Unknown vulnerability in the eflags checking in the 32-bit ptrace emulation for the Linux kernel on AMD64 systems allows local users to gain privileges. VU#337238 RHSA-2004:017 linux-ptrace-gain-privilege(14888) 9429 GLSA-200402-06 oval:org.mitre.oval:def:868 The TCP MSS (maximum segment size) functionality in netinet allows remote attackers to cause a denial of service (resource exhaustion) via (1) a low MTU, which causes a large number of small packets to be produced, or (2) via a large number of packets with a small TCP payload, which cause a large number of calls to the resource-intensive sowakeup function. http://lists.freebsd.org/pipermail/cvs-src/2004-January/016271.html Unknown vulnerability in Linux kernel before 2.4.22 allows local users to gain privileges, related to "R128 DRI limits checking." RHSA-2004:044 http://www.linuxcompatible.org/print25630.html RHSA-2004:065 SuSE-SA:2004:005 DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479 oval:org.mitre.oval:def:9204 linux-r128-gain-priviliges(15029) TLSA-2004-14 9570 RHSA-2004:166 RHSA-2004:106 MDKSA-2004:029 O-145 O-127 O-126 O-121 O-082 12075 11891 11464 11376 11370 11369 11362 11361 11202 10912 10911 10782 oval:org.mitre.oval:def:834 oval:org.mitre.oval:def:1017 The libCheckSignature function in crypto-utils.lib for OpenCA 0.9.1.6 and earlier only compares the serial of the signer's certificate and the one in the database, which can cause OpenCA to incorrectly accept a signature if the certificate's chain is trusted by OpenCA's chain directory, allowing remote attackers to spoof requests from other users. VU#336446 9435 http://www.openca.org/news/CAN-2004-0004.txt openca-improper-signature-verification(14847) 3615 20040116 [OpenCA Advisory] Vulnerability in signature verification Multiple buffer overflows in Gaim 0.75 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) octal encoding in yahoo_decode that causes a null byte to be written beyond the buffer, (2) octal encoding in yahoo_decode that causes a pointer to reference memory beyond the terminating null byte, (3) a quoted printable string to the gaim_quotedp_decode MIME decoder that causes a null byte to be written beyond the buffer, and (4) quoted printable encoding in gaim_quotedp_decode that causes a pointer to reference memory beyond the terminating null byte. VU#655974 VU#404470 VU#226974 VU#190366 DSA-434 http://security.e-matters.de/advisories/012004.html 20040126 Advisory 01/2004: 12 x Gaim remote overflows gaim-mime-decoder-oob(14944) gaim-mime-decoder-bo(14942) gaim-sscanf-oob(14938) gaim-yahoodecode-offbyone-bo(14935) SSA:2004-026 1008850 3736 SuSE-SA:2004:004 GLSA-200401-04 CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows Multiple buffer overflows in Gaim 0.75 and earlier, and Ultramagnetic before 0.81, allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) cookies in a Yahoo web connection, (2) a long name parameter in the Yahoo login web page, (3) a long value parameter in the Yahoo login page, (4) a YMSG packet, (5) the URL parser, and (6) HTTP proxy connect. VU#871838 VU#527142 VU#503030 VU#444158 VU#371382 VU#297198 RHSA-2004:032 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html RHSA-2004:045 RHSA-2004:033 SuSE-SA:2004:004 DSA-434 GLSA-200401-04 oval:org.mitre.oval:def:10222 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040201-01-U gaim-http-proxy-bo(14947) gaim-urlparser-bo(14945) gaim-yahoopacketread-keyname-bo(14943) gaim-login-value-bo(14941) gaim-login-name-bo(14940) gaim-yahoowebpending-cookie-bo(14939) SSA:2004-026 1008850 9489 3732 3731 MDKSA-2004:006 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040202-01-U oval:org.mitre.oval:def:818 Buffer overflow in the Extract Info Field Function for (1) MSN and (2) YMSG protocol handlers in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code. VU#197142 RHSA-2004:033 DSA-434 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code RHSA-2004:032 GLSA-200401-04 oval:org.mitre.oval:def:9906 gaim-extractinfo-bo(14946) SSA:2004-026 1008850 9489 SuSE-SA:2004:004 3733 MDKSA-2004:006 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows oval:org.mitre.oval:def:819 Integer overflow in Gaim 0.74 and earlier, and Ultramagnetic before 0.81, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a directIM packet that triggers a heap-based buffer overflow. VU#779614 RHSA-2004:032 http://ultramagnetic.sourceforge.net/advisories/001.html http://security.e-matters.de/advisories/012004.html 20040127 Ultramagnetic Advisory #001: Multiple vulnerabilities in Gaim code RHSA-2004:045 RHSA-2004:033 DSA-434 GLSA-200401-04 oval:org.mitre.oval:def:9469 20040201-01-U gaim-directim-bo(14937) 1008850 3734 MDKSA-2004:006 20040127 [slackware-security] GAIM security update (SSA:2004-026-01) 20040126 Advisory 01/2004: 12 x Gaim remote overflows CLA-2004:813 20040126 Advisory 01/2004: 12 x Gaim remote overflows 20040202-01-U oval:org.mitre.oval:def:820 Apache-SSL 1.3.28+1.52 and earlier, with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth enabled, allows remote attackers to forge a client certificate by using basic authentication with the "one-line DN" of the target user. 20040206 Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior apachessl-default-password(15065) 9590 http://www.apache-ssl.org/advisory-20040206.txt 3877 20040206 [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior Stack-based buffer overflow in the ncp_lookup function for ncpfs in Linux kernel 2.4.x allows local users to gain privileges. 9691 RHSA-2004:069 DSA-479 linux-ncplookup-gain-privileges(15250) RHSA-2004:188 RHSA-2004:065 SuSE-SA:2004:005 DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 oval:org.mitre.oval:def:11388 TLSA-2004-05 MDKSA-2004:015 O-082 FEDORA-2004-079 CLA-2004:820 oval:org.mitre.oval:def:835 oval:org.mitre.oval:def:1035 Buffer overflow in fsp before 2.81.b18 allows remote users to execute arbitrary code. 9377 DSA-416 fsp-boundry-error-bo(14155) O-048 jabber 1.4.2, 1.4.2a, and possibly earlier versions, does not properly handle SSL connections, which allows remote attackers to cause a denial of service (crash). MDKSA-2004:005 DSA-414 jabber-ssl-connections-dos(14158) 9376 3345 10559 Multiple buffer overflows in the nd WebDAV interface 0.8.2 and earlier allows remote web servers to execute arbitrary code via certain long strings. 9365 DSA-412 nd-long-string-bo(14141) 1008616 10550 10549 vbox3 0.1.8 and earlier does not properly drop privileges before executing a user-provided TCL script, which allows local users to gain privileges. DSA-418 9381 vbox3-gain-privileges(14170) The calendar module for phpgroupware 0.9.14 does not enforce the "save extension" feature for holiday files, which allows remote attackers to create and execute PHP files. DSA-419 9387 phpgroupware-calendar-file-include(13489) 6860 Multiple SQL injection vulnerabilities in the (1) calendar and (2) infolog modules for phpgroupware 0.9.14 allow remote attackers to perform unauthorized database operations. DSA-419 9386 1008662 10591 jitterbug 1.6.2 does not properly sanitize inputs, which allows remote authenticated users to execute arbitrary commands. DSA-420 9397 jitterbug-execute-code(14207) Lotus Notes Domino 6.0.2 on Linux installs the notes.ini configuration file with world-writable permissions, which allows local users to modify the Notes configuration and gain privileges. lotus-notes-insecure-permissions(14153) 9366 1008623 3424 http://www.excluded.org/advisories/advisory05.txt 10566 20040106 Lotus Notes Domino 6.0.2 (linux) faulty default permissions PHP remote file inclusion vulnerability in (1) functions.php, (2) authentication_index.php, and (3) config_gedcom.php for PHPGEDVIEW 2.61 allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains the code. phpgedview-pgvbasedirectory-file-include(14159) 9368 3343 10565 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem 1008632 PHPGEDVIEW 2.61 allows remote attackers to reinstall the software and change the administrator password via a direct HTTP request to editconfig.php. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-modify-admin-password(14161) 3403 10565 Cross-site scripting (XSS) vulnerability in search.php in PHPGEDVIEW 2.61 allows remote attackers to inject arbitrary HTML and web script via the firstname parameter. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-search-xss(14160) 9369 3402 10565 admin.php in PHPGEDVIEW 2.61 allows remote attackers to obtain sensitive information via an action parameter with a phpinfo command. 20040106 Vuln in PHPGEDVIEW 2.61 Multi-Problem phpgedview-admin-info-disclosure(14162) 9371 3404 10565 Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.4.5 and earlier allow remote attackers to inject arbitrary HTML or web script via (1) the phorum_check_xss function in common.php, (2) the EditError variable in profile.php, and (3) the Error variable in login.php. phorum-common-xss(14145) 9361 10567 http://phorum.org/ 20040105 Multiple Vulnerabilities in Phorum 3.4.5 1008633 3510 3506 3434 SQL injection vulnerability in register.php for Phorum 3.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. phorum-register-sql-injection(14146) 9363 20040105 Multiple Vulnerabilities in Phorum 3.4.5 3508 10567 SQL injection vulnerability in calendar.php for vBulletin Forum 2.3.x before 2.3.4 allows remote attackers to steal sensitive information via the eventid parameter. 20040105 vBulletin Forum 2.3.xx calendar.php SQL Injection vbulletin-calendar-sql-injection(14144) http://www.vbulletin.com/forum/showthread.php?postid=588825 9360 3344 FirstClass Desktop Client 7.1 allows remote attackers to execute arbitrary commands via hyperlinks in FirstClass RTF messages. firstclassclient-execute-code(14151) 9370 3442 10556 20040105 FirstClass Client 7.1: Command Execution via Email Web Link 1008609 McAfee ePolicy Orchestrator (ePO) 2.5.1 Patch 13 and 3.0 SP2a Patch 3 allows remote attackers to execute arbitrary commands via certain HTTP POST requests to the spipe/file handler on ePO TCP port 81. epolicy-execute-commands(14166) 20040510 McAfee ePolicy Orchestrator Remote Compromise Vulnerability 10200 http://www.osvdb.org/5626 http://download.nai.com/products/patches/ePO/v2.x/Patch14.txt Multiple format string vulnerabilities in HTTP Application Intelligence (AI) component in Check Point Firewall-1 NG-AI R55 and R54, and Check Point Firewall-1 HTTP Security Server included with NG FP1, FP2, and FP3 allows remote attackers to execute arbitrary code via HTTP requests that cause format string specifiers to be used in an error message, as demonstrated using the scheme of a URI. VU#790771 TA04-036A fw1-format-string(14149) 9581 20040204 Checkpoint Firewall-1 HTTP Parsing Format String Vulnerabilities O-072 http://www.checkpoint.com/techsupport/alerts/security_server.html 20040205 Two checkpoint fw-1/vpn-1 vulns Stack-based buffer overflow in Check Point VPN-1 Server 4.1 through 4.1 SP6 and Check Point SecuRemote/SecureClient 4.1 through 4.1 build 4200 allows remote attackers to execute arbitrary code via an ISAKMP packet with a large Certificate Request packet. VU#873334 9582 vpn1-ike-bo(14150) 20040205 Two checkpoint fw-1/vpn-1 vulns 20040204 Checkpoint VPN-1/SecureClient ISAKMP Buffer Overflow 4432 3821 O-073 The mod_auth_shadow module 1.4 and earlier does not properly enforce the expiration of a user account and password, which could allow remote authenticated users to bypass intended access restrictions. DSA-421 1008675 9404 3454 10612 vsftpd 1.1.3 generates different error messages depending on whether or not a valid username exists, which allows remote attackers to identify valid usernames. 1008628 Buffer overflow in Yahoo Instant Messenger 5.6.0.1351 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long filename in the download feature. 9383 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow yahoo-messenger-filename-bo(14171) 1008651 3437 10573 20040108 Yahoo Instant Messenger Long Filename Downloading Buffer Overflow Cisco Personal Assistant 1.4(1) and 1.4(2) disables password authentication when "Allow Only Cisco CallManager Users" is enabled and the Corporate Directory settings refer to the directory service being used by Cisco CallManager, which allows remote attackers to gain access with a valid username. 