Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. VU#337238 RHSA-2004:017 linux-ptrace-gain-privilege(14888) 9429 GLSA-200402-06 oval:org.mitre.oval:def:868 The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function. http://lists.freebsd.org/pipermail/cvs-src/2004-January/016271.html Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." RHSA-2004:044 http://www.linuxcompatible.org/print25630.html RHSA-2004:065 SuSE-SA:2004:005 DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479 oval:org.mitre.oval:def:9204 linux-r128-gain-priviliges(15029) TLSA-2004-14 9570 RHSA-2004:166 RHSA-2004:106 MDKSA-2004:029 O-145 O-127 O-126 O-121 O-082 12075 11891 11464 11376 11370 11369 11362 11361 11202 10912 10911 10782 oval:org.mitre.oval:def:834 oval:org.mitre.oval:def:1017 The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users. VU#336446 9435 http://www.openca.org/news/CAN-2004-0004.txt openca-improper-signature-verification(14847) 3615 20040116 [OpenCA Advisory] Vulnerability in signature verification Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte. VU#655974 VU#404470 VU#226974 VU#190366 DSA-434 http://security.e-matters.de/advisories/012004.html 20040126 Advisory 01/2004: 12 x Gaim remote overflows gaim-mime-decoder-oob(14944) gaim-mime-decoder-bo(14942) gaim-sscanf-oob(14938) gaim-yahoodecode-offbyone-bo(14935) SSA:2004-026 1008850 3736 SuSE-SA:2004:004 GLSA-200401-04 CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. VU#871838 VU#527142 VU#503030 VU#444158 VU#371382 VU#297198 RHSA-2004:032 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html RHSA-2004:045 RHSA-2004:033 SuSE-SA:2004:004 DSA-434 GLSA-200401-04 oval:org.mitre.oval:def:10222 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040201-01-U gaim-http-proxy-bo(14947) gaim-urlparser-bo(14945) gaim-yahoopacketread-keyname-bo(14943) gaim-login-value-bo(14941) gaim-login-name-bo(14940) gaim-yahoowebpending-cookie-bo(14939) SSA:2004-026 1008850 9489 3732 3731 MDKSA-2004:006 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040202-01-U oval:org.mitre.oval:def:818 Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. VU#197142 RHSA-2004:033 DSA-434 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code RHSA-2004:032 GLSA-200401-04 oval:org.mitre.oval:def:9906 gaim-extractinfo-bo(14946) SSA:2004-026 1008850 9489 SuSE-SA:2004:004 3733 MDKSA-2004:006 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows oval:org.mitre.oval:def:819 Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. VU#779614 RHSA-2004:032 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code RHSA-2004:045 RHSA-2004:033 DSA-434 GLSA-200401-04 oval:org.mitre.oval:def:9469 20040201-01-U gaim-directim-bo(14937) 1008850 3734 MDKSA-2004:006 20040127 [slackware-security] GAIM security update (SSA:2004-026-01) 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040202-01-U oval:org.mitre.oval:def:820 Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user. 20040206 Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior apachessl-default-password(15065) 9590 http://www.apache-ssl.org/advisory-20040206.txt 3877 20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. 9691 RHSA-2004:069 DSA-479 linux-ncplookup-gain-privileges(15250) RHSA-2004:188 RHSA-2004:065 SuSE-SA:2004:005 DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 oval:org.mitre.oval:def:11388 TLSA-2004-05 MDKSA-2004:015 O-082 FEDORA-2004-079 CLA-2004:820 oval:org.mitre.oval:def:835 oval:org.mitre.oval:def:1035 Buffer overflow in fsp before 2.81.b18 allows remote users to execute arbitrary code. 9377 DSA-416 fsp-boundry-error-bo(14155) O-048 jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly handle SSL connections, which allows remote attackers to cause a denial of service (crash). MDKSA-2004:005 DSA-414 jabber-ssl-connections-dos(14158) 9376 3345 10559 Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier allows remote web servers to execute arbitrary code via certain long strings. 9365 DSA-412 nd-long-string-bo(14141) 1008616 10550 10549 vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges. DSA-418 9381 vbox3-gain-privileges(14170) The calendar module for phpgroupware 0.9.14 does not enforce the "save extension" feature for holiday files, which allows remote attackers to create and execute PHP files. DSA-419 9387 phpgroupware-calendar-file-include(13489) 6860 Multiple SQL injection vulnerabilities in the (1) calendar and (2) infolog modules for phpgroupware 0.9.14 allow remote attackers to perform unauthorized database operations. DSA-419 9386 1008662 10591 jitterbug 1.6.2 does not properly sanitize inputs, which allows remote authenticated users to execute arbitrary commands. DSA-420 9397 jitterbug-execute-code(14207) Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges. lotus-notes-insecure-permissions(14153) 9366 1008623 3424 http://www.excluded.org/advisories/advisory05.txt 10566 20040106 Lotus Notes Domino 6.0.2 (linux) faulty default permissions PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code. phpgedview-pgvbasedirectory-file-include(14159) 9368 3343 10565 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem 1008632 PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to editconfig.php. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-modify-admin-password(14161) 3403 10565 Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2.61 allows remote attackers to inject arbitrary HTML and web script via the firstname parameter. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-search-xss(14160) 9369 3402 10565 admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensitive information via an action parameter with a phpinfo command. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-admin-info-disclosure(14162) 9371 3404 10565 Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the phorum_check_xss function in common.php, (2) the EditError variable in profile.php, and (3) the Error variable in login.php. phorum-common-xss(14145) 9361 10567 http://phorum.org/ 20040105 Multiple Vulnerabilities in Phorum 3.4.5 1008633 3510 3506 3434 SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. phorum-register-sql-injection(14146) 9363 20040105 Multiple Vulnerabilities in Phorum 3.4.5 3508 10567 SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter. 20040105 vBulletin Forum 2.3.xx calendar.php SQL Injection vbulletin-calendar-sql-injection(14144) http://www.vbulletin.com/forum/showthread.php?postid=588825 9360 3344 FirstClass Desktop Client 7.1 allows remote attackers to execute arbitrary commands via hyperlinks in FirstClass RTF messages. firstclassclient-execute-code(14151) 9370 3442 10556 20040105 FirstClass Client 7.1: Command Execution via Email Web Link 1008609 McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81. epolicy-execute-commands(14166) 20040510 McAfee ePolicy Orchestrator Remote Compromise Vulnerability 10200 http://www.osvdb.org/5626 http://download.nai.com/products/patches/ePO/v2.x/Patch14.txt Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. VU#790771 TA04-036A fw1-format-string(14149) 9581 20040204 Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities O-072 http://www.checkpoint.com/techsupport/alerts/security_server.html 20040205 Two checkpoint fw-1/vpn-1 vulns Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. VU#873334 9582 vpn1-ike-bo(14150) 20040205 Two checkpoint fw-1/vpn-1 vulns 20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow 4432 3821 O-073 The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions. DSA-421 1008675 9404 3454 10612 vsftpd 1.1.3 generates different error messages depending on whether or not a valid username exists, which allows remote attackers to identify valid usernames. 1008628 Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature. 9383 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow yahoo-messenger-filename-bo(14171) 1008651 3437 10573 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username. 20040108 Cisco Personal Assistant User Password Bypass Vulnerability ciscopersonalassistant-config-file-access(14172) 9384 3430 Buffer overflow in the ARTpost function in art.c in the control message handling code for INN 2.4.0 may allow remote attackers to execute arbitrary code. VU#759020 9382 20040108 [OpenPKG-SA-2004.001] OpenPKG Security Advisory (inn) 20040107 [SECURITY] INN: Buffer overflow in control message handling inn-artpost-control-message-bo(14190) SSA:2004-014-02 10578 Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows remote attackers to inject arbitrary web script or HTML via a GET request containing a terminating '"' (double quote) character. snapstream-quotation-xss(14164) 9375 3440 1008646 10575 20040106 SnapStream PVS LITE Cross Site Scripting Vulnerabillity Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges. DSA-430 trr19-gain-privileges(14975) 9520 10744 1008875 3747 10745 Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attackers to cause a denial of service via certain HTTP POST messages to the Administration System port. http://service.real.com/help/faq/security/040112_dos/ 9421 http://service.real.com/help/faq/security/security022604.html 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow Verity Ultraseek before 5.2.2 allows remote attackers to obtain the full pathname of the document root via an MS-DOS device name in the web search option, such as (1) NUL, (2) CON, (3) AUX, (4) COM1, (5) COM2, and others. ultraseek-error-path-disclosure(16066) 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard but frequently supported Content-Transfer-Encoding values such as (1) uuencode, (2) mac-binhex40, and (3) yenc, which may be interpreted differently by mail clients. mime-contenttransfer-filter-bypass(17337) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME Content-Transfer-Encoding mechanism issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard separator characters, or use standard separators incorrectly, within MIME headers, fields, parameters, or values, which may be interpreted differently by mail clients. mime-separator-filtering-bypass(17334) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME separator issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use fields that use RFC2047 encoding, which may be interpreted differently by mail clients. mime-rfc2047-filtering-bypass(17331) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 20040113 Vulnerabilities in H.323 Message Processing http://www.uniras.gov.uk/vuls/2004/006489/h323.htm oval:org.mitre.oval:def:4884 1008685 9406 The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. VU#955526 7090 RHSA-2004:008 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FEDORA-2004-092 FEDORA-2004-090 DSA-425 12179 11032 11022 10718 10652 10644 10639 10636 oval:org.mitre.oval:def:9989 2004-0004 APPLE-SA-2004-02-23 20040103-01-U SCOSA-2004.9 CSSA-2004-008.0 1008735 FLSA:1222 MDKSA-2004:008 [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) CLSA-2003:832 20040202-01-U oval:org.mitre.oval:def:853 oval:org.mitre.oval:def:850 Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm 1008687 9406 The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. VU#174086 9423 RHSA-2004:007 DSA-425 tcpdump-rawprint-isakmp-dos(14837) 20040119 [ESA-20040119-002] 'tcpdump' multiple vulnerabilities. RHSA-2004:008 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FEDORA-2004-092 FEDORA-2004-090 12179 11032 11022 10718 10668 10652 10644 10639 10636 oval:org.mitre.oval:def:11197 [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 ESA-20040119-002 2004-0004 APPLE-SA-2004-02-23 20040103-01-U SCOSA-2004.9 CSSA-2004-008.0 1008716 FLSA:1222 MDKSA-2004:008 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) 20040202-01-U oval:org.mitre.oval:def:854 oval:org.mitre.oval:def:851 Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file. antivir-tmpfile-insecure(14214) 1008702 3496 10620 20040113 symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower) Directory traversal vulnerability in upload capability of WWW File Share Pro 2.42 and earlier allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in the filename parameter of a Content-Disposition: header. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 WWW File Share Pro 2.42 and earlier allows remote attackers to cause a denial of service (crash) via a large POST request. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 WWW File Share Pro 2.42 and earlier allows remote attackers to bypass directory access restrictions via (1) a URL with a trailing . (dot), or (2) a URI with a leading slash or backslash character. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 Integer overflow in the rnd arithmetic rounding function for various versions of FishCart before 3.1 allows remote attackers to "cause negative totals" via an order with a large quantity. 20040114 FishCart Integer Overflow / Rounding Error 1008731 The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number. http://www.ncipher.com/support/advisories/advisory8_payshield.html payshield-incorrect-request-verification(14832) 9422 3537 20040114 nCipher Advisory #8: payShield library may verify bad requests The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory. 9411 1008703 3460 10623 20040113 SuSE linux 9.0 YaST config Skribt [exploit] Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php. 20040112 More phpGedView Vulnerabilities 11925 11910 phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php. 20040112 More phpGedView Vulnerabilities phpgedview-path-disclosure(14215) 3464 Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1. 20040112 More phpGedView Vulnerabilities phpgedview-login-xss(36285) phpgedview-multiple-xss(14212) ADV-2007-2995 11907 11906 11905 11904 11903 11894 11891 11890 11888 11882 11880 11868 20070827 PhpGedView login page multiple XSS 3479 3478 3477 3476 3475 3474 3473 1018613 26628 PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 and earlier allows remote attackers to execute arbitrary PHP code by modifying the $relative_script_path parameter to reference a URL on a remote web server that contains the code. 9424 http://www.phpdig.net/showthread.php?s=58bcc71c822830ec3bbdaae6d56846e0&threadid=393 20040114 PhpDig 1.6.x: remote command execution phpdig-config-file-include(14826) Format string vulnerability in HD Soft Windows FTP Server 1.6 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username, which is processed by the wscanf function. 9385 20040113 exploit for HD Soft Windows FTP Server 1.6 20040108 Windows FTP Server Format String Vulnerability 1008658 PHP remote file inclusion vulnerability in module.php for ezContents allows remote attackers to execute arbitrary PHP code by modifying the link parameter to reference a URL on a remote web server that contains the code. ezcontents-php-file-include(14199) 9396 6878 http://www.ezcontents.org/forum/viewtopic.php?t=361 20040110 Remote Code Execution in ezContents Directory traversal vulnerability in buildManPage in class.manpagelookup.php for PHP Man Page Lookup 1.2.0 allows remote attackers to read arbitrary files via the command parameter ($cmd variable) to index.php. manpagelookup-directory-traversal(14203) 9395 20040110 PHP Manpage lookup directory transversal / file disclosing 1008689 Directory traversal vulnerability in Accipiter Direct Server 6.0 allows remote attackers to read arbitrary files via encoded \.. (backslash .., "%5c%2e%2e") sequences in an HTTP request. 9389 accipterdirectserver-directory-traversal(14198) 20040109 Directory Traversal in Accipiter Direct Server 6.0 20040109 Directory Traversal in Accipiter Direct Server 6.0 3433 10600 PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server that contains a malicious serverdata.php script. 9338 easydynamicpages-php-file-include(14136) 3408 3318 1008584 10535 20040102 include() vuln in EasyDynamicPages v.2.0 Multiple buffer overflows in xsok 1.02 allows local users to gain privileges via (1) a long LANG environment variable, or (2) a long -xsokdir command line argument, a different vulnerability than CVE-2003-0949. 9341 xsok-lang-bo(14910) xsok-long-xsokdir-bo(14906) 9352 20040103 xsok local games exploit (2) 20040102 xsok local games exploit The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. 9690 RHSA-2004:065 linux-vicam-dos(15246) RHSA-2005:293 SuSE-SA:2004:005 O-082 MDKSA-2004:015 CLA-2004:846 oval:org.mitre.oval:def:836 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was removed from consideration by its Candidate Numbering Authority. Notes: none. The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. VU#981222 9686 DSA-439 GLSA-200403-02 linux-mremap-gain-privileges(15244) 20040218 Second critical mremap() bug found in all Linux kernels http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt SSA:2004-049 RHSA-2004:106 RHSA-2004:069 RHSA-2004:066 RHSA-2004:065 3986 SuSE-SA:2004:005 DSA-514 DSA-475 DSA-470 DSA-466 DSA-456 DSA-454 DSA-453 DSA-450 DSA-444 DSA-442 DSA-441 DSA-440 DSA-438 O-082 2004-0008 2004-0007 MDKSA-2004:015 FEDORA-2004-079 CLA-2004:820 20040218 Second critical mremap() bug found in all Linux kernels oval:org.mitre.oval:def:837 oval:org.mitre.oval:def:825 Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. 