type-dos(11650) http://monkeyd.sourceforge.net/Changelog.txt Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 5.x through 6.5 allow remote attackers to execute arbitrary SQL commands via the (1) lid parameter to the getit function or the (2) min parameter to the search function. phpnuke-multiple-sql-injection(11984) 7588 20030513 More and More SQL injection on PHP-Nuke 6.5. Cross-site scripting (XSS) vulnerability in search.asp for MaxWebPortal 1.30 and possibly earlier versions allows remote attackers to inject arbitrary web script or HTML via the Search parameter. 7837 20030606 Critical Vulnerabilities In Max Web Portal maxwebportal-search-xss(12277) 3281 8979 MaxWebPortal 1.30 allows remote attackers to perform unauthorized actions by modifying hidden form fields, such as the (1) news, (2) lock, or (3) allmem fields in the 'start new topic' HTML page. 7837 20030606 Critical Vulnerabilities In Max Web Portal maxwebportal-form-field-modify(12278) 4933 8979 The default installation of MaxWebPortal 1.30 stores the portal database under the web document root with insecure access control, which allows remote attackers to obtain sensitive information via a direct request to database/db2000.mdb. 7837 20030606 Critical Vulnerabilities In Max Web Portal maxwebportal-database-access(12279) 8979 Unknown vulnerability in the server login for VisualShapers ezContents 2.02 and earlier allows remote attackers to bypass access restrictions and gain access to restricted functions. http://www.ezcontents.org/forum/viewtopic.php?t=361 10839 ezcontents-login-bypass(15136) SQL injection vulnerability in groupcp.php for phpBB 2.0.6 and earlier allows group moderators to perform unauthorized activities via the sql_in parameter. 9314 http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=161943 20031229 SQL Injection in phpBB's groupcp.php phpbb-groupcp-sql-injection(14096) SQL injection vulnerability in search.php for phpBB 2.0.6 and earlier allows remote attackers to execute arbitrary SQL and gain privileges via the search_id parameter. phpbb-searchphp-sql-injection(13867) 9122 http://www.phpbb.com/phpBB/viewtopic.php?t=153818 20031220 phpBB v2.06 search_id sql injection exploit 20031128 [Hat-Squad] phpBB search_id injection exploit 20031127 phpBB 2.06 search.php SQL injection Cross-site scripting (XSS) vulnerability in the tep_href_link function in html_output.php for osCommerce before 2.2-MS3 allows remote attackers to inject arbitrary web script or HTML via the osCsid parameter. 9238 20031217 osCommerce Malformed Session ID XSS Vuln http://www.oscommerce.com/community/bugs,1546 BEA WebLogic Server proxy plugin for BEA Weblogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (proxy plugin crash) via a malformed URL. 9034 BEA03-39.00 BEA WebLogic Express and Server 7.0 through 8.1 SP 1, under certain circumstances when a request to use T3 over SSL (t3s) is made to the insecure T3 port, may use a non-SSL connection for the communication, which could allow attackers to sniff sessions. 9034 BEA03-40.00 BEA Weblogic Express and Server 8.0 through 8.1 SP 1, when using a foreign Java Message Service (JMS) provider, echoes the password for the foreign provider to the console and stores it in cleartext in config.xml, which could allow attackers to obtain the password. 9034 BEA03-41.00 The Node Manager for BEA WebLogic Express and Server 6.1 through 8.1 SP 1 allows remote attackers to cause a denial of service (Node Manager crash) via malformed data to the Node Manager's port, as demonstrated by nmap. 9034 BEA03-42.00 Weblogic.admin for BEA WebLogic Server and Express 7.0 and 7.0.0.1 displays the JDBCConnectionPoolRuntimeMBean password to the screen in cleartext, which allows attackers to read a user's password by physically observing ("shoulder surfing") the screen. 7563 BEA03-30.00 The default CredentialMapper for BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores passwords in cleartext on disk, which allows local users to extract passwords. 7563 BEA03-30.00 BEA WebLogic Server and Express 7.0 and 7.0.0.1 stores certain secrets concerning password encryption insecurely in config.xml, filerealm.properties, and weblogic-rar.xml, which allows local users to learn those secrets and decrypt passwords. 7587 7563 BEA03-30.00 PHP remote file include vulnerability in index.php for Gallery 1.4 and 1.4-pl1, when running on Windows or in Configuration mode on Unix, allows remote attackers to inject arbitrary PHP code via a URL in the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. NOTE: this issue might be exploitable only during installation, or if the administrator has not run a security script after installation. 8814 20031011 Gallery 1.4 including file vulnerability gallery-indexphp-file-include(13419) 20031012 Re: Gallery 1.4 including file vulnerability 20031011 RE: Gallery 1.4 including file vulnerability Buffer overflow in the prepare_reply function in request.c for Mathopd 1.2 through 1.5b13, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via an HTTP request with a long path. mathopd-preparereply-bo(15474) 9871 http://www.securiteam.com/unixfocus/5FP0C1FCAW.html 10385 20031208 Re: [Fwd: Security Alert; possible buffer overflow in all Mathopd 20031205 [Fwd: Security Alert; possible buffer overflow in all Mathopd versions] X509TrustManager in (1) Java Secure Socket Extension (JSSE) in SDK and JRE 1.4.0 through 1.4.0_01, (2) JSSE before 1.0.3, (3) Java Plug-in SDK and JRE 1.3.0 through 1.4.1, and (4) Java Web Start 1.0 through 1.2 incorrectly calls the isClientTrusted method when determining server trust, which results in improper validation of digital certificate and allows remote attackers to (1) falsely authenticate peers for SSL or (2) incorrectly validate signed JAR files. sun-java-improper-validation(11182) 6682 50081 7943 HPSBUX0301-239 oval:org.mitre.oval:def:5883 http://java.sun.com/products/jsse/CHANGES.txt 20030128 Incorrect Certificate Validation in Java Secure Socket Extension 1006001 1007483 1006007 The implementation of SYN cookies (syncookies) in FreeBSD 4.5 through 5.0-RELEASE-p3 uses only 32-bit internal keys when generating syncookies, which makes it easier for remote attackers to conduct brute force ISN guessing attacks and spoof legitimate traffic. freebsd-syncookie-brute-force(11397) 6920 FreeBSD-SA-03:03 8142 19785 Cross-site scripting (XSS) vulnerability in index.php in ECW-Shop 5.5 allows remote attackers to inject arbitrary web script or HTML via the cat parameter. ecwshop-cat-xss(14032) 9244 http://www.securiteam.com/unixfocus/6D00F2A95C.html 1008522 10458 Emacs 21.2.1 does not prompt or warn the user before executing Lisp code in the local variables section of a text file, which allows user-assisted attackers to execute arbitrary commands, as demonstrated using the mode-name variable. http://lists.grok.org.uk/pipermail/full-disclosure/2003-May/005089.html 17496 http://groups.google.com/group/gnu.emacs.bug/browse_frm/thread/9424ec1b2fdae321/c691a2da8904db0f?hl=en&lr=&ie=UTF-8&oe=UTF-8&rnum=1&prev=/groups%3Fq%3Dguninski%2Bemacs%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dmailman.763.1041357806.19936.bug-gnu-emacs%2540gnu.org%26rnum%3D1#c691a2da8904db0f http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286183 15375 MDKSA-2005:208 Pedestal Software Integrity Protection Driver (IPD) 1.3 and earlier allows privileged attackers, such as rootkits, to bypass file access restrictions to the Windows kernel by using the NtCreateSymbolicLinkObject function to create a symbolic link to (1) \Device\PhysicalMemory or (2) to a drive letter using the subst command. ipd-ntcreatesymboliclinkobject-subs-symlink(10979) 6511 7816 20030103 Another way to bypass Integrity Protection Driver ('subst' vuln) 20030103 Pedestal Software Security Notice http://www.phrack.org/show.php?p=59&a=16 Integer overflow in the f_count counter in FreeBSD before 4.2 through 5.0 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via multiple calls to (1) fpathconf and (2) lseek, which do not properly decrement f_count through a call to fdrop. 6524 freebsd-kernel-integer-overflow(10993) 20030107 FreeBSD Security Advisory FreeBSD-SA-02:44.filedesc http://www.pine.nl/press/pine-cert-20030101.txt 20030106 PDS: Integer overflow in FreeBSD kernel FreeBSD-SA-02:44 1005898 20030106 PDS: Integer overflow in FreeBSD kernel 7821 BRW WebWeaver 1.03 allows remote attackers to obtain sensitive server environment information via a URL request for testcgi.exe, which lists the values of environment variables and the current working directory. 7283 webweaver-testcgi-info-disclosure(11686) 20030331 BRS WebWeaver: full disclosure Multiple format string vulnerabilities in the logger function in netzio.c for Tanne 0.6.17 allows remote attackers to execute arbitrary code via format string specifiers in syslog. 6553 20030107 [INetCop Security Advisory] Remote format string vulnerability in Tanne. http://tanne.fluxnetz.de/download/tanne-0.7.1.tar.bz2 20030107 [INetCop Security Advisory] Remote format string vulnerability in Tanne. 20030108 Tanne Remote format string exploit (Proof of Concept) tanne-logger-format-string(11006) 1005900 7831 Cross-site scripting vulnerability (XSS) in WWWBoard 2.0A2.1 and earlier allows remote attackers to inject arbitrary HTML or web script via a message post. 6918 wwwboard-message-xss(11383) 20030222 [SCSA-007] Cross Site Scripting Vulnerabilities in WWWBoard Cross-site scripting vulnerability (XSS) in Nuked-Klan 1.3 beta and earlier allows remote attackers to steal authentication information via cookies by injecting arbitrary HTML or script into op of the (1) Team, (2) News, and (3) Liens modules. 6916 nuked-klan-team-xss(11420) 20030318 Some XSS vulns 20030221 [SCSA-006] XSS & Function Execution Vulnerabilities in Nuked-Klan Directory traversal vulnerability in sendphoto.php in WihPhoto 0.86 allows remote attackers to read arbitrary files via .. specifiers in the album parameter, and the target filename in the pic parameter. 6929 20030223 WihPhoto (PHP) 20030223 WihPhoto (PHP) wihphoto-sendphoto-file-disclosure(11429) PHP remote file inclusion vulnerability in CuteNews 0.88 allows remote attackers to execute arbitrary PHP code via a URL in the cutepath parameter in (1) shownews.php, (2) search.php, or (3) comments.php. 6935 cutenews-php-file-include(11417) 20030225 PHP code injection in CuteNews Cross-site scripting vulnerability (XSS) in (1) admin_index.php, (2) admin_pass.php, (3) admin_modif.php, and (4) admin_suppr.php in MyGuestbook 3.0 allows remote attackers to execute arbitrary PHP code by modifying the location parameter to reference a URL on a remote web server that contains file.php via script injected into the pseudo, email, and message parameters. 20030221 Myguestbook (PHP) 20030221 Myguestbook (PHP) 6906 Sage 1.0 b3 allows remote attackers to obtain the root web server path via a URL request for a non-existent module, which returns the path in an error message. 6893 sage-module-path-disclosure(11372) 20030219 XSS and Path Disclosure in Sage Cross-site scripting vulnerability (XSS) in Sage 1.0 b3 allows remote attackers to insert arbitrary HTML or web script via the mod parameter. sage-mod-xss(11371) 6894 20030219 XSS and Path Disclosure in Sage SQL injection vulnerability in page_header.php in phpBB 2.0, 2.0.1 and 2.0.2 allows remote attackers to brute force user passwords and possibly gain unauthorized access to forums via the forum_id parameter to index.php. 6888 phpbb-pageheader-sql-injection(11376) 20030220 phpBB Security Bugs index2.php in Mambo 4.0.12 allows remote attackers to gain administrator access via a URL request where session_id is set to the MD5 hash of a session cookie. 6926 mambo-sessionid-gain-privileges(11398) 20030224 Mambo SiteServer exploit gains administrative privileges NtCreateSymbolicLinkObject in ntdll.dll in Integrity Protection Driver (IPD) 1.2 and 1.3 allows local users to create and overwrite arbitrary files via a symlink attack on \winnt\system32\drivers using the subst command. 6511 ipd-ntcreatesymboliclinkobject-subs-symlink(10979) 20030103 Another way to bypass Integrity Protection Driver ('subst' vuln) 20030103 Pedestal Software Security Notice Multiple buffer overflows in H-Sphere WebShell 2.3 allow remote attackers to execute arbitrary code via (1) a long URL content type in CGI::readFile, (2) a long path in diskusage, and (3) a long fname in flist. 6540 6538 6537 20030106 Remote root vuln in HSphere WebShell hsphere-webshell-flist-bo(11003) hsphere-webshell-diskusage-bo(11002) hsphere-webshell-readfile-bo(10999) http://psoft.net/misc/webshell_patch.html 1005893 6527 7832 H-Sphere WebShell 2.3 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) mode and (2) zipfile parameters in a URL request. 6539 6537 20030106 Remote root vuln in HSphere WebShell hsphere-webshell-encodefilename-execution(11001) http://psoft.net/misc/webshell_patch.html 1005893 WebIntelligence 2.7.1 uses guessable user session cookies, which allows remote attackers to hijack sessions. 6569 20030109 WebIntelligence session hijacking vulnerability 20030109 WebIntelligence session hijacking vulnerability webintelligence-session-hijacking(11026) 1005906 7846 Efficient Networks 5861 DSL router, when running firmware 5.3.80 configured to block incoming TCP SYN, packets allows remote attackers to cause a denial of service (crash) via a flood of TCP SYN packets to the WAN interface using a port scanner such as nmap. 6573 20030123 5861 IP Filtering issues 20030110 Efficient Networks 5861 DSL Router efficient-dsl-portscan-dos(11032) 20030110 Efficient Networks 5861 DSL Router 1005910 1005980 The (1) menu.inc.php, (2) datasets.php and (3) mass_operations.inc.php (mistakenly referred to as mass_opeations.inc.php) scripts in N/X 2002 allow remote attackers to execute arbitrary PHP code via a c_path that references a URL on a remote web server that contains the code. 20030102 N/X (PHP) 6500 nx-file-include(10969) 7808 register.php in S8Forum 3.0 allows remote attackers to execute arbitrary PHP commands by creating a user whose name ends in a .php extension and entering the desired commands into the E-mail field, which creates a web-accessible .php file that can be called by the attacker, as demonstrated using a "system($cmd)" E-mail address with a "any_name.php" username. 6547 20030105 A security vulnerability in S8Forum s8forum-register-command-execution(10974) 20030105 A security vulnerability in S8Forum 1005881 7819 PHP remote file inclusion vulnerability in Bookmark4U 1.8.3 allows remote attackers to execute arbitrary PHP code viaa URL in the prefix parameter to (1) dbase.php, (2) config.php, or (3) common.load.php. bookmark4u-file-include(11009) 20030106 Bookmar4U and Active PHP Bookmarks Vulnerabilities Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to execute arbitrary PHP code via (1) head.php, (2) apb_common.php, or (3) apb_view_class.php by modifying the APB_SETTINGS parameter to reference a URL on a remote web server that contains the code. 20030106 Bookmar4U and Active PHP Bookmarks Vulnerabilities 6545 apb-apbsettings-file-include(11010) add_bookmark.php in Active PHP Bookmarks (APB) 1.1.01 allows remote attackers to add arbitrary bookmarks as other users using a modified auth_user_id parameter. apb-addbookmark-authentication-bypass(11011) 6546 20030106 Bookmar4U and Active PHP Bookmarks Vulnerabilities aff_liste_langue.php in E-theni allows remote attackers to execute arbitrary PHP code by modifying the rep_include parameter to reference a URL on a remote web server that contains para_langue.php. Successful exploitation requires that "register_globals" is enabled. 