20040108 Cisco Personal Assistant User Password Bypass Vulnerability ciscopersonalassistant-config-file-access(14172) 9384 3430 Buffer overflow in the ARTpost function in art.c in the control message handling code for INN 2.4.0 may allow remote attackers to execute arbitrary code. VU#759020 9382 20040108 [OpenPKG-SA-2004.001] OpenPKG Security Advisory (inn) 20040107 [SECURITY] INN: Buffer overflow in control message handling inn-artpost-control-message-bo(14190) SSA:2004-014-02 10578 Cross-site scripting (XSS) vulnerability in SnapStream PVS LITE allows remote attackers to inject arbitrary web script or HTML via a GET request containing a terminating '"' (double quote) character. snapstream-quotation-xss(14164) 9375 3440 1008646 10575 20040106 SnapStream PVS LITE Cross Site Scripting Vulnerabillity Multiple programs in trr19 1.0 do not properly drop privileges before executing a system command, which could allow local users to gain privileges. DSA-430 trr19-gain-privileges(14975) 9520 10744 1008875 3747 10745 Helix Universal Server/Proxy 9 and Mobile Server 10 allow remote attackers to cause a denial of service via certain HTTP POST messages to the Administration System port. http://service.real.com/help/faq/security/040112_dos/ 9421 http://service.real.com/help/faq/security/security022604.html 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow 20040318 ptl-2004-02: RealNetworks Helix Server 9 Administration Server Buffer Overflow Verity Ultraseek before 5.2.2 allows remote attackers to obtain the full pathname of the document root via an MS-DOS device name in the web search option, such as (1) NUL, (2) CON, (3) AUX, (4) COM1, (5) COM2, and others. ultraseek-error-path-disclosure(16066) 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue 20040505 Corsaire Security Advisory - Verity Ultraseek path disclosure issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard but frequently supported Content-Transfer-Encoding values such as (1) uuencode, (2) mac-binhex40, and (3) yenc, which may be interpreted differently by mail clients. mime-contenttransfer-filter-bypass(17337) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME Content-Transfer-Encoding mechanism issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use non-standard separator characters, or use standard separators incorrectly, within MIME headers, fields, parameters, or values, which may be interpreted differently by mail clients. mime-separator-filtering-bypass(17334) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME separator issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use fields that use RFC2047 encoding, which may be interpreted differently by mail clients. mime-rfc2047-filtering-bypass(17331) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC2047 encoding issue Multiple vulnerabilities in the H.323 protocol implementation for Cisco IOS 11.3T through 12.2T allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 20040113 Vulnerabilities in H.323 Message Processing http://www.uniras.gov.uk/vuls/2004/006489/h323.htm oval:org.mitre.oval:def:4884 1008685 9406 The print_attr_string function in print-radius.c for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via a RADIUS attribute with a large length value. VU#955526 7090 RHSA-2004:008 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FEDORA-2004-092 FEDORA-2004-090 DSA-425 12179 11032 11022 10718 10652 10644 10639 10636 oval:org.mitre.oval:def:9989 2004-0004 APPLE-SA-2004-02-23 20040103-01-U SCOSA-2004.9 CSSA-2004-008.0 1008735 FLSA:1222 MDKSA-2004:008 [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) CLSA-2003:832 20040202-01-U oval:org.mitre.oval:def:853 oval:org.mitre.oval:def:850 Multiple vulnerabilities in the H.323 protocol implementation for Nortel Networks Business Communications Manager (BCM), Succession 1000 IP Trunk and IP Peer Networking, and 802.11 Wireless IP Gateway allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 http://www.uniras.gov.uk/vuls/2004/006489/h323.htm 1008687 9406 The rawprint function in the ISAKMP decoding routines (print-isakmp.c) for tcpdump 3.8.1 and earlier allows remote attackers to cause a denial of service (segmentation fault) via malformed ISAKMP packets that cause invalid "len" or "loc" values to be used in a loop, a different vulnerability than CVE-2003-0989. VU#174086 9423 RHSA-2004:007 DSA-425 tcpdump-rawprint-isakmp-dos(14837) 20040119 [ESA-20040119-002] 'tcpdump' multiple vulnerabilities. RHSA-2004:008 [fedora-announce-list] 20040311 Re: [SECURITY] Fedora Core 1 Update: tcpdump-3.7.2-8.fc1.1 FEDORA-2004-092 FEDORA-2004-090 12179 11032 11022 10718 10668 10652 10644 10639 10636 oval:org.mitre.oval:def:11197 [tcpdump-workers] multiple vulnerabilities in tcpdump 3.8.1 ESA-20040119-002 2004-0004 APPLE-SA-2004-02-23 20040103-01-U SCOSA-2004.9 CSSA-2004-008.0 1008716 FLSA:1222 MDKSA-2004:008 20040131 [FLSA-2004:1222] Updated tcpdump resolves security vulnerabilites (resend with correct paths) 20040202-01-U oval:org.mitre.oval:def:854 oval:org.mitre.oval:def:851 Antivir / Linux 2.0.9-9, and possibly earlier versions, allows local users to overwrite arbitrary files via a symlink attack on the .pid_antivir_$$ temporary file. antivir-tmpfile-insecure(14214) 1008702 3496 10620 20040113 symlink vul for Antivir / Linux Version 2.0.9-9 (maybe lower) Directory traversal vulnerability in upload capability of WWW File Share Pro 2.42 and earlier allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in the filename parameter of a Content-Disposition: header. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 WWW File Share Pro 2.42 and earlier allows remote attackers to cause a denial of service (crash) via a large POST request. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 WWW File Share Pro 2.42 and earlier allows remote attackers to bypass directory access restrictions via (1) a URL with a trailing . (dot), or (2) a URI with a leading slash or backslash character. 1008779 20040114 Multiple vulnerabilities in WWW Fileshare Pro <= 2.42 Integer overflow in the rnd arithmetic rounding function for various versions of FishCart before 3.1 allows remote attackers to "cause negative totals" via an order with a large quantity. 20040114 FishCart Integer Overflow / Rounding Error 1008731 The SPP_VerifyPVV function in nCipher payShield SPP library 1.3.12, 1.5.18 and 1.6.18 returns a Status_OK value even if the HSM returns a different status code, which could cause applications to make incorrect security-critical decisions, e.g. by accepting an invalid PIN number. http://www.ncipher.com/support/advisories/advisory8_payshield.html payshield-incorrect-request-verification(14832) 9422 3537 20040114 nCipher Advisory #8: payShield library may verify bad requests The SuSEconfig.gnome-filesystem script for YaST in SuSE 9.0 allows local users to overwrite arbitrary files via a symlink attack on files within the tmp.SuSEconfig.gnome-filesystem.$RANDOM temporary directory. 9411 1008703 3460 10623 20040113 SuSE linux 9.0 YaST config Skribt [exploit] Multiple SQL injection vulnerabilities in phpGedView before 2.65 allow remote attackers to execute arbitrary SQL via (1) timeline.php and (2) placelist.php. 20040112 More phpGedView Vulnerabilities 11925 11910 phpGedView before 2.65 allows remote attackers to obtain the absolute path of the web server via malformed parameters to (1) indilist.php, (2) famlist.php, (3) placelist.php, (4) imageview.php, (5) timeline.php, (6) clippings.php, (7) login.php, and (8) gdbi.php. 20040112 More phpGedView Vulnerabilities phpgedview-path-disclosure(14215) 3464 Multiple cross-site scripting (XSS) vulnerabilities in phpGedView before 2.65 allow remote attackers to inject arbitrary HTML or web script via (1) descendancy.php, (2) index.php, (3) individual.php, (4) login.php, (5) relationship.php, (6) source.php, (7) imageview.php, (8) calendar.php, (9) gedrecord.php, (10) login.php, and (11) gdbi_interface.php. NOTE: some aspects of vector 10 were later reported to affect 4.1. 20040112 More phpGedView Vulnerabilities phpgedview-login-xss(36285) phpgedview-multiple-xss(14212) ADV-2007-2995 11907 11906 11905 11904 11903 11894 11891 11890 11888 11882 11880 11868 20070827 PhpGedView login page multiple XSS 3479 3478 3477 3476 3475 3474 3473 1018613 26628 PHP remote file inclusion vulnerability in config.php for PhpDig 1.6.5 and earlier allows remote attackers to execute arbitrary PHP code by modifying the $relative_script_path parameter to reference a URL on a remote web server that contains the code. 9424 http://www.phpdig.net/showthread.php?s=58bcc71c822830ec3bbdaae6d56846e0&threadid=393 20040114 PhpDig 1.6.x: remote command execution phpdig-config-file-include(14826) Format string vulnerability in HD Soft Windows FTP Server 1.6 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the username, which is processed by the wscanf function. 9385 20040113 exploit for HD Soft Windows FTP Server 1.6 20040108 Windows FTP Server Format String Vulnerability 1008658 PHP remote file inclusion vulnerability in module.php for ezContents allows remote attackers to execute arbitrary PHP code by modifying the link parameter to reference a URL on a remote web server that contains the code. ezcontents-php-file-include(14199) 9396 6878 http://www.ezcontents.org/forum/viewtopic.php?t=361 20040110 Remote Code Execution in ezContents Directory traversal vulnerability in buildManPage in class.manpagelookup.php for PHP Man Page Lookup 1.2.0 allows remote attackers to read arbitrary files via the command parameter ($cmd variable) to index.php. manpagelookup-directory-traversal(14203) 9395 20040110 PHP Manpage lookup directory transversal / file disclosing 1008689 Directory traversal vulnerability in Accipiter Direct Server 6.0 allows remote attackers to read arbitrary files via encoded \.. (backslash .., "%5c%2e%2e") sequences in an HTTP request. 9389 accipterdirectserver-directory-traversal(14198) 20040109 Directory Traversal in Accipiter Direct Server 6.0 20040109 Directory Traversal in Accipiter Direct Server 6.0 3433 10600 PHP remote file inclusion vulnerability in (1) config.php and (2) config_page.php for EasyDynamicPages 2.0 allows remote attackers to execute arbitrary PHP code by modifying the edp_relative_path parameter to reference a URL on a remote web server that contains a malicious serverdata.php script. 9338 easydynamicpages-php-file-include(14136) 3408 3318 1008584 10535 20040102 include() vuln in EasyDynamicPages v.2.0 Multiple buffer overflows in xsok 1.02 allows local users to gain privileges via (1) a long LANG environment variable, or (2) a long -xsokdir command line argument, a different vulnerability than CVE-2003-0949. 9341 xsok-lang-bo(14910) xsok-long-xsokdir-bo(14906) 9352 20040103 xsok local games exploit (2) 20040102 xsok local games exploit The Vicam USB driver in Linux before 2.4.25 does not use the copy_from_user function when copying data from userspace to kernel space, which crosses security boundaries and allows local users to cause a denial of service. 9690 RHSA-2004:065 linux-vicam-dos(15246) RHSA-2005:293 SuSE-SA:2004:005 O-082 MDKSA-2004:015 CLA-2004:846 oval:org.mitre.oval:def:836 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was removed from consideration by its Candidate Numbering Authority. Notes: none. The do_mremap function for the mremap system call in Linux 2.2 to 2.2.25, 2.4 to 2.4.24, and 2.6 to 2.6.2, does not properly check the return value from the do_munmap function when the maximum number of VMA descriptors is exceeded, which allows local users to gain root privileges, a different vulnerability than CAN-2003-0985. VU#981222 9686 DSA-439 GLSA-200403-02 linux-mremap-gain-privileges(15244) 20040218 Second critical mremap() bug found in all Linux kernels http://isec.pl/vulnerabilities/isec-0014-mremap-unmap.txt SSA:2004-049 RHSA-2004:106 RHSA-2004:069 RHSA-2004:066 RHSA-2004:065 3986 SuSE-SA:2004:005 DSA-514 DSA-475 DSA-470 DSA-466 DSA-456 DSA-454 DSA-453 DSA-450 DSA-444 DSA-442 DSA-441 DSA-440 DSA-438 O-082 2004-0008 2004-0007 MDKSA-2004:015 FEDORA-2004-079 CLA-2004:820 20040218 Second critical mremap() bug found in all Linux kernels oval:org.mitre.oval:def:837 oval:org.mitre.oval:def:825 Buffer overflow in the index menu code (menu_pad_string of menu.c) for Mutt 1.4.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via certain mail messages. 9641 RHSA-2004:051 RHSA-2004:050 mutt-index-menu-bo(15134) http://bugs.debian.org/126336 SSA:2004-043 3918 MDKSA-2004:010 20040309 [OpenPKG-SA-2004.005] OpenPKG Security Advisory (mutt) 20040215 LNSA-#2004-0001: mutt remote crash 20040211 Mutt-1.4.2 fixes buffer overflow. CSSA-2004-013.0 oval:org.mitre.oval:def:838 oval:org.mitre.oval:def:811 The do_change_cipher_spec function in OpenSSL 0.9.6c to 0.9.6k, and 0.9.7a to 0.9.7c, allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that triggers a null dereference. TA04-078A VU#288574 openssl-dochangecipherspec-dos(15505) http://www.uniras.gov.uk/vuls/2004/224012/index.htm 2004-0012 SSA:2004-077 9899 RHSA-2005:830 RHSA-2005:829 RHSA-2004:139 RHSA-2004:121 RHSA-2004:120 FEDORA-2005-1042 http://www.openssl.org/news/secadv_20040317.txt SuSE-SA:2004:007 ESA-20040317-003 DSA-465 20040317 Cisco OpenSSL Implementation Vulnerability O-101 http://support.lexmark.com/index?page=content&id=TE88&locale=EN&userlocale=EN_US http://support.avaya.com/elmodocs2/security/ASA-2005-239.htm 57524 GLSA-200403-03 18247 17401 17398 17381 11139 oval:org.mitre.oval:def:9779 oval:org.mitre.oval:def:5770 SSRT4717 20040317 New OpenSSL releases fix denial of service attacks [17 March 2004] http://lists.apple.com/mhonarc/security-announce/msg00045.html APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 FEDORA-2004-095 http://docs.info.apple.com/article.html?artnum=61798 CLA-2004:834 SCOSA-2004.10 NetBSD-SA2004-005 FreeBSD-SA-04:05 MDKSA-2004:023 oval:org.mitre.oval:def:975 oval:org.mitre.oval:def:870 oval:org.mitre.oval:def:2621 The login program in util-linux 2.11 and earlier uses a pointer after it has been freed and reallocated, which could cause login to leak sensitive data. VU#801526 RHSA-2004:056 9558 utillinux-information-leak(15016) 3796 GLSA-200404-06 10773 20040408 LNSA-#2004-0010: login may leak sensitive data 20040331 OpenLinux: util-linux could leak sensitive data 20040406-01-U 20040201-01-U OpenSSL 0.9.6 before 0.9.6d does not properly handle unknown message types, which allows remote attackers to cause a denial of service (infinite loop), as demonstrated using the Codenomicon TLS Test Tool. TA04-078A VU#465542 openssl-tls-dos(15509) http://www.uniras.gov.uk/vuls/2004/224012/index.htm 2004-0012 9899 RHSA-2004:139 RHSA-2004:121 RHSA-2004:120 ESA-20040317-003 DSA-465 20040317 Cisco OpenSSL Implementation Vulnerability 57524 GLSA-200403-03 11139 RHSA-2004:119 oval:org.mitre.oval:def:11755 20040508 [FLSA-2004:1395] Updated OpenSSL resolves security vulnerability 20040317 Re: New OpenSSL releases fix denial of service attacks [17 March 2004] FEDORA-2004-095 CLA-2004:834 20040304-01-U SCOSA-2004.10 oval:org.mitre.oval:def:902 oval:org.mitre.oval:def:871 The mksmbpasswd shell script (mksmbpasswd.sh) in Samba 3.0.0 and 3.0.1, when creating an account but marking it as disabled, may overwrite the user password with an uninitialized buffer, which could enable the account with a more easily guessable password. 