9641 RHSA-2004:051 RHSA-2004:050 mutt-index-menu-bo(15134) http://bugs.debian.org/126336 SSA:2004-043 3918 MDKSA-2004:010 20040309 [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt) 20040215 LNSA-#2004-0001: mutt remote crash 20040211 Mutt-1.4.2 fixes buffer overflow. CSSA-2004-013.0 oval:org.mitre.oval:def:838 oval:org.mitre.oval:def:811 The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. TA04-078A VU#288574 openssl-dochangecipherspec-dos(15505) http://www.uniras.gov.uk/vuls/2004/224012/index.htm 2004-0012 SSA:2004-077 9899 RHSA-2005:830 RHSA-2005:829 RHSA-2004:139 RHSA-2004:121 RHSA-2004:120 FEDORA-2005-1042 http://www.openssl.org/news/secadv_20040317.txt SuSE-SA:2004:007 ESA-20040317-003 DSA-465 20040317 Cisco OpenSSL Implementation Vulnerability O-101 http://support.lexmark.com/index?page=content&id=TE88&locale=EN&userlocale=EN_US http://support.avaya.com/elmodocs2/security/ASA-2005-239.htm 57524 GLSA-200403-03 18247 17401 17398 17381 11139 oval:org.mitre.oval:def:9779 oval:org.mitre.oval:def:5770 SSRT4717 20040317 New OpenSSL releases fix denial of service attacks [17 March 2004] http://lists.apple.com/mhonarc/security-announce/msg00045.html APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 FEDORA-2004-095 http://docs.info.apple.com/article.html?artnum=61798 CLA-2004:834 SCOSA-2004.10 NetBSD-SA2004-005 FreeBSD-SA-04:05 MDKSA-2004:023 oval:org.mitre.oval:def:975 oval:org.mitre.oval:def:870 oval:org.mitre.oval:def:2621 The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. VU#801526 RHSA-2004:056 9558 utillinux-information-leak(15016) 3796 GLSA-200404-06 10773 20040408 LNSA-#2004-0010: login may leak sensitive data 20040331 OpenLinux: util-linux could leak sensitive data 20040406-01-U 20040201-01-U OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. TA04-078A VU#465542 openssl-tls-dos(15509) http://www.uniras.gov.uk/vuls/2004/224012/index.htm 2004-0012 9899 RHSA-2004:139 RHSA-2004:121 RHSA-2004:120 ESA-20040317-003 DSA-465 20040317 Cisco OpenSSL Implementation Vulnerability 57524 GLSA-200403-03 11139 RHSA-2004:119 oval:org.mitre.oval:def:11755 20040508 [FLSA-2004:1395] Updated OpenSSL resolves security vulnerability 20040317 Re: New OpenSSL releases fix denial of service attacks [17 March 2004] FEDORA-2004-095 CLA-2004:834 20040304-01-U SCOSA-2004.10 oval:org.mitre.oval:def:902 oval:org.mitre.oval:def:871 The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. 9637 RHSA-2004:064 samba-mksmbpasswd-gain-access(15132) http://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.html http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txt 3919 O-078 oval:org.mitre.oval:def:827 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. VU#820006 9636 20040210 iDEFENSESecurityAdvisory02.10.04: XFree86FontInformationFileBufferOverflow xfree86-fontalias-bo(15130) http://www.xfree86.org/cvs/changes RHSA-2004:061 RHSA-2004:060 RHSA-2004:059 SuSE-SA:2004:006 http://www.idefense.com/application/poi/display?id=72 DSA-443 GLSA-200402-02 oval:org.mitre.oval:def:9612 SSA:2004-043 MDKSA-2004:012 57768 FLSA:2314 20040211 XFree86 vulnerability exploit CLA-2004:821 oval:org.mitre.oval:def:830 oval:org.mitre.oval:def:806 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. VU#667502 9652 RHSA-2004:061 RHSA-2004:060 xfree86-copyisolatin1lLowered-bo(15200) SSA:2004-043 RHSA-2004:059 SuSE-SA:2004:006 http://www.idefense.com/application/poi/display?id=73 DSA-443 oval:org.mitre.oval:def:10405 FLSA:2314 CLA-2004:821 MDKSA-2004:012 57768 20040212 iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File Buffer Overflow II oval:org.mitre.oval:def:831 oval:org.mitre.oval:def:807 Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086. macosx-mail-undisclosed(14992) 9504 APPLE-SA-2004-01-26 Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085. 9504 APPLE-SA-2004-01-26 The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088. macosx-configd-file-manipulation(14997) 9504 6819 APPLE-SA-2004-01-26 The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087. 9504 6820 APPLE-SA-2004-01-26 Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable. VU#902374 9509 macosx-trublue-environmentvariable-bo(14968) 6821 A012704-1 APPLE-SA-2004-01-26 Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 through 10.3.2 does not "shutdown properly," which has unknown impact and attack vectors. 9504 10723 ESB-2004.0072 APPLE-SA-2004-01-26 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions of vBulletin allows remote attackers to inject arbitrary HTML or web script via the reg_site (or possibly regsite) parameter. NOTE: the vendor has disputed this issue, saying "There is no hidden field called 'reg_site', nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft." 1008780 20040123 RE: vBulletin Security Vulnerability 20040120 Re: vBulletin Security Vulnerability 20040120 vBulletin Security Vulnerability 20040120 vBulletin Security Vulnerability Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact. 9504 APPLE-SA-2004-01-26 XFree86 4.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an out-of-bounds array index when using the GLX extension and Direct Rendering Infrastructure (DRI). DSA-443 xfree86-glx-array-dos(15272) 9701 RHSA-2004:152 CLSA-2004:824 20040406-01-U Integer signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI). DSA-443 xfree86-glx-integer-dos(15273) 9701 RHSA-2004:152 CLSA-2004:824 20040406-01-U McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow. 9476 http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zip epolicy-contentlength-post-dos(14989) 3744 Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973. [mod_python] 20040122 [ANNOUNCE] Mod_python 2.7.10 RHSA-2004:063 RHSA-2004:058 GLSA-200401-03 Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 RHSA-2004:047 DSA-448 pwlib-message-dos(15202) oval:org.mitre.oval:def:10056 9406 oval:org.mitre.oval:def:826 oval:org.mitre.oval:def:803 mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions. 9533 FreeBSD-SA-04:01 freebsd-mksnapffs-bypass-security(15005) 3790 crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow. DSA-432 crawl-long-environment-bo(15032) 9566 10788 Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. VU#518518 9692 RHSA-2004:073 metamail-printheader-format-string(15259) metamail-contenttype-format-string(15245) DSA-449 10908 20040218 metamail format string bugs and buffer overflows SSA:2004-049 MDKSA-2004:014 O-083 20040218 metamail format string bugs and buffer overflows Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. VU#513062 RHSA-2004:073 metamail-splitmail-subject-bo(15258) metamail-printheader-nonascii-bo(15247) DSA-449 10908 20040218 metamail format string bugs and buffer overflows SSA:2004-049 9692 MDKSA-2004:014 O-083 20040218 metamail format string bugs and buffer overflows Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. SSA:2004-043 RHSA-2004:061 RHSA-2004:060 xfree86-multiple-font-improper-handling(15206) RHSA-2004:059 SuSE-SA:2004:006 DSA-443 oval:org.mitre.oval:def:11111 MDKSA-2004:012 FLSA:2314 CLA-2004:821 oval:org.mitre.oval:def:832 oval:org.mitre.oval:def:809 The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. 9838 RHSA-2004:053 20040302-01-U sysstat-post-trigger-symlink(15428) RHSA-2004:093 6884 O-097 oval:org.mitre.oval:def:10737 oval:org.mitre.oval:def:862 oval:org.mitre.oval:def:849 The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107. 9844 RHSA-2004:053 20040302-01-U sysstat-isag-symlink(15437) DSA-460 Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. ESA-20040428-004 RHSA-2004:166 2004-0020 20040405-01-U linux-iso9660-bo(15866) TLSA-2004-14 10141 RHSA-2004:183 RHSA-2004:106 RHSA-2004:105 SuSE-SA:2004:009 http://www.idefense.com/application/poi/display?id=101&type=vulnerabilities DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479 O-127 O-121 GLSA-200407-02 12003 11986 11891 11861 11626 11518 11494 11486 11470 11469 11464 11373 11362 11361 oval:org.mitre.oval:def:10733 CLA-2004:846 20040504-01-U MDKSA-2004:029 oval:org.mitre.oval:def:940 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. VU#493966 libxml2-nanohttp-bo(15301) 9718 RHSA-2004:090 20040305 [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml) libxml2-nanoftp-bo(15302) RHSA-2004:091 DSA-455 O-086 GLSA-200403-01 10958 oval:org.mitre.oval:def:11626 http://www.xmlsoft.org/news.html RHSA-2004:650 SUSE-SR:2005:001 20040306 TSLSA-2004-0010 - libxml2 oval:org.mitre.oval:def:875 oval:org.mitre.oval:def:833 gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. 9842 RHSA-2004:103 FLSA:2005 gdk-pixbuf-bitmap-dos(15426) RHSA-2004:102 MDKSA-2004:020 DSA-464 oval:org.mitre.oval:def:846 oval:org.mitre.oval:def:845 The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. TA04-078A VU#484726 openssl-kerberos-ciphersuites-dos(15508) http://www.uniras.gov.uk/vuls/2004/224012/index.htm 2004-0012 SSA:2004-077 9899 RHSA-2004:121 RHSA-2004:120 http://www.openssl.org/news/secadv_20040317.txt SuSE-SA:2004:007 20040317 Cisco OpenSSL Implementation Vulnerability O-101 57524 GLSA-200403-03 11139 oval:org.mitre.oval:def:9580 SSRT4717 20040317 New OpenSSL releases fix denial of service attacks [17 March 2004] http://lists.apple.com/mhonarc/security-announce/msg00045.html APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 http://docs.info.apple.com/article.html?artnum=61798 CLA-2004:834 SCOSA-2004.10 NetBSD-SA2004-005 MDKSA-2004:023 oval:org.mitre.oval:def:928 oval:org.mitre.oval:def:1049 Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. 9826 apache-modssl-plain-dos(15419) http://www.apacheweek.com/features/security-20 [apache-cvs] 20040307 cvs commit: httpd-2.0/modules/ssl ssl_engine_io.c 2004-0017 RHSA-2004:182 RHSA-2004:084 4182 MDKSA-2004:043 GLSA-200403-04 SSRT4717 APPLE-SA-2004-05-03 20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48 http://issues.apache.org/bugzilla/show_bug.cgi?id=27106 CLSA-2004:839 oval:org.mitre.oval:def:876 The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. bsd-shmat-gain-privileges(15061) 9586 FreeBSD-SA-04:02 http://www.pine.nl/press/pine-cert-20040201.txt 20040205 [PINE-CERT-20040201] reference count overflow in shmat() 3836 http://www.openbsd.org/errata33.html#sysvshm NetBSD-SA2004-004 VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file. 9632 MS04-005 A021004-1 virtual-pc-gain-privileges(15113) 3893 O-076 An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. VU#417052 TA04-104A AD20040413A MS04-012 win-rpcss-rpcmessage-dos(15708) 10127 O-115 1009758 11065 oval:org.mitre.oval:def:958 oval:org.mitre.oval:def:957 oval:org.mitre.oval:def:955 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. VU#353956 TA04-104A MS04-011 win-h323-bo(15710) O-114 oval:org.mitre.oval:def:964 oval:org.mitre.oval:def:946 oval:org.mitre.oval:def:907 The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code. VU#783748 TA04-104A MS04-011 AD20040413E 20040413 EEYE: Windows VDM TIB Local Privilege Escalation win-vdm-gain-privileges(15714) 10117 O-114 oval:org.mitre.oval:def:1718 oval:org.mitre.oval:def:1512 The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection. VU#638548 TA04-104A MS04-011 20040414 NSFOCUS SA2004-01 : DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding win-spp-bo(15715) 10113 O-114 oval:org.mitre.oval:def:1997 oval:org.mitre.oval:def:1962 oval:org.mitre.oval:def:1808 The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. VU#150236 TA04-104A MS04-011 ssl-message-dos(15712) 10115 O-114 oval:org.mitre.oval:def:892 oval:org.mitre.oval:def:886 oval:org.mitre.oval:def:885 Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. TA04-070A VU#305206 9827 MS04-009 20040309 Microsoft Outlook "mailto:" Parameter Passing Vulnerability outlook-ms04009-patch(15429) outlook-mailtourl-execute-code(15414) O-096 20040310 Outlook mailto: URL argument injection vulnerability oval:org.mitre.oval:def:843 Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. VU#688094 9828 MS04-010 msn-ms04010-patch(15427) msn-request-view-files(15415) oval:org.mitre.oval:def:844 Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. VU#255924 TA04-104A win-asn1-double-free(15713) 10118 MS04-011 O-114 oval:org.mitre.oval:def:924 oval:org.mitre.oval:def:1076 oval:org.mitre.oval:def:1007 The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." VU#212892 TA04-104A win-objectidentifier-open-port(15711) 10121 MS04-012 O-115 11065 oval:org.mitre.oval:def:1072 oval:org.mitre.oval:def:1066 oval:org.mitre.oval:def:1062 oval:org.mitre.oval:def:1041 The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verify that an attempt to manipulate routing tables originated from a non-jailed process, which could allow local users to modify the routing table. 10485 freebsd-jailed-table-modify(16342) FreeBSD-SA-04:12 The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail. 9762 FreeBSD-SA-04:03 freebsd-jailattach-gain-privileges(15344) 4101 Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter. 9529 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior phpgedview-editconfig-directory-traversal(15129) 1008892 3768 10753 PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script. 9531 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior phpgedview-gedfilconf-file-include(14987) 3769 http://sourceforge.net/project/shownotes.php?release_id=141517 10753 Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter. 9564 20040203 Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior http://www.phpmyadmin.net/home_page/relnotes.php?rel=0 http://sourceforge.net/forum/forum.php?forum_id=350228 GLSA-200402-05 phpmyadmin-dotdot-directory-traversal(15021) 3800 10769 login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message. http://www.securiteam.com/unixfocus/5NP0M1PBPQ.html phpgedview-loginphp-path-disclosure(15128) 6886 http://www.netvigilance.com/advisory0001 1008844 The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote atackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference. VU#277396 radius-radprintrequest-dos(15046) 9578 http://ftp.gnu.org/gnu/radius/radius-1.2.tar.gz 3824 20040204 GNU Radius Remote Denial of Service Vulnerability 10799 Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php. 20040210 PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior ezcontents-multiple-file-include(15135) The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device. ESA-20040428-004 2004-0020 20040405-01-U GLSA-200407-02 linux-xfs-info-disclosure(15901) 10151 MDKSA-2004:029 11362 cpr (libcpr) in SGI IRIX before 6.5.25 allows local users to gain privileges by loading a user provided library while restarting the checkpointed process. irix-cpr-gain-privileges(16259) 10418 20040507-01-P The syssgi SGI_IOPROBE system call in IRIX 6.5.20 through 6.5.24 allows local users to gain privileges by reading and writing to kernel memory. irix-sgiioprobe-gain-privileges(16413) 20040601-01-P 7122 11872 The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system crash) via a "corrupted binary." irix-mapelf32exec-dos(16416) 10547 20040601-01-P 7123 11872 Unknown vulnerability in init for IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system panic) as a result of "page invalidation issues." irix-page-dos(16417) 10549 20040601-01-P 7124 11872 The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped. DSA-1082 DSA-1070 DSA-1069 DSA-1067 20202 20163 20162 oval:org.mitre.oval:def:10123 http://linux.bkbits.net:8080/linux-2.4/cset@4021346f79nBb-4X_usRikR3Iyb4Vg http://kernel.debian.net/debian/pool/main/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_ia64.changes linux-kernel-elfloader-dos(43124) 18174 RHSA-2004:549 RHSA-2004:504 20338 http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.25 Unknown vulnerability in the bsd.a kernel networking for SGI IRIX 6.5.22 through 6.5.25, and possibly earlier versions, in which "t_unbind changes t_bind's behavior," has unknown impact and attack vectors. 11276 irix-bsda-kernel(17547) 12682 20040905-01-P Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows. nokia-obex-dos(15107) 9603 http://www.pentest.co.uk/documents/ptl-2004-01.html 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. 9832 RHSA-2004:096 DSA-457 wuftpd-restrictedgid-gain-access(15423) ADV-2006-1867 102356 20168 11055 SSRT4704 oval:org.mitre.oval:def:648 oval:org.mitre.oval:def:1637 oval:org.mitre.oval:def:1636 oval:org.mitre.oval:def:1147 Multiple buffer overflows in xboing before 2.4 allow local users to gain privileges. DSA-451 xboing-bo(15347) 9764 Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS. 9836 DSA-458 python-getaddrinfo-bo(15409) 4172 MDKSA-2004:019 GLSA-200409-03 Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands. xitalk-gain-privileges(15456) 9851 DSA-462 http://shellcode.org/Advisories/XITALK.txt 11114 Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames. DSA-468 emil-email-bo(15601) 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages. DSA-468 emil-format-string(15602) 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. nfs-utils-dns-dos(15418) 2004-0009 9813 RHSA-2004:072 oval:org.mitre.oval:def:9673 http://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=114535 oval:org.mitre.oval:def:861 The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. VU#552398 RHSA-2004:165 APPLE-SA-2004-05-03 20040407 CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections 10072 MDKSA-2004:069 GLSA-200406-17 11328 oval:org.mitre.oval:def:9291 SCOSA-2005.10 MDKSA-2004:027 oval:org.mitre.oval:def:945 Format string vulnerabilities in the (1) die or (2) log_event functions for ssmtp before 2.50.6 allow remote mail relays to cause a denial of service and possibly execute arbitrary code. DSA-485 GLSA-200404-18 ssmtp-die-logevent-format-string(15872) 10150 5361 5360 1009788 11571 11485 11384 11378 20040507 [OpenPKG-SA-2004.020] OpenPKG Security Advisory (ssmtp) x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program. DSA-484 xonix-privilege-dropping(15873) 10149 5358 http://shellcode.org/Advisories/XONIX.txt 1009789 11382 Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c. breakout2-home-bo(15229) 9712 DSA-445 http://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gz 20040222 lbreakout2 < 2.4beta-2 local exploit Format string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command. 