20030106 E-theni (PHP) 20030106 E-theni (PHP) 6970 etheni-afflistelangue-file-include(11013) find_theni_home.php in E-theni allows remote attackers to obtain sensitive system information via a URL request which executes phpinfo. 20030106 E-theni (PHP) 20030106 E-theni (PHP) etheni-findthenihome-information-disclosure(11012) activate.php in versatileBulletinBoard (vBB) 0.9.5 and 0.9.6 allows remote attackers to gain unauthorized administrative access via a URL request with the uid parameter set to the webmaster uid. 20030110 vulnerability in versatile BulletinBoard Allows Gaining Administrative Privileges. vbb-unauthorized-privileges(11044) Buffer overflow in CuteFTP 4.2 and 5.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP server banner. 20030618 Re: CuteFTP 5.0 XP, Buffer Overflow 6518 cuteftp-ftp-banner-bo(10984) 20030104 CuteFTP: buffer overflow Buffer overflow in CuteFTP 5.0 allows remote attackers to execute arbitrary code via a long response to a LIST command. 20030618 Re: CuteFTP 5.0 XP, Buffer Overflow 6642 cuteftp-list-command-bo(11093) 20030118 CuteFTP 5.0 XP, Buffer Overflow 2181 7898 20030107 CuteFTP 5.0 XP, Buffer Overflow 20030205 Re: CuteFTP 5.0 XP, Buffer Overflow Buffer overflow in CuteFTP 5.0 and 5.0.1 allows local users to cause a denial of service (crash) by copying a long URL into a clipboard. 6786 cuteftp-url-clipboard-bo(11275) 20030206 Re: CuteFTP 5.0 XP, Buffer Overflow 20030618 Re: CuteFTP 5.0 XP, Buffer Overflow 20030205 Re: CuteFTP 5.0 XP, Buffer Overflow Buffer overflow in the http_fetch function of HTTP Fetcher 1.0.0 and 1.0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL request via a long (1) host, (2) referer, or (3) userAgent value. 6531 20030106 [INetCop Security Advisory] Buffer Overflow vulnerability in HTTP Fetcher Library. 20030107 GLSA: http-fetcher http-fetcher-httpfetch-bo(11000) GLSA-200301-6 7823 ICAL.EXE in iCal 3.7 allows remote attackers to cause a denial of service (crash) via a malformed HTTP request, possibly due to an invalid method name. 6506 ical-icalexe-port-dos(10973) 20030103 ical 3.7 remote dos 6505 TFTP server in Longshine Wireless Access Point (WAP) LCS-883R-AC-B, and in D-Link DI-614+ 2.0 which is based on it, allows remote attackers to obtain the WEP secret and gain administrator privileges by downloading the configuration file (config.img) and other files without authentication. 6533 20030106 Re: Longshine WLAN Access-Point LCS-883R VU#310201 20030106 Longshine WLAN Access-Point LCS-883R VU#310201 longshine-ap-tftp-access(10997) 1005897 Netscape 7.0 and Mozilla 5.0 do not immediately delete messages in the trash folder when users select the 'Empty Trash' option, which could allow local users to access deleted messages. 6499 netscape-email-deletion-failure(10963) 20030101 Potential disclosure of sensitive information in Netscape 7.0 email client 1005871 The (1) FTP, (2) POP3, (3) SMTP, and (4) NNTP servers in EServer 2.92 through 2.97, and possibly 2.98, allow remote attackers to cause a denial of service (crash) via a large amount of data. 6522 6521 6520 6519 eserv-remote-data-dos(10975) 20030104 EServ/2.97 remote DoS GuildFTPd 0.999 allows remote attackers to cause a denial of service (crash) via a GET request for MS-DOS device names such as lpt1. http://www.securiteam.com/windowsntfocus/5SP030A8UO.html guildftpd-aux-port-dos(10964) 1005864 Multiple SQL injection vulnerabilities in (1) addcustomer.asp, (2) addprod.asp, and (3) process.asp in a.shopKart 2.0.3 allow remote attackers to execute arbitrary SQL and obtain sensitive information via the zip, state, country, phone, and fax parameters. 6558 20030108 a.shopKart Shopping Cart remote vulnerabilities ashopkart-multiple-sql-injection(11029) http://www.centaura.com.ar/infosec/adv/ashopkart.txt 1005903 37038 37037 37036 7838 AN HTTP 1.41e allows remote attackers to obtain the root web server path via an HTTP request with a long argument to a script, which leaks the path in an error message. 6528 20030104 AN HTTPd v.1.41e: DoS, CSS, real patch attack an-http-path-disclosure(10976) AN HTTP 1.41e allows remote attackers to cause a denial of service (borken pipe) via an HTTP request to aux.cgi with a long argument, possibly triggering a buffer overflow or MS-DOS device vulnerability. 20030104 AN HTTPd v.1.41e: DoS, CSS, real patch attack an-http-script-dos(10978) Cross-site scripting vulnerability (XSS) in AN HTTP 1.41e allows remote attackers to execute arbitrary web script or HTML as other users via a URL containing the script. 6529 20030104 AN HTTPd v.1.41e: DoS, CSS, real patch attack an-http-script-xss(10977) Multiple buffer overflows in Winamp 3.0 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a .b4s file containing (1) a long playlist name or (2) a long path in a file: argument to the Playstring parameter. winamp-b4s-path-bo(10981) 6516 6515 winamp-b4s-playlistname-bo(10980) 20030104 WinAmp v.3.0: buffer overflow Winamp 3.0 allows remote attackers to cause a denial of service (crash) via a .b4s file with a playlist name that contains some non-English characters, e.g. Cyrillic characters. winamp-b4s-playlistname-dos(10982) 6517 6517 20030104 WinAmp v.3.0: buffer overflow Winamp 3.0 allows remote attackers to cause a denial of service (crash) via .b4s file with a file: argument to the Playstring parameter that contains MS-DOS device names such as aux. winamp-b4s-path-dos(10983) 20030104 WinAmp v.3.0: buffer overflow Pocket Internet Explorer (PIE) 3.0 allows remote attackers to cause a denial of service (crash) via a Javascript function that uses the object.innerHTML function to recursively call that function. 6507 pie-javascript-objectinnerhtml-dos(11004) 20030103 JS Bug makes it possible to deliberately crash Pocket PC IE Netfone.exe of NetTelephone 3.5.6 uses weak encryption for user PIN's and stores user account numbers in plaintext in the HKEY_CURRENT_USER\Software\MediaRing.com\SDK\NetTelephone\settings registry key, which could allow local users to gain unauthorized access to NetTelephone accounts. nettelephone-insecure-account-information(11007) 20030103 Multiple Issues in Nettelephone Dialer Cross-site scripting (XSS) vulnerabilities in Yet Another Bulletin Board (YaBB) 1.5.0 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via cookies by injecting arbitrary HTML or script into (1) news_icon of news_template.php, and (2) threadid and subject of index.html http://www.securiteam.com/unixfocus/5BP061F8US.html http://www.securiteam.com/unixfocus/5BP051F8VE.html yabb-se-index-xss(10990) yabb-newstemplate-xss(10989) Cross-site scripting vulnerability (XSS) in OpenTopic 2.3.1 allows remote attackers to execute arbitrary script as other users and possibly steal authentication information via cookies by injecting arbitrary HTML or script into IMG tags. 6523 20030104 OpenTopic security hole opentopic-img-xss(10985) S-PLUS 6.0 allows local users to overwrite arbitrary files and possibly elevate privileges via a symlink attack on (1) /tmp/__F8499 by Sqpe, (2) /tmp/PRINT.$$.out by PRINT, (3) /tmp/SUBST$PID.TXT and /tmp/ed.cmds$PID by mustfix.hlinks, (4) /tmp/file.1 and /tmp/file.2 by sas_get, (5) /tmp/file.1 by sas_vars, and (6) /tmp/sgml2html$$tmp /tmp/sgml2html$$tmp1 /tmp/sgml2html$$tmp2 by sglm2html. 6530 20030105 S-plus /tmp usage splus-tmp-file-symlink(11005) 1005896 7833 Directory traversal vulnerability in cgihtml 1.69 allows remote attackers to overwrite and create arbitrary files via a .. (dot dot) in multipart/form-data uploads. 6550 20030107 Multiple cgihtml vulnerabilities cgihtml-dotdot-directory-traversal(11022) cgihtml 1.69 allows local users to overwrite arbitrary files via a symlink attack on certain temporary files. 6552 20030107 Multiple cgihtml vulnerabilities cgihtml-tmpfile-symlink(11023) IBM Net.Data allows remote attackers to obtain sensitive information such as path names, server names and possibly user names and passwords by causing the (1) $(DTW_CURRENT_FILENAME), (2) $(DATABASE), (3) $(LOGIN), (4) $(PASSWORD), and possibly other predefined variables that can be echoed back to the user via a web form. http://www.securiteam.com/securitynews/5CP061F8VS.html ibm-netdata-view-variables(11016) 1005890 KaZaA Media Desktop (KMD) 2.0 launches advertisements in the Internet Explorer (IE) local security zone, which could allow remote attackers to view local files and possibly execute arbitrary code. 6543 kazaa-ad-local-zone(11031) 20030107 KaZaA - Bad Zone Sambar Server before 6.0 beta 6 allows remote attackers to obtain sensitive information via direct requests to the default scripts (1) environ.pl and (2) testcgi.exe. sambar-multiple-vulnerabilities(13305) 1007819 http://www.sambar.com/security.htm 20030925 Sambar Server Multiple Vulnerabilities 9578 Multiple cross-site scripting (XSS) vulnerabilities in Sambar Server before 6.0 beta 6 allow remote attackers to inject arbitrary web script or HTML via the query string to (1) isapi/testisa.dll, (2) testcgi.exe, (3) environ.pl, (4) the query parameter to samples/search.dll, (5) the price parameter to mortgage.pl, (6) the query string in dumpenv.pl, (7) the query string to dumpenv.pl, and (8) the E-Mail field of the guestbook script (book.pl). sambar-multiple-xss(16056) sambar-multiple-vulnerabilities(13305) 5805 5785 5784 5783 5782 1007819 9578 http://www.sambar.com/security.htm 20030925 Sambar Server Multiple Vulnerabilities HTTP Proxy in Sambar Server before 6.0 beta 6, when security.ini lacks a 127.0.0.1 proxydeny entry, allows remote attackers to send proxy HTTP requests to the Sambar Server's administrative interface and external web servers, by making a "Connection: keep-alive" request before the proxy requests. sambar-http-gain-access(16054) 10256 1007819 http://www.sambar.com/security.htm 20030925 Sambar Server Multiple Vulnerabilities 9578 20040430 SECURITY.NNOV: Sambar security quest Sambar Server before 6.0 beta 3 allows attackers with physical access to execute arbitrary code via a request with an MS-DOS device name such as com1.pl, con.pl, or aux.pl, which causes Perl to read the code from the associated device. sambar-post-code-execution(16059) 5781 1007819 http://www.sambar.com/security.htm 20030925 Sambar Server Multiple Vulnerabilities 9578 20040430 SECURITY.NNOV: Sambar security quest Multiple race conditions in Linux-VServer 1.22 with Linux kernel 2.4.23 and SMP allow local users to cause a denial of service (kernel oops) via unknown attack vectors related to the (1) s_info and (2) ip_info data structures and the (a) forget_original_parent, (b) goodness, (c) schedule, (d) update_process_times, and (e) vc_new_s_context functions. 7587 [Vserver] 20031220 Re: SMP oops 2.4.23 v1.22 [Vserver] 20031219 Re: SMP oops 2.4.23 v1.22 [Vserver] 20031218 SMP oops 2.4.23 v1.22 http://linux-vserver.org/ChangeLog The iBCS2 system call translator for statfs in NetBSD 1.5 through 1.5.3 and FreeBSD 4 up to 4.8-RELEASE-p2 and 5 up to 5.1-RELEASE-p1 allows local users to read portions of kernel memory (memory disclosure) via a large length parameter, which copies additional kernel memory into userland memory. freebsd-ibcs2-kernel-memory(12892) 2406 1007460 9504 FreeBSD-SA-03:10 BEA WebLogic Server and WebLogic Express 6.1, 7.0, and 8.1, with RMI and anonymous admin lookup enabled, allows remote attackers to obtain configuration information by accessing MBeanHome via the Java Naming and Directory Interface (JNDI). 9034 10218 weblogic-mbeanhome-obtain-information(13752) 16215 3064 18396 BEA03-43.00 VMware ESX Server 1.5.2 before Patch 4 allows local users to execute arbitrary programs as root via certain modified VMware ESX Server environment variables. http://www.vmware.com/download/esx/esx152-patch4.html 21585 http://www.vmware.com/support/kb/enduser/std_adp.php?p_sid=dsxk*BWh&p_lva=&p_faqid=1108 PHP remote file include vulnerability in Derek Ashauer ashNews 0.83 allows remote attackers to include and execute arbitrary remote files via a URL in the pathtoashnews parameter to (1) ashnews.php and (2) ashheadlines.php. 18248 16436 20030720 sorry, wrong file 1864 9331 http://forums.ashwebstudio.com/viewtopic.php?t=353&start=0 20060131 Re: ashnews Cross-Site Scripting Vulnerability 20060131 Re: ashnews Cross-Site Scripting Vulnerability 20060130 Re: ashnews Cross-Site Scripting Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in NukedWeb GuestBookHost allow remote attackers to inject arbitrary web script or HTML via the (1) Name, (2) Email and (3) Message fields when signing the guestbook. 8025 20030724 GuestBookHost : Cross Site Scripting Xscreensaver before 4.15 creates temporary files insecurely in (1) driver/passwd-kerberos.c, (2) driver/xscreensaver-getimage-video, (3) driver/xscreensaver.kss.in, and the (4) vidwhacker and (5) webcollage screensavers, which allows local users to overwrite arbitrary files via a symlink attack. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=182286 https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=124968 ADV-2006-1948 9125 http://www.novell.com/linux/download/updates/90_i386.html oval:org.mitre.oval:def:10848 http://jwz.livejournal.com/310943.html RHSA-2006:0498 http://support.avaya.com/elmodocs2/security/ASA-2006-107.htm 20782 20456 20226 20224 20060602-01-U Unspecified vulnerability in xscreensaver 4.12, and possibly other versions, allows attackers to cause xscreensaver to crash via unspecified vectors "while verifying the user-password." http://www.novell.com/linux/download/updates/90_i386.html 9125 Easy File Sharing (EFS) Web Server 1.2 allows remote authenticated users to cause a denial of service via (1) an "empty symbol" in the Title field or (2) certain data in the Your Message field, possibly a long argument. easyfilesharing-title-dos(13360) 20031004 Vulnerabilities in Easy File Sharing Web Server (1.2 NEW) Easy File Sharing (EFS) Web Server 1.2 stores the (1) option.ini (aka options.ini) file and (2) log directory under the web root with insufficient access control, which allows remote attackers to obtain sensitive information including an SMTP account username and password hash, the server configuration, and server log files. 23795 23794 20031004 Vulnerabilities in Easy File Sharing Web Server (1.2 NEW) Multiple directory traversal vulnerabilities in siteman.php3 in AnyPortal(php) 12 MAY 00 allow remote attackers to (1) create, (2) delete, (3) save, and (4) upload files by navigating to the root directory and entering a filename beginning with "./.." (dot slash dot dot). anyportalphp-siteman-directory-traversal(25396) ADV-2006-1053 17197 23984 19359 http://nger.org/anyportal/forum/read.php?f=1&i=152&t=152#reply_152 Directory traversal vulnerability in Baby FTP Server 1.2, and possibly other versions before May 31, 2003 allows remote authenticated users to list arbitrary directories and possibly read files via "..." (triple dot) manipulations to the CWD command. http://www.pablosoftwaresolutions.com/html/baby_ftp_server.html 24538 http://packetstormsecurity.org/0305-exploits/baby.txt Baby FTP Server (BabyFTP) 1.2, and possibly other versions before May 31, 2003, allows remote attackers to cause a denial of service via a large number of connections from the same IP address, which triggers an access violation. http://www.pablosoftwaresolutions.com/html/baby_ftp_server.html 24539 http://packetstormsecurity.org/0305-exploits/baby.txt Sun Java Runtime Environment (JRE) 1.x before 1.4.2_11 and 1.5.x before 1.5.0_06, and as used in multiple web browsers, allows remote attackers to cause a denial of service (application crash) via deeply nested object arrays, which are not properly handled by the garbage collector and trigger invalid memory accesses. 