9637 RHSA-2004:064 samba-mksmbpasswd-gain-access(15132) http://www.vuxml.org/freebsd/3388eff9-5d6e-11d8-80e3-0020ed76ef5a.html http://us1.samba.org/samba/ftp/WHATSNEW-3.0.2a.txt 3919 O-078 oval:org.mitre.oval:def:827 Buffer overflow in ReadFontAlias from dirfile.c of XFree86 4.1.0 through 4.3.0 allows local users and remote attackers to execute arbitrary code via a font alias file (font.alias) with a long token, a different vulnerability than CVE-2004-0084 and CVE-2004-0106. VU#820006 9636 20040210 iDEFENSESecurityAdvisory02.10.04: XFree86FontInformationFileBufferOverflow xfree86-fontalias-bo(15130) http://www.xfree86.org/cvs/changes RHSA-2004:061 RHSA-2004:060 RHSA-2004:059 SuSE-SA:2004:006 http://www.idefense.com/application/poi/display?id=72 DSA-443 GLSA-200402-02 oval:org.mitre.oval:def:9612 SSA:2004-043 MDKSA-2004:012 57768 FLSA:2314 20040211 XFree86 vulnerability exploit CLA-2004:821 oval:org.mitre.oval:def:830 oval:org.mitre.oval:def:806 Buffer overflow in the ReadFontAlias function in XFree86 4.1.0 to 4.3.0, when using the CopyISOLatin1Lowered function, allows local or remote authenticated users to execute arbitrary code via a malformed entry in the font alias (font.alias) file, a different vulnerability than CVE-2004-0083 and CVE-2004-0106. VU#667502 9652 RHSA-2004:061 RHSA-2004:060 xfree86-copyisolatin1lLowered-bo(15200) SSA:2004-043 RHSA-2004:059 SuSE-SA:2004:006 http://www.idefense.com/application/poi/display?id=73 DSA-443 oval:org.mitre.oval:def:10405 FLSA:2314 CLA-2004:821 MDKSA-2004:012 57768 20040212 iDEFENSE Security Advisory 02.11.04: XFree86 Font Information File Buffer Overflow II oval:org.mitre.oval:def:831 oval:org.mitre.oval:def:807 Unknown vulnerability in the Mail application for Mac OS X 10.1.5 and 10.2.8 with unknown impact, a different vulnerability than CVE-2004-0086. macosx-mail-undisclosed(14992) 9504 APPLE-SA-2004-01-26 Unknown vulnerability in the Mail application for Mac OS X 10.3.2 has unknown impact and attack vectors, a different vulnerability than CVE-2004-0085. 9504 APPLE-SA-2004-01-26 The System Configuration subsystem in Mac OS 10.2.8 and 10.3.2 allows local users to modify network settings, a different vulnerability than CVE-2004-0088. macosx-configd-file-manipulation(14997) 9504 6819 APPLE-SA-2004-01-26 The System Configuration subsystem in Mac OS 10.2.8 allows local users to modify network settings, a different vulnerability than CVE-2004-0087. 9504 6820 APPLE-SA-2004-01-26 Buffer overflow in TruBlueEnvironment in Mac OS X 10.3.x and 10.2.x allows local users to gain privileges via a long environment variable. VU#902374 9509 macosx-trublue-environmentvariable-bo(14968) 6821 A012704-1 APPLE-SA-2004-01-26 Unknown vulnerability in Windows File Sharing for Mac OS X 10.1.5 through 10.3.2 does not "shutdown properly," which has unknown impact and attack vectors. 9504 10723 ESB-2004.0072 APPLE-SA-2004-01-26 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in register.php for unknown versions of vBulletin allows remote attackers to inject arbitrary HTML or web script via the reg_site (or possibly regsite) parameter. NOTE: the vendor has disputed this issue, saying "There is no hidden field called 'reg_site', nor any $reg_site variable anywhere in the vBulletin 2 or vBulletin 3 source code or templates, nor has it ever existed. We can only assume that this vulnerability was found in a site running code modified from that supplied by Jelsoft." 1008780 20040123 RE: vBulletin Security Vulnerability 20040120 Re: vBulletin Security Vulnerability 20040120 vBulletin Security Vulnerability 20040120 vBulletin Security Vulnerability Unknown vulnerability in Safari web browser in Mac OS X 10.2.8 and 10.3.2, with unknown impact. 9504 APPLE-SA-2004-01-26 XFree86 4.1.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an out-of-bounds array index when using the GLX extension and Direct Rendering Infrastructure (DRI). DSA-443 xfree86-glx-array-dos(15272) 9701 RHSA-2004:152 CLSA-2004:824 20040406-01-U Integer signedness errors in XFree86 4.1.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code when using the GLX extension and Direct Rendering Infrastructure (DRI). DSA-443 xfree86-glx-integer-dos(15273) 9701 RHSA-2004:152 CLSA-2004:824 20040406-01-U McAfee ePolicy Orchestrator agent allows remote attackers to cause a denial of service (memory consumption and crash) and possibly execute arbitrary code via an HTTP POST request with an invalid Content-Length value, possibly triggering a buffer overflow. 9476 http://download.nai.com/products/patches/ePO/v3.1.0/EPO3013.zip epolicy-contentlength-post-dos(14989) 3744 Unknown vulnerability in mod_python 2.7.9 allows remote attackers to cause a denial of service (httpd crash) via a certain query string, a variant of CAN-2003-0973. [mod_python] 20040122 [ANNOUNCE] Mod_python 2.7.10 RHSA-2004:063 RHSA-2004:058 GLSA-200401-03 Multiple vulnerabilities in PWLib before 1.6.0 allow remote attackers to cause a denial of service and possibly execute arbitrary code, as demonstrated by the NISCC/OUSPG PROTOS test suite for the H.225 protocol. VU#749342 CA-2004-01 RHSA-2004:047 DSA-448 pwlib-message-dos(15202) oval:org.mitre.oval:def:10056 9406 oval:org.mitre.oval:def:826 oval:org.mitre.oval:def:803 mksnap_ffs in FreeBSD 5.1 and 5.2 only sets the snapshot flag when creating a snapshot for a file system, which causes default values for other flags to be used, possibly disabling security-critical settings and allowing a local user to bypass intended access restrictions. 9533 FreeBSD-SA-04:01 freebsd-mksnapffs-bypass-security(15005) 3790 crawl before 4.0.0 beta23 does not properly "apply a size check" when copying a certain environment variable, which may allow local users to gain privileges, possibly as a result of a buffer overflow. DSA-432 crawl-long-environment-bo(15032) 9566 10788 Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. VU#518518 9692 RHSA-2004:073 metamail-printheader-format-string(15259) metamail-contenttype-format-string(15245) DSA-449 10908 20040218 metamail format string bugs and buffer overflows SSA:2004-049 MDKSA-2004:014 O-083 20040218 metamail format string bugs and buffer overflows Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code. VU#513062 RHSA-2004:073 metamail-splitmail-subject-bo(15258) metamail-printheader-nonascii-bo(15247) DSA-449 10908 20040218 metamail format string bugs and buffer overflows SSA:2004-049 9692 MDKSA-2004:014 O-083 20040218 metamail format string bugs and buffer overflows Multiple unknown vulnerabilities in XFree86 4.1.0 to 4.3.0, related to improper handling of font files, a different set of vulnerabilities than CVE-2004-0083 and CVE-2004-0084. SSA:2004-043 RHSA-2004:061 RHSA-2004:060 xfree86-multiple-font-improper-handling(15206) RHSA-2004:059 SuSE-SA:2004:006 DSA-443 oval:org.mitre.oval:def:11111 MDKSA-2004:012 FLSA:2314 CLA-2004:821 oval:org.mitre.oval:def:832 oval:org.mitre.oval:def:809 The (1) post and (2) trigger scripts in sysstat 4.0.7 and earlier allow local users to overwrite arbitrary files via symlink attacks on temporary files, a different vulnerability than CVE-2004-0108. 9838 RHSA-2004:053 20040302-01-U sysstat-post-trigger-symlink(15428) RHSA-2004:093 6884 O-097 oval:org.mitre.oval:def:10737 oval:org.mitre.oval:def:862 oval:org.mitre.oval:def:849 The isag utility, which processes sysstat data, allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CAN-2004-0107. 9844 RHSA-2004:053 20040302-01-U sysstat-isag-symlink(15437) DSA-460 Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry. ESA-20040428-004 RHSA-2004:166 2004-0020 20040405-01-U linux-iso9660-bo(15866) TLSA-2004-14 10141 RHSA-2004:183 RHSA-2004:106 RHSA-2004:105 SuSE-SA:2004:009 http://www.idefense.com/application/poi/display?id=101&type=vulnerabilities DSA-495 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479 O-127 O-121 GLSA-200407-02 12003 11986 11891 11861 11626 11518 11494 11486 11470 11469 11464 11373 11362 11361 oval:org.mitre.oval:def:10733 CLA-2004:846 20040504-01-U MDKSA-2004:029 oval:org.mitre.oval:def:940 Buffer overflow in the (1) nanohttp or (2) nanoftp modules in XMLSoft Libxml 2 (Libxml2) 2.6.0 through 2.6.5 allow remote attackers to execute arbitrary code via a long URL. VU#493966 libxml2-nanohttp-bo(15301) 9718 RHSA-2004:090 20040305 [OpenPKG-SA-2004.003] OpenPKG Security Advisory (libxml) libxml2-nanoftp-bo(15302) RHSA-2004:091 DSA-455 O-086 GLSA-200403-01 10958 oval:org.mitre.oval:def:11626 http://www.xmlsoft.org/news.html RHSA-2004:650 SUSE-SR:2005:001 20040306 TSLSA-2004-0010 - libxml2 oval:org.mitre.oval:def:875 oval:org.mitre.oval:def:833 gdk-pixbuf before 0.20 allows attackers to cause a denial of service (crash) via a malformed bitmap (BMP) file. 9842 RHSA-2004:103 FLSA:2005 gdk-pixbuf-bitmap-dos(15426) RHSA-2004:102 MDKSA-2004:020 DSA-464 oval:org.mitre.oval:def:846 oval:org.mitre.oval:def:845 The SSL/TLS handshaking code in OpenSSL 0.9.7a, 0.9.7b, and 0.9.7c, when using Kerberos ciphersuites, does not properly check the length of Kerberos tickets during a handshake, which allows remote attackers to cause a denial of service (crash) via a crafted SSL/TLS handshake that causes an out-of-bounds read. TA04-078A VU#484726 openssl-kerberos-ciphersuites-dos(15508) http://www.uniras.gov.uk/vuls/2004/224012/index.htm 2004-0012 SSA:2004-077 9899 RHSA-2004:121 RHSA-2004:120 http://www.openssl.org/news/secadv_20040317.txt SuSE-SA:2004:007 20040317 Cisco OpenSSL Implementation Vulnerability O-101 57524 GLSA-200403-03 11139 oval:org.mitre.oval:def:9580 SSRT4717 20040317 New OpenSSL releases fix denial of service attacks [17 March 2004] http://lists.apple.com/mhonarc/security-announce/msg00045.html APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 http://docs.info.apple.com/article.html?artnum=61798 CLA-2004:834 SCOSA-2004.10 NetBSD-SA2004-005 MDKSA-2004:023 oval:org.mitre.oval:def:928 oval:org.mitre.oval:def:1049 Memory leak in ssl_engine_io.c for mod_ssl in Apache 2 before 2.0.49 allows remote attackers to cause a denial of service (memory consumption) via plain HTTP requests to the SSL port of an SSL-enabled server. 9826 apache-modssl-plain-dos(15419) http://www.apacheweek.com/features/security-20 [apache-cvs] 20040307 cvs commit: httpd-2.0/modules/ssl ssl_engine_io.c 2004-0017 RHSA-2004:182 RHSA-2004:084 4182 MDKSA-2004:043 GLSA-200403-04 SSRT4717 APPLE-SA-2004-05-03 20040325 LNSA-#2004-0006: bug workaround for Apache 2.0.48 http://issues.apache.org/bugzilla/show_bug.cgi?id=27106 CLSA-2004:839 oval:org.mitre.oval:def:876 The shmat system call in the System V Shared Memory interface for FreeBSD 5.2 and earlier, NetBSD 1.3 and earlier, and OpenBSD 2.6 and earlier, does not properly decrement a shared memory segment's reference count when the vm_map_find function fails, which could allow local users to gain read or write access to a portion of kernel memory and gain privileges. bsd-shmat-gain-privileges(15061) 9586 FreeBSD-SA-04:02 http://www.pine.nl/press/pine-cert-20040201.txt 20040205 [PINE-CERT-20040201] reference count overflow in shmat() 3836 http://www.openbsd.org/errata33.html#sysvshm NetBSD-SA2004-004 VirtualPC_Services in Microsoft Virtual PC for Mac 6.0 through 6.1 allows local attackers to truncate and overwrite arbitrary files, and execute arbitrary code, via a symlink attack on the VPCServices_Log temporary file. 9632 MS04-005 A021004-1 virtual-pc-gain-privileges(15113) 3893 O-076 An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field. VU#417052 TA04-104A AD20040413A MS04-012 win-rpcss-rpcmessage-dos(15708) 10127 O-115 1009758 11065 oval:org.mitre.oval:def:958 oval:org.mitre.oval:def:957 oval:org.mitre.oval:def:955 Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code. VU#353956 TA04-104A MS04-011 win-h323-bo(15710) O-114 oval:org.mitre.oval:def:964 oval:org.mitre.oval:def:946 oval:org.mitre.oval:def:907 The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code. VU#783748 TA04-104A MS04-011 AD20040413E 20040413 EEYE: Windows VDM TIB Local Privilege Escalation win-vdm-gain-privileges(15714) 10117 O-114 oval:org.mitre.oval:def:1718 oval:org.mitre.oval:def:1512 The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection. VU#638548 TA04-104A MS04-011 20040414 NSFOCUS SA2004-01 : DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding win-spp-bo(15715) 10113 O-114 oval:org.mitre.oval:def:1997 oval:org.mitre.oval:def:1962 oval:org.mitre.oval:def:1808 The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages. VU#150236 TA04-104A MS04-011 ssl-message-dos(15712) 10115 O-114 oval:org.mitre.oval:def:892 oval:org.mitre.oval:def:886 oval:org.mitre.oval:def:885 Argument injection vulnerability in Microsoft Outlook 2002 does not sufficiently filter parameters of mailto: URLs when using them as arguments when calling OUTLOOK.EXE, which allows remote attackers to use script code in the Local Machine zone and execute arbitrary programs. TA04-070A VU#305206 9827 MS04-009 20040309 Microsoft Outlook "mailto:" Parameter Passing Vulnerability outlook-ms04009-patch(15429) outlook-mailtourl-execute-code(15414) O-096 20040310 Outlook mailto: URL argument injection vulnerability oval:org.mitre.oval:def:843 Microsoft MSN Messenger 6.0 and 6.1 does not properly handle certain requests, which allows remote attackers to read arbitrary files. VU#688094 9828 MS04-010 msn-ms04010-patch(15427) msn-request-view-files(15415) oval:org.mitre.oval:def:844 Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code. VU#255924 TA04-104A win-asn1-double-free(15713) 10118 MS04-011 O-114 oval:org.mitre.oval:def:924 oval:org.mitre.oval:def:1076 oval:org.mitre.oval:def:1007 The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability." VU#212892 TA04-104A win-objectidentifier-open-port(15711) 10121 MS04-012 O-115 11065 oval:org.mitre.oval:def:1072 oval:org.mitre.oval:def:1066 oval:org.mitre.oval:def:1062 oval:org.mitre.oval:def:1041 The jail system call in FreeBSD 4.x before 4.10-RELEASE does not verify that an attempt to manipulate routing tables originated from a non-jailed process, which could allow local users to modify the routing table. 