9715 DSA-447 hsftp-format-string(15276) 4029 20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability Synaesthesia 2.2 and earlier allows local users to execute arbitrary code via a symlink attack on the configuration file. synaesthesia-configuration-symlink-attack(15279) 9713 DSA-446 Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use RFC2231 encoding, which may be interpreted differently by mail clients. mime-tools-parameter-encoding(9274) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC2231 encoding issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients. mime-rfc822-filtering-bypass(17332) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC822 comment issue Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session. sse-replay-dos(16945) http://www.corsaire.com/advisories/c031120-002.txt 20040810 Corsaire Security Advisory - Sygate Secure Enterprise replay issue KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. 20040114 Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoon openbsd-isakmp-initialcontact-delete-sa(14118) openbsd-isakmp-invalidspi-delete-sa(14117) 9417 oval:org.mitre.oval:def:9737 APPLE-SA-2004-02-23 NetBSD-SA2004-001 9416 20040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon oval:org.mitre.oval:def:947 Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges. VU#841742 9730 A022304-1 macos-pppd-format-string(15297) 6822 APPLE-SA-2004-02-23 Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar." VU#194238 macosx-safari-unknown(14993) 10959 APPLE-SA-2004-02-23 DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media. VU#578886 macos-diskarbitration-unknown(15300) 9731 6824 10959 APPLE-SA-2004-02-23 Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging." macos-corefoundation-unknown(15299) APPLE-SA-2004-02-23 10959 QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function. VU#460350 9735 darwin-describe-request-dos(15291) 6837 6826 20040223 Darwin Streaming Server Remote Denial of Service Vulnerability APPLE-SA-2004-02-23 FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections. VU#395670 9792 20040302 FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability freebsd-mbuf-dos(15369) 4124 APPLE-SA-2004-05-28 FreeBSD-SA-04:04 Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed. ltrace-searchforcommand-bo(13389) 8790 1007896 20031008 ltrace bug 20031008 ltrace bug Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. apache-cygwin-directory-traversal(15293) 9733 http://www.apacheweek.com/issues/04-03-12 10962 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory traversal vulnerability http://issues.apache.org/bugzilla/show_bug.cgi?id=26152 Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." VU#132110 apache-socket-starvation-dos(15540) RHSA-2004:405 2004-0017 20040319 [ANNOUNCE] Apache HTTP Server 2.0.49 Released (fwd) 2004-0027 GLSA-200405-22 11170 SSA:2004-133 1009495 9921 MDKSA-2004:046 http://www.apache.org/dist/httpd/CHANGES_1.3 57628 101555 SSRT4717 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) APPLE-SA-2004-05-03 oval:org.mitre.oval:def:1982 oval:org.mitre.oval:def:100110 Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992. 9986 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147 openssh-scp-file-overwrite(16323) RHSA-2005:567 RHSA-2005:562 RHSA-2005:495 RHSA-2005:481 RHSA-2005:165 RHSA-2005:106 RHSA-2005:074 9550 SuSE-SA:2004:009 MDVSA-2008:191 MDKSA-2005:100 http://www.juniper.net/support/security/alerts/adv59739.txt O-212 19243 17135 oval:org.mitre.oval:def:10184 CLSA-2004:831 SCOSA-2006.11 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. VU#931588 VU#864884 VU#740188 VU#659140 VU#644886 VU#591820 VU#433596 VU#125156 VU#119876 DSA-511 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal ethereal-multiple-dissectors-bo(15569) RHSA-2004:137 RHSA-2004:136 http://www.ethereal.com/appnotes/enpa-sa-00013.html GLSA-200403-07 http://security.e-matters.de/advisories/032004.html 11185 oval:org.mitre.oval:def:10187 20040323 Advisory 03/2004: Multiple (13) Ethereal remote overflows 6893 MDKSA-2004:024 20040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal) CLA-2004:835 oval:org.mitre.oval:def:887 oval:org.mitre.oval:def:878 The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device. ESA-20040428-004 DSA-495 RHSA-2004:166 2004-0020 FLSA:2336 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479 GLSA-200407-02 oval:org.mitre.oval:def:10556 http://linux.bkbits.net:8080/linux-2.4/cset@4056b368s6vpJbGWxDD_LhQNYQrdzQ linux-ext3-info-disclosure(15867) 10152 RHSA-2005:293 RHSA-2004:505 RHSA-2004:504 MDKSA-2004:029 O-127 O-126 O-121 CLA-2004:846 The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes. DSA-495 DSA-491 DSA-489 DSA-482 RHSA-2004:437 RHSA-2004:413 DSA-481 DSA-480 DSA-479 GLSA-200407-02 oval:org.mitre.oval:def:9427 http://linux.bkbits.net:8080/linux-2.4/cset@404ce5967rY2Ryu6Z_uNbYh643wuFA 20040804-01-U linux-sound-blaster-dos(15868) 9985 MDKSA-2004:029 O-193 O-127 O-121 CLA-2004:846 Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. FEDORA-2004-1552 RHSA-2004:160 RHSA-2004:159 RHSA-2004:158 RHSA-2004:157 DSA-487 GLSA-200405-04 GLSA-200405-01 11363 SuSE-SA:2004:008 SuSE-SA:2004:009 20040404-01-U 10136 5365 MDKSA-2004:032 oval:org.mitre.oval:def:10913 20040416 void.at - neon format string bugs 20040416 [OpenPKG-SA-2004.016] OpenPKG Security Advisory (neon) oval:org.mitre.oval:def:1065 The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405. RHSA-2004:154 RHSA-2004:153 DSA-486 FreeBSD-SA-04:07 oval:org.mitre.oval:def:9462 20040404-01-U ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch cvs-rcs-create-files(15864) SSA:2004-108-02 MDKSA-2004:028 GLSA-200404-13 11548 11405 11400 11391 11380 11377 11375 11374 11371 11368 FEDORA-2004-1620 oval:org.mitre.oval:def:1042 The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device. ESA-20040428-004 2004-0020 ADV-2005-1878 GLSA-200407-02 oval:org.mitre.oval:def:10329 linux-jfs-info-disclosure(15902) TLSA-2004-14 10143 RHSA-2005:663 RHSA-2004:504 MDKSA-2004:029 17002 Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field. RHSA-2004:156 20040404-01-U TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#240790 DSA-478 FEDORA-2004-1468 tcpdump-isakmp-delete-bo(15680) http://www.tcpdump.org/tcpdump-changes.txt 10003 RHSA-2004:219 http://www.rapid7.com/advisories/R7-0017.html 1009593 11258 oval:org.mitre.oval:def:9971 2004-0015 11320 20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities oval:org.mitre.oval:def:972 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#492558 DSA-478 FEDORA-2004-1468 tcpdump-isakmp-integer-underflow(15679) http://www.tcpdump.org/tcpdump-changes.txt 10004 RHSA-2004:219 http://www.rapid7.com/advisories/R7-0017.html 1009593 11258 oval:org.mitre.oval:def:9581 20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities 2004-0015 oval:org.mitre.oval:def:976 Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name. http://www.securiteam.com/unixfocus/6X00Q1P8KC.html RHSA-2004:096 DSA-457 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch wuftpd-skey-bo(13518) http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txt 8893 smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted. samba-smbmnt-gain-privileges(15131) 9619 DSA-463 20040209 Samba 3.x + kernel 2.6.x local root vulnerability 3916 20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0185. Reason: This candidate is a reservation duplicate of CVE-2004-0185. Notes: All CVE users should reference CVE-2004-0185 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local users to execute arbitrary code via a long password. 9756 DSA-461 calife-long-password-bo(15335) 20040227 Calife heap corrupt / potential local root exploit 9776 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. http://www.squid-cache.org/Advisories/SQUID-2004_1.txt 9778 squid-urlregex-acl-bypass(15366) RHSA-2004:134 RHSA-2004:133 5916 MDKSA-2004:025 DSA-474 GLSA-200403-11 20040401 [OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid) CLA-2004:838 20040404-01-U SCOSA-2005.16 oval:org.mitre.oval:def:941 oval:org.mitre.oval:def:877 Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges. 9784 symantec-firewallvpn-password-plaintext(15212) 20040216 Symantec FireWall/VPN Appliance model 200 leak of security 4117 20040216 Symantec FireWall/VPN Appliance model 200 leak of security Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. mozilla-event-handler-xss(15322) 9747 20040225 Sandblad #13: Cross-domain exploit on zombie document with event handlers http://bugzilla.mozilla.org/show_bug.cgi?id=227417 RHSA-2004:112 RHSA-2004:110 4062 SSRT4722 oval:org.mitre.oval:def:937 oval:org.mitre.oval:def:874 Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page. 9755 20040227 Symantec Gateway Security Management Service Cross Site Scripting symantecgateway-error-xss(15330) Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username. VU#150326 20040226 Vulnerability in SMB Parsing in ISS Products http://www.eeye.com/html/Research/Upcoming/20040213.html pam-smb-protocol-bo(15207) 9752 4072 AD20040226 10988 20040227 EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing Overflow Stack-based buffer overflow in the OutputDebugString function for Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary code via a PDF document with XML Forms Data Format (XFDF) data. 9802 http://www.nextgenss.com/advisories/adobexfdf.txt acrobatreader-xfdf-bo(15384) 4135 20040303 Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability 20040303 Adobe Acrobat Reader XML Forms Data Format Buffer Overflow Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. VU#740716 TA04-104A msjet-query-execute-code(15703) 10112 MS04-014 oval:org.mitre.oval:def:968 Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm). VU#484814 win-hcp-code-execution(16095) 10321 MS04-015 20040512 MS04-015 - Windows Help Center - Dvdupgrade http://www.exploitlabs.com/files/advisories/EXPL-A-2004-001-helpctr.txt 20040512 MS04-015 - Windows Help Center - Dvdupgrade oval:org.mitre.oval:def:1032 oval:org.mitre.oval:def:1008 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. TA04-260A VU#297462 win-jpeg-bo(16304) MS04-028 20040914 Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow oval:org.mitre.oval:def:4307 oval:org.mitre.oval:def:4216 oval:org.mitre.oval:def:4003 oval:org.mitre.oval:def:3881 oval:org.mitre.oval:def:3810 oval:org.mitre.oval:def:3320 oval:org.mitre.oval:def:3082 oval:org.mitre.oval:def:3038 oval:org.mitre.oval:def:2706 oval:org.mitre.oval:def:1721 oval:org.mitre.oval:def:1105 Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. TA04-196A VU#920060 MS04-023 win-htmlhelp-execute-code(16586) 20040714 HtmlHelp - .CHM File Heap Overflow oval:org.mitre.oval:def:3179 oval:org.mitre.oval:def:2155 oval:org.mitre.oval:def:1530 oval:org.mitre.oval:def:1503 IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. 10487 MS04-016 ms-directx-directplay-dos(16306) 6742 11802 oval:org.mitre.oval:def:2705 oval:org.mitre.oval:def:2516 oval:org.mitre.oval:def:2413 oval:org.mitre.oval:def:2190 oval:org.mitre.oval:def:1027 Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query. VU#948750 MS04-026 exchange-owa-execute-code(16583) oval:org.mitre.oval:def:2016 Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx. 10260 crystalreports-file-deletion(16044) MS04-017 http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp 6748 11800 20040608 Vulnerability: Arbitrary File Access & DoS in Crystal Reports 20040502 Crystal Reports Vulnerabilities oval:org.mitre.oval:def:1157 Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function. TA04-196A VU#717748 iis-redirect-bo(16578) MS04-021 O-179 10706 7799 12061 oval:org.mitre.oval:def:2204 Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. VU#640488 win-ms04031-patch(17657) win-netdde-bo(16556) MS04-031 12803 11372 20041013 Microsoft Windows NetDDE Service Buffer Overflow oval:org.mitre.oval:def:6788 oval:org.mitre.oval:def:5074 oval:org.mitre.oval:def:4592 oval:org.mitre.oval:def:3242 oval:org.mitre.oval:def:3120 oval:org.mitre.oval:def:2394 oval:org.mitre.oval:def:1852 "Shatter" style vulnerability in the Window Management application programming interface (API) for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to gain privileges by using certain API functions to change properties of privileged programs using the SetWindowLong and SetWIndowLongPtr API functions. VU#218526 win-ms04032-patch(17658) win-mngmt-api-gain-privileges(16579) MS04-032 20041013 SetWindowLong Shatter Attacks The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. VU#910998 win-ms04032-patch(17658) win-vdm-gain-privilege(16580) MS04-032 20041013 EEYE: Windows VDM #UD Local Privilege Escalation oval:org.mitre.oval:def:4762 oval:org.mitre.oval:def:4316 oval:org.mitre.oval:def:3953 oval:org.mitre.oval:def:3161 oval:org.mitre.oval:def:1751 Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer." VU#806278 win-emf-bo(16581) MS04-032 20041019 [EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow win-ms04032-patch(17658) 11375 oval:org.mitre.oval:def:2428 oval:org.mitre.oval:def:2114 oval:org.mitre.oval:def:1872 The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow. TA04-196A VU#647436 win-posix-bo(16590) MS04-020 oval:org.mitre.oval:def:2847 oval:org.mitre.oval:def:2166 The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program. VU#119262 win-ms04032-patch(17658) win2k3-kernel-cpu-dos(16582) MS04-032 oval:org.mitre.oval:def:4893 Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. TA04-196A VU#228028 win-taskscheduler-bo(16591) http://www.ngssoftware.com/advisories/mstaskjob.txt MS04-022 20040714 Unchecked buffer in mstask.dll 12060 20040714 Microsoft Windows Task Scheduler '.job' Stack Overflow oval:org.mitre.oval:def:3428 oval:org.mitre.oval:def:1964 oval:org.mitre.oval:def:1781 oval:org.mitre.oval:def:1344 Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. TA04-196A VU#868580 MS04-019 20040713 Microsoft Window Utility Manager Local Elevation of Privileges win-utilitymanager-gain-privileges(16592) oval:org.mitre.oval:def:2495 Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. VU#616200 win-ms04037-patch(17662) win-long-fileshare-bo(15956) 10213 MS04-037 322857 1011647 11482 20040425 Microsoft's Explorer and Internet Explorer long share name buffer overflow. 20040425 Microsoft's Explorer and Internet Explorer long share name buffer overflow. http://www.securiteam.com/windowsntfocus/5JP0M1PCKI.html 5687 oval:org.mitre.oval:def:5307 oval:org.mitre.oval:def:4345 oval:org.mitre.oval:def:2638 oval:org.mitre.oval:def:1749 oval:org.mitre.oval:def:1601 Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. TA04-196A VU#869640 outlook-malformed-email-header-dos(16585) MS04-018 oval:org.mitre.oval:def:3376 oval:org.mitre.oval:def:2657 oval:org.mitre.oval:def:2137 oval:org.mitre.oval:def:1950 Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. TA04-293A VU#637760 ie-installenginectl-setciffile-bo(17620) MS04-038 20041012 Microsoft Internet Explorer Install Engine Control Buffer Overflow ie-ms04038-patch(17651) http://www.ngssoftware.com/advisories/msinsengfull.txt 20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a) 20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a) oval:org.mitre.oval:def:7865 oval:org.mitre.oval:def:7717 oval:org.mitre.oval:def:6600 oval:org.mitre.oval:def:6100 oval:org.mitre.oval:def:5329 oval:org.mitre.oval:def:5316 The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log. symantec-scanengine-race-condition(15215) 9662 20040216 Possible race condition in Symantec AntiVirus Scan Engine for Red isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#349113 openbsd-isakmp-zerolength-dos(15518) 20040317 015: RELIABILITY FIX: March 17, 2004 http://www.rapid7.com/advisories/R7-0018.html 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities 1009468 10028 11156 isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#785945 openbsd-isakmp-ipsec-dos(15628) 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities http://www.rapid7.com/advisories/R7-0018.html 20040317 015: RELIABILITY FIX: March 17, 2004 1009468 9907 isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via a an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#223273 openbsd-isakmp-integer-underflow(15629) 20040317 015: RELIABILITY FIX: March 17, 2004 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities 1009468 9907 http://www.rapid7.com/advisories/R7-0018.html isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#524497 openbsd-isakmp-delete-dos(15630) 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities http://www.rapid7.com/advisories/R7-0018.html 20040317 015: RELIABILITY FIX: March 17, 2004 1009468 9907 Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via certain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#996177 openbsd-isakmp-memory-leak(15519) 20040317 015: RELIABILITY FIX: March 17, 2004 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities http://www.rapid7.com/advisories/R7-0018.html 1009468 10028 Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range." 