Cisco IOS 12.1(3) and 12.1(3)T allows remote attackers to read and modify device configuration data via the cable-docsis read-write community string used by the Data Over Cable Service Interface Specification (DOCSIS) standard. VU#840665 cisco-ios-cable-docsis(6180) 20041008 Cisco IOS Software Multiple SNMP Community String Vulnerabilities Buffer overflow in the web server of Webcam Watchdog 3.63 allows remote attackers to execute arbitrary code via a long HTTP GET request. 10527 webcam-watchdog-get-bo(14131) http://www.webcamsoft.com/en/watchdog_h.html 9351 20040103 Webcam Watchdog Stack Overflow Vulnerability 3312 http://www.elitehaven.net/webcamwatchdog.txt SQL injection vulnerability in calendar.php for Invision Power Board 1.3 allows remote attackers to execute arbitrary SQL commands via the m parameter, which sets the $this->chosen_month variable. 9353 3319 10530 20040103 [SCSA-025] Invision Power Board SQL Injection Vulnerability 1008589 PortalApp places user credentials under the web root with insufficient access control, which allows remote attackers to gain access to sensitive information via a direct request to 8275.mdb. portalapp-url-access-database(14169) 9354 1008627 lintian 1.23 and earlier removes the working directory even if it was not created by lintian, which may allow local users to delete arbitrary files or directories via a symlink attack. lintian-symlink(18808) 13771 Unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot jail and conduct unauthorized activities. chroot-jail-security-bypass(18970) SCOSA-2005.2 12300 15339 13915 SCOSA-2005.22 Buffer overflow in CDE libDtSvc on HP-UX B.11.00, B.11.04, B.11.11, and B.11.22 allows local users to gain root privileges via unknown vectors. VU#406406 hp-libdtsvc-bo(14828) HPSBUX0401-308 O-057 oval:org.mitre.oval:def:5789 Buffer overflow in fsp before 2.81.b18 allows remote users to execute arbitrary code. 9377 DSA-416 fsp-boundry-error-bo(14155) O-048 Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier allows remote web servers to execute arbitrary code via certain long strings. 9365 DSA-412 nd-long-string-bo(14141) 1008616 10550 10549 FirstClass Desktop Client 7.1 allows remote attackers to execute arbitrary commands via hyperlinks in FirstClass RTF messages. firstclassclient-execute-code(14151) 9370 3442 10556 20040105 FirstClass Client 7.1: Command Execution via Email Web Link 1008609 SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter. 20040105 vBulletin Forum 2.3.xx calendar.php SQL Injection vbulletin-calendar-sql-injection(14144) http://www.vbulletin.com/forum/showthread.php?postid=588825 9360 3344 SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. phorum-register-sql-injection(14146) 9363 20040105 Multiple Vulnerabilities in Phorum 3.4.5 3508 10567 Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the phorum_check_xss function in common.php, (2) the EditError variable in profile.php, and (3) the Error variable in login.php. phorum-common-xss(14145) 9361 10567 http://phorum.org/ 20040105 Multiple Vulnerabilities in Phorum 3.4.5 1008633 3510 3506 3434 admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensitive information via an action parameter with a phpinfo command. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-admin-info-disclosure(14162) 9371 3404 10565 Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2.61 allows remote attackers to inject arbitrary HTML and web script via the firstname parameter. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-search-xss(14160) 9369 3402 10565 PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to editconfig.php. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-modify-admin-password(14161) 3403 10565 PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code. phpgedview-pgvbasedirectory-file-include(14159) 9368 3343 10565 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem 1008632 Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges. lotus-notes-insecure-permissions(14153) 9366 1008623 3424 http://www.excluded.org/advisories/advisory05.txt 10566 20040106 Lotus Notes Domino 6.0.2 (linux) faulty default permissions The default installation of NetScreen-Security Manager before Feature Pack 1 does not enable encryption for communication with devices running ScreenOS 5.0, which allows remote attackers to obtain sensitive information via sniffing. http://www.kb.cert.org/vuls/id/CRDY-5VEU8N VU#927630 netscreen-information-disclosure(14886) 9455 10675 3613 http://www.juniper.net/support/security/alerts/58290.txt Directory traversal vulnerability in Web Blog 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file variable. webblog-dotdot-directory-traversal(14978) http://www.zone-h.org/en/advisories/read/id=3822/ 9517 20040128 ZH2004-01SA (security advisory): Web Blog 1.1 Remote arbitrary 3739 10740 Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allows remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning. VU#721092 9469 20040121 Voice Product Vulnerabilities on IBM Servers 10696 ciscovoice-ibmservers-dos(14901) 1008814 3691 O-066 The default installation of Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, does not require authentication, which allows remote attackers to gain administrator privileges by connecting to TCP port 14247. VU#602734 ciscovoice-ibmservers-admin-access(14900) 9468 20040121 Voice Product Vulnerabilities on IBM Servers 10696 1008814 3692 O-066 Reptile Web Server allows remote attackers to cause a denial of service (CPU consumption) via multiple incomplete GET requests without the HTTP version. reptilewebserver-get-dos(14932) 9482 http://www.autistici.org/fdonato/advisory/reptilewsDailyVersion-adv.txt 1008842 20040124 Resources consumption in Reptile webserver daily version Tiny Server 1.1 allows remote attackers to cause a denial of service (crash) via malformed HTTP requests such as (1) a GET request without the HTTP version (HTTP/1.1), or (2) a request without GET or the HTTP version. tinyserver-string-dos(14928) 9485 http://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 3709 10707 Cross-site scripting (XSS) vulnerability in intraforum_db.cgi in Intra Forum allows remote attackers to inject arbitrary web script or HTML via the (1) use_last_read or (2) forum parameters. intraforum-intraforumcgi-xss(14933) 1008839 20040124 Inrtra Forum Cross Site Scripting Vulnerabillity Stack-based buffer overflow in ontape for IBM Informix Dynamic Server (IDS) 9.40.xC3 and earlier allows local users, with DSA privileges, to execute arbitrary code via a long ONCONFIG environment variable. 9512 http://www-1.ibm.com/support/docview.wss?uid=swg21153336 20040129 ----------========== OPEN3S-2003-08-08-eng-informix-ontape informix-ontape-binary-bo(14970) 3759 10737 Oracle toplink mapping workBench uses a weak encryption algorithm for passwords, which allows local users to decrypt the passwords. 9515 20040128 Re: Oracle toplink mapping workbench password algorithm http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=803&lngWId=5 20040128 Oracle toplink mapping workbench password algorithm 20040128 Re: Oracle toplink mapping workbench password algorithm Buffer overflow in the (1) WTHoster and (2) WebDriver modules in WildTangent Web Driver 4.0 allows remote attackers to execute arbitrary code via a long filename. wildtangent-wthoster-webdriver-bo(16266) 10421 6445 http://www.ngssoftware.com/advisories/wildtangent.txt 11727 20040527 WildTangent Web Driver Long FileName Stack Overflow Directory traversal vulnerability in PJreview_Neo.cgi in PJ CGI Neo review allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter. pjcgineoreview-dotdot-directory-traversal(14980) http://www.zone-h.org/advisories/read/id=3824 9524 20040129 ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving 10734 3746 Certain third-party packages for CVSup 16.1h, such as SuSE Linux, contain untrusted paths in the ELF RPATH fields of certain executables, which could allow local users to execute arbitrary code by causing cvsup to link against malicious libraries that are created in world-writable directories such as /usr/src/packages. cvsup-rpath-gain-privileges(14994) 9523 20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs 20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs jitterbug 1.6.2 does not properly sanitize inputs, which allows remote authenticated users to execute arbitrary commands. DSA-420 9397 jitterbug-execute-code(14207) Multiple SQL injection vulnerabilities in the (1) calendar and (2) infolog modules