10485 freebsd-jailed-table-modify(16342) FreeBSD-SA-04:12 The jail_attach system call in FreeBSD 5.1 and 5.2 changes the directory of a calling process even if the process doesn't have permission to change directory, which allows local users to gain read/write privileges to files and directories within another jail. 9762 FreeBSD-SA-04:03 freebsd-jailattach-gain-privileges(15344) 4101 Directory traversal vulnerability in editconfig_gedcom.php for phpGedView 2.65.1 and earlier allows remote attackers to read arbitrary files or execute arbitrary PHP programs on the server via .. (dot dot) sequences in the gedcom_config parameter. 9529 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior phpgedview-editconfig-directory-traversal(15129) 1008892 3768 10753 PHP remote file inclusion vulnerability in the GEDCOM configuration script for phpGedView 2.65.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the PGV_BASE_DIRECTORY parameter to reference a URL on a remote web server that contains a malicious theme.php script. 9531 20040129 PHP Code Injection Vulnerabilities in phpGedView 2.65.1 and prior phpgedview-gedfilconf-file-include(14987) 3769 http://sourceforge.net/project/shownotes.php?release_id=141517 10753 Directory traversal vulnerability in export.php in phpMyAdmin 2.5.5 and earlier allows remote attackers to read arbitrary files via .. (dot dot) sequences in the what parameter. 9564 20040203 Arbitrary File Disclosure Vulnerability in phpMyAdmin 2.5.5-pl1 and prior http://www.phpmyadmin.net/home_page/relnotes.php?rel=0 http://sourceforge.net/forum/forum.php?forum_id=350228 GLSA-200402-05 phpmyadmin-dotdot-directory-traversal(15021) 3800 10769 login.php in phpGedView 2.65 and earlier allows remote attackers to obtain sensitive information via an HTTP request to login.php that does not contain the required username or password parameters, which causes the information to be leaked in an error message. http://www.securiteam.com/unixfocus/5NP0M1PBPQ.html phpgedview-loginphp-path-disclosure(15128) 6886 http://www.netvigilance.com/advisory0001 1008844 The rad_print_request function in logger.c for GNU Radius daemon (radiusd) before 1.2 allows remote atackers to cause a denial of service (crash) via a UDP packet with an Acct-Status-Type attribute without a value and no Acct-Session-Id attribute, which causes a null dereference. VU#277396 radius-radprintrequest-dos(15046) 9578 http://ftp.gnu.org/gnu/radius/radius-1.2.tar.gz 3824 20040204 GNU Radius Remote Denial of Service Vulnerability 10799 Multiple PHP remote file inclusion vulnerabilities in ezContents 2.0.2 and earlier allow remote attackers to execute arbitrary PHP code from a remote web server, as demonstrated using (1) the GLOBALS[rootdp] parameter to db.php, or (2) the GLOBALS[language_home] parameter to archivednews.php, and a malicious version of lang_admin.php. 20040210 PHP Code Injection Vulnerabilities in ezContents 2.0.2 and prior ezcontents-multiple-file-include(15135) The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device. ESA-20040428-004 2004-0020 20040405-01-U GLSA-200407-02 linux-xfs-info-disclosure(15901) 10151 MDKSA-2004:029 11362 cpr (libcpr) in SGI IRIX before 6.5.25 allows local users to gain privileges by loading a user provided library while restarting the checkpointed process. irix-cpr-gain-privileges(16259) 10418 20040507-01-P The syssgi SGI_IOPROBE system call in IRIX 6.5.20 through 6.5.24 allows local users to gain privileges by reading and writing to kernel memory. irix-sgiioprobe-gain-privileges(16413) 20040601-01-P 7122 11872 The mapelf32exec function call in IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system crash) via a "corrupted binary." irix-mapelf32exec-dos(16416) 10547 20040601-01-P 7123 11872 Unknown vulnerability in init for IRIX 6.5.20 through 6.5.24 allows local users to cause a denial of service (system panic) as a result of "page invalidation issues." irix-page-dos(16417) 10549 20040601-01-P 7124 11872 The ELF loader in Linux kernel 2.4 before 2.4.25 allows local users to cause a denial of service (crash) via a crafted ELF file with an interpreter with an invalid arch (architecture), which triggers a BUG() when an invalid VMA is unmapped. DSA-1082 DSA-1070 DSA-1069 DSA-1067 20202 20163 20162 oval:org.mitre.oval:def:10123 http://linux.bkbits.net:8080/linux-2.4/cset@4021346f79nBb-4X_usRikR3Iyb4Vg http://kernel.debian.net/debian/pool/main/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_ia64.changes linux-kernel-elfloader-dos(43124) 18174 RHSA-2004:549 RHSA-2004:504 20338 http://kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.25 Unknown vulnerability in the bsd.a kernel networking for SGI IRIX 6.5.22 through 6.5.25, and possibly earlier versions, in which "t_unbind changes t_bind's behavior," has unknown impact and attack vectors. 11276 irix-bsda-kernel(17547) 12682 20040905-01-P Multiple vulnerabilities in Nokia 6310(i) Mobile phones allow remote attackers to cause a denial of service (reset) via malformed Bluetooth OBject EXchange (OBEX) messages, probably triggering buffer overflows. nokia-obex-dos(15107) 9603 http://www.pentest.co.uk/documents/ptl-2004-01.html 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones 20040209 ptl-2004-01: Multiple vulnerabilities in Nokia phones wu-ftpd 2.6.2 and earlier, with the restricted-gid option enabled, allows local users to bypass access restrictions by changing the permissions to prevent access to their home directory, which causes wu-ftpd to use the root directory instead. 9832 RHSA-2004:096 DSA-457 wuftpd-restrictedgid-gain-access(15423) ADV-2006-1867 102356 20168 11055 SSRT4704 oval:org.mitre.oval:def:648 oval:org.mitre.oval:def:1637 oval:org.mitre.oval:def:1636 oval:org.mitre.oval:def:1147 Multiple buffer overflows in xboing before 2.4 allow local users to gain privileges. DSA-451 xboing-bo(15347) 9764 Buffer overflow in the getaddrinfo function in Python 2.2 before 2.2.2, when IPv6 support is disabled, allows remote attackers to execute arbitrary code via an IPv6 address that is obtained using DNS. 9836 DSA-458 python-getaddrinfo-bo(15409) 4172 MDKSA-2004:019 GLSA-200409-03 Unknown vulnerability in xitalk 1.1.11 and earlier allows local users to execute arbitrary commands. xitalk-gain-privileges(15456) 9851 DSA-462 http://shellcode.org/Advisories/XITALK.txt 11114 Multiple stack-based buffer overflows in (1) the encode_mime function, (2) the encode_uuencode function, (3) or the decode_uuencode function for emil 2.1.0 and earlier allow remote attackers to execute arbitrary code via e-mail messages containing attachments with filenames. DSA-468 emil-email-bo(15601) 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities Multiple format string vulnerabilities in emil 2.1.0 and earlier may allow remote attackers to execute arbitrary code by triggering certain error messages. DSA-468 emil-format-string(15602) 20040325 Re: [SECURITY] [DSA 468-1] New emil packages fix multiple vulnerabilities rpc.mountd in nfs-utils after 1.0.3 and before 1.0.6 allows attackers to cause a denial of service (crash) via an NFS mount of a directory from a client whose reverse DNS lookup name is different from the forward lookup name. nfs-utils-dns-dos(15418) 2004-0009 9813 RHSA-2004:072 oval:org.mitre.oval:def:9673 http://bugzilla.redhat.com/bugzilla/long_list.cgi?buglist=114535 oval:org.mitre.oval:def:861 The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate. VU#552398 RHSA-2004:165 APPLE-SA-2004-05-03 20040407 CAN-2004-0155: The KAME IKE Daemon Racoon does not verify RSA Signatures during Phase 1, allows man-in-the-middle attacks and unauthorized connections 10072 MDKSA-2004:069 GLSA-200406-17 11328 oval:org.mitre.oval:def:9291 SCOSA-2005.10 MDKSA-2004:027 oval:org.mitre.oval:def:945 Format string vulnerabilities in the (1) die or (2) log_event functions for ssmtp before 2.50.6 allow remote mail relays to cause a denial of service and possibly execute arbitrary code. DSA-485 GLSA-200404-18 ssmtp-die-logevent-format-string(15872) 10150 5361 5360 1009788 11571 11485 11384 11378 20040507 [OpenPKG-SA-2004.020] OpenPKG Security Advisory (ssmtp) x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program. DSA-484 xonix-privilege-dropping(15873) 10149 5358 http://shellcode.org/Advisories/XONIX.txt 1009789 11382 Buffer overflow in lbreakout2 allows local users to gain 'games' group privileges via a large HOME environment variable to (1) editor.c, (2) theme.c, (3) manager.c, (4) config.c, (5) game.c, (6) levels.c, or (7) main.c. breakout2-home-bo(15229) 9712 DSA-445 http://security.debian.org/pool/updates/main/l/lbreakout2/lbreakout2_2.2.2-1woody1.diff.gz 20040222 lbreakout2 < 2.4beta-2 local exploit Format string vulnerability in hsftp 1.11 allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via file names containing format string characters that are not properly handled when executing an "ls" command. 9715 DSA-447 hsftp-format-string(15276) 4029 20040223 Re: [SECURITY] [DSA 447-1] New hsftp packages fix format string vulnerability Synaesthesia 2.2 and earlier allows local users to execute arbitrary code via a symlink attack on the configuration file. synaesthesia-configuration-symlink-attack(15279) 9713 DSA-446 Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME messages that use RFC2231 encoding, which may be interpreted differently by mail clients. mime-tools-parameter-encoding(9274) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC2231 encoding issue Multiple content security gateway and antivirus products allow remote attackers to bypass content restrictions via MIME encapsulation that uses RFC822 comment fields, which may be interpreted as other fields by mail clients. mime-rfc822-filtering-bypass(17332) http://www.uniras.gov.uk/vuls/2004/380375/mime.htm 20040914 Corsaire Security Advisory - Multiple vendor MIME RFC822 comment issue Sygate Secure Enterprise (SSE) 3.5MR3 and earlier does not change the key used to encrypt data, which allows remote attackers to cause a denial of service (resource exhaustion) by capturing a session and repeatedly replaying the session. sse-replay-dos(16945) http://www.corsaire.com/advisories/c031120-002.txt 20040810 Corsaire Security Advisory - Sygate Secure Enterprise replay issue KAME IKE daemon (racoon) does not properly handle hash values, which allows remote attackers to delete certificates via (1) a certain delete message that is not properly handled in isakmp.c or isakmp_inf.c, or (2) a certain INITIAL-CONTACT message that is not properly handled in isakmp_inf.c. 20040114 Re: unauthorized deletion of IPsec (and ISAKMP) SAs in racoon openbsd-isakmp-initialcontact-delete-sa(14118) openbsd-isakmp-invalidspi-delete-sa(14117) 9417 oval:org.mitre.oval:def:9737 APPLE-SA-2004-02-23 NetBSD-SA2004-001 9416 20040113 unauthorized deletion of IPsec (and ISAKMP) SAs in racoon oval:org.mitre.oval:def:947 Format string vulnerability in Point-to-Point Protocol (PPP) daemon (pppd) 2.4.0 for Mac OS X 10.3.2 and earlier allows remote attackers to read arbitrary pppd process data, including PAP or CHAP authentication credentials, to gain privileges. VU#841742 9730 A022304-1 macos-pppd-format-string(15297) 6822 APPLE-SA-2004-02-23 Unknown vulnerability in Safari web browser for Mac OS X 10.2.8 related to "the display of URLs in the status bar." VU#194238 macosx-safari-unknown(14993) 10959 APPLE-SA-2004-02-23 DiskArbitration in Mac OS X 10.2.8 and 10.3.2 does not properly initialize writeable removable media. VU#578886 macos-diskarbitration-unknown(15300) 9731 6824 10959 APPLE-SA-2004-02-23 Unknown vulnerability in CoreFoundation for Mac OS X 10.3.2, related to "notification logging." macos-corefoundation-unknown(15299) APPLE-SA-2004-02-23 10959 QuickTime Streaming Server in MacOS X 10.2.8 and 10.3.2 allows remote attackers to cause a denial of service (crash) via DESCRIBE requests with long User-Agent fields, which causes an Assert error to be triggered in the BufferIsFull function. VU#460350 9735 darwin-describe-request-dos(15291) 6837 6826 20040223 Darwin Streaming Server Remote Denial of Service Vulnerability APPLE-SA-2004-02-23 FreeBSD 5.1 and earlier, and Mac OS X before 10.3.4, allows remote attackers to cause a denial of service (resource exhaustion of memory buffers and system crash) via a large number of out-of-sequence TCP packets, which prevents the operating system from creating new connections. VU#395670 9792 20040302 FreeBSD Memory Buffer Exhaustion Denial of Service Vulnerability freebsd-mbuf-dos(15369) 4124 APPLE-SA-2004-05-28 FreeBSD-SA-04:04 Heap-based buffer overflow in the search_for_command function of ltrace 0.3.10, if it is installed setuid, could allow local users to execute arbitrary code via a long filename. NOTE: It is unclear whether there are any packages that install ltrace as a setuid program, so this candidate might be REJECTed. ltrace-searchforcommand-bo(13389) 8790 1007896 20031008 ltrace bug 20031008 ltrace bug Directory traversal vulnerability in Apache 1.3.29 and earlier, and Apache 2.0.48 and earlier, when running on Cygwin, allows remote attackers to read arbitrary files via a URL containing "..