9845 11087 http://sourceforge.net/project/shownotes.php?release_id=5767 courier-codeset-converter-bo(15434) Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. RHSA-2004:172 midnight-commander-local-privileges(16016) SuSE-SA:2004:012 DSA-497 GLSA-200405-21 MDKSA-2004:039 Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allow a remote attacker to execute arbitrary code via a long query string. zoneminder-zms-bo(16136) 10340 http://www.zoneminder.com/index.php?id=20&type=0&backPID=20&tt_news=29 Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges. SuSE-SA:2004:010 GLSA-200407-02 linux-cpufreq-info-disclosure(15951) MDKSA-2004:050 11683 11491 11486 11464 11429 FEDORA-2004-111 CLA-2004:852 The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact. linux-framebuffer(15974) 10211 SuSE-SA:2004:010 GLSA-200407-02 MDKSA-2004:037 CLA-2004:852 TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. TA04-111A VU#415294 tcp-rst-dos(15886) ADV-2006-3983 http://www.uniras.gov.uk/vuls/2004/236929/index.htm 10183 SSRT061264 MS05-019 http://www.juniper.net/support/alert.html 20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products oval:org.mitre.oval:def:5711 20040425 Perl code exploting TCP not checking RST ACK. 20040403-01-A SCOSA-2005.14 SCOSA-2005.9 SCOSA-2005.3 NetBSD-SA2004-006 SSRT061264 4030 MS06-064 22341 11458 11440 SSRT4696 oval:org.mitre.oval:def:4791 oval:org.mitre.oval:def:3508 oval:org.mitre.oval:def:270 oval:org.mitre.oval:def:2689 Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, with unknown impact, related to "Insecure temporary file and directory creations." DSA-497 midnight-commander-insecure-files(16020) RHSA-2004:172 SuSE-SA:2004:012 GLSA-200405-21 MDKSA-2004:039 Multiple format string vulnerabilities in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. midnight-commander-format-string(16021) RHSA-2004:172 SuSE-SA:2004:012 DSA-497 GLSA-200405-21 MDKSA-2004:039 Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. 10178 RHSA-2004:174 utemper-symlink(15904) SSA:2004-110 RHSA-2004:175 1000752 GLSA-200405-05 oval:org.mitre.oval:def:10115 MDKSA-2004:031 oval:org.mitre.oval:def:979 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. 10243 20040510 [Ulf Harnhammar]: LHA Advisory + Patch FLSA:1833 lha-multiple-bo(16012) ADV-2006-1220 RHSA-2004:179 RHSA-2004:178 FEDORA-2004-119 5754 5753 http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt DSA-515 1015866 GLSA-200405-02 19514 oval:org.mitre.oval:def:9881 20040502 Lha local stack overflow Proof Of Concept Code 20040501 LHa buffer overflows and directory traversal problems CLA-2004:840 20060403 Barracuda LHA archiver security bug leads to remote compromise oval:org.mitre.oval:def:977 Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). 10243 20040510 [Ulf Harnhammar]: LHA Advisory + Patch FLSA:1833 lha-directory-traversal(16013) RHSA-2004:179 RHSA-2004:178 FEDORA-2004-119 DSA-515 GLSA-200405-02 oval:org.mitre.oval:def:10409 20040501 LHa buffer overflows and directory traversal problems CLA-2004:840 oval:org.mitre.oval:def:978 SQL injection vulnerability in login.asp in thePHOTOtool allows remote attackers to gain unauthorized access via the password field. thephototool-login-sql-injection(15007) 9884 6727 1008906 20040131 Advisory ! Directory traversal vulnerability in index.php in Aprox PHP Portal allows remote attackers to read arbitrary files via a full pathname in the show parameter. aproxphpportal-index-directory-traversal(15014) 9540 20040131 Directory Traversal in Aprox PHP Portal. 10859 1008915 Multiple buffer overflows in Overkill (0verkill) 0.15pre3 might allow local users to execute arbitrary code in the client via a long HOME environment variable in the (1) load_cfg and (2) save_cfg functions; possibly allow remote attackers to execute arbitrary code via long strings to (3) the send_message function; and, in the server, via (4) the parse_command_line function. overkill-server-parsecommandline-bo(15000) overkill-client-multiple-bo(14999) 9550 http://www.securiteam.com/securitynews/5AP010KC0C.html 20040202 0verkill - little simple vulnerability. 20040202 0verkill - little simple vulnerability. SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable. photopostphp-sql-injection(15008) 9557 http://www.securiteam.com/securitynews/5KP010UC0W.html 20040202 ZH2004-03SA (security advisory): Photopost PHP Pro 4.6 Sql Directory traversal vulnerability in X-Cart 3.4.3 allows remote attackers to view arbitrary files via a .. (dot dot) in the shop_closed_file argument to auth.php. xcart-dotdot-directory-traversal(15033) 20040203 X-Cart vulnerability X-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php. 9560 xcart-perlbinary-execute-commands(15034) 20040203 X-Cart vulnerability X-Cart 3.4.3 allows remote attackers to gain sensitive information via a mode parameter with (1) phpinfo command or (2) perlinfo command. 9563 xcart-generalphp-obtain-information(15036) 20040203 X-Cart vulnerability AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. aix-password-enumeration(15172) 20040203 Re: sqwebmail web login 20040206 AIX password enumeration possible Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet. VU#810062 cisco-malformed-frame-dos(15013) 9562 20040203 Cisco 6000/6500/7600 Crafted Layer 2 Frame Vulnerability 10780 oval:org.mitre.oval:def:5828 Web Crossing 4.x and 5.x allows remote attackers to cause a denial of service (crash) by sending a HTTP POST request with a large or negative Content-Length, which causes an integer divide-by-zero. 20040203 Web Crossing 4.x/5.x Denial of Service Vulnerability webcrossing-contentlength-post-dos(15022) 9576 Multiple PHP remote file inclusion vulnerabilities in (1) fonctions.lib.php, (2) derniers_commentaires.php, and (3) admin.php in Les Commentaires 2.0 allow remote attackers to execute arbitrary PHP code via the rep parameter. 20040203 Les Commentaires (PHP) Include file lescommentaires-multiple-file-include(15010) 9536 10768 The client and server of Chaser 1.50 and earlier allow remote attackers to cause a denial of service (crash via exception) via a UDP packet with a length field that is greater than the actual data length, which causes Chaser to read unexpected memory. chaser-memory-dos(15031) 9567 20040203 Remote crash of Chaser game <= 1.50 Cross-site scripting vulnerability (XSS) in PHPX 3.2.3 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into (1) keywords argument of main.inc.php, (2) body argument of help.inc.php, or (3) the subject field in Personal Messages and Forum. This vulnerability is addressed in the following product release: PHPX, PHPX, 3.2.4 phpx-main-help-xss(15051) phpx-subject-html-injection(15050) 9569 10797 20040203 Multiple Vulnerabilities in PHPX PHPX 2.0 through 3.2.4 allows remote attackers to gain access to other accounts by modifying the cookie's PXL variable to reference another userID. 9569 phpx-cookie-account-hijacking(15052) 20040203 Multiple Vulnerabilities in PHPX phpx-session-hijack(15512) 10797 20040316 PHPX 2.x - 3.2.4 SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php. 20040204 ZH2004-04SA (security advisory): Multiple Sql Injection photopostphp-sql-injection(15008) http://www.zone-h.org/en/advisories/read/id=3864/ 9557 Cross-site scripting (XSS) vulnerability in rxgoogle.cgi allows remote attackers to execute arbitrary script as other users via the query parameter. 20040204 rxgoogle.cgi XSS Vulnerability. rxgoogle-query-xss(15043) 9575 TYPSoft FTP Server 1.10 allows remote attackers to cause a denial of service (CPU consumption) via an empty USER name. typsoft-empty-username-dos(15048) 9573 20040204 TYPSoft FTP Server 1.10 may be crashed 1008943 IBM Cloudscape 5.1 running jdk 1.4.2_03 allows remote attackers to execute arbitrary programs or cause a denial of service via certain SQL code, possibly due to a SQL injection vulnerability. cloudscape-sql-injection(15067) 9583 20040205 IBM cloudscape SQL Database (DB2J) vulnerable to remote command Cross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x allows remote attackers to execute arbitrary script as other users via an img tag. discuzboard-image-tag-xss(15066) 9584 20040205 Possible Cross Site Scripting in Discuz! Board Xlight 1.52, with log to screen enabled, allows remote attackers to cause a denial of service by requesting a long directory consisting of . (dot) and / (slash) characters, which causes the server to crash when the administrator views the log file, possibly triggering a buffer overflow. xlight-long-string-dos(15064) 9585 20040205 Remote crash Xlight ftp server 1.52 GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp. 9530 libtool-insecure-temp-directory(15017) 20040130 Symlink Vulnerability in GNU libtool <1.5.2 3795 http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405 10777 CLA-2004:811 OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a denial of service (crash) by sending an IPv6 packet with a small MTU to a listening port and then issuing a TCP connect to that port. 9577 openbsd-ipv6-dos(15044) http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c http://www.guninski.com/obsdmtu.html 20040205 OpenBSD IPv6 remote kernel crash 3825 20040204 Remote openbsd crash with ip6, yet still openbsd much better than windows NetBSD-SA2004-002 Multiple buffer overflows in RealOne Player, RealOne Player 2.0, RealOne Enterprise Desktop, and RealPlayer Enterprise allow remote attackers to execute arbitrary code via malformed (1) .RP, (2) .RT, (3) .RAM, (4) .RPM or (5) .SMIL files. VU#473814 9579 20040204 Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer realoneplayer-multiple-file-bo(15040) http://www.service.real.com/help/faq/security/040123_player/EN/ http://www.nextgenss.com/advisories/realone.txt O-075 20040204 [VulnWatch] Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer The check_referer() function in Formmail.php 5.0 and earlier allows remote attackers to bypass access restrictions via an empty or spoofed HTTP Referer, as demonstrated using an application on the same web server that contains a cross-site scripting (XSS) issue. jack-formmail-file-upload(15079) 9591 20040206 formmail (PHP) Upload file using CSS The AddToMailingList function in CactuSoft CactuShop 5.0 Lite contains a backdoor that allows remote attackers to delete arbitrary files via an email address that starts with |||. cactushoplite-backdoor(15063) 9589 20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdoor 20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdoor oj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to bypass authentication and access the control panel via a 0 in the uid parameter. 9598 openjournal-uid-admin-access(15069) http://www.grohol.com/downloads/oj/latest/changelog.txt 20040206 Open Journal Blog Authenticaion Bypassing Vulnerability 3872 Stack-based buffer overflow in The Palace 3.5 and earlier client allows remote attackers to execute arbitrary code via a link to a palace:// url followed by a long server address string. palace-server-address-bo(15074) 9602 http://www.elitehaven.net/thepalace.txt 20040207 The Palace 3.x (Client) Stack Overflow Vulnerability 20040207 The Palace 3.x (Client) Stack Overflow Vulnerability PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information. php-virtualhost-info-disclosure(15072) 9599 3878 GLSA-200402-01 palmhttpd for PalmOS allows remote attackers to cause a denial of service (crash) by establishing two simultaneous HTTP connections, which exceeds the PalmOS accept queue. 9608 20040208 PalmOS httpd accept() queue overflow DoS vulnerability. palmhttpd-accept-bo(15090) Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules. phpnuke-mulitple-xss(15076) 9613 9605 20040208 [waraxe-2004-SA#002] - Cross-Site Scripting (XSS) in Php-Nuke 7.1.0 SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers obtain the administrator password via the c_mid parameter. phpnuke-publicmessage-sql-injection(15080) 9615 20040208 [waraxe-2004-SA#003] - SQL injection in Php-Nuke 7.1.0 The (1) inoregupdate, (2) uniftest, or (3) unimove scripts in eTrust InoculateIT for Linux 6.0 allow local users to overwrite arbitrary files via a symlink attack on files in /tmp. etrust-inoculateit-symlink(15102) 9616 4856 4855 4735 http://www.excluded.org/advisories/advisory10.txt 10833 20040209 [local problems] eTrust Virus Protection 6.0 InoculateIT for linux Multiple buffer overflows in EvolutionX 3921 and 3935 allow remote attackers to cause a denial of service (hang) via (1) a long cd command to the FTP server, or (2) a long dir command to the telnet server. evolutionx-command-line-dos(15104) 9631 20040210 XBOX EvolutionX ftp 'cd' command and telnet 'dir' buffer overflow 20040210 XBOX EvolutionX ftp 'cd' command and telnet 'dir' buffer overflow SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module. 9630 20040210 [SCAN Associates Sdn Bhd Security Advisory] PHPNuke 6.9 > and below SQL Injection in multiple module phpnuke-modules-sql-injection(15115) http://www.scan-associates.net/papers/phpnuke69.txt libclamav in Clam AntiVirus 0.65 allows remote attackers to cause a denial of service (crash) via a uuencoded e-mail message with an invalid line length (e.g., a lowercase character), which causes an assert error in clamd that terminates the calling program. 9610 20040209 clamav 0.65 remote DOS exploit clam-antivirus-uuencoded-dos(15077) http://www.freebsd.org/cgi/query-pr.cgi?pr=62586 GLSA-200402-07 3894 Multiple cross-site scripting vulnerabilities (XSS) in MaxWebPortal allow remote attackers to execute arbitrary web script as other users via (1) the sub_name parameter of dl_showall.asp, (2) the SendTo parameter in Personal Messages, (3) the HTTP_REFERER for down.asp, or (4) the image name of an Avatar in the register form. This vulnerability is addressed in the following product release: MaxWebPortal, MaxWebPortal, 1.32 maxwebportal-register-xss(15122) maxwebportal-multiple-xss(15120) 9625 20040210 XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal SQL injection vulnerability in MaxWebPortal allows remote attackers to inject arbitrary SQL code and gain sensitive information via the SendTo parameter in Personal Messages. maxwebportal-personalmesssages-sql-injection(15121) 9625 20040210 XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal Directory traversal vulnerability in RealOne Player, RealOne Player 2.0, and RealOne Enterprise Desktop allows remote attackers to upload arbitrary files via an RMP file that contains .. (dot dot) sequences in a .rjs skin file. VU#514734 9580 http://service.real.com/help/faq/security/040123_player/EN/ 20040210 Directory traversal in RealPlayer allows code execution realoneplayer-rmp-directory-traversal(15123) Share.mod in Eggheads Eggdrop IRC bot 1.6.10 through 1.6.15 can mistakenly assign STAT_OFFERED status to a bot that is not a sharebot, which allows remote attackers to use STAT_OFFERED to promote a bot to a sharebot and conduct unauthorized activities. 20040210 Re: Eggrop bug 20040208 Eggrop bug eggdrop-sharemod-gain-access(15084) 9606 http://mogan.nonsoloirc.com/egg_advisory.txt 3928 http://www.eggheads.org/news/2004/04/10/26 SQL injection vulnerability in calendar_download.php in BosDates 3.2 and earlier allows remote attackers to obtain sensitive information and gain access via the calendar parameter. bosdates-calendar-sql-injection(15133) http://www.zone-h.org/en/advisories/read/id=3925/ 9639 20040211 ZH2004-05SA (security advisory): Sql Injection Vulnerability in BosDates The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. 