for phpgroupware 0.9.14 allow remote attackers to perform unauthorized database operations. DSA-419 9386 1008662 10591 The calendar module for phpgroupware 0.9.14 does not enforce the "save extension" feature for holiday files, which allows remote attackers to create and execute PHP files. DSA-419 9387 phpgroupware-calendar-file-include(13489) 6860 vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges. DSA-418 9381 vbox3-gain-privileges(14170) jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly handle SSL connections, which allows remote attackers to cause a denial of service (crash). MDKSA-2004:005 DSA-414 jabber-ssl-connections-dos(14158) 9376 3345 10559 Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows remote attackers to inject arbitrary web script or HTML via a GET request containing a terminating '"' (double quote) character. snapstream-quotation-xss(14164) 9375 3440 1008646 10575 20040106 SnapStream PVS LITE Cross Site Scripting Vulnerabillity Buffer overflow in the ARTpost function in art.c in the control message handling code for INN 2.4.0 may allow remote attackers to execute arbitrary code. VU#759020 9382 20040108 [OpenPKG-SA-2004.001] OpenPKG Security Advisory (inn) 20040107 [SECURITY] INN: Buffer overflow in control message handling inn-artpost-control-message-bo(14190) SSA:2004-014-02 10578 Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username. 20040108 Cisco Personal Assistant User Password Bypass Vulnerability ciscopersonalassistant-config-file-access(14172) 9384 3430 Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature. 9383 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow yahoo-messenger-filename-bo(14171) 1008651 3437 10573 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow vsftpd 1.1.3 generates different error messages depending on whether or not a valid username exists, which allows remote attackers to identify valid usernames. 1008628 The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions. DSA-421 1008675 9404 3454 10612 mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials. macos-moddigest-response-replay(18347) 1012414 9571 P-049 APPLE-SA-2004-12-02 Multiple cross-site scripting (XSS) vulnerabilities in Brad Fears phpCodeCabinet 0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via multiple parameters, including (1) the sid parameter to comments.php, (2) the cid, cf, or rfd parameters to category.php, or the cid parameter to (3) input.php, (4) browse.php, (5) themes/facade/header.php, or (6) themes/phpcc/header.php. phpcodecabinet-multiple-xss(15190) 9645 9601 3887 3886 3885 http://sourceforge.net/project/shownotes.php?release_id=214860 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/phpcc/header.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/facade/header.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/input.php?r1=1.7&r2=1.8 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/comments.php?r1=1.1&r2=1.2 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/category.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/browse.php?r1=1.5&r2=1.6 16711 16710 1009012 10862 Linux-VServer 1.24 allows local users with root privileges on a virtual server to gain access to the filesystem outside the virtual server via a modified chroot-again exploit using the chmod command. http://www.linux-vserver.org/index.php?page=ChangeLog linux-vserver-gain-privileges(15073) 9596 20040206 Linux 2.4.24 with vserver 1.24 exploit 3875 10816 Stack-based buffer overflow in results.stm for Sambar Server before the 6.0 production release allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a long query parameter. http://www.sambar.com/security.htm 5786 sambar-http-post-bo(15071) 9607 20040207 Sambar 6.0 stack overflow 1008979 Matrix FTP Server allows remote attackers to cause a denial of service (crash) by logging in using four spaces as the username and password and then issuing a LIST command. matrixftp-login-list-dos(15075) 1008970 Cross-site scripting (XSS) vulnerability in search.php in JShop E-Commerce Server allows remote attackers to inject arbitrary web script or HTML via the xSearch parameter. jshop-searchphp-xss(15100) 3889 http://www.systemsecure.org/advisories/ssadvisory09022004.php 9609 1008988 10825 Microsoft Internet Explorer 5.0.1 through 6.0 allows remote attackers to determine the existence of arbitrary files via the VBScript LoadPicture method, which returns an error code if the file does not exist. ie-error-obtain-information(15078) 9611 10820 20040207 (no subject) Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability." TA05-039A VU#259890 win-ms05kb890261-update(19096) MS05-009 oval:org.mitre.oval:def:2379 oval:org.mitre.oval:def:1568 oval:org.mitre.oval:def:1306 Nadeo Game Engine for Nadeo TrackMania and Nadeo Virtual Skipper 3 allows remote attackers to cause a denial of service (server crash) via malformed data to TCP port 2350, possibly due to long values or incorrect size fields. trackmania-dos(15081) 9604 20040209 Re: TrackMania Demo Denial of Service 20040208 TrackMania Demo Denial of Service http://www.securiteinfo.com/attaques/hacking/trackmaniados.shtml Nadeo Game Engine for Nadeo TrackMania and Nadeo Virtual Skipper 3 allows remote attackers to cause a denial of service (server crash) via malformed data to TCP port 2350, possibly due to long values or incorrect size fields. trackmania-dos(15081) 9604 20040209 Re: TrackMania Demo Denial of Service 20040208 TrackMania Demo Denial of Service http://www.securiteinfo.com/attaques/hacking/trackmaniados.shtml Red-M Red-Alert 2.7.5 with software 3.1 build 24 allows remote attackers to cause a denial of service (reboot and loss of logged events) via a long request to TCP port 80, possibly triggering a buffer overflow. 1009001 redalert-long-request-dos(15086) 9618 20040209 Red-M Red-Alert Multiple Vulnerabilities http://www.securiteam.com/securitynews/5SP0C0KC0A.html 3891 10832 http://genhex.org/releases/031003.txt 20040209 Red-M Red-Alert Multiple Vulnerabilities Red-M Red-Alert 2.7.5 with software 3.1 build 24 binds authentication to IP addresses, which allows remote attackers to bypass authentication by connecting from the same IP address as an active authenticated user. 1009001 redalert-gain-access(15088) 9618 20040209 Red-M Red-Alert Multiple Vulnerabilities http://www.securiteam.com/securitynews/5SP0C0KC0A.html http://genhex.org/releases/031003.txt 3952 20040209 Red-M Red-Alert Multiple Vulnerabilities Red-M Red-Alert 2.7.5 with software 3.1 build 24 converts multiple spaces in a Service Set Identifier (SSID) to a single space, which prevents Red-Alert from correctly identifying the SSID. 1009001 redalert-bypass-security(15089) 9618 20040209 Red-M Red-Alert Multiple Vulnerabilities http://www.securiteam.com/securitynews/5SP0C0KC0A.html http://genhex.org/releases/031003.txt 3953 20040209 Red-M Red-Alert Multiple Vulnerabilities eTrust InoculateIT for Linux 6.0 uses insecure permissions for multiple files and directories, including the application's registry and tmp directories, which allows local users to delete, modify, or examine sensitive information. etrust-inoculateit-insecure-permissions(15103) 9616 3896 10833 20040209 [local problems] eTrust Virus Protection 6.0 InoculateIT for linux Buffer overflow in the open_socket_out function in socket.c for rsync 2.5.7 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long RSYNC_PROXY environment variable. NOTE: since rsync is not setuid, this issue does not provide any additional privileges beyond those that are already available to the user. Therefore this issue may be REJECTED in the future. linux-rsync-opensocketout-bo(15108) 20040209 rsync <= 2.5.7 local buffer overflow (no root today:) Microsoft Baseline Security Analyzer (MBSA) 1.2 does not correctly identify systems that have been patched but remain vulnerable to exploit until the system is rebooted, possibly giving the administrator a false sense of security. 9634 20040210 Another Low Blow From Microsoft: MBSA Failure! Opera Web Browser 7.0 through 7.23 allows remote attackers to trick users into executing a malicious file by embedding a CLSID in the file name, which causes the malicious file to appear as a trusted file type, aka "File Download Extension Spoofing." 