%5C" (dot dot encoded backslash) sequences. apache-cygwin-directory-traversal(15293) 9733 http://www.apacheweek.com/issues/04-03-12 10962 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin 20040224 STG Security Advisory: [SSA-20040217-06] Apache for cygwin directory traversal vulnerability http://issues.apache.org/bugzilla/show_bug.cgi?id=26152 Apache 1.4.x before 1.3.30, and 2.0.x before 2.0.49, when using multiple listening sockets on certain platforms, allows remote attackers to cause a denial of service (blocked new connections) via a "short-lived connection on a rarely-accessed listening socket." VU#132110 apache-socket-starvation-dos(15540) RHSA-2004:405 2004-0017 20040319 [ANNOUNCE] Apache HTTP Server 2.0.49 Released (fwd) 2004-0027 GLSA-200405-22 11170 SSA:2004-133 1009495 9921 MDKSA-2004:046 http://www.apache.org/dist/httpd/CHANGES_1.3 57628 101555 SSRT4717 20040512 [OpenPKG-SA-2004.021] OpenPKG Security Advisory (apache) APPLE-SA-2004-05-03 oval:org.mitre.oval:def:1982 oval:org.mitre.oval:def:100110 Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992. 9986 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=120147 openssh-scp-file-overwrite(16323) RHSA-2005:567 RHSA-2005:562 RHSA-2005:495 RHSA-2005:481 RHSA-2005:165 RHSA-2005:106 RHSA-2005:074 9550 SuSE-SA:2004:009 MDVSA-2008:191 MDKSA-2005:100 http://www.juniper.net/support/security/alerts/adv59739.txt O-212 19243 17135 oval:org.mitre.oval:def:10184 CLSA-2004:831 SCOSA-2006.11 Multiple buffer overflows in Ethereal 0.8.13 to 0.10.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via the (1) NetFlow, (2) IGAP, (3) EIGRP, (4) PGM, (5) IrDA, (6) BGP, (7) ISUP, or (8) TCAP dissectors. VU#931588 VU#864884 VU#740188 VU#659140 VU#644886 VU#591820 VU#433596 VU#125156 VU#119876 DSA-511 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal ethereal-multiple-dissectors-bo(15569) RHSA-2004:137 RHSA-2004:136 http://www.ethereal.com/appnotes/enpa-sa-00013.html GLSA-200403-07 http://security.e-matters.de/advisories/032004.html 11185 oval:org.mitre.oval:def:10187 20040323 Advisory 03/2004: Multiple (13) Ethereal remote overflows 6893 MDKSA-2004:024 20040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal) CLA-2004:835 oval:org.mitre.oval:def:887 oval:org.mitre.oval:def:878 The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device. ESA-20040428-004 DSA-495 RHSA-2004:166 2004-0020 FLSA:2336 DSA-491 DSA-489 DSA-482 DSA-481 DSA-480 DSA-479 GLSA-200407-02 oval:org.mitre.oval:def:10556 http://linux.bkbits.net:8080/linux-2.4/cset@4056b368s6vpJbGWxDD_LhQNYQrdzQ linux-ext3-info-disclosure(15867) 10152 RHSA-2005:293 RHSA-2004:505 RHSA-2004:504 MDKSA-2004:029 O-127 O-126 O-121 CLA-2004:846 The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes. DSA-495 DSA-491 DSA-489 DSA-482 RHSA-2004:437 RHSA-2004:413 DSA-481 DSA-480 DSA-479 GLSA-200407-02 oval:org.mitre.oval:def:9427 http://linux.bkbits.net:8080/linux-2.4/cset@404ce5967rY2Ryu6Z_uNbYh643wuFA 20040804-01-U linux-sound-blaster-dos(15868) 9985 MDKSA-2004:029 O-193 O-127 O-121 CLA-2004:846 Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code. FEDORA-2004-1552 RHSA-2004:160 RHSA-2004:159 RHSA-2004:158 RHSA-2004:157 DSA-487 GLSA-200405-04 GLSA-200405-01 11363 SuSE-SA:2004:008 SuSE-SA:2004:009 20040404-01-U 10136 5365 MDKSA-2004:032 oval:org.mitre.oval:def:10913 20040416 void.at - neon format string bugs 20040416 [OpenPKG-SA-2004.016] OpenPKG Security Advisory (neon) oval:org.mitre.oval:def:1065 The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405. RHSA-2004:154 RHSA-2004:153 DSA-486 FreeBSD-SA-04:07 oval:org.mitre.oval:def:9462 20040404-01-U ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/002_cvs.patch cvs-rcs-create-files(15864) SSA:2004-108-02 MDKSA-2004:028 GLSA-200404-13 11548 11405 11400 11391 11380 11377 11375 11374 11371 11368 FEDORA-2004-1620 oval:org.mitre.oval:def:1042 The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device. ESA-20040428-004 2004-0020 ADV-2005-1878 GLSA-200407-02 oval:org.mitre.oval:def:10329 linux-jfs-info-disclosure(15902) TLSA-2004-14 10143 RHSA-2005:663 RHSA-2004:504 MDKSA-2004:029 17002 Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field. RHSA-2004:156 20040404-01-U TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via ISAKMP packets containing a Delete payload with a large number of SPI's, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#240790 DSA-478 FEDORA-2004-1468 tcpdump-isakmp-delete-bo(15680) http://www.tcpdump.org/tcpdump-changes.txt 10003 RHSA-2004:219 http://www.rapid7.com/advisories/R7-0017.html 1009593 11258 oval:org.mitre.oval:def:9971 2004-0015 11320 20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities oval:org.mitre.oval:def:972 Integer underflow in the isakmp_id_print for TCPDUMP 3.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with an Identification payload with a length that becomes less than 8 during byte order conversion, which causes an out-of-bounds read, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#492558 DSA-478 FEDORA-2004-1468 tcpdump-isakmp-integer-underflow(15679) http://www.tcpdump.org/tcpdump-changes.txt 10004 RHSA-2004:219 http://www.rapid7.com/advisories/R7-0017.html 1009593 11258 oval:org.mitre.oval:def:9581 20040330 R7-0017: TCPDUMP ISAKMP payload handling denial-of-service vulnerabilities 2004-0015 oval:org.mitre.oval:def:976 Buffer overflow in the skey_challenge function in ftpd.c for wu-ftp daemon (wu-ftpd) 2.6.2 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a s/key (SKEY) request with a long name. http://www.securiteam.com/unixfocus/6X00Q1P8KC.html RHSA-2004:096 DSA-457 ftp://ftp.wu-ftpd.org/pub/wu-ftpd/patches/apply_to_2.6.2/skeychallenge.patch wuftpd-skey-bo(13518) http://unixpunx.org/txt/exploits_archive/packetstorm/0310-advisories/wuftpd-skey.txt 8893 smbmnt in Samba 2.x and 3.x on Linux 2.6, when installed setuid, allows local users to gain root privileges by mounting a Samba share that contains a setuid root program, whose setuid attributes are not cleared when the share is mounted. samba-smbmnt-gain-privileges(15131) 9619 DSA-463 20040209 Samba 3.x + kernel 2.6.x local root vulnerability 3916 20040211 Re: Samba 3.x + kernel 2.6.x local root vulnerability ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0185. Reason: This candidate is a reservation duplicate of CVE-2004-0185. Notes: All CVE users should reference CVE-2004-0185 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Heap-based buffer overflow in Calife 2.8.5 and earlier may allow local users to execute arbitrary code via a long password. 9756 DSA-461 calife-long-password-bo(15335) 20040227 Calife heap corrupt / potential local root exploit 9776 The "%xx" URL decoding function in Squid 2.5STABLE4 and earlier allows remote attackers to bypass url_regex ACLs via a URL with a NULL ("%00") characterm, which causes Squid to use only a portion of the requested URL when comparing it against the access control lists. http://www.squid-cache.org/Advisories/SQUID-2004_1.txt 9778 squid-urlregex-acl-bypass(15366) RHSA-2004:134 RHSA-2004:133 5916 MDKSA-2004:025 DSA-474 GLSA-200403-11 20040401 [OpenPKG-SA-2004.008] OpenPKG Security Advisory (squid) CLA-2004:838 20040404-01-U SCOSA-2005.16 oval:org.mitre.oval:def:941 oval:org.mitre.oval:def:877 Symantec FireWall/VPN Appliance model 200 records a cleartext password for the password administration page, which may be cached on the administrator's local system or in a proxy, which allows attackers to steal the password and gain privileges. 9784 symantec-firewallvpn-password-plaintext(15212) 20040216 Symantec FireWall/VPN Appliance model 200 leak of security 4117 20040216 Symantec FireWall/VPN Appliance model 200 leak of security Mozilla before 1.4.2 executes Javascript events in the context of a new page while it is being loaded, allowing it to interact with the previous page (zombie document) and enable cross-domain and cross-site scripting (XSS) attacks, as demonstrated using onmousemove events. mozilla-event-handler-xss(15322) 9747 20040225 Sandblad #13: Cross-domain exploit on zombie document with event handlers http://bugzilla.mozilla.org/show_bug.cgi?id=227417 RHSA-2004:112 RHSA-2004:110 4062 SSRT4722 oval:org.mitre.oval:def:937 oval:org.mitre.oval:def:874 Cross-site scripting (XSS) vulnerability in the Management Service for Symantec Gateway Security 2.0 allows remote attackers to steal cookies and hijack a management session via a /sgmi URL that contains malicious script, which is not quoted in the resulting error page. 9755 20040227 Symantec Gateway Security Management Service Cross Site Scripting symantecgateway-error-xss(15330) Heap-based buffer overflow in the ISS Protocol Analysis Module (PAM), as used in certain versions of RealSecure Network 7.0 and Server Sensor 7.0, Proventia A, G, and M Series, RealSecure Desktop 7.0 and 3.6, RealSecure Guard 3.6, RealSecure Sentry 3.6, BlackICE PC Protection 3.6, and BlackICE Server Protection 3.6, allows remote attackers to execute arbitrary code via an SMB packet containing an authentication request with a long username. VU#150326 20040226 Vulnerability in SMB Parsing in ISS Products http://www.eeye.com/html/Research/Upcoming/20040213.html pam-smb-protocol-bo(15207) 9752 4072 AD20040226 10988 20040227 EEYE: RealSecure/BlackICE Server Message Block (SMB) Processing Overflow Stack-based buffer overflow in the OutputDebugString function for Adobe Acrobat Reader 5.1 allows remote attackers to execute arbitrary code via a PDF document with XML Forms Data Format (XFDF) data. 9802 http://www.nextgenss.com/advisories/adobexfdf.txt acrobatreader-xfdf-bo(15384) 4135 20040303 Abobe Reader 5.1 XFDF Buffer Overflow Vulnerability 20040303 Adobe Acrobat Reader XML Forms Data Format Buffer Overflow Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query. VU#740716 TA04-104A msjet-query-execute-code(15703) 10112 MS04-014 oval:org.mitre.oval:def:968 Help and Support Center in Microsoft Windows XP and Windows Server 2003 SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code, as demonstrated using certain hcp:// URLs that access the DVD Upgrade capability (dvdupgrd.htm). VU#484814 win-hcp-code-execution(16095) 10321 MS04-015 20040512 MS04-015 - Windows Help Center - Dvdupgrade http://www.exploitlabs.com/files/advisories/EXPL-A-2004-001-helpctr.txt 20040512 MS04-015 - Windows Help Center - Dvdupgrade oval:org.mitre.oval:def:1032 oval:org.mitre.oval:def:1008 Buffer overflow in the JPEG (JPG) parsing engine in the Microsoft Graphic Device Interface Plus (GDI+) component, GDIPlus.dll, allows remote attackers to execute arbitrary code via a JPEG image with a small JPEG COM field length that is normalized to a large integer length before a memory copy operation. TA04-260A VU#297462 win-jpeg-bo(16304) MS04-028 20040914 Microsoft GDIPlus.DLL JPEG Parsing Engine Buffer Overflow oval:org.mitre.oval:def:4307 oval:org.mitre.oval:def:4216 oval:org.mitre.oval:def:4003 oval:org.mitre.oval:def:3881 oval:org.mitre.oval:def:3810 oval:org.mitre.oval:def:3320 oval:org.mitre.oval:def:3082 oval:org.mitre.oval:def:3038 oval:org.mitre.oval:def:2706 oval:org.mitre.oval:def:1721 oval:org.mitre.oval:def:1105 Heap-based buffer overflow in the HtmlHelp program (hh.exe) in HTML Help for Microsoft Windows 98, Me, NT 4.0, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary commands via a .CHM file with a large length field, a different vulnerability than CVE-2003-1041. TA04-196A VU#920060 MS04-023 win-htmlhelp-execute-code(16586) 20040714 HtmlHelp - .CHM File Heap Overflow oval:org.mitre.oval:def:3179 oval:org.mitre.oval:def:2155 oval:org.mitre.oval:def:1530 oval:org.mitre.oval:def:1503 IDirectPlay4 Application Programming Interface (API) of Microsoft DirectPlay 7.0a thru 9.0b, as used in Windows Server 2003 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed packet. 10487 MS04-016 ms-directx-directplay-dos(16306) 6742 11802 oval:org.mitre.oval:def:2705 oval:org.mitre.oval:def:2516 oval:org.mitre.oval:def:2413 oval:org.mitre.oval:def:2190 oval:org.mitre.oval:def:1027 Cross-site scripting (XSS) vulnerability in Outlook Web Access for Exchange Server 5.5 Service Pack 4 allows remote attackers to insert arbitrary script and spoof content in HTML email or web caches via an HTML redirect query. VU#948750 MS04-026 exchange-owa-execute-code(16583) oval:org.mitre.oval:def:2016 Directory traversal vulnerability in the web viewers for Business Objects Crystal Reports 9 and 10, and Crystal Enterprise 9 or 10, as used in Visual Studio .NET 2003 and Outlook 2003 with Business Contact Manager, Microsoft Business Solutions CRM 1.2, and other products, allows remote attackers to read and delete arbitrary files via ".." sequences in the dynamicimag argument to crystalimagehandler.aspx. 10260 crystalreports-file-deletion(16044) MS04-017 http://support.businessobjects.com/fix/hot/critical/bulletins/security_bulletin_june04.asp 6748 11800 20040608 Vulnerability: Arbitrary File Access & DoS in Crystal Reports 20040502 Crystal Reports Vulnerabilities oval:org.mitre.oval:def:1157 Buffer overflow in Microsoft Internet Information Server (IIS) 4.0 allows local users to execute arbitrary code via the redirect function. TA04-196A VU#717748 iis-redirect-bo(16578) MS04-021 O-179 10706 7799 12061 oval:org.mitre.oval:def:2204 Network Dynamic Data Exchange (NetDDE) services for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows attackers to remotely execute arbitrary code or locally gain privileges via a malicious message or application that involves an "unchecked buffer," possibly a buffer overflow. VU#640488 win-ms04031-patch(17657) win-netdde-bo(16556) MS04-031 12803 11372 20041013 Microsoft Windows NetDDE Service Buffer Overflow oval:org.mitre.oval:def:6788 oval:org.mitre.oval:def:5074 oval:org.mitre.oval:def:4592 oval:org.mitre.oval:def:3242 oval:org.mitre.oval:def:3120 oval:org.mitre.oval:def:2394 oval:org.mitre.oval:def:1852 "Shatter" style vulnerability in the Window Management application programming interface (API) for Microsoft Windows 98, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to gain privileges by using certain API functions to change properties of privileged programs using the SetWindowLong and SetWIndowLongPtr API functions. VU#218526 win-ms04032-patch(17658) win-mngmt-api-gain-privileges(16579) MS04-032 20041013 SetWindowLong Shatter Attacks The Virtual DOS Machine (VDM) subsystem