9642 monkey-getrealstring-dos(15187) 3921 http://monkeyd.sourceforge.net/ 20040211 Denial of Service in Monkey httpd <= 0.8.1 http://aluigi.altervista.org/poc/monkeydos.zip Format string vulnerability in Dream FTP 1.02 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the username. dreamftp-username-format-string(15070) 9600 http://www.security-protocols.com/modules.php?name=News&file=article&sid=1722 20040211 Re: [Full-Disclosure] DreamFTP Server 1.02 Buffer Overflow 20040207 DreamFTP Server 1.02 Buffer Overflow Ratbag game engine, as used in products such as Dirt Track Racing, Leadfoot, and World of Outlaws Spring Cars, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet that specifies the length of data to read and then sends a second TCP packet that contains less data than specified, which causes Ratbag to repeatedly check the socket for more data. ratbag-data-length-dos(15188) 9644 20040211 Denial of Service in Ratbag's game engine AIM Sniff (aimSniff.pl) 0.9b allows local users to overwrite arbitrary files via a symlink attack on /tmp/AS.log. 9653 20040212 aimSniff.pl file "deletion" (local) aim-sniff-symlink(15199) Caucho Technology Resin 2.1.12 allows remote attackers to view JSP source via an HTTP request to a .jsp file that ends in a "%20" (encoded space character), e.g. index.jsp%20. resin-source-disclosure(15085) 9614 20040205 Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/") Caucho Technology Resin 2.1.12 allows remote attackers to gain sensitive information and view the contents of the /WEB-INF/ directory via an HTTP request for "WEB-INF..", which is equivalent to "WEB-INF" in Windows. resin-dotdot-directory-traversal(15087) 9617 20040205 Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/") Crob FTP daemon 3.5.2 allows remote attackers to cause a denial of service (crash) by repeatedly connecting to and disconnecting from the server. crob-multiple-connections-dos(15201) 9651 6621 10882 20040212 crob ftpd Denial of Service Mailmgr 1.2.3 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/mailmgr.unsort, (2) /tmp/mailmgr.tmp, or (3) /tmp/mailmgr.sort. mailmgr-insecure-temp-directory (15203) 9654 20040212 Symlink vulnerabilities in mailmgr Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow remote attackers to cause a denial of service (CPU consumption), if "Do not save encrypted pages to disk" is disabled, via a web site or HTML e-mail that contains two null characters (%00) after the host name. 9629 20040210 ASPR #2004-01-20-1: Internet Explorer/Outlook double null character DoS ie-host-null-dos(15127) PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter. 9664 allmyvisitors-file-include(15228) allmyguests-php-file-include(15227) allmylinks-file-include(15226) 6721 20040214 AllMyLinks PHP Code Injection vulnerability 20040214 AllMyVisitors PHP Code Injection vulnerability 20040214 AllMyGuests PHP Code Injection vulnerability Buffer overflow in RobotFTP 1.0 and 2.0 beta 1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long username. robot-username-bo(15225) 9672 20040215 buffer overflow in Robot FTP Server Xlight FTP server 1.52 allows remote authenticated users to cause a denial of service (crash) via a RETR command with a long argument containing a large number of / (slash) characters, possibly triggering a buffer overflow. xlight-retr-dos(15220) 9668 20040215 Xlight ftp server 1.52 RETR bug Buffer overflow in the UdmDocToTextBuf function in mnoGoSearch 3.2.13 through 3.2.15 could allow remote attackers to execute arbitrary code by indexing a large document. 9667 20040215 Buffer overflow in mnoGoSearch mnogosearch-udmdoctotextbuf-bo(15209) Buffer overflow in sdbscan in SignatureDB 0.1.1 allows local users to cause a denial of service (segmentation fault) via a database file that contains a large key parameter. signaturedb-sdbscan-bo(15217) 9661 20040215 problems with database files in 'SignatureDB' Buffer overflow in Purge Jihad 2.0.1 and earlier allows remote game servers to execute arbitrary code via an information packet that contains large (1) battle type and (2) map name fields. purge-battletype-map-bo(15216) 9671 http://purge.worthplaying.com/phpbb/viewtopic.php?t=1167 20040216 Broadcast client buffer-overflow in Purge Jihad <= 2.0.1 SQL injection vulnerability in post.php for YaBB SE 1.5.4 and 1.5.5 allows remote attackers to obtain hashed passwords via the quote parameter. 9674 yabb-post-sql-injection(15224) 20040216 Another YabbSE SQL Injection Buffer overflow in KarjaSoft Sami HTTP Server 1.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request. sami-http-get-bo(15237) 9679 http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746 20040217 KarjaSoft Sami HTTP Server 1.0.4 Buffer Overflow Directory traversal vulnerability in ShopCartCGI 2.3 allows remote attackers to retrieve arbitrary files via a .. (dot dot) in a HTTP request to (1) gotopage.cgi or (2) genindexpage.cgi. shopcartcgi-dotdot-directory-traversal(14982) http://www.zone-h.org/en/advisories/read/id=3962/ 9670 20040217 ZH2004-06SA (security advisory): ShopCartCGI v2.3 Remote YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. yabb-invalidmessage-obtain-information(15236) 9677 20040217 YABB information leakage on failed login TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a denial of service (CPU consumption) via an open idle connection. broker-ftp-tsftpsrv-dos(15242) 9680 http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html 20040217 Broker FTP DoS (Message Server) TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a TsFtpSrv.exe to exit with an exception by opening and immediately closing a connection. broker-ftp-dos(15241) 9680 http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html 20040217 Broker FTP DoS (Message Server) Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length. VU#972334 9682 imail-ldap-tag-bo(15243) http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html 3984 20040217 Ipswitch IMail LDAP Daemon Remote Buffer Overflow CesarFTP 0.99e allows remote attackers to cause a denial of service (CPU consumption) via a long RETR parameter. cesarftp-userpass-dos(15252) 9666 20040217 CesarFTP 0.99 : 100% employment of computer resources Buffer overflow in smallftpd 0.99 allows local users to cause a denial of service (crash) via an FTP request with a large number of "/" (slash) characters. smallftpd-forwardslash-dos(15262) 9684 20040217 Smallftpd 1.0.3 DoS SQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_brand.php, or (4) the id parameter in listing.php. onlinestorekit-more-sql-injection(15232) http://www.zone-h.org/en/advisories/read/id=3972/ http://www.systemsecure.org/advisories/ssadvisory16022004.php 9687 9676 10902 20040218 ZH2004-07SA (security advisory): Multiple Sql injection 3973 1009092 Cross-site scripting (XSS) vulnerability in more.php for Online Store Kit 3.0 allows remote attackers to inject arbitrary HTML via the id parameter. onlinestorekit-more-xss(15235) http://www.systemsecure.org/advisories/ssadvisory16022004.php 9676 1009079 10902 Directory traversal vulnerability in OWLS 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the (1) file parameter in index.php, (2) editfile in glossary.php, or (3) editfile in newmultiplechoice.php. owls-file-retrieval(15249) http://www.zone-h.org/en/advisories/read/id=3973/ 9689 20040218 ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files OWLS 1.0 allows remote attackers to retrieve arbitrary files via absolute pathnames in (1) the file parameter in /glossaries/index.php, (2) the filename parameter in /readings/index.php, or (3) the filename parameter in /multiplechoice/resultsignore.php, as demonstrated using /etc/passwd. owls-file-retrieval(15249) http://www.zone-h.org/en/advisories/read/id=3973/ 9689 20040218 ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files SQL injection vulnerability in browse_items.asp in WebCortex WebStores 2000 6.0 allows remote attackers to gain unauthorized access and execute arbitrary commands via the Search_Text parameter. webstores-browseitems-sql-injection(15253) 7766 http://www.s-quadra.com/advisories/Adv-20040218.txt 20040218 WebCortex Webstores2000 version 6.0 multiple security vulnerabilities Cross-site scripting (XSS) vulnerability in error.asp in WebCortex WebStores 2000 6.0 allows remote attackers to execute arbitrary script as other users and steal session IDs via the Message_id parameter. webstores-error-xss(15254) 9693 20040218 WebCortex Webstores2000 version 6.0 multiple security vulnerabilities Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service on UDP port 69 by default, which allows remote attackers to GET or PUT ONS system files on the current active TCC in the /flash0 or /flash1 directories. 9699 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities cisco-ons-file-upload(15264) Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SD before 4.1(3) allows remote attackers to cause a denial of service (reset) by not sending the ACK portion of the TCP three-way handshake and sending an invalid response instead. 9699 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities cisco-ons-ack-dos(15265) 4009 Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS15600 before 1.3(0) allows a superuser whose account is locked out, disabled, or suspended to gain unauthorized access via a Telnet connection to the VxWorks shell. 9699 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities cisco-ons-gain-access(15266) 4010 Stack-based buffer overflow in the SMTP service support in vsmon.exe in Zone Labs ZoneAlarm before 4.5.538.001, ZoneLabs Integrity client 4.0 before 4.0.146.046, and 4.5 before 4.5.085, allows remote attackers to execute arbitrary code via a long RCPT TO argument. VU#619982 20040219 EEYE: ZoneLabs SMTP Processing Buffer Overflow zonelabs-multiple-products-bo(14991) 9696 http://download.zonelabs.com/bin/free/securityAlert/8.html 3991 O-084 Cross-site scripting (XSS) vulnerability in LiveJournal 1.0 and 1.1 allows remote attackers to execute Javascript as other users via the stylesheet, which does not strip the semicolon or parentheses, as demonstrated using a background:url. livejournal-url-xss(15268) 9700 20040219 LiveJournal XSS American Power Conversion (APC) Web/SNMP Management SmartSlot Card 3.0 through 3.0.3 and 3.21 are shipped with a default password of TENmanUFactOryPOWER, which allows remote attackers to gain unauthorized access. 9681 apc-smartslot-default-password(15238) http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=3131&p_created=1077139129 20040219 Re: Fw: APC 9606 SmartSlot Web/SNMP management card "backdoor" 20040216 APC 9606 SmartSlot Web/SNMP management card "backdoor" Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP read only community string to gain access to read/write communtiy strings via a query for OID 1.3.6.1.4.1.3955.2.1.13.1.2. linksys-snmp-strings-disclosure(15257) 9688 20040219 Re: SNMP community string disclosure in Linksys WAP55AG 20040217 SNMP community string disclosure in Linksys WAP55AG Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name. psoproxy-long-get-bo(15275) 9706 20040220 Remote Buffer Overflow in PSOProxy 0.91 Cross-site scripting (XSS) vulnerability in done.jsp in WebzEdit 1.9 and earlier allows remote attackers to execute arbitrary script as other users via the message parameter. webzedit-done-xss(15289) 20040221 Cross Site Scripting in WebzEdit Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080. avirt-voice-get-bo(15288) 9721 20040223 Remote Buffer Overflow in Avirt Voice 4.0 Buffer overflow in Avirt Soho 4.3 allows remote attackers to cause a denial of service (crash) via (1) a large GET request to port 1080 or (2) a large GET request of % characters to port 8080. avirt-soho-multiple-bo(15286) 9723 9722 20030223 Multiple Remote Buffer Overflow in Avirt Soho 4.3 Buffer overflow in eauth in Load Sharing Facility 4.x, 5.x, and 6.x allows local users or remote attackers within the LSF cluster to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long LSF_From_PC parameter. 9719 20040223 Lam3rZ Security Advisory #1/2004: LSF eauth vulnerability leads to remote code execution lsf-eauth-execute-code(15282) Load Sharing Facility (LSF) 4.x, 5.x, and 6.x uses the LSF_EAUTH_UID environment variable, if it exists, instead of the real UID of the user, which could allow remote attackers within the local cluster to gain privileges. 9724 20040223 Lam3rZ Security Advisory #2/2004: LSF eauth vulnerability leads to a possibility of controlling cluster jobs on behalf of other users lsf-eauth-process-hijack(15278) Cross-site scripting (XSS) vulnerability in the font tag in ezBoard 7.3u allows remote attackers to execute arbitrary script as other users, as demonstrated using the background:url in a (1) font color or (2) font face argument. ezboard-font-xss(15287) 9725 20040223 ezBoard Cross Site Scripting Vulnerability Unknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands. 20040223 nCipher Advisory #9: Host-side attackers can access secret data ncipher-hsm-obtain-info(15281) 9717 4055 Team Factor 1.25 and earlier allows remote attackers to cause a denial of service (crash) via a packet that uses a negative number to specify the size of the data block that follows, which causes Team Factor to read unallocated memory. 20040223 Remote server crash in Team Factor <= 1.25 teamfactor-packet-dos(15274) http://www.zone-h.org/advisories/read/id=4006 9708 Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to execute arbitrary script as other users via the (1) member parameter in member.php, (2) uid parameter in u2uadmin.php, (3) user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) img tag where bbcode is allowed. xmb-multiple-scripts-xss(15292) 9726 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 xmb-bbcode-execute-code(15294) http://www.xmbforum.com/community/boards/viewthread.php?tid=746859 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to inject arbitrary SQL and gain privileges via the (1) ppp parameter in viewthread.php, (2) desc parameter in misc.php, (3) tpp parameter in forumdisplay.php, (4) ascdesc parameter in forumdisplay.php, or (5) the addon parameter in stats.php. NOTE: it has also been shown that item (3) is also in XMB 1.9 beta. xmb-multiple-sql-injection(15295) 9726 http://www.xmbforum.com/community/boards/viewthread.php?tid=746859 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta] 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 Confirm 0.62 and earlier could allow remote attackers to execute arbitrary code via an e-mail header that contains shell metacharacters such as ", `, |, ;, or $. confirm-header-gain-access(15290) 9728 20040223 Lam3rZ Security Advisory #3/2004: A bug in Confirm leads to remote command execution TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (CPU consumption) via "//../" arguments to (1) mkd, (2) xmkd, (3) dele, (4) size, (5) retr, (6) stor, (7) appe, (8) rnfr, (9) rnto, (10) rmd, or (11) xrmd, as demonstrated using "//../qwerty". typsoft-ftp-command-dos(15306) 9702 20040223 TYPSoft FTP Server 1.10 multiple vulnerabilities Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request. gatekeeper-long-get-bo(15277) 9716 20040222 GateKeeper Pro 4.7 buffer overflow 20040222 GateKeeper Pro 4.7 buffer overflow Directory traversal vulnerability in functions.php in PhpNewsManager 1.46 allows remote attackers to retrieve arbitrary files via .. (dot dot) sequences in the clang parameter. phpnewsmanager-dotdot-directory-traversal(15283) http://www.zone-h.org/advisories/read/id=4024 9720 20040223 ZH2004-09SA (security advisory): PhpNewsManager Remote arbitrary Gigabyte Gn-B46B 2.4Ghz wireless broadband router firmware 1.003.00 allows local users on the same local network as the router to bypass authentication by using a copy of the router's html menu on a separate system. gigabyte-gnb46b-bypass-authentication(15313) 9740 20040224 Gigabyte Broadband Router - Multiple Vulnerabilities FreeChat 1.1.1a allows remote attackers to cause a denial of service (crash) via certain unexpected strings, as demonstrated using "aaaaa". freechat-string-dos(15321) 9744 20040226 Denial Of Service in FreeChat 1.1.1a Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command. servu-mdtm-bo(15323) 9751 http://www.cnhonker.com/advisory/serv-u.mdtm.txt 20040226 [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability Heap-based buffer overflow in Dell OpenManage Web Server 3.4.0 allows remote attackers to cause a denial of service (crash) via a HTTP POST with a long application variable. 9750 dell-openmanage-ocsgetoeminpathfile-bo(15325) http://sh0dan.org/files/domadv.txt 20040226 Dell OpenManage Web Server Heap Overflow (Pre-Auth) Extremail 1.5.9 does not check passwords correctly when they are all digits or begin with a digit, which allows remote attackers to gain privileges. extremail-password-gain-access(15329) 9754 20040226 Extremail Security Problem Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters. This was fixed in WinZip 8.1 SR-2 in March of 2004. You can find more information on the subject on the following pages of the winzip site: http://www.winzip.com/wz81sr2.htm http://www.winzip.com/fmwz90.htm VU#116182 9758 uudeview-multiple-bo(15490) winzip-mime-bo(15336) http://www.winzip.com/fmwz90.htm 4119 http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html 20040227 WinZip MIME Parsing Buffer Overflow Vulnerability O-092 11019 10995 InnoMedia VideoPhone allows remote attackers to bypass Basic Authorization via an HTTP request to (1) videophone_admindetail.asp, (2) videophone_syscfg.asp, (3) videophone_upgrade.asp, or (4) videophone_sysctrl.asp that contains a trailing / (slash). NOTE: the original report mentioned AXIS 2100 Network Camera, but this was likely a cut-and-paste error. InnoMedia-videophone-bypass-authentication(15636) 4809 1009522 20040227 InnoMedia VideoPhone Authorization Bypass LAN SUITE Web Mail 602Pro, when configured to use the "Directory browsing" feature, allows remote attackers to obtain a directory listing via an HTTP request to (1) index.html, (2) cgi-bin/, or (3) users/. 602pro-directory-listing(15349) 9780 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities LAN SUITE Web Mail 602Pro allows remote attackers to gain sensitive information via the mail login form, which contains the path to the mail directory. 602pro-path-disclosure(15350) 9781 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in LAN SUITE Web Mail 602Pro allows remote attackers to execute arbitrary script or HTML as other users via a URL to index.html, followed by a / (slash) and the desired script. NOTE: the vendor states that this bug could not be reproduced, so this issue may be REJECTed in the future. 