9640 http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/ 10760 opera-cslid-extension-spoof(21698) 3917 http://www.opera.com/docs/changelogs/windows/750b1/ Sophos Anti-Virus 3.78 allows remote attackers to bypass virus scanning by using a qmail generated Delivery Status Notification (DSN) where the original email is not included in the bounce message. sophos-email-virus-undetected(15192) http://www.sophos.com/support/news/#mime-378 9650 1009042 10855 The samiftp.dll library in Sami FTP Server 1.1.3 allows remote authenticated users to cause a denial of service (pmsystem.exe crash) via a GET request wit a large number of leading "/" (slash) characters. http://www.karja.com/samiftp/news.html sami-cd-get-dos(15204) 9657 20040213 Sami FTP Server 1.1.3 multiple vulnerabilities Unknown vulnerability in the rwho daemon (rwhod) before 0.17, on little endian architectures, allows remote attackers to cause a denial of service (application crash). DSA-678 MDKSA-2005:039 14309 Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. VU#337238 RHSA-2004:017 linux-ptrace-gain-privilege(14888) 9429 GLSA-200402-06 oval:org.mitre.oval:def:868 The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users. VU#336446 9435 http://www.openca.org/news/CAN-2004-0004.txt openca-improper-signature-verification(14847) 3615 20040116 [OpenCA Advisory] Vulnerability in signature verification Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 20040113 Vulnerabilities in H.323 Message Processing http://www.uniras.gov.uk/vuls/2004/006489/h323.htm oval:org.mitre.oval:def:4884 1008685 9406 The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. VU#955526 7090 RHSA-2004:008 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FEDORA-2004-092 FEDORA-2004-090 DSA-425 12179 11032 11022 10718 10652 10644 10639 10636 2004-0004 APPLE-SA-2004-02-23 20040103-01-U SCOSA-2004.9 CSSA-2004-008.0 1008735 FLSA:1222 MDKSA-2004:008 [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) CLSA-2003:832 20040202-01-U oval:org.mitre.oval:def:853 oval:org.mitre.oval:def:850 Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm 1008687 9406 The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. VU#174086 9423 RHSA-2004:007 DSA-425 tcpdump-rawprint-isakmp-dos(14837) 20040119 [ESA-20040119-002] 'tcpdump' multiple vulnerabilities. RHSA-2004:008 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FEDORA-2004-092 FEDORA-2004-090 12179 11032 11022 10718 10668 10652 10644 10639 10636 [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 ESA-20040119-002 2004-0004 APPLE-SA-2004-02-23 20040103-01-U SCOSA-2004.9 CSSA-2004-008.0 1008716 FLSA:1222 MDKSA-2004:008 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) 20040202-01-U oval:org.mitre.oval:def:854 oval:org.mitre.oval:def:851 Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file. antivir-tmpfile-insecure(14214) 1008702 3496 10620 20040113 symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower) Directory traversal vulnerability in upload capability of WWW File Share Pro 2.42 and earlier allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in the filename parameter of a Content-Disposition: header. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 WWW File Share Pro 2.42 and earlier allows remote attackers to cause a denial of service (crash) via a large POST request. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 WWW File Share Pro 2.42 and earlier allows remote attackers to bypass directory access restrictions via (1) a URL with a trailing . (dot), or (2) a URI with a leading slash or backslash character. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 Integer overflow in the rnd arithmetic rounding function for various versions of FishCart before 3.1 allows remote attackers to "cause negative totals" via an order with a large quantity. 20040114 FishCart Integer Overflow / Rounding Error 1008731 The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number. http://www.ncipher.com/support/advisories/advisory8_payshield.html payshield-incorrect-request-verification(14832) 9422 3537 20040114 nCipher Advisory #8: payShield library may verify bad requests The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory. 9411 1008703 3460 10623 20040113 SuSE linux 9.0 YaST config Skribt [exploit] Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php. 20040112 More phpGedView Vulnerabilities 11925 11910 phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php. 20040112 More phpGedView Vulnerabilities phpgedview-path-disclosure(14215) 3464 Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1. 20040112 More phpGedView Vulnerabilities phpgedview-login-xss(36285) phpgedview-multiple-xss(14212) 11907 11906 11905 11904 11903 11894 11891 11890 11888 11882 11880 11868 20070827 PhpGedView login page multiple XSS 3479 3478 3477 3476 3475 3474 3473 ADV-2007-2995 1018613 26628 PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 and earlier allows remote attackers to execute arbitrary PHP code by modifying the $relative_script_path parameter to reference a URL on a remote web server that contains the code. 9424 http://www.phpdig.net/showthread.php?s=58bcc71c822830ec3bbdaae6d56846e0&threadid=393 20040114 PhpDig 1.6.x: remote command execution phpdig-config-file-include(14826) Format string vulnerability in HD Soft Windows FTP Server 1.6 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username, which is processed by the wscanf function. 9385 20040113 exploit for HD Soft Windows FTP Server 1.6 20040108 Windows FTP Server Format String Vulnerability 1008658 PHP remote file inclusion vulnerability in module.php for ezContents allows remote attackers to execute arbitrary PHP code by modifying the link parameter to reference a URL on a remote web server that contains the code. ezcontents-php-file-include(14199) 9396 6878 http://www.ezcontents.org/forum/viewtopic.php?t=361 20040110 Remote Code Execution in ezContents Directory traversal vulnerability in buildManPage in class.manpagelookup.php for PHP Man Page Lookup 1.2.0 allows remote attackers to read arbitrary files via the command parameter ($cmd variable) to index.php. manpagelookup-directory-traversal(14203) 9395 20040110 PHP Manpage lookup directory transversal / file disclosing 1008689 Directory traversal vulnerability in Accipiter Direct Server 6.0 allows remote attackers to read arbitrary files via encoded \.. (backslash .., "%5c%2e%2e") sequences in an HTTP request. 9389 accipterdirectserver-directory-traversal(14198) 20040109 Directory Traversal in Accipiter Direct Server 6.0 20040109 Directory Traversal in Accipiter Direct Server 6.0 3433 10600 PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server that contains a malicious serverdata.php script. 9338 easydynamicpages-php-file-include(14136) 3408 3318 1008584 10535 20040102 include() vuln in EasyDynamicPages v.2.0 Multiple buffer overflows in xsok 1.02 allows local users to gain privileges via (1) a long LANG environment variable, or (2) a long -xsokdir command line argument, a different vulnerability than CVE-2003-0949. 9341 xsok-lang-bo(14910) xsok-long-xsokdir-bo(14906) 9352 20040103 xsok local games exploit (2) 20040102 xsok local games exploit Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attackers to cause a denial of service via certain HTTP POST messages to the Administration System port. http://service.real.com/help/faq/security/040112_dos/ 9421 http://service.real.com/help/faq/security/security022604.html 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow. 9476 http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zip epolicy-contentlength-post-dos(14989) 3744 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions of vBulletin allows remote attackers to inject arbitrary HTML or web script via the reg_site (or possibly regsite) parameter. NOTE: the vendor has disputed this issue, saying "There is no hidden field called 'reg_site', nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft." 1008780 20040123 RE: vBulletin Security Vulnerability 20040120 Re: vBulletin Security Vulnerability 20040120 vBulletin Security Vulnerability 20040120 vBulletin Security Vulnerability dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption. http://www.securiteam.com/exploits/5UP0P1PFPM.html http://mareichelt.de/pub/notmine/diskenc.pdf [linux-kernel] 20040219 Re: Oopsing cryptoapi (or loop device?) on 2.6.