20060521 Generic Browser Crash with Java 1.4.2_11, Java 1.5.0_06 http://www.illegalaccess.org/exploit/ObjectStackOverflow.html http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4944300 http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=4396719 18058 The IMAP functionality in PHP before 4.3.1 allows remote attackers to cause a denial of service via an e-mail message with a (1) To or (2) From header with an address that contains a large number of "\" (backslash) characters. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175040 http://bugs.php.net/bug.php?id=22048 Buffer overflow in the imap_fetch_overview function in the IMAP functionality (php_imap.c) in PHP before 4.3.3 allows remote attackers to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long e-mail address in a (1) To or (2) From header. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=175040 oval:org.mitre.oval:def:10346 http://bugs.php.net/bug.php?id=24150 EarlyImpact ProductCart 1.0 through 2.0 stores database/EIPC.mdb under the web root with insufficient access control, which allows remote attackers to obtain sensitive database information via a direct request. shopping-cart-database-access(9816) 8112 20060622 productcart soltan_defacer http://www.earlyimpact.com/pdf/ProductCart_Security_Tips.pdf 9195 20030705 [Vulnerability] : ProductCart database file can be downloaded remotely Microsoft Internet Explorer allows remote attackers to cause a denial of service (resource consumption) via a Javascript src attribute that recursively loads the current web page. 2291 20030707 Internet Explorer Crash Microsoft URLScan 2.5, with the RemoveServerHeader option enabled, allows remote attackers to obtain sensitive information (server name and version) via an HTTP request that generates certain errors such as 400 "Bad Request," which leak the Server header in the response. Successful exploitation requires that the RemoveServerHeader option is enabled. 29370 9194 [WWW-Mobile-Code] 20030706 can - IIS Version Disclosure ** DISPUTED ** The mod_php module for the Apache HTTP Server allows local users with write access to PHP scripts to send signals to the server's process group and use the server's file descriptors, as demonstrated by sending a STOP signal, then intercepting incoming connections on the server's TCP port. NOTE: the PHP developer has disputed this vulnerability, saying "The opened file descriptors are opened by Apache. It is the job of Apache to protect them ... Not a bug in PHP." 9302 20061020 Re: PHP "exec", "system", "popen" (+small POC) 20061019 PHP "exec", "system", "popen" problem 20031226 Hijacking Apache https by mod_php http://hackerdom.ru/~dimmo/phpexpl.c http://bugs.php.net/38915 CRLF injection vulnerability in fvwm-menu-directory for fvwm 2.5.x before 2.5.10 and 2.4.x before 2.4.18 allows local users to execute arbitrary commands via carriage returns in a filename. 9161 http://www.fvwm.org/news/ The DeviceIoControl function in the TrueVector Device Driver (VSDATANT) in ZoneAlarm before 3.7.211, Pro before 4.0.146.029, and Plus before 4.0.146.029 allows local users to gain privileges via certain signals (aka "Device Driver Attack"). device-driver-gain-privileges(12824) 4362 2375 9459 8342 http://download.zonelabs.com/bin/free/information/znalm/zaReleaseHistory.html 20030805 Local ZoneAlarm Firewall (probably all versions - tested on v3.1) The DeviceIoControl function in the Norton Device Driver (NAVAP.sys) in Symantec Norton AntiVirus 2002 allows local users to gain privileges by overwriting memory locations via certain control codes (aka "Device Driver Attack"). device-driver-gain-privileges(12824) 8329 4362 9460 siteminderagent/SmMakeCookie.ccc in Netegrity SiteMinder does not ensure that the TARGET parameter names a valid redirection resource, which allows remote attackers to construct a URL that might trick users into visiting an arbitrary web site referenced by this parameter. 30741 [curl-users] 20030529 Re: https, redirection and authentication using POST siteminderagent/SmMakeCookie.ccc in Netegrity SiteMinder places a session ID string in the value of the SMSESSION parameter in a URL, which might allow remote attackers to obtain the ID by sniffing, reading Referer logs, or other methods. 30741 [curl-users] 20030529 Re: https, redirection and authentication using POST Multiple PHP remote file inclusion vulnerabilities in EternalMart Mailing List Manager (EMLM) 1.32 allow remote attackers to execute arbitrary PHP code via a URL in (1) the emml_admin_path parameter to admin/auth.php or (2) the emml_path parameter to emml_email_func.php. 8767 20031004 EMML, EMGB : Include() hole 1007884 PHP remote file inclusion vulnerability in admin/auth.php in EternalMart Guestbook (EMGB) 1.1 allows remote attackers to execute arbitrary PHP code via a URL in the emgb_admin_path parameter. 8767 21720 20031004 EMML, EMGB : Include() hole 1007885 2980 SQL injection vulnerability in auth.php in Land Down Under (LDU) v601 and earlier allows remote attackers to execute arbitrary SQL commands. landdownunder-auth-sql-injection(13922) 9168 2943 http://www.neocrome.net/page.php?id=1250 http://www.neocrome.net/index.php?m=single&id=76 1008416 10396 mod.php in eNdonesia 8.2 allows remote attackers to obtain sensitive information via a ' (quote) value in the lng parameter, which reveals the path in an error message. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. endonesia-mod-path-disclosure(13042) 8507 3666 1007592 9622 Cross-site scripting (XSS) vulnerability in mod.php in eNdonesia 8.2 allows remote attackers to inject arbitrary web script or HTML via the mod parameter. NOTE: The provenance of this information is unknown; the details are obtained solely from third party information. endonesia-mod-xss(13041) 8506 2480 1007592 9622 Twilight Webserver 1.3.3.0 allows remote attackers to cause a denial of service (application crash) via a GET request for a long URI, a different vulnerability than CVE-2004-2376. http://www.tripbit.org/advisories/twilight_advisory.txt 22090 20030713 TA-2003-07 Denial of Service Attack against Twilight WebServer v1.3.3.0 Multiple buffer overflows in SmartFTP 1.0.973, and other versions before 1.0.976, allow remote attackers to execute arbitrary code via (1) a long response to a PWD command, which triggers a stack-based overflow, and (2) a long line in a response to a file LIST command, which triggers a heap-based overflow. smartftp-long-list-bo(12231) smartftp-pwd-directory-bo(12228) 7861 7858 8998 1006956 http://security.nnov.ru/docs4679.html 20030608 [SmartFTP] Two Buffer Overflow Vulnerabilities SonicWALL firmware before 6.4.0.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted Internet Key Exchange (IKE) response packets, possibly including (1) a large Security Parameter Index (SPI) field, (2) a large number of payloads, or (3) a long payload. VU#287771 http://www.kb.cert.org/vuls/id/AAMN-5L74VD Buffer overflow in Avant Browser 8.02 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long URL in an HTTP request. avantbrowser-http-bo(12974) 8471 20030821 Buffer overflow in Avant Browser 8.02 Multiple stack-based buffer overflows in Atrium MERCUR IMAPD in MERCUR Mailserver before 4.2.15.0 allow remote attackers to execute arbitrary code via a long (1) EXAMINE, (2) DELETE, (3) SUBSCRIBE, (4) RENAME, (5) UNSUBSCRIBE, (6) LIST, (7) LSUB, (8) STATUS, (9) LOGIN, (10) CREATE, or (11) SELECT command. 20030606 Multiple Buffer Overflow Vulnerabilities Found in MERCUR Mail server v.4.2 (SP2) - IMAP protocol 7842 mercur-multiple-bo(12203) Elm ME+ 2.4 before PL109S, when installed setgid mail and the operating system lacks POSIX saved ID support, allows local users to read and modify certain files with the privileges of the mail group via unspecified vectors. http://www.elmme-mailer.org/elm-2.4ME+PL109S.patch.gz Race condition in the can_open function in Elm ME+ 2.4, when installed setgid mail and the operating system lacks POSIX saved ID support, allows local users to read and modify certain files with the privileges of the mail group. http://www.elmme-mailer.org/elm-2.4ME+PL109S.patch.gz The SV_CheckForDuplicateNames function in Valve Software Half-Life CSTRIKE Dedicated Server 1.1.1.0 and earlier allows remote authenticated users to cause a denial of service (infinite loop and daemon hang) via a certain connection string to UDP port 27015 that represents "absence of player informations," a related issue to CVE-2006-0734. http://packetstormsecurity.org/0304-exploits/hl-headnut.c http://aluigi.altervista.org/adv/csdos.txt Microsoft Internet Explorer 5.5 and 6.0 allows remote attackers to bypass the cross-domain security model to run malicious script or arbitrary programs via dialog boxes, aka "Improper Cross Domain Security Validation with dialog box." MS03-004 ie-dialog-zone-bypass(11258) 6779 N-038 oval:org.mitre.oval:def:49 oval:org.mitre.oval:def:178 oval:org.mitre.oval:def:126 Buffer overflow in the SockPrintf function in wu-ftpd 2.6.2 and earlier, when compiled with MAIL_ADMIN option enabled on a system that supports very long pathnames, might allow remote anonymous users to execute arbitrary code by uploading a file with a long pathname, which triggers the overflow when wu-ftpd constructs a notification message to the administrator. Successful exploitation requires that the option "MAIL_ADMIN" has been enabled (not default), that anonymous users have write permissions on a folder, and that the program has been compiled on a system where very long paths are permitted. wuftp-mailadmin-sockprintf-bo(13269) SSA:2003-259-03 8668 2594 1007775 9835 20030922 Wu_ftpd all versions (not) vulnerability. The showHelp() function in Microsoft Internet Explorer 5.01, 5.5, and 6.0 supports certain types of pluggable protocols that allow remote attackers to bypass the cross-domain security model and execute arbitrary code, aka "Improper Cross Domain Security Validation with ShowHelp functionality." VU#400577 MS03-004 ie-showhelp-zone-bypass(11259) 6780 N-038 20030206 showHelp("file:") disables security in IE - Sandblad advisory #11 oval:org.mitre.oval:def:57 ftpd.c in wu-ftpd 2.6.2, when running on "operating systems that only allow one non-connected socket bound to the same local address," does not close failed connections, which allows remote attackers to cause a denial of service. ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/connect-dos.patch 34670 Clearswift MAILsweeper for SMTP 4.3.6 SP1 does not execute custom "on strip unsuccessful" hooks, which allows remote attackers to bypass e-mail attachment filtering policies via an attachment that MAILsweeper can detect but not remove. mailsweeper-onstrip-bypass-filter(11745) 7226 Stack-based buffer overflow in the mysql_real_connect function in the MySql client library (libmysqlclient) 4.0.13 and earlier allows local users to execute arbitrary code via a long socket name, a different vulnerability than CVE-2001-1453. mysql-mysqlrealconnect-bo(12337) 7887 http://bugs.mysql.com/bug.php?id=564 20030612 libmysqlclient 4.x and below mysql_real_connect() buffer overflow. Stack-based buffer overflow in the reply_nttrans function in Samba 2.2.7a and earlier allows remote attackers to execute arbitrary code via a crafted request, a different vulnerability than CVE-2003-0201. samba-reply-nttrans-bo(12749) http://www.securiteam.com/exploits/5TP0M2AAKS.html RHSA-2003:096 Unspecified vulnerability in the Cache' Server Page (CSP) implementation in InterSystems Cache' 4.0.3 through 5.0.5 allows remote attackers to "gain complete control" of a server. http://groups.google.com/group/intersystems-public-cache/browse_thread/thread/8bdc0e496226edd1/60e9179edb4a4d43 Cross-site scripting (XSS) vulnerability in Kai Blankenhorn Bitfolge simple and nice index file (aka snif) before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://www.bitfolge.de/snif-en.html Directory traversal vulnerability in Kai Blankenhorn Bitfolge simple and nice index file (aka snif) before 1.2.5 allows remote attackers to download files from locations above the snif directory. http://www.bitfolge.de/snif-en.html Buffer overflow in mIRC before 6.11 allows remote attackers to execute arbitrary code via a long irc:// URL. 8819 http://www.securiteam.com/windowsntfocus/6M00B0U8KE.html 9996 20031015 mIRC Buffer Overflow in irc protocol handler mirc-ircprotocol-execute-code(13405) 2665 Heap-based buffer overflow in Aprelium Abyss Web Server 1.1.2 and earlier allows remote attackers to execute arbitrary code via a long HTTP GET request. abyss-http-get-bo(12466) 8062 20030629 Aprelium Abyss webserver X1 arbitrary code execution and header injection CRLF injection vulnerability in Aprelium Abyss Web Server 1.1.2 and earlier allows remote attackers to inject arbitrary HTTP headers and possibly conduct HTTP Response Splitting attacks via CRLF sequences in the Location header. Per: http://cwe.mitre.org/data/definitions/93.html 'http://cwe.mitre.org/data/definitions/93.html' 20030629 Aprelium Abyss webserver X1 arbitrary code execution and header injection Stack-based buffer overflow in eZnet.exe, as used in eZ (a) eZphotoshare, (b) eZmeeting, (c) eZnetwork, and (d) eZshare allows remote attackers to cause a denial of service (crash) or execute arbitrary code, as demonstrated via (1) a long GET request and (2) a long operation or autologin parameter to SwEzModule.dll. 133 http://www.governmentsecurity.org/archive/t5390.html 1008412 20031211 eZ and eZphotoshare fixes 20031207 eZ Multiple Packages Stack Overflow Vulnerability Multiple SQL injection vulnerabilities in Francisco Burzi PHP-Nuke 5.6 and 6.5 allow remote authenticated users to execute arbitrary SQL commands via (1) a uid (user) cookie to modules.php; and allow remote attackers to execute arbitrary SQL commands via an aid (admin) cookie to the Web_Links module in a (2) viewlink, (3) MostPopular, or (4) NewLinksDate action, different vectors than CVE-2003-0279. 20070927 Re: [waraxe-2007-SA#056] - Another Sql Injection in NukeSentinel 2.5.11 20030530 Php-Nuke:users and admins password hashes vulnerability 3185 The default installation of Trend Micro OfficeScan 3.0 through 3.54 and 5.x allows remote attackers to bypass authentication from cgiChkMasterPasswd.exe and gain access to the web management console via a direct request to cgiMasterPwd.exe. 6616 officescan-cgichkmasterpwd-auth-bypass(11059) 6181 7881 http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13353 20030114 Assorted Trend Vulns Rev 2.0 Trend Micro Virus Control System (TVCS) 1.8 running with IIS allows remote attackers to cause a denial of service (memory consumption) in IIS via multiple URL requests for ActiveSupport.exe. trend-vcs-activesupport-dos(11060) 6617 6185 7881 20030114 RE: [VulnWatch] Assorted Trend Vulns Rev 2.0 20030114 Assorted Trend Vulns Rev 2.0 Trend Micro ScanMail for Exchange (SMEX) before 3.81 and before 6.1 might install a back door account in smg_Smxcfg30.exe, which allows remote attackers to gain access to the web management interface via the vcc parameter, possibly "3560121183d3". 