602pro-index-xss(15351) 9777 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities SQL injection vulnerability in search.php for Invision Board Forum allows remote attackers to execute arbitrary SQL queries via the st parameter. 20040228 Invision Power Board SQL injection! invision-search-sql-injection(15343) 9766 Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execute arbitrary script or HTML as other users via the postorder parameter. This vulnerability is addressed in the following product release: phpBB Group, phpBB, 2.0.7 9765 phpbb-viewtopicphp-xss(15348) 20040228 New phpBB ViewTopic.php Cross Site Scripting Vulnerability Stack-based buffer overflow in WFTPD Pro Server 3.21 Release 1, Pro Server 3.20 Release 2, Server 3.21 Release 1, and Server 3.10 allows local users to execute arbitrary code via long (1) LIST, (2) NLST, or (3) STAT commands. 9767 wftpd-ftp-commands-bo(15340) 20040228 Critical WFTPD buffer overflow vulnerability 11001 WFTPD Pro Server 3.21 Release 1 allocates memory for a command until a 0Ah byte (newline) is sent, which allows local users to cause a denial of service (CPU consumption) by continuing to send a long command that does not contain a newline. 9767 wftpd-string-0Ahbyte-dos(15341) 20040228 Multiple WFTPD Denial of Service vulnerabilities 4115 11001 WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly due to an off-by-one error. 9767 wftpd-ftp-command-dos(15342) 20040228 Multiple WFTPD Denial of Service vulnerabilities 4116 11001 Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b allow remote attackers to execute arbitrary SQL via (1) the msg parameter in ModifyMessage.php or (2) the postid parameter in ModifyMessage.php. 9774 yabb-multiple-sql-injection(15354) 20040301 YabbSE (3 on 1) Directory traversal vulnerability in ModifyMessage.php in YaBB SE 1.5.4 through 1.5.5b allows remote attackers to delete arbitrary files via a .. (dot dot) in the attachOld parameter. 9774 20040301 YabbSE (3 on 1) Buffer overflow in Red Faction client 1.20 and earlier allows remote servers to execute arbitrary code via a long server name. redfaction-bo(15353) 9775 20040301 Clients broadcast buffer overflow in Red Faction <= 1.20 Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command. proftpd-offbyone-bo(15387) 9782 20040302 The Cult of a Cardinal Number Cross-site scripting (XSS) vulnerability in delhomepage.cgi in NetScreen-SA 5000 Series running firmware 3.3 Patch 1 (build 4797) allows remote authenticated users to execute arbitrary script as other users via the row parameter. VU#114070 9791 20040304 NetScreen Advisory 58412: XSS Bug in NetScreen-SA SSL VPN 20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance netscreen-delhomepagecgi-xss(15368) 20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance SQL injection vulnerability in viewCart.asp in SpiderSales shopping cart software allows remote attackers to execute arbitrary SQL via the userId parameter. spidersales-userid-sql-injection(15371) 9799 http://www.s-quadra.com/advisories/Adv-20040303.txt 20040303 Spider Sales shopping cart software multiple security vulnerabilities Directory traversal vulnerability in GWeb HTTP Server 0.6 allows remote attackers to view arbitrary files via a .. (dot dot) in the URL. 20040303 directory traversal in GWeb 0.6 gweb-dotdot-directory-traversal(15381) 9742 SpiderSales shopping cart does not enforce a minimum length for the private key, which can make it easier for local users to obtain the private key by factoring. spidersales-weak-encryption(15370) 9799 http://www.s-quadra.com/advisories/Adv-20040303.txt 20040303 Spider Sales shopping cart software multiple security vulnerabilities 20040303 Spider Sales shopping cart software multiple security vulnerabilities Spider Sales shopping cart stores the private key in the same database and table as the public key, which allows local users with access to the database to decrypt data. spidersales-weak-encryption(15370) 9799 20040303 Spider Sales shopping cart software multiple security vulnerabilities 20040303 Spider Sales shopping cart software multiple security vulnerabilities Cisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x) before 05.0(04.07)S, and 6.10(x) before 06.10(02.05)S allow remote attackers to cause a denial of service (device reset) via a malformed packet to UDP port 5002. VU#363374 9806 20040304 Cisco CSS 11000 Series Content Services Switches Malformed UDP Packet Vulnerability cisco-css-udp-dos(15388) Multiple buffer overflows in auth_ident() function in auth.c for GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to gain privileges via a long string. 9772 anubis-ident-bo(15345) 20040310 GNU Anubis 3.6.2 remote root exploit 20040304 GNU Anubis buffer overflows and format string bugs [bug-anubis] 20040228 Important security update Multiple format string vulnerabilities in GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to execute arbitrary code via format string specifiers in strings passed to (1) the info function in log.c, (2) the anubis_error function in errs.c, or (3) the ssl_error function in ssl.c. 9772 anubis-format-string(15346) 20040304 GNU Anubis buffer overflows and format string bugs [bug-anubis] 20040228 Important security update Invision Power Board 1.3 Final allows remote attackers to gain sensitive information by selecting a file for "Personal Photo" that is not an image file, which displays the installation path in an error message. invision-invalid-path-disclosure(15400) 9810 20040305 Invision Power Board 1.3 Final Path Disclosure Vulnerability Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version. slmail-src-stack-bo(15398) 9809 http://www.nextgenss.com/advisories/slmailsrc.txt 20040305 SLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a) http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf Stack-based buffer overflows in SL Mail Pro 2.0.9 allow remote attackers to execute arbitrary code via (1) user.dll, (2) loadpageadmin.dll or (3) loadpageuser.dll. 9808 slmail-slwebmail-bo(15399) http://www.nextgenss.com/advisories/slmailwm.txt 20040305 SLWebMail Multiple Buffer Overflow Vulnerabilities (#NISR05022004b) http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php. virtuanews-multiple-xss(15402) 9819 9812 20040305 VirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting Vulnerabillity 20040307 RE: VirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting Vulnerabillity Cross-site scripting (XSS) vulnerability in index.php for Invision Power Board 1.3 final allows remote attackers to execute arbitrary script as other users via the (1) c, (2) f, (3) showtopic, (4) showuser, or (5) username parameters. invision-xss(15403) 9768 4154 11053 20040305 Invision Power Board v1.3 Final Cross Site Scripting Vulnerabillity Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors. VU#694782 9757 solaris-passwd-gain-privileges(15327) O-088 57454 200470305 O-088: Sun passwd(1) Command Vulnerability The Javascript engine in Safari 1.2 and earlier allows remote attackers to cause a denial of service (segmentation fault) by creating a new Array object with a large size value, then writing into that array. safari-array-dos(15413) 9815 http://www.insecure.ws/article.php?story=2004021918172533 20040306 Safari javascript array overflow Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm. VU#947254 20040318 Vulnerability in ICQ Parsing in ISS Products 9913 20040318 EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability witty-worm-propagation(15543) pam-icq-parsing-bo(15442) 4355 AD20040318 O-104 11073 Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method. VU#344718 http://www.nextgenss.com/advisories/antispam.txt nas-launchcustomrulewizard-bo(15536) 9916 http://www.sarc.com/avcenter/security/Content/2004.03.19.html 11169 20040319 Norton AntiSpam Remote Buffer Overrun (#NISR19042004a) 20040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004b The WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Security 2004 is marked safe for scripting, which allows remote attackers to execute arbitrary programs via the LaunchURL method. VU#549054 http://www.nextgenss.com/advisories/nisrce.txt norton-is-launchurl-command-execution(15538) 9915 http://www.sarc.com/avcenter/security/Content/2004.03.19.html 11168 20040319 Norton Internet Security Remote Command Execution (#NISR19042004b) 20040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004b The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. VU#124454 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal ethereal-radius-dos(15571) RHSA-2004:137 RHSA-2004:136 http://www.ethereal.com/appnotes/enpa-sa-00013.html GLSA-200403-07 11185 oval:org.mitre.oval:def:9196 [ethereal-dev] 20040318 ethereal radius dissector vulnerability MDKSA-2004:024 20040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal) CLA-2004:835 oval:org.mitre.oval:def:891 oval:org.mitre.oval:def:879 SQL injection vulnerability in the libpam-pgsql library before 0.5.2 allows attackers to execute arbitrary SQL statements. pam-pgsql-sql-injection(15651) DSA-469 10266 11237 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. VU#792286 RHSA-2004:137 ethereal-zero-presentation-dos(15570) RHSA-2004:136 [Ethereal-dev] 20040416 Possibly incorrect CVE entry CAN-2004-0367 http://www.ethereal.com/appnotes/enpa-sa-00013.html GLSA-200403-07 11185 oval:org.mitre.oval:def:11071 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal CLA-2004:835 MDKSA-2004:024 oval:org.mitre.oval:def:905 oval:org.mitre.oval:def:880 Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. VU#179804 cde-dtlogin-double-free(15581) 9958 http://www.immunitysec.com/downloads/dtlogin.sxw.pdf O-129 HPSBUX01038 57539 101478 11614 11495 11214 11210 [Dailydave] 20040323 dtlogin advisory 20040323 how much fun can you have with UDP? 20040801-01-P oval:org.mitre.oval:def:1436 Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. isakmp-spi-size-bo(15669) 20040826 Entrust LibKmp Library Buffer Overflow 11039 O-206 ESB-2004.0538 http://securityresponse.symantec.com/avcenter/security/Content/2004.08.26.html The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic. freebsd-ipv6-dos(15662) 9992 11233 FreeBSD-SA-04:06 Heimdal 0.6.x before 0.6.1 and 0.5.x before 0.5.3 does not properly perform certain consistency checks for cross-realm requests, which allows remote attackers with control of a realm to impersonate others in the cross-realm trust path. heimdal-cross-realm-spoofing(15701) DSA-476 http://www.pdc.kth.se/heimdal/advisory/2004-04-01/ GLSA-200404-09 20040530 009: SECURITY FIX: May 30, 2004 FreeBSD-SA-04:08 xine allows local users to overwrite arbitrary files via a symlink attack on a bug report email that is generated by the (1) xine-bugreport or (2) xine-check scripts. xine-xinebugreport-xinecheck-symlink(15564) DSA-477 9939 GLSA-200404-20 20040320 xine-check/xine-bugreport symlink vulnerability. Interchange before 5.0.1 allows remote attackers to "expose the content of arbitrary variables" and read or modify sensitive SQL information via an HTTP request ending with the "__SQLUSER__" string. interchange-url-obtain-information(15670) DSA-471 10005 11234 http://ftp.icdevgroup.org/interchange/5.0/WHATSNEW [interchange-announce] 20040329 Security Problem in Interchange SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allow remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero. symantec-firewall-tcp-dos(15936) norton-firewalls-dos(15433) http://www.symantec.com/avcenter/security/Content/2004.04.20.html 9912 http://www.eeye.com/html/Research/Upcoming/20040309.html 1009380 1009379 20040423 EEYE: Symantec Multiple Firewall TCP Options Denial of Service oftpd 0.3.6 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command with a large value. 9980 DSA-473 oftpd-port-dos(15622) http://www.time-travellers.org/oftpd/oftpd-dos.html GLSA-200403-08 11220 Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character. VU#722414 perl-win32stat-bo(15732) 20040405 iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function http://public.activestate.com/cgi-bin/perlbrowse?patch=22552 http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities 20040405 [Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Multiple cross-site scripting (XSS) vulnerabilities in Microsoft SharePoint Portal Server 2001 allow remote attackers to process arbitrary web content and steal cookies via certain server scripts. 20040405 Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server 2001 sharepoint-portal-xss(15729) The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." VU#323070 TA04-104A 20040328 IE ms-its: and mk:@MSITStore: vulnerability 20040219 Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658) MS04-013 outlook-mhtml-execute-code(15705) 9658 http://www.k-otik.net/bugtraq/02.18.InternetExplorer.php 9105 10523 oval:org.mitre.oval:def:990 oval:org.mitre.oval:def:882 oval:org.mitre.oval:def:1028 oval:org.mitre.oval:def:1010 mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack on the failed-mysql-bugreport temporary file. 9976 20040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql) mysql-mysqlbug-symlink(15617) RHSA-2004:597 RHSA-2004:569 DSA-483 P-018 GLSA-200405-20 oval:org.mitre.oval:def:11557 20040324 mysqlbug tmpfile/symlink vulnerability. MDKSA-2004:034 Unknown vulnerability in the CUPS printing system in Mac OS X 10.3.3 and Mac OS X 10.2.8 with unknown impact, possibly related to a configuration file setting. macos-cups-configuration-unknown(15769) http://lists.apple.com/mhonarc/security-announce/msg00047.html http://docs.info.apple.com/article.html?artnum=61798 Unknown vulnerability in Mail for Mac OS X 10.3.3 and 10.2.8, with unknown impact, related to "the handling of HTML-formatted email." macos-mail-unknown(15768) http://lists.apple.com/mhonarc/security-announce/msg00047.html http://docs.info.apple.com/article.html?artnum=61798 Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener. NOTE: due to the vagueness of the Oracle advisory, it is not clear whether there are additional issues besides this overflow, although the advisory alludes to multiple "vulnerabilities." VU#413006 http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf oracle-web-cache-vulnerabilities(15463) 9868 http://www.inaccessnetworks.com/ian/services/secadv01.txt 20040316 new security alert #66 issued in Oracle web cache 20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache 4249 11118 20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache Buffer overflow in the HTTP parser for MPlayer 1.0pre3 and earlier, 0.90, and 0.91 allows remote attackers to execute arbitrary code via a long Location header. VU#723910 mplayer-header-bo(15675) 10008 20040330 Heap overflow in MPlayer GLSA-200403-13 11259 20040330 MPlayer Security Advisory #002 - HTTP parsing vulnerability http://www.mplayerhq.hu/homepage/design6/news.html MDKSA-2004:026 Stack-based buffer overflow in the RT3 plugin, as used in RealPlayer 8, RealOne Player, RealOne Player 10 beta, and RealOne Player Enterprise, allows remote attackers to execute arbitrary code via a malformed .R3T file. realplayer-r3t-bo(15774) http://www.service.real.com/help/faq/security/040406_r3t/en/ http://www.ngssoftware.com/advisories/realr3t.txt 20040307 REAL One Player R3T File Format Stack Overflow 10070 4977 11314 20040307 REAL One Player R3T File Format Stack Overflow The mysqld_multi script in MySQL allows local users to overwrite arbitrary files via a symlink attack. DSA-483 mysql-mysqldmulti-symlink(15883) 10142 RHSA-2004:597 RHSA-2004:569 6421 P-018 1009784 GLSA-200405-20 11223 oval:org.mitre.oval:def:10559 20040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql) http://dev.mysql.com/doc/mysql/en/news-4-1-2.html MDKSA-2004:034 RealNetworks Helix Universal Server 9.0.1 and 9.0.2 allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference, as demonstrated using (1) GET_PARAMETER or (2) DESCRIBE requests. 