* WebConnect 6.5, 6.4.4, and possibly earlier versions allows remote attackers to cause a denial of service (hang) via a URL containing an MS-DOS device name such as (1) AUX, (2) CON, (3) PRN, (4) COM1, or (5) LPT1. http://www.kb.cert.org/vuls/id/JSHA-69FVMM VU#552561 webconnect-device-name-dos(19393) 14006 http://www.cirt.dk/advisories/cirt-29-advisory.pdf 20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to execute arbitrary script as other users via the (1) member parameter in member.php, (2) uid parameter in u2uadmin.php, (3) user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) img tag where bbcode is allowed. xmb-multiple-scripts-xss(15292) 9726 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 xmb-bbcode-execute-code(15294) http://www.xmbforum.com/community/boards/viewthread.php?tid=746859 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 Confirm 0.62 and earlier could allow remote attackers to execute arbitrary code via an e-mail header that contains shell metacharacters such as ", `, |, ;, or $. confirm-header-gain-access(15290) 9728 20040223 Lam3rZ Security Advisory #3/2004: A bug in Confirm leads to remote command execution Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files. VU#412566 solaris-covfix-gain-privileges(15331) O-089 ESB-2004.0169 57509 10991 4071 9759 oval:org.mitre.oval:def:1732 The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 generates easily predictable web session IDs, which allows remote attackers to hijack other sessions via the parentsessionid cookie. http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=en http://www.mitel.com/DocController?documentId=14223 http://www.corsaire.com/advisories/c040817-002.txt Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact. 9504 APPLE-SA-2004-01-26 The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. VU#801526 RHSA-2004:056 9558 utillinux-information-leak(15016) 3796 GLSA-200404-06 10773 20040408 LNSA-#2004-0010: login may leak sensitive data 20040331 OpenLinux: util-linux could leak sensitive data 20040406-01-U 20040201-01-U The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. bsd-shmat-gain-privileges(15061) 9586 FreeBSD-SA-04:02 http://www.pine.nl/press/pine-cert-20040201.txt 20040205 [PINE-CERT-20040201] reference count overflow in shmat() 3836 http://www.openbsd.org/errata33.html#sysvshm NetBSD-SA2004-004 VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file. 9632 MS04-005 A021004-1 virtual-pc-gain-privileges(15113) 3893 O-076 Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter. 9529 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior phpgedview-editconfig-directory-traversal(15129) 1008892 3768 10753 PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script. 9531 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior phpgedview-gedfilconf-file-include(14987) 3769 http://sourceforge.net/project/shownotes.php?release_id=141517 10753 Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter. 9564 20040203 Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior http://www.phpmyadmin.net/home_page/relnotes.php?rel=0 http://sourceforge.net/forum/forum.php?forum_id=350228 GLSA-200402-05 phpmyadmin-dotdot-directory-traversal(15021) 3800 10769 login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message. http://www.securiteam.com/unixfocus/5NP0M1PBPQ.html phpgedview-loginphp-path-disclosure(15128) 6886 http://www.netvigilance.com/advisory0001 1008844 The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote atackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference. VU#277396 radius-radprintrequest-dos(15046) 9578 http://ftp.gnu.org/gnu/radius/radius-1.2.tar.gz 3824 20040204 GNU Radius Remote Denial of Service Vulnerability 10799 Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php. 20040210 PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior ezcontents-multiple-file-include(15135) Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows. nokia-obex-dos(15107) 9603 http://www.pentest.co.uk/documents/ptl-2004-01.html 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. 20040114 Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoon openbsd-isakmp-initialcontact-delete-sa(14118) openbsd-isakmp-invalidspi-delete-sa(14117) 9417 APPLE-SA-2004-02-23 NetBSD-SA2004-001 9416 20040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon oval:org.mitre.oval:def:947 Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973. [mod_python] 20040122 [ANNOUNCE] Mod_python 2.7.10 RHSA-2004:063 RHSA-2004:058 GLSA-200401-03 Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 RHSA-2004:047 DSA-448 pwlib-message-dos(15202) 9406 oval:org.mitre.oval:def:826 oval:org.mitre.oval:def:803 mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions. 9533 FreeBSD-SA-04:01 freebsd-mksnapffs-bypass-security(15005) 3790 crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow. DSA-432 crawl-long-environment-bo(15032) 9566 10788 Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. VU#518518 9692 RHSA-2004:073 metamail-printheader-format-string(15259) metamail-contenttype-format-string(15245) DSA-449 10908 20040218 metamail format string bugs and buffer overflows SSA:2004-049 MDKSA-2004:014 O-083 20040218 metamail format string bugs and buffer overflows Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. VU#513062 RHSA-2004:073 metamail-splitmail-subject-bo(15258) metamail-printheader-nonascii-bo(15247) DSA-449 10908 20040218 metamail format string bugs and buffer overflows SSA:2004-049 9692 MDKSA-2004:014 O-083 20040218 metamail format string bugs and buffer overflows Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. SSA:2004-043 RHSA-2004:061 RHSA-2004:060 xfree86-multiple-font-improper-handling(15206) RHSA-2004:059 SuSE-SA:2004:006 DSA-443 MDKSA-2004:012 FLSA:2314 CLA-2004:821 oval:org.mitre.oval:def:832 oval:org.mitre.oval:def:809 The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. 9637 RHSA-2004:064 samba-mksmbpasswd-gain-access(15132) http://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.html http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txt 3919 O-078 oval:org.mitre.oval:def:827 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. VU#820006 9636 20040210 iDEFENSESecurityAdvisory02.10.04: XFree86FontInformationFileBufferOverflow xfree86-fontalias-bo(15130) http://www.xfree86.org/cvs/changes RHSA-2004:061 RHSA-2004:060 RHSA-2004:059 SuSE-SA:2004:006 http://www.idefense.com/application/poi/display?id=72 DSA-443 GLSA-200402-02 SSA:2004-043 MDKSA-2004:012 57768 FLSA:2314 20040211 XFree86 vulnerability exploit CLA-2004:821 oval:org.mitre.oval:def:830 oval:org.mitre.oval:def:806 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. VU#667502 9652 RHSA-2004:061 RHSA-2004:060 xfree86-copyisolatin1lLowered-bo(15200) SSA:2004-043 RHSA-2004:059 SuSE-SA:2004:006 http://www.idefense.com/application/poi/display?id=73 DSA-443 FLSA:2314 CLA-2004:821 MDKSA-2004:012 57768 20040212 iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File Buffer Overflow II oval:org.mitre.oval:def:831 oval:org.mitre.oval:def:807 Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086. macosx-mail-undisclosed(14992) 9504 APPLE-SA-2004-01-26 Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085. 9504 APPLE-SA-2004-01-26 The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088. macosx-configd-file-manipulation(14997) 9504 6819 APPLE-SA-2004-01-26 The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087. 9504 6820 APPLE-SA-2004-01-26 Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable. VU#902374 9509 macosx-trublue-environmentvariable-bo(14968) 6821 A012704-1 APPLE-SA-2004-01-26 Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. VU#790771 TA04-036A fw1-format-string(14149) 9581 20040204 Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities O-072 http://www.checkpoint.com/techsupport/alerts/security_server.html 20040205 Two checkpoint fw-1/vpn-1 vulns 20040205 Two checkpoint fw-1/vpn-1 vulns Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. VU#873334 9582 vpn1-ike-bo(14150) 20040205 Two checkpoint fw-1/vpn-1 vulns 20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow 4432 3821 O-073 The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. VU#981222 9686 DSA-439 GLSA-200403-02 linux-mremap-gain-privileges(15244) 20040218 Second critical mremap() bug found in all Linux kernels http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt SSA:2004-049 RHSA-2004:106 RHSA-2004:069 RHSA-2004:066 RHSA-2004:065 3986 SuSE-SA:2004:005 DSA-514 DSA-475 DSA-470 DSA-466 DSA-456 DSA-454 DSA-453 DSA-450 DSA-444 DSA-442 DSA-441 DSA-440 DSA-438 O-082 2004-0008 2004-0007 MDKSA-2004:015 FEDORA-2004-079 CLA-2004:820 20040218 Second critical mremap() bug found in all Linux kernels oval:org.mitre.oval:def:837 oval:org.mitre.oval:def:825 Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. 