6619 scanmail-smgsmxcfg30-password-bypass(11061) 7881 http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=13352 20030114 RE: [VulnWatch] Assorted Trend Vulns Rev 2.0 Trend Micro Virus Control System (TVCS) Log Collector allows remote attackers to obtain usernames, encrypted passwords, and other sensitive information via a URL request for getservers.exe with the action parameter set to "selects1", which returns log files. trend-vcs-weak-encryption(11063) 6618 7881 20030114 RE: [VulnWatch] Assorted Trend Vulns Rev 2.0 Directory traversal vulnerability in s.dll in WebCollection Plus 5.00 allows remote attackers to view arbitrary files in c:\ via a full pathname in the d parameter. webcollection-plus-directory-traversal(11064) 6574 20030114 Vulnerability in WebCollection Plus (TM) D-Link wireless access point DWL-900AP+ 2.2, 2.3 and possibly 2.5 allows remote attackers to set factory default settings by upgrading the firmware using AirPlus Access Point Manager. dlink-airplus-restore-default(11074) 1005926 6609 20030116 Re: D-Link DWL-900AP+ Security Hole 20030114 D-Link DWL-900AP+ Security Hole Multiple cross-site scripting (XSS) vulnerabilities in Geeklog 1.3.7 allow remote attackers to inject arbitrary web script or HTML via the (1) cid parameter to comment.php, (2) uid parameter to profiles.php, (3) uid to users.php, and (4) homepage field. http://www.geeklog.net/filemgmt/visit.php?lid=101 geeklog-php-scripts-xss(11075) 6604 6603 6602 6601 20030114 Multiple XSS in Geeklog 1.3.7 3226 Cross-site scripting (XSS) vulnerability in guestbook.cgi in ftls.org Guestbook 1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) comment, (2) name, or (3) title field. guestbook-multiple-field-xss(11155) 6686 20030125 ftls.org Guestbook 1.1 Script Injection 3227 Directory traversal vulnerability in NITE ftp-server (NiteServer) 1.83 allows remote attackers to list arbitrary directories via a "\.." (backslash dot dot) in the CD (CWD) command. niteserver-dotdot-directory-traversal(11062) 1005923 6648 7879 20030115 Directory traversal vulnerabilities found in NITE ftp-server version 1.83 List Site Pro 2.0 allows remote attackers to hijack user accounts by inserting a "|" (pipe), which is used as a field delimiter, into the bannerurl field. listsitepro-account-hijacking(11156) 6685 20030124 List Site Pro v2 user account Hijacking vulnerablity 3230 Directory traversal vulnerability in edittag.cgi in EditTag 1.1 allows remote attackers to read arbitrary files via a "%2F.." (encoded slash dot dot) in the file parameter. edittag-dotdot-directory-traversal(11159) 6675 20030124 Vulnerability in edittag.pl 3231 Gabber 0.8.7 sends an email to a specific address during user login and logout, which allows remote attackers to obtain user session activity and Gabber version number by sniffing. gabber-information-leak(11115) 6624 20030115 Gabber 0.8.7 leaks presence information without user authorization Multiple cross-site scripting (XSS) vulnerabilities in Outreach Project Tool (OPT) 0.946b allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the news field. opt-news-post-xss(11096) 6631 20030116 Outreach Project Tool Multiple GameSpy 3D 2.62 compatible gaming servers generate very large UDP responses to small requests, which allows remote attackers to use the servers as an amplifier in DDoS attacks with spoofed UDP query packets, as demonstrated using Battlefield 1942. battlefield-udp-query-dos(11084) 6636 http://www.securiteam.com/securitynews/5EP0O0K8UO.html http://www.pivx.com/kristovich/adv/mk001/ 20030122 PivX Multi-Vendor Game Server dDoS Advisory Buffer overflow in the remote console (rcon) in Battlefield 1942 1.2 and 1.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long user name and password. battlefield-remoteconsole-username-dos(11426) 6967 20030226 [VSA0307] Battlefield 1942 remote DoS The "file handling" in sort in HP-UX 10.01 through 10.20, and 11.00 through 11.11 is "incorrect," which allows attackers to gain access or cause a denial of service via unknown vectors. hpux-sort-file-handling(11107) 6640 oval:org.mitre.oval:def:5758 SSRT3454 SSRT3454 ProxyView has a default administrator password of Administrator for Embedded Windows NT, which allows remote attackers to gain access. proxyview-administrator-default-password(11185) 6708 20030128 ProxyView default undocumented password 3228 rs.F300 for HP-UX 10.0 through 11.22 uses the PATH environment variable to find and execute programs such as rm while operating at raised privileges, which allows local users to gain privileges by modifying the path to point to a malicious rm program. hp-rsf3000-daemon-access(11312) 6837 20030710 [LSD] HP-UX security vulnerabilities HPSBUX0302-240 3236 Buffer overflow in stmkfont utility of HP-UX 10.0 through 11.22 allows local users to gain privileges via a long command line argument. hp-stmkfont-bo(11313) 6836 20030610 [LSD] HP-UX security vulnerabilities HPSBUX0302-241 oval:org.mitre.oval:def:5587 3236 Buffer overflow in the setupterm function of (1) lanadmin and (2) landiag programs of HP-UX 10.0 through 10.34 allows local users to execute arbitrary code via a long TERM environment variable. hp-landiag-lanadmin-bo(11314) 6834 20030610 [LSD] HP-UX security vulnerabilities HPSBUX0302-243 3236 Unknown vulnerability in VERITAS Bare Metal Restore (BMR) of Tivoli Storage Manager (TSM) 3.1.0 through 3.2.1 allows remote attackers to gain root privileges on the BMR Main Server. 6928 http://seer.support.veritas.com/docs/252933.htm veritas-bmr-root-access(11418) http://seer.support.veritas.com/docs/254442.htm 20030225 VERITAS Software Technical Advisory (fwd) Bastille B.02.00.00 of HP-UX 11.00 and 11.11 does not properly configure the (1) NOVRFY and (2) NOEXPN options in the sendmail.cf file, which could allow remote attackers to verify the existence of system users and expand defined sendmail aliases. 6878 hp-bastille-info-disclosure(11366) HPSBUX0302-245 The remote web management interface of Aprelium Technologies Abyss Web Server 1.1.2 and earlier does not log connection attempts to the web management port (9999), which allows remote attackers to mount brute force attacks on the administration console without detection. 6842 abyss-web-admin-bruteforce(11310) 20030212 Abyss WebServer Brute Force Vulnerability Aprelium Technologies Abyss Web Server 1.1.2, and possibly other versions before 1.1.4, allows remote attackers to cause a denial of service (crash) via an HTTP GET message with empty (1) Connection or (2) Range fields. 7287 abyss-http-get-dos(11718) 20030405 Abyss X1 1.1.2 remote crash The escape_dangerous_chars function in CGI::Lite 2.0 and earlier does not correctly remove special characters including (1) "\" (backslash), (2) "?", (3) "~" (tilde), (4) "^" (carat), (5) newline, or (6) carriage return, which could allow remote attackers to read or write arbitrary files, or execute arbitrary commands, in shell scripts that rely on CGI::Lite to filter such dangerous inputs. cgilite-shell-command-execution(11308) 6833 20030211 Security bug in CGI::Lite::escape_dangerous_chars() function http://use.perl.org/~cbrooks/journal/10542 http://search.cpan.org/~smylers/CGI-Lite-2.02/Lite.pm 20030211 Security bug in CGI::Lite::escape_dangerous_chars() function 3237 chpass in OpenBSD 2.0 through 3.2 allows local users to read portions of arbitrary files via a hard link attack on a temporary file used to store user database information. openbsd-chpass-information-disclosure(11233) 6748 20030203 ASA-0001: OpenBSD chpass/chfn/chsh file content leak 1006035 3238 The which_access variable for Majordomo 2.0 through 1.94.4, and possibly earlier versions, is set to "open" by default, which allows remote attackers to identify the email addresses of members of mailing lists via a "which" command. majordomo-whichaccess-email-disclosure(11243) 6761 20030204 Majordomo info leakage, all versions 3235 Buffer overflow in the 32bit FTP client 9.49.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP server banner. 32bit-ftp-banner-bo(11234) 6764 20030204 Banner Buffer Overflows found in Multible FTP Clients Buffer overflow in ByteCatcher FTP client 1.04b allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long FTP server banner. bytecatcher-ftp-banner-bo(11235) 6762 20030204 Banner Buffer Overflows found in Multible FTP Clients Multiple cross-site scripting (XSS) vulnerabilities in Nuked-Klan 1.2b allow remote attackers to inject arbitrary HTML or web script via (1) the Author field in the Guestbook module, (2) the Titre or Pseudo fields in the Forum module, or (3) "La Tribune Libre" in the Shoutbox module. 6700 6697 nuked-klan-index-xss(11176) 6699 20030127 [SCSA-003] Multiple Cross Site Scripting & Script Injection Vulnerabilities in Nuked-Klan Nuked-Klan 1.3b, and possibly earlier versions, allows remote attackers to obtain sensitive server information via an op parameter set to phpinfo for the (1) Team, (2) News, or (3) Liens modules. nukedklan-information-disclosure(11424) 6917 20030221 [SCSA-006] XSS & Function Execution Vulnerabilities in Nuked-Klan Cross-site scripting (XSS) vulnerability in links.php script in myPHPNuke 1.8.8, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the (1) ratenum or (2) query parameters. phpbb-index-sql-injection(11376) 6892 20030219 myphpnuke xss 3931 8125 Directory traversal vulnerability in auth.php for PhpBB 1.4.0 through 1.4.4 allows remote attackers to read and include arbitrary files via .. (dot dot) sequences followed by NULL (%00) characters in CGI parameters, as demonstrated using the lang parameter in prefs.php. phpbb-auth-read-files(11407) 6889 20030220 phpBB Security Bugs Buffer overflow in disable of HP-UX 11.0 may allow local users to execute arbitrary code via a long argument to the (1) -r or (2)-c options. hp-lp-disable-bo(11316) 6845 20030213 HPUX disable buffer overflow vulnerability Buffer overflow in wall for HP-UX 10.20 through 11.11 may allow local users to execute arbitrary code by calling wall with a large file as an argument. 6800 hp-wall-bo(11272) 20030207 HPUX Wall Buffer Overflow HPSBUX0305-258 oval:org.mitre.oval:def:5439 3264 WinZip 8.0 uses weak random number generation for password protected ZIP files, which allows local users to brute force the encryption keys and extract the data from the zip file by guessing the state of the stream coder. winzip-pkzip-weak-encryption(11296) 6805 20030208 Yet another plaintext attack to ZIP encryption scheme. 3265 Buffer overflow in the reverse DNS lookup of Smart IRC Daemon (SIRCD) 0.4.0 and 0.4.4 allows remote attackers to execute arbitrary code via a client with a long hostname. sircd-reverse-dns-bo(11409) 6924 20030223 sircd proof-of-concept / advisory Microsoft Outlook Express 6.0 and Outlook 2000, with the security zone set to Internet Zone, allows remote attackers to execute arbitrary programs via an HTML email with the CODEBASE parameter set to the program, a vulnerability similar to CAN-2002-0077. outlook-codebase-execute-programs(11411) 6923 20030224 Re: O UT LO OK E XPRE SS 6 .00 : broken 20030223 O UT LO OK E XPRE SS 6 .00 : broken clarkconnectd in ClarkConnect Linux 1.2 allows remote attackers to obtain sensitive information about the server via the characters (1) A, which reveals the date and time, (2) F, (3) M, which reveals 'ifconfig' information, (4) P, which lists the processes, (5) Y, which reveals the snort log files, or (6) b, which reveals /var/log/messages. 6934 clarkconnect-clarkconnectd-info-disclosure(11419) 20030225 clarkconnect(d) information disclosure Directory traversal vulnerability in BisonFTP Server 4 release 2 allows remote attackers to (1) list directories above the root via an 'ls @../' command, or (2) list files above the root via a "mget @../FILE" command. bisonftp-ls-view-files(11347) 6873 20030217 [immune advisory] Mulitple vulnerabilities found in BisonFTP Format string vulnerability in AMX 0.9.2 and earlier, a plugin for Valve Software's Half-Life Server, allows remote attackers to execute arbitrary commands via format string specifiers in the amx_say command. amx-amxsay-format-string(11427) 6968 20030226 [VSA0308] Half-Life AMX-Mod remote (root) hole 3258 Buffer overflow in ISMail 1.4.3 and earlier allow remote attackers to execute arbitrary code via long domain names in (1) MAIL FROM or (2) RCPT TO fields. ismail-smtp-domain-bo(11432) 20030227 ISMAIL (All Versions) Remote Buffer Overrun 6972 3254 WEB-ERP 0.1.4 and earlier allows remote attackers to obtain sensitive information via an HTTP request for the logicworks.ini file, which contains the MySQL database username and password. weberp-logicworks-ini-access(11443) 6996 20030301 web-erp 0.1.4 database access vulnerability 3257 Cross-site scripting (XSS) vulnerability in index.php in PY-Livredor 1.0 allows remote attackers to insert arbitrary web script or HTML via the (1) titre, (2) Votre pseudo, (3) Votre e-mail, or (4) Votre message fields. pylivredor-guestbook-xss(11448) 6997 20030302 [SCSA-008] Cross Site Scripting & Script Injection Vulnerability in PY-Livredor 20030302 [SCSA-008] Cross Site Scripting & Script Injection Vulnerability in PY-Livredor 20030302 [SCSA-008] Cross Site Scripting & Script Injection Vulnerability in PY-Livredor ipchat.php in Invision Power Board 1.1.1 allows remote attackers to execute arbitrary PHP code, if register_globals is enabled, by modifying the root_path parameter to reference a URL on a remote web server that contains the code. invision-ipchat-file-include(11435) 6976 20030227 Invision Power Board (PHP) 3357 8182 AXIS 2400 Video Server 2.00 through 2.33 allows remote attackers to obtain sensitive information via an HTTP request to /support/messages, which displays the server's /var/log/messages file. axis-messages-unauth-access(11440) http://www.websec.org/adv/axis2400.txt.html 6980 20030325 Axis Video and Camera Servers - System log access and file access/overwrite via HTTP/CGI 20030228 axis2400 webcams Buffer overflow in Opera 6.05 and 6.06, and possibly other versions, allows remote attackers to execute arbitrary code via a URL with a long username. 6811 opera-username-url-bo(11281) 20030320 Opara 6.06 Released, Security-Hole Left 20030209 Opera Username Buffer Overflow Vulnerability 3253 Buffer overflow in Opera 7.02 Build 2668 allows remote attackers to crash Opera via a long HTTP request ending in a .ZIP extension. opera-long-url-bo(11740) 20030407 Unchecked Buffer in Opera 7.02 RTS CryptoBuddy 1.2 and earlier truncates long passphrases without warning the user, which may make it easier to conduct certain brute force guessing attacks. cryptobuddy-truncate-weak-security(11294) 6815 20030210 RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities RTS CryptoBuddy 1.2 and earlier stores bytes 53 through 55 of a 55-byte passphrase in plaintext, which makes it easier for local users to guess the passphrase. cryptobuddy-plaintext-password-bytes(11297) 20030210 RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities RTS CryptoBuddy 1.0 and 1.2 uses a weak encryption algorithm for the passphrase and generates predictable keys, which makes it easier for attackers to guess the passphrase. cryptobuddy-password-dictionary(11298) 6810 20030210 RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities CryptoBuddy 1.0 and 1.2 does not use the user-supplied passphrase to encrypt data, which could allow local users to use their own passphrase to decrypt the data. cryptobuddy-password-information-disclosure(11317) 6812 20030210 RTS CryptoBuddy Multiple Encryption Implementation Vulnerabilities Buffer overflow in Gupta SQLBase 8.