20040415 RealNetworks Helix Universal Server Denial of Service Vulnerability helix-get-dos(15880) 10157 11395 SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style access control when users log in using scologin, which allows remote attackers to gain unauthorized access to an X session via other X login methods. openserver-x-session-insecure(16113) SCOSA-2004.5 20040510 OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting Solution Engine (HSE) 1.7 through 1.7.3 have a hardcoded username and password, which allows remote attackers to add new users, modify existing users, and change configuration. VU#659228 cisco-default-password(15773) 20040407 A Default Username and Password in WLSE and HSE Devices O-111 10076 racoon before 20040407b allows remote attackers to cause a denial of service (infinite loop and dropped connections) via an IKE message with a malformed Generic Payload Header containing invalid (1) "Security Association Next Payload" and (2) "RESERVED" fields. racoon-isakmp-dos(15893) http://www.vuxml.org/freebsd/40fcf20f-8891-11d8-90d1-0020ed76ef5a.html SCOSA-2005.10 http://orange.kame.net/dev/query-pr.cgi?pr=555 Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function. rlpr-msg-format-string(16453) 10578 DSA-524 20040624 Rlpr Advisory A "potential" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic. linux-panic-bo(15953) SuSE-SA:2004:010 ESA-20040428-004 GLSA-200407-02 [fedora-announce] 20040422 Fedora alert FEDORA-2004-111 (kernel) CLA-2004:846 20040505-01-U 20040504-01-U 10233 MDKSA-2004:037 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call. gatos-xatitv-gain-privileges(16273) 10437 DSA-509 Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. VU#192038 TA04-147A RHSA-2004:190 DSA-505 20040519 Advisory 07/2004: CVS remote vulnerability GLSA-200405-12 http://security.e-matters.de/advisories/072004.html oval:org.mitre.oval:def:9058 SuSE-SA:2004:013 NetBSD-SA2004-008 FreeBSD-SA-04:10 cvs-entry-line-bo(16193) SSA:2004-140-01 10384 6305 MDKSA-2004:048 O-147 11674 11652 11651 11647 11641 20040520 cvs server buffer overflow vulnerability FEDORA-2004-1620 20040519 [OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs) 20040519 Advisory 07/2004: CVS remote vulnerability 20040519 Advisory 07/2004: CVS remote vulnerability oval:org.mitre.oval:def:970 Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command. subversion-date-parsing-command-execution(16191) 10386 20040519 [OpenPKG-SA-2004.023] OpenPKG Security Advisory (subversion) FLSA:1748 FEDORA-2004-128 http://security.e-matters.de/advisories/082004.html 20040519 Advisory 08/2004: Subversion remote vulnerability 20040519 Advisory 08/2004: Subversion remote vulnerability 6301 GLSA-200405-14 http://subversion.tigris.org/svn-sscanf-advisory.txt 11675 11642 Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client. FEDORA-2004-1552 neon-library-nerfc1036parse-bo(16192) 10385 RHSA-2004:191 DSA-507 DSA-506 GLSA-200405-15 GLSA-200405-13 11673 11650 11638 6302 O-148 CLA-2004:841 20040519 Advisory 06/2004: libneon date parsing vulnerability MDKSA-2004:049 20040519 [OpenPKG-SA-2004.024] OpenPKG Security Advisory (neon) 20040519 Advisory 06/2004: libneon date parsing vulnerability Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification. exim-requireverify-bo(16079) http://www.guninski.com/exim1.html DSA-502 DSA-501 20040506 Buffer overflows in exim, yet still exim much better than windows 11558 Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check. exim-headerschecksyntax-bo(16077) http://www.guninski.com/exim1.html DSA-502 DSA-501 20040506 Buffer overflows in exim, yet still exim much better than windows Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions. libtasn1-der-parsing(16157) http://www.backports.org/changelog.html 10360 15126 1010159 http://packages.debian.org/changelogs/pool/main/libt/libtasn1-2/libtasn1-2_0.2.13-1/changelog Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other versions, may allow local users to execute arbitrary code. 10403 DSA-508 xpcd-svga-pcdopen-bo(16236) MDKSA-2004:053 Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. RHSA-2004:165 APPLE-SA-2004-05-03 http://www.vuxml.org/freebsd/ccd698df-8e20-11d8-90d1-0020ed76ef5a.html MDKSA-2004:069 http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/isakmp.c.diff?r1=1.180&r2=1.181 GLSA-200404-17 oval:org.mitre.oval:def:11220 20040506-01-U SCOSA-2005.10 racoon-isakmp-dos(15893) 10172 5491 http://sourceforge.net/project/shownotes.php?release_id=232288 1009937 11877 11410 oval:org.mitre.oval:def:984 logcheck before 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary directory in /var/tmp. logcheck-directory-symlink(15888) 10162 DSA-488 11399 MDKSA-2004:155 CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. DSA-486 FEDORA-2004-1620 20040404-01-U FreeBSD-SA-04:07 oval:org.mitre.oval:def:10818 cvs-dotdot-directory-traversal(15891) SSA:2004-108-02 GLSA-200404-13 oval:org.mitre.oval:def:1060 The HTML form upload capability in ColdFusion MX 6.1 does not reclaim disk space if an upload is interrupted, which allows remote attackers to cause a denial of service (disk consumption) by repeatedly uploading files and interrupting the uploads before they finish. http://www.macromedia.com/devnet/security/security_zone/mpsb04-06.html 20040416 [securityzone@macromedia.com: New Macromedia Security Zone Bulletin Posted] coldfusion-upload-file-dos(15882) 10158 5402 1009825 11392 Buffer overflow in the child_service function in the ident2 ident daemon allows remote attackers to execute arbitrary code. ident2-childservice-bo(15938) 10192 DSA-494 Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code. http://www.xchat.org/ RHSA-2004:177 DSA-493 [xchat-announce] 20040405 xchat 2.0.x Socks5 Vulnerability RHSA-2004:585 GLSA-200404-15 oval:org.mitre.oval:def:11312 FLSA:123013 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. http://www.kde.org/info/security/advisory-20040517-1.txt 20040513 Opera Telnet URI Handler Vulnerability also applies to other browsers RHSA-2004:222 SuSE-SA:2003:014 DSA-518 GLSA-200405-11 kde-url-handler-gain-access(16163) SSA:2004-238 10358 FEDORA-2004-122 FEDORA-2004-121 6107 O-146 11602 20040517 KDE Security Advisory: URI Handler Vulnerabilities CLA-2004:843 oval:org.mitre.oval:def:954 Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server. 10412 FEDORA-2004-1734 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559 MDKSA-2004:051 GLSA-200406-04 [Mailman-Announce] 20040515 RELEASED Mailman 2.1.5 CLA-2004:842 mailman-obtain-password(16256) 11701 libsvn_ra_svn in Subversion 1.0.4 trusts the length field of (1) svn://, (2) svn+ssh://, and (3) other svn protocol URL strings, which allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow. subversion-svn-bo(16396) 10519 FLSA:1748 FEDORA-2004-165 SuSE-SA:2004:018 GLSA-200406-07 http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt 20041012 [FMADV] Subversion <= 1.04 Heap Overflow CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. DSA-517 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:10575 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U 20040604-01-U MDKSA-2004:058 oval:org.mitre.oval:def:993 Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory. RHSA-2004:418 linux-pointer-info-disclosure(16877) RHSA-2004:413 MDKSA-2004:087 GLSA-200408-24 oval:org.mitre.oval:def:9965 20040804-01-U CLA-2004:879 Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. DSA-519 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 MDKSA-2004:058 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:10070 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U 20040604-01-U oval:org.mitre.oval:def:994 Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. DSA-519 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:11145 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U MDKSA-2004:058 oval:org.mitre.oval:def:1001 serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. DSA-519 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:11242 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U 20040604-01-U MDKSA-2004:058 oval:org.mitre.oval:def:1003 XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions. 10423 MDKSA-2004:073 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900 20040526 008: SECURITY FIX: May 26, 2004 GLSA-200407-05 oval:org.mitre.oval:def:10161 http://bugs.xfree86.org/show_bug.cgi?id=1376 xdm-socket-gain-access(16264) RHSA-2004:478 P-001 1010306 12019 The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. TA04-196A VU#106324 9510 20040127 GOOROO CROSSING: File Spoofing Internet Explorer 6 20040127 RE: GOOROO CROSSING: File Spoofing Internet Explorer 6 MS04-024 ie-clsid-file-extension-spoofing(14964) 10736 oval:org.mitre.oval:def:3604 oval:org.mitre.oval:def:3533 oval:org.mitre.oval:def:3386 oval:org.mitre.oval:def:2894 oval:org.mitre.oval:def:2381 oval:org.mitre.oval:def:2245 The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. 10244 RHSA-2004:180 libpng-png-dos(16022) RHSA-2004:181 DSA-498 oval:org.mitre.oval:def:11710 FEDORA-2004-106 FEDORA-2004-105 2004-0025 20040429 [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png) APPLE-SA-2004-09-09 MDKSA-2006:213 MDKSA-2006:212 MDKSA-2004:040 22958 22957 oval:org.mitre.oval:def:971 flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack. flim-insecure-temporary-file(16027) DSA-500 RHSA-2004:344 The log_event function in ssmtp 2.50.6 and earlier allows local users to overwrite arbitrary files via a symlink attack on the ssmtp.log temporary log file. 20040418 ssmtp insecure file creation Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. linux-ipsetsockopt-integer-bo(15907) 10179 ESA-20040428-004 http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt 20040420 Linux kernel setsockopt MCAST_MSFILTER integer overflow SuSE-SA:2004:010 oval:org.mitre.oval:def:11214 20040504-01-U SSA:2004-119 RHSA-2004:183 MDKSA-2004:037 CLA-2004:852 oval:org.mitre.oval:def:939 Heap-based buffer overflow in SiteMinder Affiliate Agent 4.x allows remote attackers to execute arbitrary code via a large SMPROFILE cookie. siteminder-affiliate-smprofile-bo(15950) 10198 A042204-1 rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. RHSA-2004:192 DSA-499 20040521 [OpenPKG-SA-2004.025] OpenPKG Security Advisory (rsync) rsync-write-files(16014) TSL-2004-0024 SSA:2004-124-01 10247 GLSA-200407-10 O-212 O-134 12054 11993 11688 11669 11583 11537 11523 11515 11514 http://rsync.samba.org/ oval:org.mitre.oval:def:9495 MDKSA-2004:042 oval:org.mitre.oval:def:967 The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call. [linux-kernel] 20040408 [PATCH]: 2.4/2.6 do_fork() error path memory leak 20040505-01-U 20040504-01-U RHSA-2004:255 SuSE-SA:2004:010 GLSA-200407-02 oval:org.mitre.oval:def:10297 http://linux.bkbits.net:8080/linux-2.6/cset@407b1217x4jtqEkpFW2g_-RcF0726A http://linux.bkbits.net:8080/linux-2.4/cset@407bf20eDeeejm8t36_tpvSE-8EFHA FEDORA-2004-111 CLA-2004:846 linux-dofork-memory-leak(16002) TLSA-2004-14 10221 RHSA-2004:327 RHSA-2004:260 MDKSA-2004:037 DSA-1082 DSA-1070 DSA-1069 DSA-1067 O-164 20338 20202 20163 20162 11892 11891 11861 11541 11486 11464 11429 oval:org.mitre.oval:def:2819 Unknown vulnerability in CoreFoundation in Mac OS X 10.3.3 and Mac OS X 10.3.3 Server, related to "the handling of an environment variable," has unknown attack vectors and unknown impact. macos-corefoundation-environment(16051) 10270 ESB-2004.0314 1010045 11539 APPLE-SA-2004-05-03 Unknown vulnerability related to "the handling of large requests" in RAdmin for Apple Mac OS X 10.3.3 and Mac OS X 10.2.8 may allow attackers to have unknown impact via unknown attack vectors. ESB-2004.0314 1010045 11539 20040503 [product-security@apple.com: APPLE-SA-2004-05-03 Security Update 2004-05-03] APPLE-SA-2004-05-03 macos-radmin-large-request(16053) O-138 Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. VU#648406 applefileserver-afp-pathname-bo(16049) A050304-1 http://www.securiteam.com/securitynews/5QP0115CUO.html 1010039 11539 APPLE-SA-2004-05-03 Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow. VU#782958 quicktime-heap-bo(16026) 20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow 20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow APPLE-SA-2004-04-30 ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL entries as if they were AllowAll, which could allow FTP clients to bypass intended access restrictions. 10252 proftpd-cidr-acl-bypass(16038) 11527 2004-0025 http://bugs.proftpd.org/show_bug.cgi?id=2267 MDKSA-2004:041 20040430 [OpenPKG-SA-2004.018] OpenPKG Security Advisory (proftpd) Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) client for (1) MPlayer before 1.0pre4 and (2) xine lib (xine-lib) before 1-rc4, when playing Real RTSP (realrtsp) streams, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (a) long URLs, (b) long Real server responses, or (c) long Real Data Transport (RDT) packets. mplayer-rtsp-rdt-bo(16019) http://www.xinehq.de/index.php/security/XSA-2004-3 GLSA-200405-24 k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow. heimdal-kadmind-bo(16071) DSA-504 GLSA-200405-23 20040505 Advisory: Heimdal kadmind version4 remote heap overflow 20040506 Advisory: Heimdal kadmind version4 remote heap overflow FreeBSD-SA-04:09 Certain "programming errors" in the msync system call for FreeBSD 5.2.1 and earlier, and 4.10 and earlier, do not properly handle the MS_INVALIDATE operation, which leads to cache consistency problems that allow a local user to prevent certain changes to files from being committed to disk. FreeBSD-SA-04:11 freebsd-msync-gain-privileges(16254) 10416 11714 Titan FTP Server version 3.01 build 163, and possibly other versions before build 169, allows remote authenticated users to cause a denial of service (crash) by disconnecting from the system during a "LIST -L" command, which causes Titan to access an invalid socket. titan-list-command-dos(16057) http://www.securiteam.com/windowsntfocus/5RP0215CUU.html 20040505 Titan FTP Server Aborted LIST DoS 20040505 Titan FTP Server Aborted LIST DoS Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components. VU#634414 VU#294998 VU#637318 10335 10334 10333 http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html 11066 20040512 EEYE: Symantec Multiple Firewall NBNS Response Remote Heap Corruption 20040512 EEYE: Symantec Multiple Firewall Remote DNS KERNEL Overflow 20040512 EEYE: Symantec Multiple Firewall NBNS Response Processing Stack Overflow symantec-dns-response-bo(16137) symantec-firewalls-nbns-bo(16135) symantec-nbns-response-bo(16134) 6102 6101 6099 O-141 1010146 1010145 1010144 The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself. VU#682110 http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html symantec-firewall-dns-dos(16132) 10336 11066 20040512 EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service 6100 O-141 1010146 1010145 1010144 Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact. NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477. This is the proper candidate to use for the Linux local DoS. 10783 linux-ia64-dos(16661) RHSA-2004:413 DSA-1082 DSA-1070 DSA-1069 DSA-1067 O-193 GLSA-200407-16 20338 20202 20163 20162 oval:org.mitre.oval:def:10918 [owl-users] 20040619 Linux 2.4.26-ow2 20040804-01-U Format string vulnerability in the log function for jftpgw 0.13.4 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in certain syslog messages. jftpgw-log-format-string(16271) 10438 DSA-510 Format string vulnerability in the printlog function in log2mail before 0.2.5.2 allows local users or remote attackers to execute arbitrary code via format string specifiers in a logfile monitored by log2mail. 10460 DSA-513 log2mail-syslog-format-string(16311) 11769 11768 6711 http://felinemenace.org/~jaguar/advisories/log2mail.txt Multiple format string vulnerabilities in the (1) logquit, (2) logerr, or (3) loginfo functions in Software Upgrade Protocol (SUP) allows remote attackers to execute arbitrary code via format string specifiers in messages that are logged by syslog. sup-format-string(16459) 10571 DSA-521 1010539 Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. RHSA-2005:103 GLSA-200501-38 DSA-620 20050111 [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl) perl-filepathrmtree-insecure-permissions(18650) oval:org.mitre.oval:def:9938 USN-44-1 12072 RHSA-2005:105 18517 12991 FLSA-2006:152845 20060101-01-U Format string vulnerability in the monitor "memory dump" command in VICE 1.6 to 1.14 allows local users to cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string. 10543 vice-memory-dump-format-string(16404) 20040614 VICE emulator format string vulnerability Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code. rlpr-msg-bo(16454) 10578 DSA-524 Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to execute arbitrary code via a web page that is processed by www-sql. wwwsql-cgi-command-execution(16455) 10577 DSA-523 Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly other versions allows remote web sites to execute arbitrary code via a long HTTP Location header. pavuk-location-bo(16551) 10633 DSA-527 GLSA-200406-22 20040702 pavuk buffer overflow The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files. mysql-mysqlhotcopy-insecure-file(17030) RHSA-2004:597 DSA-540 P-018 oval:org.mitre.oval:def:10693 mah-jong before 1.6.2 allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. mah-jong-null-dos(16143) 10343 DSA-503 The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data. VU#106678 AA-2004.02 ieee80211-cca-dos(16138) 10342 16034 http://support.avaya.com/elmodocs2/security/ASA-2004-009.pdf 1010152 20040513 802.11b (others) single packet DoS Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file. TA04-174A VU#317350 10590 dhcp-ascii-log-bo(16475) SuSE-SA:2004:019 20040628 ISC DHCP overflows http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf MDKSA-2004:061 23265 20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd) 20040622 DHCP Vuln // no code 0day // The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code. TA04-174A VU#654390 10591 dhcp-c-include-bo(16476) SuSE-SA:2004:019 20040628 ISC DHCP overflows http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf MDKSA-2004:061 23265 20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd) 20040622 DHCP Vuln // no code 0day // The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server. VU#546483 network-device-secure-plaintext(17702) Directory traversal vulnerability in jretest.html in WebConnect 6.5 and 6.4.4, and possibly earlier versions, allows remote attackers to read keys within arbitrary INI formatted files via "..