9641 RHSA-2004:051 RHSA-2004:050 mutt-index-menu-bo(15134) http://bugs.debian.org/126336 SSA:2004-043 3918 MDKSA-2004:010 20040309 [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt) 20040215 LNSA-#2004-0001: mutt remote crash 20040211 Mutt-1.4.2 fixes buffer overflow. CSSA-2004-013.0 oval:org.mitre.oval:def:838 oval:org.mitre.oval:def:811 Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges. DSA-430 trr19-gain-privileges(14975) 9520 10744 1008875 3747 10745 Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte. VU#655974 VU#404470 VU#226974 VU#190366 DSA-434 http://security.e-matters.de/advisories/012004.html 20040126 Advisory 01/2004: 12 x Gaim remote overflows gaim-mime-decoder-oob(14944) gaim-mime-decoder-bo(14942) gaim-sscanf-oob(14938) gaim-yahoodecode-offbyone-bo(14935) SSA:2004-026 1008850 3736 SuSE-SA:2004:004 GLSA-200401-04 CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. VU#871838 VU#527142 VU#503030 VU#444158 VU#371382 VU#297198 RHSA-2004:032 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html RHSA-2004:045 RHSA-2004:033 SuSE-SA:2004:004 DSA-434 GLSA-200401-04 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040201-01-U gaim-http-proxy-bo(14947) gaim-urlparser-bo(14945) gaim-yahoopacketread-keyname-bo(14943) gaim-login-value-bo(14941) gaim-login-name-bo(14940) gaim-yahoowebpending-cookie-bo(14939) SSA:2004-026 1008850 9489 3732 3731 MDKSA-2004:006 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040202-01-U oval:org.mitre.oval:def:818 Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. VU#197142 RHSA-2004:033 DSA-434 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code RHSA-2004:032 GLSA-200401-04 gaim-extractinfo-bo(14946) SSA:2004-026 1008850 9489 SuSE-SA:2004:004 3733 MDKSA-2004:006 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows oval:org.mitre.oval:def:819 Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. VU#779614 RHSA-2004:032 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code RHSA-2004:045 RHSA-2004:033 DSA-434 GLSA-200401-04 20040201-01-U gaim-directim-bo(14937) 1008850 3734 MDKSA-2004:006 20040127 [slackware-security] GAIM security update (SSA:2004-026-01) 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040202-01-U oval:org.mitre.oval:def:820 Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user. 20040206 Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior apachessl-default-password(15065) 9590 http://www.apache-ssl.org/advisory-20040206.txt 3877 20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. 9691 RHSA-2004:069 DSA-479 linux-ncplookup-gain-privileges(15250) RHSA-2004:188 RHSA-2004:065 SuSE-SA:2004:005 DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 TLSA-2004-05 MDKSA-2004:015 O-082 FEDORA-2004-079 CLA-2004:820 oval:org.mitre.oval:def:835 oval:org.mitre.oval:def:1035 The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function. http://lists.freebsd.org/pipermail/cvs-src/2004-January/016271.html Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." RHSA-2004:044 http://www.linuxcompatible.org/print25630.html RHSA-2004:065 SuSE-SA:2004:005 DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479 linux-r128-gain-priviliges(15029) TLSA-2004-14 9570 RHSA-2004:166 RHSA-2004:106 MDKSA-2004:029 O-145 O-127 O-126 O-121 O-082 12075 11891 11464 11376 11370 11369 11362 11361 11202 10912 10911 10782 oval:org.mitre.oval:def:834 oval:org.mitre.oval:def:1017 Aldo's Web Server (aweb) 1.5 allows remote attackers to gain sensitive information via an arbitrary character, which reveals the full path and the user running the aweb process, possibly due to a malformed request. aweb-path-disclosure(16047) 10262 http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt 11542 20040503 Multible_Vulnerabilites_in_Aldos_Webserver 5880 Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user. solaris-uucp-multiple-bo(15425) ESB-2004.0201 57508 9837 oval:org.mitre.oval:def:1127 The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass. VU#831534 cpanel-resetpass-execute-commands(15443) 9848 20040311 Cpanel 8.*.* have a problem ? 11111 20040311 cPanel Secuirty Advisory CPANEL-2004:01-01 The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter. VU#831534 cpanel-login-execute-commands(15486) 9855 11124 20040312 Cpanel 9.1.0 have a problem ? The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged. solaris-patches-disable-bsm(14918) 9852 O-099 ESB-2004.0069 57478 oval:org.mitre.oval:def:3567 The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. 9690 RHSA-2004:065 linux-vicam-dos(15246) RHSA-2005:293 SuSE-SA:2004:005 O-082 MDKSA-2004:015 CLA-2004:846 oval:org.mitre.oval:def:836 Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges. VU#841742 9730 A022304-1 macos-pppd-format-string(15297) 6822 APPLE-SA-2004-02-23 Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar." VU#194238 macosx-safari-unknown(14993) macosx-safari-unknown(14993) 10959 APPLE-SA-2004-02-23 DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media. VU#578886 macos-diskarbitration-unknown(15300) macos-diskarbitration-unknown(15300) 9731 6824 10959 APPLE-SA-2004-02-23 Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging." macos-corefoundation-unknown(15299) macos-corefoundation-unknown(15299) APPLE-SA-2004-02-23 10959 QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function. VU#460350 9735 darwin-describe-request-dos(15291) 6837 6826 20040223 Darwin Streaming Server Remote Denial of Service Vulnerability APPLE-SA-2004-02-23 FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections. VU#395670 9792 20040302 FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability freebsd-mbuf-dos(15369) 4124 APPLE-SA-2004-05-28 FreeBSD-SA-04:04 Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed. ltrace-searchforcommand-bo(13389) 8790 1007896 20031008 ltrace bug 20031008 ltrace bug Format string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command. 9715 DSA-447 hsftp-format-string(15276) 4029 20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name. http://www.securiteam.com/unixfocus/6X00Q1P8KC.html RHSA-2004:096 DSA-457 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch wuftpd-skey-bo(13518) http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txt 8893 smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted. samba-smbmnt-gain-privileges(15131) 9619 DSA-463 20040209 Samba 3.x + kernel 2.6.x local root vulnerability 3916 20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0185. Reason: This candidate is a reservation duplicate of CVE-2004-0185. Notes: All CVE users should reference CVE-2004-0185 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local users to execute arbitrary code via a long password. 9756 DSA-461 calife-long-password-bo(15335) 20040227 Calife heap corrupt / potential local root exploit 9776 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. http://www.squid-cache.org/Advisories/SQUID-2004_1.txt 9778 squid-urlregex-acl-bypass(15366) RHSA-2004:134 RHSA-2004:133 5916 MDKSA-2004:025 DSA-474 GLSA-200403-11 20040401 [OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid) CLA-2004:838 20040404-01-U SCOSA-2005.16 oval:org.mitre.oval:def:941 oval:org.mitre.oval:def:877 Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges. 9784 symantec-firewallvpn-password-plaintext(15212) 20040216 Symantec FireWall/VPN Appliance model 200 leak of security 4117 20040216 Symantec FireWall/VPN Appliance model 200 leak of security Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. mozilla-event-handler-xss(15322) 9747 20040225 Sandblad #13: Cross-domain exploit on zombie document with event handlers http://bugzilla.mozilla.org/show_bug.cgi?id=227417 RHSA-2004:112 RHSA-2004:110 4062 SSRT4722 oval:org.mitre.oval:def:937 oval:org.mitre.oval:def:874 Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page. 9755 20040227 Symantec Gateway Security Management Service Cross Site Scripting symantecgateway-error-xss(15330) Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username. VU#150326 20040226 Vulnerability in SMB Parsing in ISS Products http://www.eeye.com/html/Research/Upcoming/20040213.html pam-smb-protocol-bo(15207) 9752 4072 AD20040226 10988 20040227 EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing Overflow Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. VU#493966 libxml2-nanohttp-bo(15301) 9718 RHSA-2004:090 20040305 [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml) libxml2-nanoftp-bo(15302) RHSA-2004:091 DSA-455 O-086 GLSA-200403-01 10958 http://www.xmlsoft.org/news.html RHSA-2004:650 SUSE-SR:2005:001 20040306 TSLSA-2004-0010 - libxml2 oval:org.mitre.oval:def:875 oval:org.mitre.oval:def:833 XFree86 4.