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long EXECUTE command. sqlbase-execute-long-bo(11269) 6808 20030308 NII Advisory - Buffer Overflow in SQLBase (Revised) 20030210 Buffer OverFlow in SQLBase 8.1.0 - NII Advisory 8023 3256 CoffeeCup Software Password Wizard 4.0 stores sensitive information such as usernames and passwords in a .apw file under the web document root with insufficient access control, which allows remote attackers to obtain that information via a direct request for the file. coffeecup-password-file-retrieval(11447) 6995 20030228 Easy obtaining User+Pass+More on CoffeeCup Password Wizard All Versions 3259 Buffer overflow in KaZaA Media Desktop 2.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a response to the ad server. kazaa-automated-ad-bo(11228) 6747 20030202 Denial of service against Kazaa Media Desktop v2 3252 Heap-based buffer overflow in Opera 6.05 through 7.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a filename with a long extension. 7450 opera-file-extension-bo(11894) 20030427 [Opera 7/6] Long File Extension Heap Buffer Overrun Vulnerability in Download. The PluginContext object of Opera 6.05 and 7.0 allows remote attackers to cause a denial of service (crash) via an HTTP request containing a long string that gets passed to the ShowDocument method. opera-plugincontextshowdocument-bo(11280) 6814 20030210 Java-Applet crashes Opera 6.05 and 7.01 3255 Cisco IOS 12.0 through 12.2, when IP routing is disabled, accepts false ICMP redirect messages, which allows remote attackers to cause a denial of service (network routing modification). cisco-ios-icmp-redirect(11306) 6823 1006075 20030211 Field Notice - IOS Accepts ICMP Redirects in Non-default Configuration Settings eject 2.0.10, when installed setuid on systems such as SuSE Linux 7.3, generates different error messages depending on whether a specified file exists or not, which allows local users to obtain sensitive information. 6914 linux-eject-information-disclosure(11380) 20030222 eject 2.0.10 vulnerability Cross-site scripting (XSS) vulnerability in the Your_Account module for PHP-Nuke 5.0 through 6.0 allows remote attackers to inject arbitrary web script or HTML via the user_avatar parameter. phpnuke-avatar-code-execution(11229) 6750 20030204 Re: PHP-Nuke Avatar Code injection vulnerability 20030203 PHP-Nuke Avatar Code injection vulnerability login.php in php-Board 1.0 stores plaintext passwords in $username.txt with insufficient access control under the web document root, which allows remote attackers to obtain sensitive information via a direct request. phpboard-login-plaintext-passwords(11338) 6862 20030215 php-Board (php) PHP remote file inclusion vulnerability in hit.php for Kietu 2.0 and 2.3 allows remote attackers to execute arbitrary PHP code via the url_hit parameter, a different vulnerability than CVE-2006-5015. kietu-hit-file-include(11341) 6863 10754 20030215 Kietu ( PHP ) 3777 foo.php3 in DotBr 0.1 allows remote attackers to obtain sensitive information via a direct request, which calls the phpinfo function. dotbr-foo-info-disclosure(11353) 6864 20030215 DotBr (PHP) 5091 DotBr 0.1 stores config.inc with insufficient access control under the web document root, which allows remote attackers to obtain sensitive information such as SQL usernames and passwords. dotbr-config-info-disclosure(11354) 6865 20030215 DotBr (PHP) 5092 DotBr 0.1 allows remote attackers to execute arbitrary shell commands via the cmd parameter to (1) exec.php3 or (2) system.php3. dotbr-exec-execute-commands(11355) 6867 6866 20030215 DotBr (PHP) 5090 5089 PHP remote file inclusion vulnerability in D-Forum 1.00 through 1.11 allows remote attackers to execute arbitrary PHP code via a URL in the (1) my_header parameter to header.php3 or (2) my_footer parameter to footer.php3. dform-header-file-include(11342) 6879 20030216 D-Forum (PHP) Buffer overflow in cmd.exe in Windows NT 4.0 may allow local users to execute arbitrary code via a long pathname argument to the cd command. win-cmd-cd-bo(11329) 6829 20030211 SECURITY.NNOV: Windows NT 4.0/2000 cmd.exe long path buffer overflow/DoS 3251 Lotus Domino Server 5.0 and 6.0 allows remote attackers to read the source code for files via an HTTP request with a filename with a trailing dot. lotus-domino-dot-file-download(11311) 6841 20030213 Re: Lotus Domino DOT Bug Allows for Source Code Viewing 20030212 Lotus Domino DOT Bug Allows for Source Code Viewing TOPo 1.43 allows remote attackers to obtain sensitive information by sending an HTTP request with an invalid parameter to (1) in.php or (2) out.php, which reveals the path to the TOPo directory in the error message. 20030204 TOPo 1.43 and prior - Path Disclosure (in.php, out.php) topo-path-disclosure(11248) 6768 8008 PHP remote file inclusion vulnerability in email.php (aka email.php3) in Cedric Email Reader 0.2 and 0.3 allows remote attackers to execute arbitrary PHP code via the cer_skin parameter. cedric-email-file-include(11278) 6818 20030209 Cedric Email Reader (PHP) 5487 8024 PHP remote file inclusion vulnerability in emailreader_execute_on_each_page.inc.php in Cedric Email Reader 0.4 allows remote attackers to execute arbitrary PHP code via the emailreader_ini parameter. cedric-email-file-include(11278) 6820 20030209 Cedric Email Reader (PHP) 5900 8024 PHP remote file inclusion vulnerability in index.php for GONiCUS System Administrator (GOsa) 1.0 allows remote attackers to execute arbitrary PHP code via the plugin parameter to (1) 3fax/1blocklists/index.php; (2) 6departamentadmin/index.php, (3) 5terminals/index.php, (4) 4mailinglists/index.php, (5) 3departaments/index.php, and (6) 2groupd/index.php in 2administration/; or (7) the base parameter to include/help.php. gosa-plugin-file-include(11408) 6922 20030223 GOnicus System Administrator php injection 1006162 20030224 GOnicus System Administrator php injection 8120 parse_xml.cgi in Apple Darwin Streaming Server 4.1.1 allows remote attackers to determine the existence of arbitrary files by using ".." sequences in the filename parameter and comparing the resulting error messages. darwin-dotdot-file-existence(11445) 6992 20030228 Re: QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities 3260 Directory traversal vulnerability in parse_xml.cg Apple Darwin Streaming Server 4.1.2 and Apple Quicktime Streaming Server 4.1.1 allows remote attackers to read arbitrary files via a ... (triple dot) in the filename paramter. darwin-dotdotdot-directory-traversal(11446) 6990 20030228 Re: QuickTime/Darwin Streaming Administration Server Multiple vulnerabilities 3260 NetCharts XBRL Server 4.0.0 allows remote attackers to obtain sensitive information via an HTTP request with an invalid chunked transfer encoding specification. netcharts-chunked-encoding-bo(11345) 6877 20030218 [SecurityOffice] Netcharts XBRL Server v4.0.0 Information Leakage Vulnerability 8091 3261 BisonFTP Server 4 release 2 allows remote attackers to cause a denial of service (CPU consumption) via a long (1) ls or (2) cwd command. bisonftp-ls-cwd-dos(11346) 6869 20030217 [immune advisory] Mulitple vulnerabilities found in BisonFTP nCipher Support Software 6.00, when using generatekey KeySafe to import keys, does not delete the temporary copies of the key, which may allow local users to gain access to the key by reading the (1) key.pem or (2) key.der files. ncipher-duplicate-keys(11422) 6927 20030225 nCipher Advisory #7: Unexpected copies of imported software keys Apache HTTP Server 1.3.22 through 1.3.27 on OpenBSD allows remote attackers to obtain sensitive information via (1) the ETag header, which reveals the inode number, or (2) multipart MIME boundary, which reveals child proccess IDs (PID). 6943 apache-mime-information-disclosure(11438) 6939 [3.2] 008: SECURITY FIX: February 25, 2003 Netscape 7.0 allows remote attackers to cause a denial of service (crash) via a web page with an invalid regular expression argument to the JavaScript reformatDate function. netscape-javascript-reformatdate-dos(11444) 6959 20030225 Re: Netscape 6/7 crashes by a simple stylesheet... Cross-site scripting (XSS) vulnerability in Opera 6.0 through 7.0 with automatic redirection disabled allows remote attackers to inject arbitrary web script or HTML via the HTTP Location header. 6962 opera-automatic-redirection-xss(11423) 20030226 Secunia Research: Opera browser Cross Site Scripting Unspecified vulnerability in mod_mysql_logger shared object in SuckBot 0.006 allows remote attackers to cause a denial of service (seg fault) via unknown attack vectors. 6854 suckbot-modmysqllogger-dos(11340) Multiple unspecified vulnerabilities in the installer for SYSLINUX 2.01, when running setuid root, allow local users to gain privileges via unknown vectors. 6876 syslinux-gain-privileges(11351) http://syslinux.zytor.com/history.php 8077 Petitforum stores the liste.txt data file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as e-mail addresses and encrypted passwords. petitforum-liste-info-disclosure(11358) 1006117 message.php in Petitforum does not properly authenticate users, which allows remote attackers to impersonate forum users via a modified connect cookie. petitforum-message-auth-bypass(11359) 1006117 guestbook.cgi in cPanel 5.0 allows remote attackers to execute arbitrary commands via the template parameter. cpanel-guestbook-command-execution(11356) 6882 20030218 Cpanel 5 and below remote command execution and local root vulnerabilities Openwebmail in cPanel 5.0, when run using suid Perl, adds the directory in the SCRIPT_FILENAME environment variable to Perl's @INC include array, which allows local users to execute arbitrary code by modifying SCRIPT_FILENAME to reference a directory containing a malicious openwebmail-shared.pl executable. cpanel-scriptfilename-gain-privileges(11357) 6885 20030218 Cpanel 5 and below remote command execution and local root vulnerabilities Directory traversal vulnerability in the web configuration interface in Netgear FM114P 1.4 allows remote attackers to read arbitrary files, such as the netgear.cfg coniguration file, via a hex-encoded (%2e%2e%2f) ../ (dot dot slash) in the port parameter. netgear-fm114p-directory-traversal(11279) 6807 20030209 Bug in Netgear FM114P Wireless Router firmware Gallery 1.3.3 creates directories with insecure permissions, which allows local users to read, modify, or delete photos. gallery-album-insecure-directory(11284) 6809 20030210 Gallery 1.3.3 Buffer overflow in Proxomitron Naoko 4.4 allows remote attackers to execute arbitrary code via a long request. proxomitron-parameter-length-bo(11364) 20030219 [SCSA-005] Proxomitron Naoko Long Path Buffer Overflow/DoS Directory traversal vulnerability in Unreal Tournament Server 436 and earlier allows remote attackers to access known files via a ".." (dot dot) in an unreal:// URL. ut-file-directory-traversal(11299) 6775 20030211 Re: Epic Games threatens to sue security researchers 20030205 Unreal engine: results of my research Buffer overflow in Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (crash) via a long host string in the Unreal URL. ut-url-memory-corruption(11301) 6774 20030211 Re: Epic Games threatens to sue security researchers 20030205 Unreal engine: results of my research Epic Games Unreal Engine 226f through 436 allows remote attackers to cause a denial of service (CPU consumption or crash) and possibly execute arbitrary code via (1) a packet with a negative size value, which is treated as a large positive number during memory allocation, or (2) a negative size value in a package file. ut-negative-udp-dos(12012) ut-negative-memory-corruption(11305) ut-packet-dos(11302) 6772 6770 20030513 UT2003 client passive DoS exploit 20030211 Re: Epic Games threatens to sue security researchers 20030205 Unreal engine: results of my research Epic Games Unreal Engine 226f through 436 does not validate the challenge key, which allows remote attackers to exhaust the player limit by joining the game multiple times. ut-join-request-dos(11304) 6771 20030211 Re: Epic Games threatens to sue security researchers 20030205 Unreal engine: results of my research login_ldap 3.1 and 3.2 allows remote attackers to initiate unauthenticated bind requests if (1) bind_anon_dn is on, which allows a bind with no password provided, (2) bind_anon_cred is on, which allows a bind with no DN, or (3) bind_anon is on, which allows a bind with no DN or password. 6903 loginldap-password-bypass(11374) 20030220 login_ldap security announcement SQL injection vulnerability in PHP-Nuke 5.6 and 6.0 allows remote attackers to execute arbitrary SQL commands via the days parameter to the search module. phpnuke-search-sql-injection(11375) 6887 20030220 PHPNuke SQL Injection PHP remote file inclusion vulnerability in nukebrowser.php in Nukebrowser 2.1 to 2.5 allows remote attackers to execute arbitrary PHP code via the filhead parameter. 1006031 nukebrowser-php-file-include(11217) 6731 7986 BEA WebLogic Express and WebLogic Server 7.0 and 7.0.0.1, stores passwords in plaintext when a keystore is used to store a private key or trust certificate authorities, which allows local users to gain access. BEA03-25.00 weblogic-keystore-plaintext-passwords(11220) 6719 Race condition in BEA WebLogic Server and Express 5.1 through 7.0.0.1, when using in-memory session replication or replicated stateful session beans, causes the same buffer to be provided to two users, which could allow one user to see session data that was intended for another user. BEA03-26.01 weblogic-clustered-race-condition(11221) 6717 1006018 Secure Internet Live Conferencing (SILC) 0.9.11 and 0.9.12 stores passwords and sessions in plaintext in memory, which could allow local users to obtain sensitive information. silc-plaintext-account-information(11244) 6743 20030201 silc question - insecure memory 20030201 Re: silc question - insecure memory SpamProbe 0.8a allows remote attackers to cause a denial of service (crash) via HTML e-mail with newline characters within an href tag, which is not properly handled by certain regular expressions. 6739 spamprobe-newlines-href-dos(11247) http://sourceforge.net/project/shownotes.php?release_id=137128 7994 1006038 Posadis 0.50.4 through 0.50.8 allows remote attackers to cause a denial of service (crash) via a DNS message without a question section, which triggers null dereference. 