//" sequences in the WCP_USER parameter. http://www.kb.cert.org/vuls/id/JSHA-69HVPK VU#628411 webconnect-wcpuser-directory-traversal(19394) http://www.cirt.dk/advisories/cirt-29-advisory.pdf 14006 20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilities WebConnect 6.5, 6.4.4, and possibly earlier versions allows remote attackers to cause a denial of service (hang) via a URL containing an MS-DOS device name such as (1) AUX, (2) CON, (3) PRN, (4) COM1, or (5) LPT1. http://www.kb.cert.org/vuls/id/JSHA-69FVMM VU#552561 webconnect-device-name-dos(19393) 14006 http://www.cirt.dk/advisories/cirt-29-advisory.pdf 20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilities Juniper JUNOS 5.x through JUNOS 7.x allows remote attackers to cause a denial of service (routing disabled) via a large number of MPLS packets, which are not filtered or verified before being sent to the Routing Engine, which reduces the speed at which other packets are processed. http://www.kb.cert.org/vuls/id/JSHA-68ZJCQ VU#409555 junos-dos(19094) 12379 http://www.niscc.gov.uk/niscc/docs/al-20050126-00067.html?lang=en RHSA-2005:081 1013039 14049 Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows remote attackers to cause a denial of service (memory exhaustion and device reboot) via certain IPv6 packets. VU#658859 juniper-ipv6-dos(16548) http://www.kb.cert.org/vuls/id/JSHA-6253CC http://www.jpcert.or.jp/at/2004/at040009.txt Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation. vpn1-isakmp-bo(16060) 10273 20040504 ISAKMP Vulnerability BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application. VU#950070 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp weblogic-application-unauth-access(16123) 10328 6076 1010128 11593 BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown). http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_60.00.jsp weblogic-server-policy-bypass(16121) 10327 6077 1010129 11594 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a reservation duplicate of CVE-2004-0434. Notes: All CVE users should reference CVE-2004-0434 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options to the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux. http://www.opera.com/linux/changelogs/750/index.dml GLSA-200405-19 opera-telnet-file-overwrite(16139) 10341 20040512 Opera Telnet URI Handler File Creation/Truncation Vulnerability 1010142 Help Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL. NOTE: since the initial report of this problem, several researchers have been unable to reproduce this issue. winxp-helpctr-hcp-xss(15101) 9621 20040207 HelpCtr - allow open any page or run 20040211 Re: HelpCtr - allow open any page or run 20040213 Re: HelpCtr - allow open any page or run 20040210 Re: HelpCtr - allow open any page or run 20040210 Re: HelpCtr - allow open any page or run The showHelp function in Internet Explorer 6 on Windows XP Pro allows remote attackers to execute arbitrary local .CHM files via a double backward slash ("\\") before the target CHM file, as demonstrated using an "ms-its" URL to ntshared.chm. NOTE: this bug may overlap CVE-2003-1041. ie-showhelp-chm-execution(16147) 10348 20040513 Showhelp() local CHM file execution Buffer overflow in 3Com OfficeConnect Remote 812 ADSL Router 1.1.9.4 allows remote attackers to cause a denial of service (reboot or packet loss) via a long string containing Telnet escape characters to the Telnet port. 10419 20040526 OfficeConnect Remote 812 ADSL Router Telnet Protocol DoS Vulnerability 3com-officeconnect-telnet-bo(16257) 11716 Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router allows remote attackers to bypass authentication via repeated attempts using any username and password. NOTE: this identifier was inadvertently re-used for another issue due to a typo; that issue was assigned CVE-2004-0447. This candidate is ONLY for the ADSL router bypass. 10426 20040527 iDEFENSE Security Advisory 05.27.04: 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass Vulnerability 3com-officeconnect-gain-access(16267) 11716 Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using Javascript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U. mozilla-javascript-dos(16225) [Dailydave] 20040514 Mozilla bug might even get fixed! http://bugzilla.mozilla.org/show_bug.cgi?id=243540 Internet Explorer 6 allows remote attackers to cause a denial of service (crash) via Javascript that creates a new popup window and disables the imagetoolbar functionality with a META tag, which triggers a null dereference. 20040516 Re: IE Crash - Anyone Seen This Before? 20040514 IE Crash - Anyone Seen This Before? 20040514 IE Crash - Anyone Seen This Before? Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that uses a UNC network share pathname to provide an alternate notes.ini configuration file to notes.exe. lotus-notes-xss(16496) 10600 http://www.idefense.com/application/poi/display?id=111&type=vulnerabilities http://www-1.ibm.com/support/docview.wss?rs=475/context=SSKTWP&uid=swg21169510 20040627 Lotus Notes URL argument injection vulnerability The logging feature in kcms_configure in the KCMS package on Solaris 8 and 9, and possibly other versions, allows local users to corrupt arbitrary files via a symlink attack on the KCS_ClogFile file. 20050223 Sun Solaris kcms_configure Arbitrary File Corruption Vulnerability 57706 Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs.c, (3) procfs_linux.c, (4) procfs_regs.c, (5) procfs_status.c, and (6) procfs_subr.c in procfs for OpenBSD 3.5 and earlier allow local users to read sensitive kernel memory and possibly perform other unauthorized activities. [openbsd-security-announce] 20040513 procfs vulnerability ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/006_procfs.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/020_procfs.patch openbsd-procfs-gain-privileges(16226) 6114 20040513 [3.5] 006: SECURITY FIX: May 13, 2004 20040513 [3.4] 020: SECURITY FIX: May 13, 2004 http://www.deprotect.com/advisories/DEPROTECT-20041305.txt 11605 20040517 OpenBSD procfs Unknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote attackers to cause a denial of service (infinite loop) via certain RPC requests. 10372 11628 rpcmountd-rpc-dos(16175) 6201 1010185 20040503-01-P mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attackers to cause a denial of service (crash) via a table containing a form that crosses multiple td elements, and whose "float: left" class is defined in a link to a CSS stylesheet after the end of the table, which may trigger a null dereference. ie-css-dos(16189) 10382 20040518 Unknown IE bug with css-styles The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume. VU#210606 11622 macos-runscript-code-execution(16166) APPLE-SA-2004-05-21 http://fundisom.com/owned/warning APPLE-SA-2004-05-28 HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler. VU#578798 10356 11622 macos-runscript-code-execution(16166) http://www.fundisom.com/owned/warning APPLE-SA-2004-05-21 6184 1010167 20040516 Vuln. MacOSX/Safari: Remote help-call, execute scripts A certain ActiveX control in Symantec Norton AntiVirus 2004 allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary programs. VU#312510 nav-activex-code-execution(16220) http://www.symantec.com/avcenter/security/Content/2004.05.20.html 10392 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/72_e.html O-149 11676 6303 20040521 [SNS Advisory No.72] Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. 10355 FLSA:1888 apache-modssl-uuencode-bo(16214) 2004-0031 RHSA-2004:405 RHSA-2004:342 DSA-532 GLSA-200406-05 RHSA-2004:245 oval:org.mitre.oval:def:11458 SSRT4788 SSRT4777 20040601 TSSA-2004-008 - apache 20040517 mod_ssl ssl_util_uuencode_binary potential problem 20040605-01-U RHSA-2005:816 MDKSA-2004:055 MDKSA-2004:054 20040527 [OpenPKG-SA-2004.026] OpenPKG Security Advisory (apache) Argument injection vulnerability in the SSH URI handler for Safari on Mac OS 10.3.3 and earlier allows remote attackers to (1) execute arbitrary code via the ProxyCommand option or (2) conduct port forwarding via the -R option. macos-ssh-code-execution(16242) http://www.insecure.ws/article.php?story=200405222251133 20040524 SSH URI handler remote arbitrary code execution cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529. cpanel-modphpsuexec-execute-commands(16239) 10407 20040524 cPanel mod_phpsuexec Vulnerability http://www.securiteam.com/tools/5TP0N15CUA.html http://www.a-squad.com/audit/explain10.html http://bugzilla.cpanel.net/show_bug.cgi?id=664 http://bugzilla.cpanel.net/show_bug.cgi?id=283 The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. [linux-kernel] 20040402 Re: disable-cap-mlock oval:org.mitre.oval:def:10672 13769 RHSA-2005:472 19607 20060402-01-U oval:org.mitre.oval:def:1117 Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. VU#541310 DSA-525 RHSA-2004:245 20040611 [OpenPKG-SA-2004.029] OpenPKG Security Advisory (apache) FLSA:1737 apache-modproxy-contentlength-bo(16387) http://www.guninski.com/modproxy1.html 57628 101841 101555 11841 20040610 Buffer overflow in apache mod_proxy,yet still apache much better than windows SSRT090208 HPSBOV02683 20040605-01-U MDKSA-2004:065 oval:org.mitre.oval:def:4863 oval:org.mitre.oval:def:100112 The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters. 10619 apache-apgetmimeheaderscore-dos(16524) 2004-0039 RHSA-2004:342 http://www.guninski.com/httpd1.html http://www.apacheweek.com/features/security-20 GLSA-200407-03 oval:org.mitre.oval:def:10605 SSRT4777 20040628 DoS in apache httpd 2.0.49, yet still apache much better than windows MDKSA-2004:064 20040629 TSSA-2004-012 - apache Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1 may allow remote attackers to perform certain unauthorized actions via a gnome-vfs URI. RHSA-2004:373 FLSA:1944 gnome-vfs-extfs-gain-access(16897) oval:org.mitre.oval:def:9854 http://rpmfind.net/linux/RPM/suse/9.3/i386/suse/i586/gnome-vfs-1.0.5-816.2.i586.html Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool. 10566 RHSA-2004:255 linux-drivers-gain-privileges(16449) RHSA-2004:260 SUSE-SA:2004:020 MDKSA-2004:066 GLSA-200407-02 oval:org.mitre.oval:def:10155 FEDORA-2004-186 CLA-2004:846 CLA-2004:845 oval:org.mitre.oval:def:2961 Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool. linux-gain-privileges(16625) SUSE-SA:2004:020 Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4. linux-fchown-groupid-modify(16599) RHSA-2004:354 MDKSA-2004:066 CLA-2004:852 RHSA-2004:360 SUSE-SA:2004:020 oval:org.mitre.oval:def:9867 The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlier allows remote attackers to cause a denial of service (crash) via crafted H.323 packets. http://www.uniras.gov.uk/niscc/docs/re-20041026-00956.pdf?lang=en http://www.stonesoft.com/support/Security_Advisories/6735.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call. gaim-msn-bo(16920) 10865 GLSA-200408-12 RHSA-2004:400 SUSE-SA:2004:025 MDKSA-2004:081 GLSA-200408-27 FEDORA-2004-279 FEDORA-2004-278 oval:org.mitre.oval:def:9429 http://gaim.sourceforge.net/security/?id=0 Outlook 2003 allows remote attackers to bypass intended access restrictions and cause Outlook to request a URL from a remote site via an HTML e-mail message containing a Vector Markup Language (VML) entity whose src parameter points to the remote site, which could allow remote attackers to know when a message has been read, verify valid e-mail addresses, and possibly leak other information. outlook-vml-obtain-information(16116) 10323 20040511 PING: Outlook 2003 Spam 20040604 RE: PING: Outlook 2003 Spam 20040604 RE: PING: Outlook 2003 Spam Outlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the "src" of an img tag of the original message, which allows remote attackers to bypass zone restrictions and exploit other issues that rely on predictable locations, as demonstrated using a shell: URI. outlook-file-location-predictable(16104) 10307 11572 20040604 RE: PING: Outlook 2003 Spam 20040509 OUTLOOK 2003: OuchLook 20040604 RE: PING: Outlook 2003 Spam Microsoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a Rich Text Format (RTF) message containing an OLE object for the Windows Media Player, which bypasses Media Player's setting to disallow scripting and may lead to unprompted installation of an executable when exploited in conjunction with predictable-file-location exposures such as CVE-2004-0502. 10369 outlook-ole-restriction-bypass(16173) 20040517 ROCKET SCIENCE: Outllook 2003 6217 11629 20040517 ROCKET SCIENCE: Outllook 2003 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. 10347 RHSA-2004:234 [Ethereal-users] 20040503 Re: HotSIP sip-messages crasching ethereal http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 oval:org.mitre.oval:def:9769 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-sip-packet-dos(16148) 6131 O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:982 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. 10347 RHSA-2004:234 http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 oval:org.mitre.oval:def:9433 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-aim-dissector-dos(16150) 6132 O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:986 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. 10347 RHSA-2004:234 http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 oval:org.mitre.oval:def:9695 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-spnego-dos(16151) O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:987 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 RHSA-2004:234 oval:org.mitre.oval:def:11026 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-mmse-bo(16152) 10347 6134 O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:988 Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program. openserver-mmdf-bo(16738) 10758 http://www.deprotect.com/advisories/DEPROTECT-20040206.txt SCOSA-2004.7 20041027 MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86 Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a null dereference. openserver-mmdf-name-dos(16739) 10758 SCOSA-2004.7 Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a core dump. openserver-mmdf-dos(16740) 10758 SCOSA-2004.7 Unspecified vulnerability in Mac OS X before 10.3.4 has unknown impact and attack vectors related to "logging when tracing system calls." macosx-nfs-logging(16291) 1010329 10432 APPLE-SA-2004-05-28 Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of directory services lookups." VU#174790 10432 macosx-loginwindow-gain-privileges(16289) 1010330 APPLE-SA-2004-05-28 Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of console log files." 10432 macosx-loginwindow-gain-privileges(16289) 1010330 APPLE-SA-2004-05-28 Unknown vulnerability in Mac OS X 10.3.4, related to "package installation scripts," a different vulnerability than CVE-2004-0517. 10432 macosx-package-installation(16290) 1010331 APPLE-SA-2004-05-28 Unknown vulnerability in Mac OS X 10.3.4, related to "handling of process IDs during package installation," a different vulnerability than CVE-2004-0516. 10432 macosx-package-installation(16290) 1010331 APPLE-SA-2004-05-28 Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related to "the use of SSH and reporting errors," has unknown impact and attack vectors. applefileserver-reporting-error(16288) 1010333 APPLE-SA-2004-05-28 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. FEDORA-2004-1733 10246 FEDORA-2004-160 DSA-535 12289 11870 11686 11531 RHSA-2004:240 20040604-01-U squirrel-composephp-xss(16025) 20040430 Re: SquirrelMail Cross Scripting Attacks.... SUSE-SR:2005:019 GLSA-200405-16 oval:org.mitre.oval:def:10274 20040429 SquirrelMail Cross Scripting Attacks.... CLA-2004:858 oval:org.mitre.oval:def:1006 Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. FEDORA-2004-1733 10439 FEDORA-2004-160 DSA-535 12289 11870 RHSA-2004:240 20040604-01-U http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt GLSA-200406-08 oval:org.mitre.oval:def:10766 [squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability CLA-2004:858 oval:org.mitre.oval:def:1012 SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. 10397 FEDORA-2004-1733 DSA-535 GLSA-200405-16 RHSA-2004:240 oval:org.mitre.oval:def:11446 [squirrelmail-cvs] 20040427 [SM-CVS] CVS: squirrelmail/functions abook_database.php,1.15.2.1,1.15.2.2 20040604-01-U squirrelmail-sql-injection(16235) APPLE-SA-2004-09-07 FEDORA-2004-160 6841 O-212 12289 11870 11686 11685 [squirrelmail-devel] 20040511 [SM-DEVEL] SquirrelMail 1.4.3-RC1 Release CLA-2004:858 oval:org.mitre.oval:def:1033 Gallery 1.4.3 and earlier allows remote attackers to bypass authentication and obtain Gallery administrator privileges. 10451 DSA-512 gallery-user-bypass-authentication(16301) GLSA-200406-10 11752 Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. VU#686862 DSA-520 Kerberos-krb5anametolocalname-bo(16268) 10448 RHSA-2004:236 MDKSA-2004:056 GLSA-200406-21 101512 oval:org.mitre.oval:def:10295 2004-0032 20040602 TSSA-2004-009 - kerberos5 20040601 MITKRB5-SA-2004-001: buffer overflows in krb5_aname_to_localname FEDORA-2004-149 CLA-2004:860 20040605-01-U 20040604-01-U oval:org.mitre.oval:def:991 oval:org.mitre.oval:def:724 oval:org.mitre.oval:def:2002 Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gain root privileges via a long user name. 10166 20040427 Re: Squirrelmail Chpasswod bof squirrelmail-chpasswd-binary-bo(15889) http://www.squirrelmail.org/plugin_view.php?id=117 11415 20040417 Squirrelmail Chpasswod bof HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 allows remote attackers to cause a denial of service