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an out-of-bounds array index when using the GLX extension and Direct Rendering Infrastructure (DRI). DSA-443 xfree86-glx-array-dos(15272) 9701 RHSA-2004:152 CLSA-2004:824 20040406-01-U Integer signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI). DSA-443 xfree86-glx-integer-dos(15273) 9701 RHSA-2004:152 CLSA-2004:824 20040406-01-U Unknown vulnerability in ColdFusion MX 6.0 and 6.1, and JRun 4.0, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption). soap-array-dos(15473) 9877 http://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html 11132 20040315 Multiple Vendor SOAP server array DoS Unknown vulnerability in Sun Java System Application Server 7.0 Update 2 and earlier, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption). soap-array-dos(15473) 9877 57517 11130 20040315 Multiple Vendor SOAP server array DoS Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7.1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Your Name field, (2) e-mail field, (3) nicname field, (4) fname parameter, (5) ratenum parameter, or (6) search field. phpnuke-multiple-parameters-xss(15491) 9879 11135 20040315 [waraxe-2004-SA#005 - XSS in Php-Nuke 7.1.0 - part 2] Cross-site scripting (XSS) vulnerability in nmimage.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary script as other users by injecting arbitrary script into the z parameter. 4nalbum-nmimagephp-xss(15497) 9881 4293 11134 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to obtain sensitive information via a direct request to displaycategory.php, which reveals the path in an error message. 4nalbum-error path-disclosure(15493) 9881 4291 11134 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] PHP remote file inclusion vulnerability in displaycategory.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary PHP code by modifying the basepath parameter to reference a URL on a remote web server that contains fileFunctions.php. 11134 4nalbum-displaycategory-file-include(15496) 9881 4292 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] SQL injection vulnerability in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to gain privileges or perform unauthorized database operations via the gid parameter. 11134 4nalbum-modulesphp-SQL-injection(15498) 9881 4294 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.1 through 5.0.3 beta allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_REFERER parameter to login.php, (2) HTTP_REFERER parameter to register.php, or (3) target parameter to profile.php. 9882 11157 phorum-register-xss(15494) http://phorum.org/changelog.txt 20040315 Phorum 5.0.3 Beta && Earlier XSS Issues 4335 4334 4333 1009433 Cross-site scripting (XSS) vulnerability in YaBB 1 Gold(SP1.3) and YaBB SE 1.5.1 Final allows remote attackers to inject arbitrary web script via the background:url property in (1) glow or (2) shadow tags. 9873 11128 yabb-glow-shadow-xss(15488) http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 1009427 20040316 RE: YaBB/YaBBse Cross Site Scripting Vulnerability 20040314 YaBB/YaBBse Cross Site Scripting Vulnerability Cross-site scripting (XSS) vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) return or (2) mos_change_template parameters. 4665 11140 20040316 Mambo Open Source Multiple Vulnerabilities mambo-return-moschangetemplate-xss(15499) 9890 4308 SQL injection vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 4307 11140 20040316 Mambo Open Source Multiple Vulnerabilities mambo-id-sql-injection(15500) 9891 Multiple cross-site scripting (XSS) vulnerabilities in error.php in Gijza.net Error Manager 2.1 for PHP-Nuke 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) pagetitle or (2) error parameters, or (3) certain parameters in the error log. errormanager-error-command-execution(15530) errormanager-error-xss(15529) 9911 20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager 4384 11164 error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information via an invalid (1) language, (2) newlang, or (3) lang parameter, which leaks the pathname in a PHP error message. errormanager-error-path-disclosure(15524) 9911 4386 11164 20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager Buffer overflow in Terminator 3: War of the Machines 1.0 allows remote attackers to cause a denial of service via a long ServerInfo variable. 1009498 11182 http://aluigi.altervista.org/adv/t3cbof-adv.txt terminator3-bo(15542) 9918 4447 20040323 Broadcast client buffer-overflow in Terminator 3 1.0 The admin.ib file in Borland Interbase 7.1 for Linux has default world writable permissions, which allows local users to gain database administrative privileges. 9929 1009500 11172 interbase-admin-gain-privileges(15546) 4381 20040319 Borland Interbase admin.ib Administrative Access Vulnerability mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information. apache-moddiskcache-obtain-info(15547) 9933 4446 1009509 11176 20040319 Apache mod_disk_cache stores client authentication credentials on disk RHSA-2004:562 ADV-2006-0789 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 102198 19072 SQL injection vulnerability in Member Management System 2.1 allows remote attackers to execute arbitrary SQL via the ID parameter to (1) resend.asp or (2) news_view.asp. 9931 1009508 11179 20040322 Vulnerabilities in Member Management System 2.1 mms-id-sql-injection(15551) Multiple SQL injection vulnerabilities in News Manager Lite 2.5 allow remote attackers to execute arbitrary SQL code via the (1) ID parameter to more.asp, (2) ID parameter to category_news.asp, or (3) filter parameter to news_sort.asp. 9935 1009507 news-manager-sql-injection(15549) 4497 4496 4495 11180 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration News Manager Lite 2.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN parameter in the NEWS_LOGIN cookie. 9935 news-manager-admin-access(15550) 1009507 11180 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration Directory traversal vulnerability in xweb 1.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the URL. 9937 http://www.autistici.org/fdonato/advisory/xweb1.0-adv.txt 1009514 11186 20040322 directory traversal in xweb 1.0 xweb-dotdot-directory-traversal(15567) 4460 MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a direct request to (1) browsers.php, (2) mstrack.php, or (3) title.php, which reveal the full path in a PHP error message. 9946 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php. msanalysis-modules-title-xss(15575) 9947 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] The Rage 1.01 and earlier allows remote attackers to cause a denial of service (infinite loop) via a TCP packet with the port and IP address set to zero. therage-packet-dos(15584) 9961 1009540 http://aluigi.altervista.org/adv/ragefreeze-adv.txt 20040323 Server freeze in The Rage 1.01 Dark Age of Camelot before 1.68 live patch does not sign the RSA public key, which could allow remote malicious servers to gain sensitive information via a man-in-the-middle attack. daoc-login-mitm(15597) 9960 20040324 Dark Age of Camelot login client vulnerability to man in the middle 20040323 Dark Age of Camelot login client vulnerability to man in the middle attack http://capnbry.net/daoc/advisory20040323/ ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1848. Reason: This candidate is a duplicate of CVE-2004-1848. Notes: All CVE users should reference CVE-2004-1848 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with a default password, which allows remote attackers to gain access. 11206 wftp-site-gain-priviliege(15558) 9953 20040323 Open the WS_FTP Server backdoor to SYSTEM DameWare Mini Remote Control 3.x before 3.74 and 4.x before 4.2 transmits the Blowfish encryption key in plaintext, which allows remote attackers to gain sensitive information. dameware-encryption-key-plaintext(15586) 9959 http://www.dameware.com/support/security/bulletin.asp?ID=SB3 11205 4547 1009557 20040323 Dameware Passes Weak File Encryption Key in the Clear Buffer overflow in Mollensoft Lightweight FTP Server 3.6 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long CWD command, as demonstrated in one example by using the "cd" command in an interactive FTP client. mollensoft-cwd-command-bo(16237) 6412 mollensoft-cd-bo(16303) 10429 10409 20040601 Mollensoft Lightweight FTP Server CWD Buffer Overflow 20040528 Mollensoft ftp Server ver 3.6 Buffer overflow 1010328 devices_update_printer_fw_upload.hts in HP Web JetAdmin 7.5.2546, when no password is set, allows remote attackers to upload arbitrary files to the printer directory. hp-jetadmin-file-upload(15605) 9971 SSRT4700 http://sh0dan.org/files/hpjadmadv.txt 20040324 HP Web JetAdmin vulnerabilities. Directory traversal vulnerability in setinfo.hts in HP Web Jetadmin 7.5.2546 allows remote authenticated attackers to read arbitrary files via a .. (dot dot) in the setinclude parameter. hp-jetadmin-setinfo-directory-traversal(15606) 9972 SSRT4700 20040324 HP Web JetAdmin vulnerabilities. Dameware Mini Remote Control 4.1.0.0 uses insufficiently random data to create the encryption key, which makes it easier for remote attackers to obtain sensitive information via brute force guessing. 