6799 posadis-dns-packet-dos(11285) 3522 8018 The web administration page for the Ericsson HM220dp ADSL modem does not require authentication, which could allow remote attackers to gain access from the LAN side. 6824 ericsson-hm220dp-auth-bypass(11290) 20030225 RE: Ericsson HM220dp ADSL modem Insecure Web Administration Vulne 20030211 Ericsson HM220dp ADSL modem Insecure Web Administration Vulnerability Kaspersky Antivirus (KAV) 4.0.9.0 does not detect viruses in files with MS-DOS device names in their filenames, which allows local users to bypass virus protection, as demonstrated using aux.vbs and aux.com. kav-device-name-bypass(11292) 20030211 SECURITY.NNOV: Kaspersky Antivirus DoS Kaspersky Antivirus (KAV) 4.0.9.0 allows local users to cause a denial of service (CPU consumption or crash) and prevent malicious code from being detected via a file with a long pathname. kav-long-path-dos(11291) 20030211 SECURITY.NNOV: Kaspersky Antivirus DoS Stack-based buffer overflow in Far Manager 1.70beta1 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long pathname. far-long-path-bo(11293) 6822 20030211 SECURITY.NNOV: Far buffer overflow 3281 Buffer overflow in the save_into_file function in save.c for Rogue 5.2-2 allows local users to execute arbitrary code with games group privileges by setting a long HOME environment variable and invoking the save game function with a ~ (tilde). rogue-saveintofile-bo(11382) 6912 20030221 Rogue buffer overflow IBM WebSphere Advanced Server Edition 4.0.4 uses a weak encryption algorithm (XOR and base64 encoding), which allows local users to decrypt passwords when the configuration file is exported to XML. websphere-xml-weak-encryption(11245) 6758 20030206 Re: Weak password protection in WebSphere 4.0.4 XML configuration export 20030204 Weak password protection in WebSphere 4.0.4 XML configuration export 3277 Memory leak in the Windows 2000 kernel allows remote attackers to cause a denial of service (SMB request hang) via a NetBIOS continuation packet. win2k-netbios-continuation-dos(11274) 6766 http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.html Aladdin Knowlege Systems eSafe Gateway 3.5.126.0 does not check the entire stream of Content Vectoring Protocol (CVP) data, which allows remote attackers to bypass virus protection. esafe-gateway-filter-bypass(11295) 6787 20030206 FW-1 NG FP3 Bug - Data flow problem when transferring large files BitchX 75p3 and 1.0c16 through 1.0c20cvs allows remote attackers to cause a denial of service (segmentation fault) via a malformed RPL_NAMREPLY numeric 353 message. bitchx-irc-namreply-dos(11363) 6880 20030217 [argv] BitchX-353 Vulnerability 200302-11 20030217 [argv] BitchX-353 Vulnerability 3279 Buffer overflow in Symantec Norton AntiVirus 2002 allows remote attackers to execute arbitrary code via an e-mail attachment with a compressed ZIP file that contains a file with a long filename. nav-email-filename-bo(11365) 6886 http://www.lac.co.jp/security/english/snsadv_e/61_e.html 20030219 [SNS Advisory No.61] Symantec Norton AntiVirus 2002 Buffer Overflow Vulnerability http://securityresponse.symantec.com/avcenter/security/Content/2003.02.28.html Untrusted search path vulnerability in Qualcomm qpopper 4.0 through 4.05 allows local users to execute arbitrary code by modifying the PATH environment variable to reference a malicious smbpasswd program. qpopper-poppassd-root-access(11877) 7447 20030428 Qpopper v4.0.x poppassd local root exploit 20030429 [INetCop Security Advisory] Qpopper v4.0.x poppassd local root 3268 Cross-site scripting (XSS) vulnerability in the MytextSanitizer function in XOOPS 1.3.5 through 1.3.9 and XOOPS 2.0 through 2.0.1 allows remote attackers to inject arbitrary web script or HTML via a javascript: URL in an IMG tag. 7434 xoops-mytextsanitizer-xss(11872) 20030425 XOOPS MyTextSanitizer CSS 1.3x & 2.x 3269 Invision Power Services Invision Board 1.0 through 1.1.1, when a forum is password protected, stores the administrator password in a cookie in plaintext, which could allow remote attackers to gain access. invision-admin-plaintext-password(11871) 7440 20030425 Invision Power Board Plaintext Password Disclosure Vuln 3276 Multiple buffer overflows in the launch_bcrelay function in pptpctrl.c in PoPToP 1.1.4-b1 through PoPToP 1.1.4-b3 allow local users to execute arbitrary code. 7590 7582 http://sourceforge.net/project/shownotes.php?release_id=138437 poptop-launchbcrelay-pptpctrlc-bo(12101) Album.pl 6.1 allows remote attackers to execute arbitrary commands, when an alternative configuration file is used, via unknown attack vectors. 20030426 Album.pl Vulnerability - Remote Command Execution http://perl.bobbitt.ca/yabbse/index.php?board=2;action=display;threadid=720 albumpl-command-execution(11878) 7444 3270 Auerswald COMsuite CTI ControlCenter 3.1 creates a default "runasositron" user account with an easily guessable password, which allows local users or remote attackers to gain access. comsuite-runasositron-backdoor-account(11923) 7458 20030429 Auerswald COMsuite/ Back Door 3282 SQL injection vulnerability in Profile.php in ttCMS 2.2 and ttForum allows remote attackers to execute arbitrary SQL commands via the member name. ttcms-profile-sql-injection(12273) 7543 20030509 ttcms and ttforum exploits 3278 Multiple PHP remote file inclusion vulnerabilities in ttCMS 2.2 and ttForum allow remote attackers to execute arbitrary PHP code via the (1) template parameter in News.php or (2) installdir parameter in install.php. ttcms-ttforum-file-include(12271) 7542 20030509 ttcms and ttforum exploits 3278 Worker Filemanager 1.0 through 2.7 sets the permissions on the destination directory to world-readable and executable while copying data, which could allow local users to obtain sensitive information. 7460 http://www.boomerangsworld.de/worker/wchanges.php3?lang=en Buffer overflow in rwrite for HP-UX 11.0 could allow local users to execute arbitrary code via a long argument. NOTE: the vendor was unable to reproduce the problem on a system that had been patched for an lp vulnerability (CVE-2002-1473). 7489 hp-rwrite-bo(11919) 20030503 rwrite buffer overflow in hp-ux 20030502 HP-UX 11.0 /usr/lbin/rwrite oval:org.mitre.oval:def:4897 3283 mod_survey 3.0.0 through 3.0.15-pre6 does not check whether a survey exists before creating a subdirectory for it, which allows remote attackers to cause a denial of service (disk consumption and possible crash). 7498 modsurvey-nonexistent-survey-dos(11861) http://gathering.itm.mh.se/modsurvey/SA20030504.txt 20030504 Mod_Survey SYSBASE vulnerability Absolute path traversal vulnerability in Alt-N Technologies WebAdmin 2.0.0 through 2.0.2 allows remote attackers with administrator privileges to (1) determine the installation path by reading the contents of the Name parameter in a link, and (2) read arbitrary files via an absolute path in the Name parameter. webadmin-webadmindll-view-files(11875) webadmin-webadmindll-path-disclosure(11874) 7439 7438 20030425 Path disclosure and file access on WebAdmin 3286 Buffer overflow in Siemens 45 series mobile phones allows remote attackers to cause a denial of service (disconnect and unavailable inbox) via a Short Message Service (SMS) message with a long image name. siemens-sms-image-bo(11950) 7507 20030506 Siemens Mobile Phone - Buffer Overflow 3287 Directory traversal vulnerability in download.php in Phorum 3.4 through 3.4.2 allows remote attackers to read arbitrary files. 7569 phorum-download-directory-traversal(12482) 20030513 Phorum Vulnerabilities 3288 Unspecified vulnerability in Phorum 3.4 through 3.4.2 allows remote attackers to use Phorum as a connection proxy to other sites via (1) register.php or (2) login.php. 7581 7583 20030513 Phorum Vulnerabilities 3288 Multiple cross-site scripting (XSS) vulnerabilities in (1) login.php, (2) register.php, (3) post.php, and (4) common.php in Phorum before 3.4.3 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors. 7584 7573 7572 phorum-register-html-injection(12502) phorum-multiple-xss(12487) 7577 7576 20030513 Phorum Vulnerabilities 3288 The Web_Links module in PHP-Nuke 6.0 through 6.5 final allows remote attackers to obtain the full web server path via an invalid cid parameter that is non-numeric or null, which leaks the pathname in an error message. phpnuke-weblinks-path-disclosure(12436) 7589 20030512 Re: Lot of SQL injection on PHP-Nuke 6.5 (secure weblog!) The default configuration of ColdFusion MX has the "Enable Robust Exception Information" option selected, which allows remote attackers to obtain the full path of the web server via a direct request to CFIDE/probe.cfm, which leaks the path in an error message. coldfusion-mx-path-disclosure(11879) 7443 20030426 NII Advisory - Path Disclosure in Cold Fusion MX Server http://www.nii.co.in/vuln/pdmac.html 3307 Buffer overflow in IMAP service in MDaemon 6.7.5 and earlier allows remote authenticated users to cause a denial of service (crash) and execute arbitrary code via a CREATE command with a long mailbox name. mdaemon-imap-create-bo(11896) 7446 20030427 MDaemon SMTP/POP/IMAP server =>v.6.7.5: IMAP buffer overflow 3296 MDaemon POP server 6.0.7 and earlier allows remote authenticated users to cause a denial of service (crash) via a (1) DELE or (2) UIDL with a negative number. mdaemon-pop3-negative-dos(11882) 20030428 RE: MDaemon SMTP/POP/IMAP server: =>6.0.7: POP remote DoS 20030428 MDaemon SMTP/POP/IMAP server: =>6.0.7: POP remote DoS Buffer overflow in 3D-FTP client 4.0 allows remote FTP servers to cause a denial of service (crash) and possibly execute arbitrary code via a long banner. 3dftp-ftp-banner-bo(11883) 7451 20030428 Buffer overflow in 3D-ftp 3297 Buffer overflow in LTris 1.0.1 of FreeBSD Ports Collection 2003-02-25 and earlier allows local users to execute arbitrary code with gid "games" permission via a long HOME environment variable. ltris-bo(11978) 7537 20030508 ltris-and-slashem-tty possible trouble 20030509 ltris-and-slashem-tty possible trouble slashem-tty in the FreeBSD Ports Collection is installed with write permissions for the games group, which allows local users with group games privileges to modify slashem-tty and execute arbitrary code as other users, as demonstrated using a separate vulnerability in LTris. 20030508 ltris-and-slashem-tty possible trouble slashem-tty-insecure-permissions(11979) 20030509 ltris-and-slashem-tty possible trouble Netbus 1.5 through 1.7 allows more than one client to be connected at the same time, but only prompts the first connection for authentication, which allows remote attackers to gain access. netbus-password-authentication-bypass(11982) 7538 20030509 Netbus 1.x exploit 3289 Cerberus FTP Server 2.1 stores usernames and passwords in plaintext, which could allow local users to gain access. 7556 http://www.cerberusftp.com/cerberus-releasenotes.htm#KnownIssues MAILsweeper for SMTP 4.3.6 and 4.3.7 allows remote attackers to cause a denial of service (CPU consumption) via a PowerPoint attachment that either (1) is corrupt or (2) contains "embedded objects." mailsweeper-powerpoint-file-dos(12052) 7562 Konqueror in KDE 3.0.3 allows remote attackers to cause a denial of service (core dump) via a web page that begins with a "xFFxFE" byte sequence and a large number of CRLF sequences, as demonstrated using freeze.htm. kde-konqueror-dos(11971) 7486 20030502 Re: April appeared to be a month of IE bugs. Here Cross-site scripting (XSS) vulnerability in webcamXP 1.02.432 and 1.02.535 allows remote attackers to inject arbitrary web script or HTML via the message field. webcamxp-multiple-xss(11952) 7490 20030502 Code Injection Vulnerabilities in WebcamXP Chat Feature http://www.frame4.com/content/advisories/FSA-2003-002.txt 3304 MySQL 3.20 through 4.1.0 uses a weak algorithm for hashed passwords, which makes it easier for attackers to decrypt the password via brute force methods. 7500 http://www.securiteam.com/tools/5WP031FA0U.html 8753 CommuniGate Pro 3.1 through 4.0.6 sends the session ID in the referer field for an HTTP request for an image, which allows remote attackers to hijack mail sessions via an e-mail with an IMG tag that references a malicious URL that captures the referer. 7501 communigate-pro-session-hijacking(11932) 20030504 CommuniGatePro 4.0.6 [EXPLOIT] 3290 The backup configuration file for Microsoft MN-500 wireless base station stores administrative passwords in plaintext, which allows local users to gain access. 7496 1006691 FlashFXP 1.4 uses a weak encryption algorithm for user passwords, which allows attackers to decrypt the passwords and gain access. flashfxp-weak-password-encryption(12298) 7499 1006730 http://downloads.securityfocus.com/vulnerabilities/exploits/flashfxp_decrypt.c Microsoft Internet Explorer 6.0 SP1 allows remote attackers to cause a denial of service (crash) by creating a DHTML link that uses the AnchorClick "A" object with a blank href attribute. ie-anchorclick-dos(11946) 7502 20030505 Crash in Internet Explorer 6.0 Sp1 3292 Clearswift MAILsweeper 4.0 through 4.3.7 allows remote attackers to bypass filtering via a file attachment that contains "multiple extensions combined with large blocks of white space." 7568 Phorum 3.4 through 3.4.2 allows remote attackers to obtain the full path of the web server via an incorrect HTTP request to (1) smileys.php, (2) quick_listrss.php, (3) purge.php, (4) news.php, (5) memberlist.php, (6) forum_listrss.php, (7) forum_list_rdf.php, (8) forum_list.php, or (9) move.php, which leaks the information in an error message. 7571 phorum-multiple-path-disclosure(12499) 20030513 Phorum Vulnerabilities 3288 Multiple "command injection" vulnerabilities in Phorum 3.4 through 3.4.2 allow remote attackers to execute arbitrary commands and modify the Phorum configuration files via the (1) UserAdmin program, (2) Edit user profile, or (3) stats program. 7579 7578 7574 phorum-command-execution(12500) 20030513 Phorum Vulnerabilities 3288 The (1) verif_admin.php and (2) check_admin.php scripts in Truegalerie 1.0 allow remote attackers to gain administrator access via a request to admin.php without the connect parameter and with the loggedin parameter set to any value, such as 1. truegalerie-verifadmin-admin-access(11886) 7427 8683 20030425 True Galerie 1.0 : Admin Access & File Copy upload.php in Truegalerie 1.0 allows remote attackers to read arbitrary files by specifying the target filename in the file cookie in form.php, then downloading the file from the image gallery. 8683 20030425 True Galerie 1.0 : Admin Access & File Copy SonicWall Pro running firmware 6.4.0.1 allows remote attackers to cause a denial of service (device reset) via a long HTTP POST to the internal interface, possibly due to a buffer overflow. sonicwallpro-http-post-dos(11876) 7435 20030424 SonicWall Pro DoS? 3291 Kerio Personal Firewall (KPF) 2.1.4 has a default rule to accept incoming packets from DNS (UDP port 53), which allows remote attackers to bypass the firewall filters via packets with a source port of 53. kerio-pf-firewall-bypass(11880) 7436 http://www.securiteam.com/securitynews/5FP0N1P9PI.html 20030422 UDP bypassing in Kerio Firewall 2.1.4 Netscape Navigator 7.0.2 and Mozilla allows remote attackers to access cookie information in a different domain via an HTTP request for a domain with an extra . (dot) at the end. netscape-domain-obtain-info(11924) 7456 20030429 "netscape navigator" is cracked. Memory leak in HP OpenView Network Node Manager (NNM) 6.2 and 6.4 allows remote attackers to cause a denial of service (memory exhaustion) via crafted TCP packets. 8859 openview-nnm-packet-dos(13467) HPSBUX0310-291 Unspecified vulnerability in HP OpenView Network Node Manager (NNM) 6.2 and 6.4 allows remote attackers to cause a denial of service (CPU consumption) via a crafted TCP packet. 8859 openview-nnm-packet-dos(13467) HPSBUX0310-291 Unspecified vulnerability in the non-SSL web agent in various HP Management Agent products allows local users or remote attackers to gain privileges or cause a denial of service via unknown attack vectors. 8878 hp-management-gain-privileges(13496) Unspecified vulnerability in CDE dtmailpr of HP Tru64 4.0F through 5.1B allows local users to gain privileges via unknown attack vectors. NOTE: due to lack of details in the vendor advisory, it is not clear whether this is the same issue as CVE-1999-0840. tru64-dtmailpr-gain-privileges(13418) 8813 SSRT3589 9990 Buffer overflow in the system log viewer of Linksys BEFSX41 1.44.3 allows remote attackers to cause a denial of service via an HTTP request with a long Log_Page_Num variable. linksys-etherfast-logpagenum-dos(13436) 8834 20031015 LinkSys EtherFast Router Denial of Service Attack http://www.linksys.com/download/vertxt/befsx41_1453.txt 3298 Cross-site scripting (XSS) vulnerability in search.php for WRENSOFT Zoom Search Engine 2.0 Build 1018 and earlier allows remote attackers to inject arbitrary web script or HTML via the zoom_query parameter. 