of Microsoft Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows local users to access kernel memory and gain privileges via a malicious program that modified some system structures in a way that is not properly validated by privileged operating system functions. VU#910998 win-ms04032-patch(17658) win-vdm-gain-privilege(16580) MS04-032 20041013 EEYE: Windows VDM #UD Local Privilege Escalation oval:org.mitre.oval:def:4762 oval:org.mitre.oval:def:4316 oval:org.mitre.oval:def:3953 oval:org.mitre.oval:def:3161 oval:org.mitre.oval:def:1751 Unknown vulnerability in the Graphics Rendering Engine processes of Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats that involve "an unchecked buffer." VU#806278 win-emf-bo(16581) MS04-032 20041019 [EXPL] (MS04-032) Microsoft Windows XP Metafile (.emf) Heap Overflow win-ms04032-patch(17658) 11375 oval:org.mitre.oval:def:2428 oval:org.mitre.oval:def:2114 oval:org.mitre.oval:def:1872 The POSIX component of Microsoft Windows NT and Windows 2000 allows local users to execute arbitrary code via certain parameters, possibly by modifying message length values and causing a buffer overflow. TA04-196A VU#647436 win-posix-bo(16590) MS04-020 oval:org.mitre.oval:def:2847 oval:org.mitre.oval:def:2166 The kernel for Microsoft Windows Server 2003 does not reset certain values in CPU data structures, which allows local users to cause a denial of service (system crash) via a malicious program. VU#119262 win-ms04032-patch(17658) win2k3-kernel-cpu-dos(16582) MS04-032 oval:org.mitre.oval:def:4893 Stack-based buffer overflow in the Task Scheduler for Windows 2000 and XP, and Internet Explorer 6 on Windows NT 4.0, allows local or remote attackers to execute arbitrary code via a .job file containing long parameters, as demonstrated using Internet Explorer and accessing a .job file on an anonymous share. TA04-196A VU#228028 win-taskscheduler-bo(16591) http://www.ngssoftware.com/advisories/mstaskjob.txt MS04-022 20040714 Unchecked buffer in mstask.dll 12060 20040714 Microsoft Windows Task Scheduler '.job' Stack Overflow oval:org.mitre.oval:def:3428 oval:org.mitre.oval:def:1964 oval:org.mitre.oval:def:1781 oval:org.mitre.oval:def:1344 Utility Manager in Windows 2000 launches winhlp32.exe while Utility Manager is running with raised privileges, which allows local users to gain system privileges via a "Shatter" style attack that sends a Windows message to cause Utility Manager to launch winhlp32 by directly accessing the context sensitive help and bypassing the GUI, then sending another message to winhlp32 in order to open a user-selected file, a different vulnerability than CVE-2003-0908. TA04-196A VU#868580 MS04-019 20040713 Microsoft Window Utility Manager Local Elevation of Privileges win-utilitymanager-gain-privileges(16592) oval:org.mitre.oval:def:2495 Buffer overflow in Microsoft Internet Explorer and Explorer on Windows XP SP1, WIndows 2000, Windows 98, and Windows Me may allow remote malicious servers to cause a denial of service (application crash) and possibly execute arbitrary code via long share names, as demonstrated using Samba. VU#616200 win-ms04037-patch(17662) win-long-fileshare-bo(15956) 10213 MS04-037 322857 1011647 11482 20040425 Microsoft's Explorer and Internet Explorer long share name buffer overflow. 20040425 Microsoft's Explorer and Internet Explorer long share name buffer overflow. http://www.securiteam.com/windowsntfocus/5JP0M1PCKI.html 5687 oval:org.mitre.oval:def:5307 oval:org.mitre.oval:def:4345 oval:org.mitre.oval:def:2638 oval:org.mitre.oval:def:1749 oval:org.mitre.oval:def:1601 Microsoft Outlook Express 5.5 and 6 allows attackers to cause a denial of service (application crash) via a malformed e-mail header. TA04-196A VU#869640 outlook-malformed-email-header-dos(16585) MS04-018 oval:org.mitre.oval:def:3376 oval:org.mitre.oval:def:2657 oval:org.mitre.oval:def:2137 oval:org.mitre.oval:def:1950 Integer overflow in the Install Engine (inseng.dll) for Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious website or HTML email with a long .CAB file name, which triggers the integer overflow when calculating a buffer length and leads to a heap-based buffer overflow. TA04-293A VU#637760 ie-installenginectl-setciffile-bo(17620) MS04-038 20041012 Microsoft Internet Explorer Install Engine Control Buffer Overflow ie-ms04038-patch(17651) http://www.ngssoftware.com/advisories/msinsengfull.txt 20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a) 20050119 Microsoft Internet Explorer Install Engine Control Buffer Overflow (#NISR19012005a) oval:org.mitre.oval:def:7865 oval:org.mitre.oval:def:7717 oval:org.mitre.oval:def:6600 oval:org.mitre.oval:def:6100 oval:org.mitre.oval:def:5329 oval:org.mitre.oval:def:5316 The LiveUpdate capability (liveupdate.sh) in Symantec AntiVirus Scan Engine 4.0 and 4.3 for Red Hat Linux allows local users to create or append to arbitrary files via a symlink attack on /tmp/LiveUpdate.log. symantec-scanengine-race-condition(15215) 9662 20040216 Possible race condition in Symantec AntiVirus Scan Engine for Red isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (infinite loop) via an ISAKMP packet with a zero-length payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#349113 openbsd-isakmp-zerolength-dos(15518) 20040317 015: RELIABILITY FIX: March 17, 2004 http://www.rapid7.com/advisories/R7-0018.html 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities 1009468 10028 11156 isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a malformed IPSEC SA payload, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#785945 openbsd-isakmp-ipsec-dos(15628) 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities http://www.rapid7.com/advisories/R7-0018.html 20040317 015: RELIABILITY FIX: March 17, 2004 1009468 9907 isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service via a an ISAKMP packet with a malformed Cert Request payload, which causes an integer underflow that is used in a malloc operation that is not properly handled, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#223273 openbsd-isakmp-integer-underflow(15629) 20040317 015: RELIABILITY FIX: March 17, 2004 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities 1009468 9907 http://www.rapid7.com/advisories/R7-0018.html isakmpd in OpenBSD 3.4 and earlier allows remote attackers to cause a denial of service (crash) via an ISAKMP packet with a delete payload containing a large number of SPIs, which triggers an out-of-bounds read error, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#524497 openbsd-isakmp-delete-dos(15630) 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities http://www.rapid7.com/advisories/R7-0018.html 20040317 015: RELIABILITY FIX: March 17, 2004 1009468 9907 Multiple memory leaks in isakmpd in OpenBSD 3.4 and earlier allow remote attackers to cause a denial of service (memory exhaustion) via certain ISAKMP packets, as demonstrated by the Striker ISAKMP Protocol Test Suite. VU#996177 openbsd-isakmp-memory-leak(15519) 20040317 015: RELIABILITY FIX: March 17, 2004 20040323 R7-0018: OpenBSD isakmpd payload handling denial-of-service vulnerabilities http://www.rapid7.com/advisories/R7-0018.html 1009468 10028 Multiple buffer overflows in (1) iso2022jp.c or (2) shiftjis.c for Courier-IMAP before 3.0.0, Courier before 0.45, and SqWebMail before 4.0.0 may allow remote attackers to execute arbitrary code "when Unicode character is out of BMP range." 9845 11087 http://sourceforge.net/project/shownotes.php?release_id=5767 courier-codeset-converter-bo(15434) Multiple buffer overflows in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. RHSA-2004:172 midnight-commander-local-privileges(16016) SuSE-SA:2004:012 DSA-497 GLSA-200405-21 MDKSA-2004:039 Buffer overflow in the zms script in ZoneMinder before 1.19.2 may allow a remote attacker to execute arbitrary code via a long query string. zoneminder-zms-bo(16136) 10340 http://www.zoneminder.com/index.php?id=20&type=0&backPID=20&tt_news=29 Integer signedness error in the cpufreq proc handler (cpufreq_procctl) in Linux kernel 2.6 allows local users to gain privileges. SuSE-SA:2004:010 GLSA-200407-02 linux-cpufreq-info-disclosure(15951) MDKSA-2004:050 11683 11491 11486 11464 11429 FEDORA-2004-111 CLA-2004:852 The framebuffer driver in Linux kernel 2.6.x does not properly use the fb_copy_cmap function, with unknown impact. linux-framebuffer(15974) 10211 SuSE-SA:2004:010 GLSA-200407-02 MDKSA-2004:037 CLA-2004:852 TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP. TA04-111A VU#415294 tcp-rst-dos(15886) ADV-2006-3983 http://www.uniras.gov.uk/vuls/2004/236929/index.htm 10183 SSRT061264 MS05-019 http://www.juniper.net/support/alert.html 20040420 TCP Vulnerabilities in Multiple IOS-Based Cisco Products oval:org.mitre.oval:def:5711 20040425 Perl code exploting TCP not checking RST ACK. 20040403-01-A SCOSA-2005.14 SCOSA-2005.9 SCOSA-2005.3 NetBSD-SA2004-006 SSRT061264 4030 MS06-064 22341 11458 11440 SSRT4696 oval:org.mitre.oval:def:4791 oval:org.mitre.oval:def:3508 oval:org.mitre.oval:def:270 oval:org.mitre.oval:def:2689 Multiple vulnerabilities in Midnight Commander (mc) before 4.6.0, with unknown impact, related to "Insecure temporary file and directory creations." DSA-497 midnight-commander-insecure-files(16020) RHSA-2004:172 SuSE-SA:2004:012 GLSA-200405-21 MDKSA-2004:039 Multiple format string vulnerabilities in Midnight Commander (mc) before 4.6.0 may allow attackers to cause a denial of service or execute arbitrary code. midnight-commander-format-string(16021) RHSA-2004:172 SuSE-SA:2004:012 DSA-497 GLSA-200405-21 MDKSA-2004:039 Utempter allows device names that contain .. (dot dot) directory traversal sequences, which allows local users to overwrite arbitrary files via a symlink attack on device names in combination with an application that trusts the utmp or wtmp files. 10178 RHSA-2004:174 utemper-symlink(15904) SSA:2004-110 RHSA-2004:175 1000752 GLSA-200405-05 oval:org.mitre.oval:def:10115 MDKSA-2004:031 oval:org.mitre.oval:def:979 Multiple stack-based buffer overflows in the get_header function in header.c for LHA 1.14, as used in products such as Barracuda Spam Firewall, allow remote attackers or local users to execute arbitrary code via long directory or file names in an LHA archive, which triggers the overflow when testing or extracting the archive. 10243 20040510 [Ulf Harnhammar]: LHA Advisory + Patch FLSA:1833 lha-multiple-bo(16012) ADV-2006-1220 RHSA-2004:179 RHSA-2004:178 FEDORA-2004-119 5754 5753 http://www.guay-leroux.com/projects/barracuda-advisory-LHA.txt DSA-515 1015866 GLSA-200405-02 19514 oval:org.mitre.oval:def:9881 20040502 Lha local stack overflow Proof Of Concept Code 20040501 LHa buffer overflows and directory traversal problems CLA-2004:840 20060403 Barracuda LHA archiver security bug leads to remote compromise oval:org.mitre.oval:def:977 Multiple directory traversal vulnerabilities in LHA 1.14 allow remote attackers or local users to create arbitrary files via an LHA archive containing filenames with (1) .. sequences or (2) absolute pathnames with double leading slashes ("//absolute/path"). 10243 20040510 [Ulf Harnhammar]: LHA Advisory + Patch FLSA:1833 lha-directory-traversal(16013) RHSA-2004:179 RHSA-2004:178 FEDORA-2004-119 DSA-515 GLSA-200405-02 oval:org.mitre.oval:def:10409 20040501 LHa buffer overflows and directory traversal problems CLA-2004:840 oval:org.mitre.oval:def:978 SQL injection vulnerability in login.asp in thePHOTOtool allows remote attackers to gain unauthorized access via the password field. thephototool-login-sql-injection(15007) 9884 6727 1008906 20040131 Advisory ! Directory traversal vulnerability in index.php in Aprox PHP Portal allows remote attackers to read arbitrary files via a full pathname in the show parameter. aproxphpportal-index-directory-traversal(15014) 9540 20040131 Directory Traversal in Aprox PHP Portal. 10859 1008915 Multiple buffer overflows in Overkill (0verkill) 0.15pre3 might allow local users to execute arbitrary code in the client via a long HOME environment variable in the (1) load_cfg and (2) save_cfg functions; possibly allow remote attackers to execute arbitrary code via long strings to (3) the send_message function; and, in the server, via (4) the parse_command_line function. overkill-server-parsecommandline-bo(15000) overkill-client-multiple-bo(14999) 9550 http://www.securiteam.com/securitynews/5AP010KC0C.html 20040202 0verkill - little simple vulnerability. 20040202 0verkill - little simple vulnerability. SQL injection vulnerability in showphoto.php in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain unauthorized access via the photo variable. photopostphp-sql-injection(15008) 9557 http://www.securiteam.com/securitynews/5KP010UC0W.html 20040202 ZH2004-03SA (security advisory): Photopost PHP Pro 4.6 Sql Directory traversal vulnerability in X-Cart 3.4.3 allows remote attackers to view arbitrary files via a .. (dot dot) in the shop_closed_file argument to auth.php. xcart-dotdot-directory-traversal(15033) 20040203 X-Cart vulnerability X-Cart 3.4.3 allows remote attackers to execute arbitrary commands via the perl_binary argument in (1) upgrade.php or (2) general.php. 9560 xcart-perlbinary-execute-commands(15034) 20040203 X-Cart vulnerability X-Cart 3.4.3 allows remote attackers to gain sensitive information via a mode parameter with (1) phpinfo command or (2) perlinfo command. 