11205 dameware-random-generator-weak(15587) 9957 4547 1009557 20030323 Dameware Passes Weak File Encryption Key in the Clear Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html. cpanel-dodelautores-addhandle-xss(15517) 9965 4530 4529 1009541 20040323 More Cpanel Vuls (cross site scripting) Buffer overflow in the logging function in Picophone 1.63 and earlier allows remote attackers to execute arbitrary code via a large packet. picophone-logging-function-bo(15595) 9969 1009551 11209 http://aluigi.altervista.org/adv/picobof-adv.txt 4550 20040324 Buffer overflow in PicoPhone 1.63 Directory traversal vulnerability in Trend Micro Interscan Web Viruswall in InterScan VirusWall 3.5x allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. interscan-dotdot-directory-traversal(15590) 11215 http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=19257 9966 4549 1009550 20040324 TrendMacro Interscan Viruswall Directory Traversal Invision NetSupport School Pro uses a weak encryption algorithm to encrypt passwords, which allows local users to obtain passwords. netsupportschoolpro-weak-encryption(15621) 9981 20040326 NetSupport School Pro: Password Encryption Weaknesses Stack-based buffer overflow in WinSig.exe in eSignal 7.5 and 7.6 allows remote attackers to execute arbitrary code via a long STREAMQUOTE tag. esignal-specs-bo(15624) 9978 11222 20040406 Re: eSignal v7 remote buffer overflow http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt 20040325 eSignal v7 remote buffer overflow (exploit) Multiple cross-site scripting (XSS) vulnerabilities in Extreme Messageboard (XMB) 1.8 SP3 and 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) xmbuser parameter to xmb.php, (2) folder parameter to u2u.php, (3) viewmost, replymost, or latest parameter to stats.php, (4) message or icons parameter to post.php, (5) threadlist, pagelinks, forumlist, navigation, or (6) forumdisplay parameter to forumdisplay.php. xmb-forum-multiple-xss(15654) 9983 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta] 11230 14988 14987 14986 14985 14983 SQL injection vulnerability in Extreme Messageboard (XMB) 1.9 beta allows remote attackers to execute arbitrary SQL commands via the restrict parameter to (1) member.php, (2) misc.php, or (3) today.php. xmb-forum-sql-injection(15655) 9983 16886 1009561 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta] Cross-site scripting (XSS) vulnerability in the administration panel in bBlog 0.7.2 allows remote authenticated users with superuser privileges to inject arbitrary web script or HTML via a blog name ($blogname). NOTE: if administrators are normally allowed to add HTML by other means, e.g. through Smarty templates, then this issue would not give any additional privileges, and thus would not be considered a vulnerability. bblog-name-xss(15635) 1009564 20040326 bblog 0.7.2 cross site scripting 13397 10510 nstxd in Nstx 1.1 beta3 and earlier allows remote attackers to cause a denial of service (crash) via a large packet, which triggers a null dereference. nstx-null-dos(15638) 9989 1009567 http://nstx.dereference.de/nstx/nstx-1.1-beta4.tgz 20040326 Nstxd vulnerability Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. 9826 apache-modssl-plain-dos(15419) http://www.apacheweek.com/features/security-20 [apache-cvs] 20040307 cvs commit: httpd-2.0/modules/ssl ssl_engine_io.c 2004-0017 RHSA-2004:182 RHSA-2004:084 4182 MDKSA-2004:043 GLSA-200403-04 SSRT4717 APPLE-SA-2004-05-03 20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48 http://issues.apache.org/bugzilla/show_bug.cgi?id=27106 CLSA-2004:839 oval:org.mitre.oval:def:876 The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail. 9762 FreeBSD-SA-04:03 freebsd-jailattach-gain-privileges(15344) 4101 Stack-based buffer overflow in the OutputDebugString function for Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary code via a PDF document with XML Forms Data Format (XFDF) data. 9802 http://www.nextgenss.com/advisories/adobexfdf.txt acrobatreader-xfdf-bo(15384) 4135 20040303 Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability 20040303 Adobe Acrobat Reader XML Forms Data Format Buffer Overflow Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c. breakout2-home-bo(15229) 9712 DSA-445 http://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gz 20040222 lbreakout2 < 2.4beta-2 local exploit Synaesthesia 2.2 and earlier allows local users to execute arbitrary code via a symlink attack on the configuration file. synaesthesia-configuration-symlink-attack(15279) 9713 DSA-446 Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php. photopost-php-sql-injection(15642) 9994 1009571 11241 20040328 PhotoPost PHP Pro Multiple Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ppuser, (2) password, (3) stype, (4) perpage, (5) sort, (6) page, (7) si, or (8) cat parameters to showmembers.php, or the (9) photo name, (10) photo description, (11) album name, or (12) album description fields. 9994 11241 20040328 PhotoPost PHP Pro Multiple Vulnerabilities photopost-php-xss(15643) 1009571 Cross-site scripting (XSS) vulnerability in WebCT Campus Edition 4.1.1.5 allows remote attackers to inject arbitrary web script or HTML via the @import URL function in a CSS style tag. webct-import-xss(15652) 9999 20040329 WebCT Campus Edition 4.1 - Cross site scripting using CSS @import 11242 Multiple cross-site scripting (XSS) vulnerabilities in (1) deliver.asp and (2) billing.asp in A-CART Pro and A-CART 2.0 allow remote attackers to inject arbitrary web script or HTML via the user information forms. acart-deliverasp-billingasp-xss(15660) 9997 11236 20040329 A-CART Pro & A-CART 2.0 Input Validation Holes Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to ignorelist.html, (5) account parameter to showlog.html, (6) db parameter to repairdb.html, (7) login parameter to doaddftp.html (8) account parameter to editmsg.htm, or (9) ip parameter to del.html. NOTE: the dnslook.html vector was later reported to exist in cPanel 10. cpanel-multiple-scripts-xss(15671) http://www.cirt.net/advisories/cpanel_xss.shtml 11244 20040330 Exensive cPanel Cross Site Scripting 21142 10002 4243 4215 4214 4213 4212 4211 4210 4209 4208 ADV-2006-4658 http://www.aria-security.com/forum/showthread.php?t=30 22984 The "%f" feature in the VirusEvent directive in Clam AntiVirus daemon (clamd) before 0.70 allows local users to execute arbitrary commands via shell metacharacters in a file name. clamantivirus-virusevent-gain-privileges(15692) 10007 GLSA-200405-03 11253 20040330 clamd - NEVER use "%f" in your "VirusEvent" The p_submit_url value in the sample login form in the Oracle 9i Application Server (9iAS) Single Sign-on Administrators Guide, Release 2(9.0.2) for Oracle SSO allows remote attackers to spoof the login page, which could allow users to inadvertently reveal their username and password. oracle-sso-login-spoofing(15676) 10009 20040330 Problem with customized login pages for Oracle SSO LINBOX LIN:BOX allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). linbox-slashslash-security-bypass(15677) 10010 11264 http://www.websec.org/adv/linbit.txt.html 20040330 Linbit linbox Multiple Vulnerabilities Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via the PORT mode. irix-ftpd-port-dos(15723) 10037 20040401-01-P Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter. coppermine-modulesphp-directory-traversal(16042) http://www.waraxe.us/index.php?modname=sa&id=26 10253 11524 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 5758 1010001 The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities. VU#737548 solaris-sshd-log-bypass(15784) 10080 ESB-2004.0263 57538 11316 oval:org.mitre.oval:def:3505 Buffer overflow in the parse_all_client_messages function in LCDproc 0.4.x up to 0.4.4 allows remote attackers to execute arbitrary code via a large number of arguments. lcdproc-parseallclientmessages-bo(15803) 10085 GLSA-200404-19 11333 20040408 PSR - #2004-001 Remote - LCDProc http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html Multiple buffer overflows in LCDProc 0.4.1, and possibly other 0.4.x versions up to 0.4.4, allows remote attackers to execute arbitrary code via (1) a long invalid command to parse_all_client_messages function, or (2) long argv command to test_func_func function. 