8823 20031014 Cross-Site Scripting Vulnerability in Wrensoft Zoom Search Engine zoom-search-xss(13431) Directory traversal vulnerability in index.php in Bytehoard 0.7 allows remote attackers to read arbitrary files via a .. (dot dot) in the infolder parameter. 8850 bytehoard-dotdot-directory-traversal(13456) http://www.securiteam.com/unixfocus/6L00L008KE.html 20031019 ByteHoard Directory Traversal Vulnerability 20031019 ByteHoard Directory Traversal Vulnerability PHP remote file inclusion vulnerability in _functions.php in cpCommerce 0.5f allows remote attackers to execute arbitrary code via the prefix parameter. cpCommerce-functionsphp-file-include(13457) 8851 20031019 ZH2003-31SA (security advisory): file inclusion vulnerability in cpCommerce http://www.securiteam.com/unixfocus/6H00E2K8KG.html http://cpcommerce.org/forums/index.php?board=2;action=display;threadid=864 3301 Directory traversal vulnerability in the file upload CGI of Gast Arbeiter 1.3 allows remote attackers to write arbitrary files via a .. (dot dot) in the req_file parameter. gast-arbeiter-file-upload(13469) 8858 20031020 Gast Arbeiter Privilege Escalation mod_throttle 3.0 allows local users with Apache privileges to access shared memory that points to a file that is writable by the apache user, which could allow local users to gain privileges. 8822 20031015 Mod-Throttle [was: client attacks server - XSS] Buffer overflow in AOL Instant Messenger (AIM) 5.2.3292 allows remote attackers to execute arbitrary code via an aim:getfile URL with a long screen name. 8825 aim-getfile-screenname-bo(13443) 20031015 Buffer Overflow in AOL Instant Messager SQL injection vulnerability in variables.php in Goldlink 3.0 allows remote attackers to execute arbitrary SQL commands via the (1) vadmin_login or (2) vadmin_pass cookie in a request to goldlink.php. goldlink-variables-gain-access(13465) 8847 20031018 Get admin level on Goldlink script v3.0 3302 Microsoft Internet Explorer 6.0 allows remote attackers to cause a denial of service (crash) by creating a web page or HTML e-mail with a textarea in a div element whose scrollbar-base-color is modified by a CSS style, which is then moved. ie-scrollbarbasecolor-dos(13809) 8874 20031022 IE6 CSS-Crash 3295 Cross-site scripting (XSS) vulnerability in dansguardian.pl in Adelix CensorNet 3.0 through 3.2 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into the DENIEDURL parameter. censornet-cgi-xss(13507) 8876 20031027 Re: CensorNet: Cross Site Scripting Vulnerability 20031027 Re: CensorNet: Cross Site Scripting Vulnerability 20031022 CensorNet: Cross Site Scripting Vulnerability 3299 Planet Technology WGSD-1020 and WSW-2401 Ethernet switches use a default "superuser" account with the "planet" password, which allows remote attackers to gain administrative access. wgsd-default-admin-account(13446) 8837 20031015 Few issues previously unpublished in English 1007924 Buffer overflow in mIRC 6.12, when the DCC get dialog window has been minimized and the user opens the minimized window, allows remote attackers to cause a denial of service (crash) via a long filename. 8880 20031023 (Fw) : mIRC 6.12 (latest) DCC Exploit http://www.irchelp.org/irchelp/mirc/exploit.html 3303 Real Networks RealOne Enterprise Desktop 6.0.11.774, RealOne Player 2.0, and RealOne Player 6.0.11.818 through RealOne Player 6.0.11.853 allows remote attackers to execute arbitrary script in the local security zone by embeding script in a temp file before the temp file is executed by the default web browser. 8839 realoneplayer-temporary-script-execution(13445) http://service.real.com/help/faq/security/securityupdate_october2003.html TinyWeb 1.9 allows remote attackers to cause a denial of service (CPU consumption) via a ".%00." in an HTTP GET request to the cgi-bin directory. tinyweb-httpget-dos(13402) 8810 http://www.securiteam.com/windowsntfocus/6S0052K8LQ.html Cross-site scripting (XSS) vulnerability in Bajie Java HTTP Server 0.95 through 0.95zxv4 allows remote attackers to inject arbitrary web script or HTML via (1) the query string to test.txt, (2) the guestName parameter to the custMsg servlet, or (3) the cookiename parameter to the CookieExample servlet. 8841 20031016 CSS Vulnerability in Bajie HTTP JServer 3306 10023 http://www.geocities.com/gzhangx/websrv/docs/security.html Buffer overflow in mIRC 6.1 and 6.11 allows remote attackers to cause a denial of service (crash) via a long DCC SEND request. 8818 Multiple cross-site scripting (XSS) vulnerabilities in example scripts in Caucho Technology Resin 2.0 through 2.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) env.jsp, (2) form.jsp, (3) session.jsp, (4) the move parameter to tictactoe.jsp, or the (5) name or (6) comment fields to guestbook.jsp. resin-name-comment-xss(13460) 8852 10031 20031019 Caucho Resin 2.x - Cross Site Scripting eMule 0.29c allows remote attackers to cause a denial of service (crash) via a long password, possibly due to a buffer overflow. emule-long-password-dos(13464) 8854 20031019 eMule 2.2 [0.29c] - Web Control Panel - DOS(Denial Of Service) 3294 Origo ASR-8100 ADSL Router 3.21 has an administration service running on port 254 that does not require a password, which allows remote attackers to cause a denial of service by restoring the factory defaults. origo-default-settings-restore(13463) 8855 20031012 Origo ASR-8100 ADSL router remote factory reset 3300 The org.apache.xalan.processor.XSLProcessorVersion class in Java Plug-in 1.4.2_01 allows signed and unsigned applets to share variables, which violates the Java security model and could allow remote attackers to read or write data belonging to a signed applet. 8857 20031020 Cross Site Java applets cart.pl in Dansie shopping cart allows remote attackers to obtain the installation path via an invalid db parameter, which leaks the path in an error message. dansie-cartpl-path-disclosure(13461) 8860 http://www.securiteam.com/securitynews/6T00T008KG.html Adiscon WinSyslog 4.21 SP1 allows remote attackers to cause a denial of service (CPU consumption) via a long syslog message. 8821 winsyslog-long-syslog-dos(13428) http://www.securiteam.com/windowsntfocus/6L00F158KE.html http://www.adiscon.com/Common/en/advisory/2003-09-15.asp Cross-site scripting (XSS) vulnerability in Vivisimo clustering engine allows remote attackers to inject arbitrary web script or HTML via the query parameter to the search program. vívísimo-clustering-engine-xss(13452) 8862 1007955 SQL injection vulnerability in FuzzyMonkey My Classifieds 2.11 allows remote attackers to execute arbitrary SQL commands via the email parameter. 8863 20031021 SQL Injection Vulnerability in FuzzyMonkey MyClassifieds SQL Version 3293 Sun Java Plug-In 1.4 through 1.4.2_02 allows remote attackers to repeatedly access the floppy drive via the createXmlDocument method in the org.apache.crimson.tree.XmlDocument class, which violates the Java security model. 8867 20031021 IE6 & Java 1.4.2_02 applet: Hardware stress on floppy drive Cross-site scripting (XSS) vulnerability in PSCS VPOP3 Web Mail server 2.0e and 2.0f allows remote attackers to inject arbitrary web script or HTML via the redirect parameter to the admin/index.html page. 8869 http://www.securiteam.com/windowsntfocus/6S00S008KW.html http://www.pscs.co.uk/products/vpop3/whatsnew.html SQL injection vulnerability in the IMAP daemon in dbmail 1.1 allows remote attackers to execute arbitrary SQL commands via the (1) login username, (2) mailbox name, and possibly other attack vectors. 8829 10001 PGPi PGPDisk 6.0.2i does not unmount a PGP partition when the switch user function in Windows XP is used, which could allow local users to access data on another user's PGP partition. pgpdisk-obtain-information(13490) 8870 http://www.securiteam.com/windowsntfocus/6M00L0K8KI.html Unspecified vulnerability in My Photo Gallery 3.5, and possibly earlier versions, has unknown impact and attack vectors. myphotogallery-unknown-vulnerabilities(13498) 8872 PHP-Nuke 7.0 allows remote attackers to obtain the installation path via certain characters such as (1) ", (2) ', or (3) > in the search field, which reveals the path in an error message. 8848 20031018 PHP-Nuke Path Disclosure Vulnerability BlackICE Defender 2.9.cap and Server Protection 3.5.cdf, when configured to automatically block attacks, allows remote attackers to block IP addresses and cause a denial of service via spoofed packets. 5917 firewall-autoblock-spoofing-dos(10314) 20021008 Multiple Vendor PC firewall remote denial of services Vulnerability nsr_shutdown in Fujitsu Siemens NetWorker 6.0 allows local users to overwrite arbitrary files via a symlink attack on the nsrsh[PID] temporary file. 1008801 9446 20040119 Networker 6.0 - possible symlink attack 3353 Directory traversal vulnerability in Seagull Software Systems J Walk application server 3.2C9, and other versions before 3.3c4, allows remote attackers to read arbitrary files via a ".%252e" (encoded dot dot) in the URL. jwalk-dotdot-directory-traversal(11623) 1006378 7160 4927 8411 20030325 IRM 005: JWalk Application Server Version 3.2c9 Directory Traversal Vulnerability SQL injection vulnerability in privmsg.php in phpBB 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the mark[] parameter. 6634 20030117 phpBB SQL Injection vulnerability 4277 7887 20030116 phpBB SQL Injection vulnerability Cross-site scripting (XSS) vulnerability in testcgi.exe in Lilikoi Software Ceilidh 2.70 and earlier allows remote attackers to inject arbitrary web script or HTML via the query string. ceilidh-textcgi-xss(11638) 1006391 7214 8456 20030327 [SCSA-013] Cross Site Scripting vulnerability in testcgi.exe SQL injection vulnerability in compte.php in PhpMyShop 1.00 allows remote attackers to execute arbitrary SQL commands via the (1) identifiant and (2) password parameters. 1006030 6746 20030203 phpMyShop (php) 3348 7990 SQL injection vulnerability in accesscontrol.php in PhpPass 2 allows remote attackers to execute arbitrary SQL commands via the (1) uid and (2) pwd parameters. 1005948 6594 20030113 phpPass (PHP) 3349 Cross-site scripting (XSS) vulnerability in jgb.php3 in Justice Guestbook 1.3 allows remote attackers to inject arbitrary web script or HTML via the (1) name, (2) homepage, (3) aim, (4) yim, (5) location, and (6) comment variables. 1006412 7233 20030329 Justice Guestbook 1.3 vulnerabilities 3347 8475 Justice Guestbook 1.3 allows remote attackers to obtain the full installation path via a direct request to cfooter.php3, which leaks the path in an error message. 1006412 7234 20030329 Justice Guestbook 1.3 vulnerabilities 3347 8475 Multiple cross-site scripting (XSS) vulnerabilities in Codeworx Technologies DCP-Portal 5.3.1 allow remote attackers to inject arbitrary web script or HTML via (1) the q parameter to search.php and (2) the year parameter to calendar.php. dcpportal-search-calendar-xss(11602) 7144 7141 7022 7021 8358 20030318 Some XSS vulns Directory traversal vulnerability in PostNuke 0.723 and earlier allows remote attackers to include arbitrary files named theme.php via the theme parameter to index.php. 20030309 Postnuke v 0.723 SQL injection and directory traversing susehelp in SuSE Linux 8.1, Enterprise Server 8, Office Server, and Openexchange Server 4 does not properly filter shell metacharacters, which allows remote attackers to execute arbitrary commands via CGI queries. 1005954 7906 SUSE-SA:2003:005 Cross-site scripting (XSS) vulnerability in ONEdotOH Simple File Manager (SFM) before 0.21 allows remote attackers to inject arbitrary web script or HTML via (1) file names and (2) directory names. 7035 8257 http://sourceforge.net/tracker/index.php?func=detail&aid=695597&group_id=60333&atid=493842 http://sourceforge.net/project/shownotes.php?release_id=144274 WF-Chat 1.0 Beta stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain authentication information via a direct request to (1) !pwds.txt and (2) !nicks.txt. wf-chat-plaintext-passwords(11571) 7147 20030319 WF-Chat 1006352 8396 3645 PlanetMoon Guestbook tr3.a stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain the admin script password, and other passwords, via a direct request to files/passwd.txt. guestbooktr3a-plaintext-password-disclosure(11609) 1006360 7167 20030321 Guestbook tr3.a 8392 3653 Directory traversal vulnerability in plugins/file.php in phpWebFileManager before 0.4.4 allows remote attackers to read arbitrary files via a .. (dot dot) in the fm_path parameter. http://platon.sk/projects/release_view_page.php?release_id=2 6933 8183 Cross-site scripting (XSS) vulnerability in Bajie Http Web Server 0.95zxe, 0.95zxc, and possibly others, allows remote attackers to inject arbitrary web script or HTML via the query string, which is reflected in an error message. bajie-error-message-xss(11687) 7344 http://www.securiteam.com/securitynews/5LP10009FC.html http://www.lucaercoli.it/advs/bajie.txt http://www.geocities.com/gzhangx/websrv/docs/security.html 1006428 8477 Unrestricted critical resource lock in Terminal Services for Windows 2000 before SP4 and Windows XP allows remote authenticated users to cause a denial of service (reboot) by obtaining a read lock on msgina.dll, which prevents msgina.dll from being loaded. win2k-terminal-msgina-permissions(11816) win2k-terminal-msgina-dos(11141) 1005986 6672 20030124 RE: DoS attack on Windows 2000 Terminal Server 20030123 DoS attack on Windows 2000 Terminal Server 815225 7959 3654 Absolute path traversal vulnerability in nukestyles.com viewpage.php addon for PHP-Nuke allows remote attackers to read arbitrary files via a full pathname in the file parameter. NOTE: This was originally reported as an issue in PHP-Nuke 6.5, but this is an independent addon. 1006377 7191 20030327 Re: PHPNuke viewpage.php allows Remote File retrieving 20030325 Re: PHPNuke viewpage.php and another SQL injections 20030325 PHPNuke viewpage.php allows Remote File retrieving 20030325 Re: PHPNuke viewpage.php allows Remote File retrieving 20030326 Re: PHPNuke viewpage.php allows Remote File retrieving 20030325 Re: PHPNuke viewpage.php allows Remote File retrieving 20030325 Re: PHPNuke viewpage.php allows Remote File retrieving Cross-site scripting (XSS) vulnerability in gbook.php in Filebased guestbook 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the comment section. filebased-guestbook-gbook-xss(11540) 1006289 7104 8317 20030314 Guestbook v1.1.3 CSS Vuln Cross-site scripting (XSS) vulnerability in block-Forums.php in the Splatt Forum module for PHP-Nuke 6.x allows remote attackers to inject arbitrary web script or HTML via the subject parameter. phpnuke-blockforums-subject-xss(11675) 7248 20030401 Re: PHP-Nuke block-Forums.php subject vulnerabilities 20030331 PHP-Nuke block-Forums.php subject vulnerabilities 3718 8478 MyABraCaDaWeb 1.0.2 and earlier allows remote attackers to obtain sensitive information via an invalid IDAdmin or other parameter, which reveals the installation path in an error message. myabracadaweb-index-path-disclosure(11556) 1006308 7126 20030317 [SCSA-010] Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb 3717 8320 Cross-site scripting (XSS) vulnerability in header.php in MyABraCaDaWeb 1.