9563 xcart-generalphp-obtain-information(15036) 20040203 X-Cart vulnerability AIX 4.3.3 through AIX 5.1, when direct remote login is disabled, displays a different message if the password is correct, which allows remote attackers to guess the password via brute force methods. aix-password-enumeration(15172) 20040203 Re: sqwebmail web login 20040206 AIX password enumeration possible Cisco 6000, 6500, and 7600 series systems with Multilayer Switch Feature Card 2 (MSFC2) and a FlexWAN or OSM module allow local users to cause a denial of service (hang or reset) by sending a layer 2 frame packet that encapsulates a layer 3 packet, but has inconsistent length values with that packet. VU#810062 cisco-malformed-frame-dos(15013) 9562 20040203 Cisco 6000/6500/7600 Crafted Layer 2 Frame Vulnerability 10780 oval:org.mitre.oval:def:5828 Web Crossing 4.x and 5.x allows remote attackers to cause a denial of service (crash) by sending a HTTP POST request with a large or negative Content-Length, which causes an integer divide-by-zero. 20040203 Web Crossing 4.x/5.x Denial of Service Vulnerability webcrossing-contentlength-post-dos(15022) 9576 Multiple PHP remote file inclusion vulnerabilities in (1) fonctions.lib.php, (2) derniers_commentaires.php, and (3) admin.php in Les Commentaires 2.0 allow remote attackers to execute arbitrary PHP code via the rep parameter. 20040203 Les Commentaires (PHP) Include file lescommentaires-multiple-file-include(15010) 9536 10768 The client and server of Chaser 1.50 and earlier allow remote attackers to cause a denial of service (crash via exception) via a UDP packet with a length field that is greater than the actual data length, which causes Chaser to read unexpected memory. chaser-memory-dos(15031) 9567 20040203 Remote crash of Chaser game <= 1.50 Cross-site scripting vulnerability (XSS) in PHPX 3.2.3 allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into (1) keywords argument of main.inc.php, (2) body argument of help.inc.php, or (3) the subject field in Personal Messages and Forum. This vulnerability is addressed in the following product release: PHPX, PHPX, 3.2.4 phpx-main-help-xss(15051) phpx-subject-html-injection(15050) 9569 10797 20040203 Multiple Vulnerabilities in PHPX PHPX 2.0 through 3.2.4 allows remote attackers to gain access to other accounts by modifying the cookie's PXL variable to reference another userID. 9569 phpx-cookie-account-hijacking(15052) 20040203 Multiple Vulnerabilities in PHPX phpx-session-hijack(15512) 10797 20040316 PHPX 2.x - 3.2.4 SQL injection vulnerability in PhotoPost PHP Pro 4.6 and earlier allows remote attackers to gain privileges via (1) the product parameter in showproduct.php or (2) the cat parameter in showcat.php. 20040204 ZH2004-04SA (security advisory): Multiple Sql Injection photopostphp-sql-injection(15008) http://www.zone-h.org/en/advisories/read/id=3864/ 9557 Cross-site scripting (XSS) vulnerability in rxgoogle.cgi allows remote attackers to execute arbitrary script as other users via the query parameter. 20040204 rxgoogle.cgi XSS Vulnerability. rxgoogle-query-xss(15043) 9575 TYPSoft FTP Server 1.10 allows remote attackers to cause a denial of service (CPU consumption) via an empty USER name. typsoft-empty-username-dos(15048) 9573 20040204 TYPSoft FTP Server 1.10 may be crashed 1008943 IBM Cloudscape 5.1 running jdk 1.4.2_03 allows remote attackers to execute arbitrary programs or cause a denial of service via certain SQL code, possibly due to a SQL injection vulnerability. cloudscape-sql-injection(15067) 9583 20040205 IBM cloudscape SQL Database (DB2J) vulnerable to remote command Cross-site scripting (XSS) vulnerability in Discuz! Board 2.x and 3.x allows remote attackers to execute arbitrary script as other users via an img tag. discuzboard-image-tag-xss(15066) 9584 20040205 Possible Cross Site Scripting in Discuz! Board Xlight 1.52, with log to screen enabled, allows remote attackers to cause a denial of service by requesting a long directory consisting of . (dot) and / (slash) characters, which causes the server to crash when the administrator views the log file, possibly triggering a buffer overflow. xlight-long-string-dos(15064) 9585 20040205 Remote crash Xlight ftp server 1.52 GNU libtool before 1.5.2, during compile time, allows local users to overwrite arbitrary files via a symlink attack on libtool directories in /tmp. 9530 libtool-insecure-temp-directory(15017) 20040130 Symlink Vulnerability in GNU libtool <1.5.2 3795 http://www.geocrawler.com/mail/msg.php3?msg_id=3438808&list=405 10777 CLA-2004:811 OpenBSD 3.4 and NetBSD 1.6 and 1.6.1 allow remote attackers to cause a denial of service (crash) by sending an IPv6 packet with a small MTU to a listening port and then issuing a TCP connect to that port. 9577 openbsd-ipv6-dos(15044) http://www.openbsd.org/cgi-bin/cvsweb/src/sys/netinet6/ip6_output.c http://www.guninski.com/obsdmtu.html 20040205 OpenBSD IPv6 remote kernel crash 3825 20040204 Remote openbsd crash with ip6, yet still openbsd much better than windows NetBSD-SA2004-002 Multiple buffer overflows in RealOne Player, RealOne Player 2.0, RealOne Enterprise Desktop, and RealPlayer Enterprise allow remote attackers to execute arbitrary code via malformed (1) .RP, (2) .RT, (3) .RAM, (4) .RPM or (5) .SMIL files. VU#473814 9579 20040204 Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer realoneplayer-multiple-file-bo(15040) http://www.service.real.com/help/faq/security/040123_player/EN/ http://www.nextgenss.com/advisories/realone.txt O-075 20040204 [VulnWatch] Multiple File Format Vulnerabilities (Overruns) in REALOne & RealPlayer The check_referer() function in Formmail.php 5.0 and earlier allows remote attackers to bypass access restrictions via an empty or spoofed HTTP Referer, as demonstrated using an application on the same web server that contains a cross-site scripting (XSS) issue. jack-formmail-file-upload(15079) 9591 20040206 formmail (PHP) Upload file using CSS The AddToMailingList function in CactuSoft CactuShop 5.0 Lite contains a backdoor that allows remote attackers to delete arbitrary files via an email address that starts with |||. cactushoplite-backdoor(15063) 9589 20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdoor 20040206 CactuSoft CactuShop 5.0 Lite shopping cart software backdoor oj.cgi in OpenJournal 2.0 through 2.0.5 allows remote attackers to bypass authentication and access the control panel via a 0 in the uid parameter. 9598 openjournal-uid-admin-access(15069) http://www.grohol.com/downloads/oj/latest/changelog.txt 20040206 Open Journal Blog Authenticaion Bypassing Vulnerability 3872 Stack-based buffer overflow in The Palace 3.5 and earlier client allows remote attackers to execute arbitrary code via a link to a palace:// url followed by a long server address string. palace-server-address-bo(15074) 9602 http://www.elitehaven.net/thepalace.txt 20040207 The Palace 3.x (Client) Stack Overflow Vulnerability 20040207 The Palace 3.x (Client) Stack Overflow Vulnerability PHP 4.3.4 and earlier in Apache 1.x and 2.x (mod_php) can leak global variables between virtual hosts that are handled by the same Apache child process but have different settings, which could allow remote attackers to obtain sensitive information. php-virtualhost-info-disclosure(15072) 9599 3878 GLSA-200402-01 palmhttpd for PalmOS allows remote attackers to cause a denial of service (crash) by establishing two simultaneous HTTP connections, which exceeds the PalmOS accept queue. 9608 20040208 PalmOS httpd accept() queue overflow DoS vulnerability. palmhttpd-accept-bo(15090) Cross-site scripting (XSS) vulnerability in modules.php for Php-Nuke 6.x-7.1.0 allows remote attackers to execute arbitrary script as other users via URL-encoded (1) title or (2) fname parameters in the News or Reviews modules. phpnuke-mulitple-xss(15076) 9613 9605 20040208 [waraxe-2004-SA#002] - Cross-Site Scripting (XSS) in Php-Nuke 7.1.0 SQL injection vulnerability in the "public message" capability (public_message) for Php-Nuke 6.x to 7.1.0 allows remote attackers obtain the administrator password via the c_mid parameter. phpnuke-publicmessage-sql-injection(15080) 9615 20040208 [waraxe-2004-SA#003] - SQL injection in Php-Nuke 7.1.0 The (1) inoregupdate, (2) uniftest, or (3) unimove scripts in eTrust InoculateIT for Linux 6.0 allow local users to overwrite arbitrary files via a symlink attack on files in /tmp. etrust-inoculateit-symlink(15102) 9616 4856 4855 4735 http://www.excluded.org/advisories/advisory10.txt 10833 20040209 [local problems] eTrust Virus Protection 6.0 InoculateIT for linux Multiple buffer overflows in EvolutionX 3921 and 3935 allow remote attackers to cause a denial of service (hang) via (1) a long cd command to the FTP server, or (2) a long dir command to the telnet server. evolutionx-command-line-dos(15104) 9631 20040210 XBOX EvolutionX ftp 'cd' command and telnet 'dir' buffer overflow 20040210 XBOX EvolutionX ftp 'cd' command and telnet 'dir' buffer overflow SQL injection vulnerability in PHP-Nuke 6.9 and earlier, and possibly 7.x, allows remote attackers to inject arbitrary SQL code and gain sensitive information via (1) the category variable in the Search module or (2) the admin variable in the Web_Links module. 9630 20040210 [SCAN Associates Sdn Bhd Security Advisory] PHPNuke 6.9 > and below SQL Injection in multiple module phpnuke-modules-sql-injection(15115) http://www.scan-associates.net/papers/phpnuke69.txt libclamav in Clam AntiVirus 0.65 allows remote attackers to cause a denial of service (crash) via a uuencoded e-mail message with an invalid line length (e.g., a lowercase character), which causes an assert error in clamd that terminates the calling program. 9610 20040209 clamav 0.65 remote DOS exploit clam-antivirus-uuencoded-dos(15077) http://www.freebsd.org/cgi/query-pr.cgi?pr=62586 GLSA-200402-07 3894 Multiple cross-site scripting vulnerabilities (XSS) in MaxWebPortal allow remote attackers to execute arbitrary web script as other users via (1) the sub_name parameter of dl_showall.asp, (2) the SendTo parameter in Personal Messages, (3) the HTTP_REFERER for down.asp, or (4) the image name of an Avatar in the register form. This vulnerability is addressed in the following product release: MaxWebPortal, MaxWebPortal, 1.32 maxwebportal-register-xss(15122) maxwebportal-multiple-xss(15120) 9625 20040210 XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal SQL injection vulnerability in MaxWebPortal allows remote attackers to inject arbitrary SQL code and gain sensitive information via the SendTo parameter in Personal Messages. maxwebportal-personalmesssages-sql-injection(15121) 9625 20040210 XSS, Sql Injection and Avatar ScriptCode Injection in MaxWebPortal Directory traversal vulnerability in RealOne Player, RealOne Player 2.0, and RealOne Enterprise Desktop allows remote attackers to upload arbitrary files via an RMP file that contains .. (dot dot) sequences in a .rjs skin file. VU#514734 9580 http://service.real.com/help/faq/security/040123_player/EN/ 20040210 Directory traversal in RealPlayer allows code execution realoneplayer-rmp-directory-traversal(15123) Share.mod in Eggheads Eggdrop IRC bot 1.6.10 through 1.6.15 can mistakenly assign STAT_OFFERED status to a bot that is not a sharebot, which allows remote attackers to use STAT_OFFERED to promote a bot to a sharebot and conduct unauthorized activities. 20040210 Re: Eggrop bug 20040208 Eggrop bug eggdrop-sharemod-gain-access(15084) 9606 http://mogan.nonsoloirc.com/egg_advisory.txt 3928 http://www.eggheads.org/news/2004/04/10/26 SQL injection vulnerability in calendar_download.php in BosDates 3.2 and earlier allows remote attackers to obtain sensitive information and gain access via the calendar parameter. bosdates-calendar-sql-injection(15133) http://www.zone-h.org/en/advisories/read/id=3925/ 9639 20040211 ZH2004-05SA (security advisory): Sql Injection Vulnerability in BosDates The get_real_string function in Monkey HTTP Daemon (monkeyd) 0.8.1 and earlier allows remote attackers to cause a denial of service (crash) via an HTTP request with a sequence of "%" characters and a missing Host field. 9642 monkey-getrealstring-dos(15187) http://monkeyd.sourceforge.net/ 20040211 Denial of Service in Monkey httpd <= 0.8.1 http://aluigi.altervista.org/poc/monkeydos.zip 3921 Format string vulnerability in Dream FTP 1.02 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in the username. dreamftp-username-format-string(15070) 9600 http://www.security-protocols.com/modules.php?name=News&file=article&sid=1722 20040211 Re: [Full-Disclosure] DreamFTP Server 1.02 Buffer Overflow 20040207 DreamFTP Server 1.02 Buffer Overflow Ratbag game engine, as used in products such as Dirt Track Racing, Leadfoot, and World of Outlaws Spring Cars, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet that specifies the length of data to read and then sends a second TCP packet that contains less data than specified, which causes Ratbag to repeatedly check the socket for more data. ratbag-data-length-dos(15188) 9644 20040211 Denial of Service in Ratbag's game engine AIM Sniff (aimSniff.pl) 0.9b allows local users to overwrite arbitrary files via a symlink attack on /tmp/AS.log. 9653 20040212 aimSniff.pl file "deletion" (local) aim-sniff-symlink(15199) Caucho Technology Resin 2.1.12 allows remote attackers to view JSP source via an HTTP request to a .jsp file that ends in a "%20" (encoded space character), e.g. index.jsp%20. resin-source-disclosure(15085) 9614 20040205 Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/") Caucho Technology Resin 2.1.12 allows remote attackers to gain sensitive information and view the contents of the /WEB-INF/ directory via an HTTP request for "WEB-INF..", which is equivalent to "WEB-INF" in Windows. resin-dotdot-directory-traversal(15087) 9617 20040205 Apache Http Server Reveals Script Source Code to Remote Users And Any Users Can Access Resin Forbidden Directory ("/WEB-INF/") Crob FTP daemon 3.5.2 allows remote attackers to cause a denial of service (crash) by repeatedly connecting to and disconnecting from the server. crob-multiple-connections-dos(15201) 9651 6621 10882 20040212 crob ftpd Denial of Service Mailmgr 1.2.3 allows local users to overwrite arbitrary files via a symlink attack on (1) /tmp/mailmgr.unsort, (2) /tmp/mailmgr.tmp, or (3) /tmp/mailmgr.sort. mailmgr-insecure-temp-directory (15203) 9654 20040212 Symlink vulnerabilities in mailmgr Microsoft Internet Explorer 6.0, Outlook 2002, and Outlook 2003 allow remote attackers to cause a denial of service (CPU consumption), if "Do not save encrypted pages to disk" is disabled, via a web site or HTML e-mail that contains two null characters (%00) after the host name. 9629 20040210 ASPR #2004-01-20-1: Internet Explorer/Outlook double null character DoS ie-host-null-dos(15127) PHP remote file inclusion vulnerabilities in include/footer.inc.php in (1) AllMyVisitors, (2) AllMyLinks, and (3) AllMyGuests allow remote attackers to execute arbitrary PHP code via a URL in the _AMVconfig[cfg_serverpath] parameter. 