10085 11333 lcdproc-testfuncfunc-bo(15814) GLSA-200404-19 20040408 PSR - #2004-002 Remote - LCDProc http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html Format string vulnerability in test_func_func in LCDProc 0.4.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the str variable. 10085 GLSA-200404-19 11333 lcdproc-testfuncfunc-format-string(15817) 20040408 PSR - #2004-002 Remote - LCDProc http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html RSniff 1.0 allows remote attackers to cause a denial of service (connection exhaustion) via a large number of connections with a command other than AUTHENTICATE, or without any data, which prevents the socket from being closed properly. 10093 rsniff-connection-dos(15823) 11339 http://aluigi.altervista.org/adv/rsniff-adv.txt 20040409 DoS in Rsniff 1.0 The hash_strcmp function in hasch.c in Crackalaka 1.0.8 allows remote attackers to cause a denial of service (crash) via large malformed strings. crackalaka-hashstrcmp-dos(15824) 10092 11340 20040409 DoS in Crackalaka 1.0.8 X-Micro WLAN 11b Broadband Router 1.2.2, 1.2.2.3, 1.2.2.4, and 1.6.0.0 has a hardcoded "super" username and password, which could allow remote attackers to gain access. 10095 20040410 Backdoor in X-Micro WLAN 11b Broadband Router xmicro-router-default-account(15829) 11342 X-Micro WLAN 11b Broadband Router 1.6.0.1 has a hardcoded "1502" username and password, which could allow remote attackers to gain access. xmicro-router-default-login(15890) 10095 20040416 NEW backdoor in X-Micro WLAN 11b Broadband Router 11342 20040416 Re: Backdoor in X-Micro WLAN 11b Broadband Router Microsoft Internet Explorer 5.5 and 6.0 allocates memory based on the memory size written in the BMP file instead of the actual BMP file size, which allows remote attackers to cause a denial of service (memory consumption) via a small BMP file with has a large memory size. 20040411 Microsoft Internet Explorer BMP file memory DoS vulnerability Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to gain sensitive information via a direct request to (1) banner_click.php, (2) categorize.php, (3) tiki-admin_include_directory.php, (4) tiki-directory_search.php, which reveal the web server path in an error message. tikiwiki-path-disclosure(15847) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] 11344 Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php, (3) flag, priority, flagval, sort_mode, or find parameters to messu-read.php, (4) articleId parameter to tiki-read_article.php, (5) parentId parameter to tiki-browse_categories.php, (6) comments_threshold parameter to tiki-index.php (7) articleId parameter to tiki-print_article.php, (8) galleryId parameter to tiki-list_file_gallery.php, (9) galleryId parameter to tiki-upload_file.php, (10) faqId parameter to tiki-view_faq.php, (11) chartId parameter to tiki-view_chart.php, or (12) surveyId parameter to tiki-survey_stats_survey.php. tikiwiki-xss(15846) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a Directory/Add Site operation. 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] Directory traversal vulnerability in the map feature (tiki-map.phtml) in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to determine the existence of arbitrary files via .. (dot dot) sequences in the mapfile parameter. tikiwiki-tikimap-file-disclosure(15848) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. MS05-019 http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 20050412 Crafted ICMP Messages Can Cause Denial of Service oval:org.mitre.oval:def:5386 13124 HPSBUX01164 57 19 18317 SSRT4884 SCOSA-2006.4 oval:org.mitre.oval:def:899 oval:org.mitre.oval:def:780 oval:org.mitre.oval:def:651 oval:org.mitre.oval:def:405 oval:org.mitre.oval:def:3826 oval:org.mitre.oval:def:2188 oval:org.mitre.oval:def:196 oval:org.mitre.oval:def:181 The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL. tikiwiki-file-upload(15849) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitrary web script or HTML via a base64-encoded user parameter or cookie. phpnuke-cookiedecode-xss(15842) http://www.waraxe.us/index.php?modname=sa&id=16 10128 11347 20040412 [waraxe-2004-SA#016 - Cross-Site Scripting aka XSS in phpnuke 6.x-7.2 part 3] SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter. phpnuke-admin-bypass-authentication(15835) http://www.waraxe.us/index.php?modname=sa&id=18 20040412 [waraxe-2004-SA#018 - Admin-level authentication bypass in phpnuke 6.x-7.2] Citadel/UX 5.00 through 6.14 installs the database directory and files with world-read permissions, which could allow local users to bypass access controls and read unauthorized messages. citadel-database-insecure-permissions(15850) 10102 20040412 Citadel/UX 6.20 fixes local permissions vulnerability Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-file_galleries.php, (10) tiki-list_faqs.php, (11) tiki-list_trackers.php, (12) tiki-list_blogs.php, or via the offset parameter in (13) tiki-usermenu.php, (14) tiki-browse_categories.php, (15) tiki-index.php, (16) tiki-user_tasks.php, (17) tiki-list_faqs.php, (18) tiki-list_trackers.php, or (19) tiki-list_blogs.php. tikiwiki-sql-injection(15845) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040411 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter. phpnuke-bypass-authentication(15839) http://www.waraxe.us/index.php?modname=sa&id=17 10135 11347 20040412 [waraxe-2004-SA#017 - User-level authentication bypass in phpnuke 6.x-7.2] BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers. VU#566390 weblogic-trust-certificate-spoofing(15862) 10132 1009765 11358 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_54.00.jsp BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges. VU#920238 bea-configxml-plaintext-password(15860) 10131 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp 5297 1009764 11357 ZoneAlarm Pro 4.5.538.001 and possibly other versions allows remote attackers to bypass e-mail protection via attachments whose names contain certain non-English characters. zonealarm-email-bypass-security(15884) 10148 20040420 Re: ZA Security Hole 20040414 ZA Security Hole Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows remote attackers to inject arbitrary web script or HTML via double encoded slashes (%252F) in the key parameter. zaep-antispam-xss(15858) 10139 http://www.securiteam.com/windowsntfocus/5EP0I15CKK.html 11388 20040419 Zaep AntiSpam Cross Site Scripting Eudora 6.1 and 6.0.3 for Windows allows remote attackers to cause a denial of service (crash) via a deeply nested multipart MIME message. eudora-mime-message-dos(15857) 10137 11360 20040419 Eudora 6.1 is evil 20040414 Eudora 6.0.3 nested MIME DoS Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS. 9836 DSA-458 python-getaddrinfo-bo(15409) 4172 MDKSA-2004:019 GLSA-200409-03 Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands. xitalk-gain-privileges(15456) 9851 DSA-462 http://shellcode.org/Advisories/XITALK.txt 11114 Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames. DSA-468 emil-email-bo(15601) 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages. DSA-468 emil-format-string(15602) 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. apache-cygwin-directory-traversal(15293) 9733 http://www.apacheweek.com/issues/04-03-12 10962 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory traversal vulnerability http://issues.apache.org/bugzilla/show_bug.cgi?id=26152 wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. 9832 RHSA-2004:096 DSA-457 wuftpd-restrictedgid-gain-access(15423) ADV-2006-1867 102356 20168 11055 SSRT4704 oval:org.mitre.oval:def:648 oval:org.mitre.oval:def:1637 oval:org.mitre.oval:def:1636 oval:org.mitre.oval:def:1147 gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. 9842 RHSA-2004:103 FLSA:2005 gdk-pixbuf-bitmap-dos(15426) RHSA-2004:102 MDKSA-2004:020 DSA-464 oval:org.mitre.oval:def:846 oval:org.mitre.oval:def:845 Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. TA04-070A VU#305206 9827 MS04-009