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the ma_kw parameter. myabracadaweb-index-makw-xss(11557) 1006308 7127 20030317 [SCSA-010] Path Disclosure & Cross Site Scripting Vulnerability in MyABraCaDaWeb 3717 8320 XOOPS 2.0, and possibly earlier versions, allows remote attackers to obtain sensitive information via an invalid xoopsOption parameter, which reveals the installation path in an error message. xoops-xoopsoption-path-disclosure(11587) 7149 8353 20030328 Re: [SCSA-011] Path Disclosure Vulnerability in XOOPS 20030320 [SCSA-011] Path Disclosure Vulnerability in XOOPS Unspecified vulnerability in Novell GroupWise 6 SP3 WebAccess before Revision F has unknown impact and attack vectors related to "malicious script." groupwise-script-execution(11394) 1006171 6896 8133 Unrestricted file upload vulnerability in uploader.php in Uploader 1.1 allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in uploads/. uploader-uploads-file-upload(11467) 20030304 uploader.php script 20030304 uploader.php vulnerability Haakon Nilsen Simple Internet Publishing System (SIPS) 0.2.2 stores sensitive information under the web root with insufficient access control, which allows remote attackers to obtain password and other user information via a direct request to a user-specific configuration directory. sips-user-obtain-information(11572) 7134 20030318 SIPS (PHP) 3780 Cross-site scripting (XSS) vulnerability in scozbook/add.php in ScozNet ScozBook 1.1 BETA allows remote attackers to inject arbitrary web script or HTML via the (1) username, (2) useremail, (3) aim, (4) msn, (5) sitename and (6) siteaddy variables. scozbook-add-xss(11658) 1006413 7235 20030329 ScozBook BETA 1.1 vulnerabilities 8476 3781 ScozNet ScozBook 1.1 BETA allows remote attackers to obtain sensitive information via an invalid PG parameter in view.php, which reveals the installation path in an error message. scozbook-view-path-disclosure(11659) 1006413 7236 20030329 ScozBook BETA 1.1 vulnerabilities 8476 3781 Cross-site scripting (XSS) vulnerability in cc_guestbook.pl in CGI City CC GuestBook allows remote attackers to inject arbitrary web script or HTML via the (1) name and (2) homepage_title (webpage title) parameters. 7237 20030329 CGI-City's CCGuestBook Script Injection Vulns 3796 Off-by-one buffer overflow in spamc of SpamAssassin 2.40 through 2.43, when using BSMTP mode ("-B"), allows remote attackers to execute arbitrary code via email containing headers with leading "." characters. 6679 spamassassin-spamc-offbyone-bo(11154) 20030204 Re: GLSA: Mail-SpamAssasin GLSA-200302-01 7983 20030123 SpamAssassin / spamc+BSMTP remote buffer overflow Buffer overflow in httpd.c of fnord 1.6 allows remote attackers to create a denial of service (crash) and possibly execute arbitrary code via a long CGI request passed to the do_cgi function. 6635 fnord-httpdc-cgi-bo(11121) 20030117 GLSA: fnord http://www.fefe.de/fnord/ 7893 Microsoft Internet Explorer 5.22, and other 5 through 6 SP1 versions, sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. The only versions confirmed with this vulnerability are the ones listed in the CPE entry. Other IE Versions may, and probably are, affected but have not been confirmed yet. 9295 20031230 RE: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page 20031224 IE 5.22 on Mac Transmitting HTTP Referer from Secure Page http://www.gadgetopia.com/2003/12/23/OutlookWebAccessPrivacyHole.html 3989 Netscape 4 sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. 20031230 RE: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page 4004 Opera, probably before 7.50, sends Referer headers containing https:// URLs in requests for http:// URLs, which allows remote attackers to obtain potentially sensitive information by reading Referer log data. 20031230 RE: IE 5.22 on Mac Transmitting HTTP Referer from Secure Page 4004 sshd in OpenSSH 3.6.1p2 and earlier, when PermitRootLogin is disabled and using PAM keyboard-interactive authentication, does not insert a delay after a root login attempt with the correct password, which makes it easier for remote attackers to use timing differences to determine if the password step of a multi-step authentication is successful, a different vulnerability than CVE-2003-0190. 7482 20030505 Re: OpenSSH/PAM timing attack allows remote users identification 20030501 Re: OpenSSH/PAM timing attack allows remote users identification 20030501 Re: OpenSSH/PAM timing attack allows remote users identification http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=248747 Sun Cluster 2.2 through 3.2 for Oracle Parallel Server / Real Application Clusters (OPS/RAC) allows local users to cause a denial of service (cluster node panic or abort) by launching a daemon listening on a TCP port that would otherwise be used by the Distributed Lock Manager (DLM), possibly involving this daemon responding in a manner that spoofs a cluster reconfiguration. ESB-2003.0843 9137 57428 200810 101393 libxml2, possibly before 2.5.0, does not properly detect recursion during entity expansion, which allows context-dependent attackers to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, aka the "billion laughs attack." http://xmlsoft.org/news.html [xml-dev] 20030202 Re: Elliotte Rusty Harold on Web Services RHSA-2008:0886 http://www.reddit.com/r/programming/comments/65843/time_to_upgrade_libxml2 31868 [xml] 20080820 Security fix for libxml2 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2002-1565. Reason: This candidate is a duplicate of CVE-2002-1565. Notes: All CVE users should reference CVE-2002-1565 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Microsoft Internet Information Services (IIS) 5.0 does not log requests that use the TRACK method, which allows remote attackers to obtain sensitive information without detection. iis-improper-httptrack-logging(14077) 9313 4864 http://www.aqtronix.com/Advisories/AQ-2003-02.txt 20031227 AQ-2003-02: Microsoft IIS Logging Failure The undocumented TRACK method in Microsoft Internet Information Services (IIS) 5.0 returns the content of the original request in the body of the response, which makes it easier for remote attackers to steal cookies and authentication credentials, or bypass the HttpOnly protection mechanism, by using TRACK to read the contents of the HTTP headers that are returned in the response, a technique that is similar to cross-site tracing (XST) using HTTP TRACE. VU#288308 5648 http://www.aqtronix.com/Advisories/AQ-2003-02.txt 20031227 AQ-2003-02: Microsoft IIS Logging Failure GoAhead WebServer before 2.1.6 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an invalid URL, related to the websSafeUrl function. http://data.goahead.com/Software/Webserver/2.1.8/release.htm#null-pointer-crash-in-webssafeurl GoAhead WebServer before 2.1.5 on Windows 95, 98, and ME allows remote attackers to cause a denial of service (daemon crash) via an HTTP request with a (1) con, (2) nul, (3) clock$, or (4) config$ device name in a path component, different vectors than CVE-2001-0385. http://data.goahead.com/Software/Webserver/2.1.8/release.htm#windows-95-98-me-aux-denial-of-service The server in IBM Tivoli Storage Manager (TSM) 5.1.x, 5.2.x before 5.2.1.2, and 6.x before 6.1 does not require credentials to observe the server console in some circumstances, which allows remote authenticated administrators to monitor server operations by establishing a console mode session, related to "session exposure." tsm-consolemode-info-disclosure(49536) ADV-2009-0881 34285 IC37554 http://www-01.ibm.com/support/docview.wss?uid=swg21375360 1021947 34498 Web Wiz Guestbook 6.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download the database and obtain sensitive information via a direct request for database/WWGguestbook.mdb. NOTE: it was later reported that 8.21 is also affected. 2492 7488 http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=25863 9639 Sun Java Media Framework (JMF) 2.1.1 through 2.1.1c allows unsigned applets to cause a denial of service (JVM crash) and read or write unauthorized memory locations via the ReadEnv class, as demonstrated by reading environment variables using modified .data and .size fields. http://www.illegalaccess.org/java/jmf.php 1006777 20030625 Privilege escalation applet, Java Media Framework The PointBase 4.6 database component in the J2EE 1.4 reference implementation (J2EE/RI) allows remote attackers to execute arbitrary programs, conduct a denial of service, and obtain sensitive information via a crafted SQL statement, related to "inadequate security settings and library bugs in sun.* and org.apache.* packages." j2ee-pointbase-sql-injection(14008) pointbase-command-execution(14883) pointbase-information-disclosure(14882) pointbase-insecure-permissions-dos(14881) 9230 1008491 10460 20031216 J2EE 1.4 reference implementation: database component allows remote code execution 20040118 Proof-Of-Concept Denial-Of-Service Pointbase 4.6 Java SQL-DB 20040118 Proof-Of-Concept Denial-Of-Service Pointbase 4.6 Java SQL-DB TikiWiki 1.6.1 allows remote attackers to bypass authentication by entering a valid username with an arbitrary password, possibly related to the Internet Explorer "Remember Me" feature. NOTE: some of these details are obtained from third party information. 14170 http://sourceforge.net/tracker/index.php?func=detail&aid=748739&group_id=64258&atid=506846 tikiwiki-username-security-byass(40347) VERITAS File System (VxFS) 3.3.3, 3.4, and 3.5 before MP1 Rolling Patch 02 for Sun Solaris 2.5.1 through 9 does not properly implement inheritance of default ACLs in certain circumstances related to the characteristics of a directory inode, which allows local users to bypass intended file permissions by accessing a file on a VxFS filesystem. 200161 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113207-05-1 Buffer overflow in pamverifier in Change Manager (CM) 1.0 for Sun Management Center (SunMC) 3.0 on Solaris 8 and 9 on the sparc platform allows remote attackers to execute arbitrary code via unspecified vectors. Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-201231-1 * "SunMC Change Manager" 1.0 is an unbundled Sun Management Center (SunMC) 3.0 add-on. It is not a part of the SunMC "base" product. * Solaris 2.6 and 7 are not affected. Solaris on the x86 platform is not affected. 201231 http://sunsolve.sun.com/search/document.do?assetkey=1-21-113105-01-1 Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files, and conduct cross-site scripting (XSS) attacks involving the iPlanet Log Analyzer, via an HTTP request in conjunction with a crafted DNS response, related to an "Inverse Lookup Log Corruption (ILLC)" issue, a different vulnerability than CVE-2002-1315 and CVE-2002-1316. 201453 sunone-iplanetlog-xss(56632) 20030304 Log corruption on multiple webservers, log analyzers,... Sun ONE (aka iPlanet) Web Server 4.1 through SP12 and 6.0 through SP5, when DNS resolution is enabled for client IP addresses, allows remote attackers to hide HTTP requests from the log-preview functionality by accompanying the requests with crafted DNS responses specifying a domain name beginning with a "format=" substring, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 7012 201453 iplanet-logpreview-security-bypass(56633) 20030304 Log corruption on multiple webservers, log analyzers,... Sun ONE (aka iPlanet) Web Server 6 on Windows, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, uses a logging format that does not identify whether a dotted quad represents an unresolved IP address, which allows remote attackers to spoof IP addresses via crafted DNS responses containing numerical top-level domains, as demonstrated by a forged 123.123.123.123 domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... The Apache HTTP Server 2.0.44, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... Microsoft Internet Information Services (IIS) 6.0, when DNS resolution is enabled for client IP addresses, allows remote attackers to inject arbitrary text into log files via an HTTP request in conjunction with a crafted DNS response, as demonstrated by injecting XSS sequences, related to an "Inverse Lookup Log Corruption (ILLC)" issue. 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in WebTrends allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. webtrends-domain-name-xss(56650) 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in SurfStats allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. surfstats-domain-name-xss(56649) 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in WebLogExpert allows remote attackers to inject arbitrary web script or HTML via a crafted client domain name, related to an "Inverse Lookup Log Corruption (ILLC)" issue. weblogexpert-domain-name-xss(56647) 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in WebExpert allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header. webexpert-useragent-xss(56646) 20030304 Log corruption on multiple webservers, log analyzers,... Cross-site scripting (XSS) vulnerability in LoganPro allows remote attackers to inject arbitrary web script or HTML via a crafted User-Agent HTTP header. loganpro-useragent-xss(56645) 20030304 Log corruption on multiple webservers, log analyzers,... Sun Cluster 2.2, when HA-Oracle or HA-Sybase DBMS services are used, stores database credentials in cleartext in a cluster configuration file, which allows local users to obtain sensitive information by reading this file. suncluster-haoracle-information-disclosure(56617) 201460 Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 4.1 before SP13 and 6.0 before SP6 on Windows allows attackers to cause a denial of service (daemon crash) via unknown vectors. 201454 iplanet-unspecified-dos(56616) Unspecified vulnerability in Sun ONE (aka iPlanet) Web Server 6.0 SP3 through SP5 on Windows allows remote attackers to cause a denial of service (daemon crash) via unknown vectors. 201451 sunone-unspecified-dos(56615) NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 before SP1 allows user-assisted remote attackers to cause a denial of service (console hang) via a large number of FTP sessions, which are not properly handled during an NLM unload. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 Multiple buffer overflows in NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 before SP1 allow remote attackers to cause a denial of service (abend) via a long (1) username or (2) password. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 NWFTPD.nlm in the FTP server in Novell NetWare 6.0 before SP4 and 6.5 before SP1 does not enforce domain-name login restrictions, which allows remote attackers to bypass intended access control via an FTP connection. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does not properly enforce FTPREST.TXT settings, which allows remote attackers to bypass intended access restrictions via an FTP session. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 NWFTPD.nlm before 5.04.05 in the FTP server in Novell NetWare 6.5 does not properly perform "intruder detection," which has unspecified impact and attack vectors. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1 NWFTPD.nlm before 5.03.12 in the FTP server in Novell NetWare does not properly restrict filesystem use by anonymous users with NFS Gateway home directories, which allows remote attackers to bypass intended access restrictions via an FTP session. http://www.novell.com/support/viewContent.do?externalId=3238588&sliceId=1