9664 allmyvisitors-file-include(15228) allmyguests-php-file-include(15227) allmylinks-file-include(15226) 6721 20040214 AllMyLinks PHP Code Injection vulnerability 20040214 AllMyVisitors PHP Code Injection vulnerability 20040214 AllMyGuests PHP Code Injection vulnerability Buffer overflow in RobotFTP 1.0 and 2.0 beta 1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long username. robot-username-bo(15225) 9672 20040215 buffer overflow in Robot FTP Server Xlight FTP server 1.52 allows remote authenticated users to cause a denial of service (crash) via a RETR command with a long argument containing a large number of / (slash) characters, possibly triggering a buffer overflow. xlight-retr-dos(15220) 9668 20040215 Xlight ftp server 1.52 RETR bug Buffer overflow in the UdmDocToTextBuf function in mnoGoSearch 3.2.13 through 3.2.15 could allow remote attackers to execute arbitrary code by indexing a large document. 9667 20040215 Buffer overflow in mnoGoSearch mnogosearch-udmdoctotextbuf-bo(15209) Buffer overflow in sdbscan in SignatureDB 0.1.1 allows local users to cause a denial of service (segmentation fault) via a database file that contains a large key parameter. signaturedb-sdbscan-bo(15217) 9661 20040215 problems with database files in 'SignatureDB' Buffer overflow in Purge Jihad 2.0.1 and earlier allows remote game servers to execute arbitrary code via an information packet that contains large (1) battle type and (2) map name fields. purge-battletype-map-bo(15216) 9671 http://purge.worthplaying.com/phpbb/viewtopic.php?t=1167 20040216 Broadcast client buffer-overflow in Purge Jihad <= 2.0.1 SQL injection vulnerability in post.php for YaBB SE 1.5.4 and 1.5.5 allows remote attackers to obtain hashed passwords via the quote parameter. 9674 yabb-post-sql-injection(15224) 20040216 Another YabbSE SQL Injection Buffer overflow in KarjaSoft Sami HTTP Server 1.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request. sami-http-get-bo(15237) 9679 http://www.security-protocols.com/modules.php?name=News&file=article&sid=1746 20040217 KarjaSoft Sami HTTP Server 1.0.4 Buffer Overflow Directory traversal vulnerability in ShopCartCGI 2.3 allows remote attackers to retrieve arbitrary files via a .. (dot dot) in a HTTP request to (1) gotopage.cgi or (2) genindexpage.cgi. shopcartcgi-dotdot-directory-traversal(14982) http://www.zone-h.org/en/advisories/read/id=3962/ 9670 20040217 ZH2004-06SA (security advisory): ShopCartCGI v2.3 Remote YaBB 1 SP 1.3.1 displays different error messages when a user exists or not, which makes it easier for remote attackers to identify valid users and conduct a brute force password guessing attack. yabb-invalidmessage-obtain-information(15236) 9677 20040217 YABB information leakage on failed login TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a denial of service (CPU consumption) via an open idle connection. broker-ftp-tsftpsrv-dos(15242) 9680 http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html 20040217 Broker FTP DoS (Message Server) TsFtpSrv.exe in Broker FTP 6.1.0.0 allows remote attackers to cause a TsFtpSrv.exe to exit with an exception by opening and immediately closing a connection. broker-ftp-dos(15241) 9680 http://www.securiteam.com/windowsntfocus/5IP0B0AC1I.html 20040217 Broker FTP DoS (Message Server) Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length. VU#972334 9682 imail-ldap-tag-bo(15243) http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html 3984 20040217 Ipswitch IMail LDAP Daemon Remote Buffer Overflow CesarFTP 0.99e allows remote attackers to cause a denial of service (CPU consumption) via a long RETR parameter. cesarftp-userpass-dos(15252) 9666 20040217 CesarFTP 0.99 : 100% employment of computer resources Buffer overflow in smallftpd 0.99 allows local users to cause a denial of service (crash) via an FTP request with a large number of "/" (slash) characters. smallftpd-forwardslash-dos(15262) 9684 20040217 Smallftpd 1.0.3 DoS SQL injection vulnerability in Online Store Kit 3.0 allows remote attackers to inject arbitrary SQL and gain unauthorized access via (1) the cat parameter in shop.php, (2) the id parameter in more.php, (3) the cat_manufacturer parameter in shop_by_brand.php, or (4) the id parameter in listing.php. onlinestorekit-more-sql-injection(15232) http://www.zone-h.org/en/advisories/read/id=3972/ http://www.systemsecure.org/advisories/ssadvisory16022004.php 9687 9676 10902 20040218 ZH2004-07SA (security advisory): Multiple Sql injection 3973 1009092 Cross-site scripting (XSS) vulnerability in more.php for Online Store Kit 3.0 allows remote attackers to inject arbitrary HTML via the id parameter. onlinestorekit-more-xss(15235) http://www.systemsecure.org/advisories/ssadvisory16022004.php 9676 1009079 10902 Directory traversal vulnerability in OWLS 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the (1) file parameter in index.php, (2) editfile in glossary.php, or (3) editfile in newmultiplechoice.php. owls-file-retrieval(15249) http://www.zone-h.org/en/advisories/read/id=3973/ 9689 20040218 ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files OWLS 1.0 allows remote attackers to retrieve arbitrary files via absolute pathnames in (1) the file parameter in /glossaries/index.php, (2) the filename parameter in /readings/index.php, or (3) the filename parameter in /multiplechoice/resultsignore.php, as demonstrated using /etc/passwd. owls-file-retrieval(15249) http://www.zone-h.org/en/advisories/read/id=3973/ 9689 20040218 ZH2004-08SA (security advisory): OWLS 1.0 Remote arbitrary files SQL injection vulnerability in browse_items.asp in WebCortex WebStores 2000 6.0 allows remote attackers to gain unauthorized access and execute arbitrary commands via the Search_Text parameter. webstores-browseitems-sql-injection(15253) 7766 http://www.s-quadra.com/advisories/Adv-20040218.txt 20040218 WebCortex Webstores2000 version 6.0 multiple security vulnerabilities Cross-site scripting (XSS) vulnerability in error.asp in WebCortex WebStores 2000 6.0 allows remote attackers to execute arbitrary script as other users and steal session IDs via the Message_id parameter. webstores-error-xss(15254) 9693 20040218 WebCortex Webstores2000 version 6.0 multiple security vulnerabilities Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS 15600 before 1.3(0) enable TFTP service on UDP port 69 by default, which allows remote attackers to GET or PUT ONS system files on the current active TCC in the /flash0 or /flash1 directories. 9699 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities cisco-ons-file-upload(15264) Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), and ONS 15454 SD before 4.1(3) allows remote attackers to cause a denial of service (reset) by not sending the ACK portion of the TCP three-way handshake and sending an invalid response instead. 9699 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities cisco-ons-ack-dos(15265) 4009 Unknown vulnerability in Cisco ONS 15327 before 4.1(3), ONS 15454 before 4.6(1), ONS 15454 SD before 4.1(3), and Cisco ONS15600 before 1.3(0) allows a superuser whose account is locked out, disabled, or suspended to gain unauthorized access via a Telnet connection to the VxWorks shell. 9699 20040219 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Vulnerabilities cisco-ons-gain-access(15266) 4010 Stack-based buffer overflow in the SMTP service support in vsmon.exe in Zone Labs ZoneAlarm before 4.5.538.001, ZoneLabs Integrity client 4.0 before 4.0.146.046, and 4.5 before 4.5.085, allows remote attackers to execute arbitrary code via a long RCPT TO argument. VU#619982 20040219 EEYE: ZoneLabs SMTP Processing Buffer Overflow zonelabs-multiple-products-bo(14991) 9696 http://download.zonelabs.com/bin/free/securityAlert/8.html 3991 O-084 Cross-site scripting (XSS) vulnerability in LiveJournal 1.0 and 1.1 allows remote attackers to execute Javascript as other users via the stylesheet, which does not strip the semicolon or parentheses, as demonstrated using a background:url. livejournal-url-xss(15268) 9700 20040219 LiveJournal XSS American Power Conversion (APC) Web/SNMP Management SmartSlot Card 3.0 through 3.0.3 and 3.21 are shipped with a default password of TENmanUFactOryPOWER, which allows remote attackers to gain unauthorized access. 9681 apc-smartslot-default-password(15238) http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=3131&p_created=1077139129 20040219 Re: Fw: APC 9606 SmartSlot Web/SNMP management card "backdoor" 20040216 APC 9606 SmartSlot Web/SNMP management card "backdoor" Linksys WAP55AG 1.07 allows remote attackers with access to an SNMP read only community string to gain access to read/write communtiy strings via a query for OID 1.3.6.1.4.1.3955.2.1.13.1.2. linksys-snmp-strings-disclosure(15257) 9688 20040219 Re: SNMP community string disclosure in Linksys WAP55AG 20040217 SNMP community string disclosure in Linksys WAP55AG Buffer overflow in PSOProxy 0.91 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP request, as demonstrated using a long (1) GET argument or (2) method name. psoproxy-long-get-bo(15275) 9706 20040220 Remote Buffer Overflow in PSOProxy 0.91 Cross-site scripting (XSS) vulnerability in done.jsp in WebzEdit 1.9 and earlier allows remote attackers to execute arbitrary script as other users via the message parameter. webzedit-done-xss(15289) 20040221 Cross Site Scripting in WebzEdit Buffer overflow in Avirt Voice 4.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long GET request on port 1080. avirt-voice-get-bo(15288) 9721 20040223 Remote Buffer Overflow in Avirt Voice 4.0 Buffer overflow in Avirt Soho 4.3 allows remote attackers to cause a denial of service (crash) via (1) a large GET request to port 1080 or (2) a large GET request of % characters to port 8080. avirt-soho-multiple-bo(15286) 9723 9722 20030223 Multiple Remote Buffer Overflow in Avirt Soho 4.3 Buffer overflow in eauth in Load Sharing Facility 4.x, 5.x, and 6.x allows local users or remote attackers within the LSF cluster to cause a denial of service (segmentation fault) and possibly execute arbitrary code via a long LSF_From_PC parameter. 9719 20040223 Lam3rZ Security Advisory #1/2004: LSF eauth vulnerability leads to remote code execution lsf-eauth-execute-code(15282) Load Sharing Facility (LSF) 4.x, 5.x, and 6.x uses the LSF_EAUTH_UID environment variable, if it exists, instead of the real UID of the user, which could allow remote attackers within the local cluster to gain privileges. 9724 20040223 Lam3rZ Security Advisory #2/2004: LSF eauth vulnerability leads to a possibility of controlling cluster jobs on behalf of other users lsf-eauth-process-hijack(15278) Cross-site scripting (XSS) vulnerability in the font tag in ezBoard 7.3u allows remote attackers to execute arbitrary script as other users, as demonstrated using the background:url in a (1) font color or (2) font face argument. ezboard-font-xss(15287) 9725 20040223 ezBoard Cross Site Scripting Vulnerability Unknown vulnerability in nCipher Hardware Security Modules (HSM) 1.67.x through 1.99.x allows local users to access secrets stored in the module's run-time memory via certain sequences of commands. 20040223 nCipher Advisory #9: Host-side attackers can access secret data ncipher-hsm-obtain-info(15281) 9717 4055 Team Factor 1.25 and earlier allows remote attackers to cause a denial of service (crash) via a packet that uses a negative number to specify the size of the data block that follows, which causes Team Factor to read unallocated memory. 20040223 Remote server crash in Team Factor <= 1.25 teamfactor-packet-dos(15274) http://www.zone-h.org/advisories/read/id=4006 9708 Multiple cross-site scripting (XSS) vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to execute arbitrary script as other users via the (1) member parameter in member.php, (2) uid parameter in u2uadmin.php, (3) user parameter in editprofile.php, (4) an onmouseover event in an align tag when bbcode is allowed, or (5) img tag where bbcode is allowed. xmb-multiple-scripts-xss(15292) 9726 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 xmb-bbcode-execute-code(15294) http://www.xmbforum.com/community/boards/viewthread.php?tid=746859 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 Multiple SQL injection vulnerabilities in XMB 1.8 Final SP2 allow remote attackers to inject arbitrary SQL and gain privileges via the (1) ppp parameter in viewthread.php, (2) desc parameter in misc.php, (3) tpp parameter in forumdisplay.php, (4) ascdesc parameter in forumdisplay.php, or (5) the addon parameter in stats.php. NOTE: it has also been shown that item (3) is also in XMB 1.9 beta. xmb-multiple-sql-injection(15295) 9726 http://www.xmbforum.com/community/boards/viewthread.php?tid=746859 20040223 [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta] 20040225 Re: [waraxe-2004-SA#004] - Multiple vulnerabilities in XMB 1.8 Partagium Final SP2 Confirm 0.62 and earlier could allow remote attackers to execute arbitrary code via an e-mail header that contains shell metacharacters such as ", `, |, ;, or $. confirm-header-gain-access(15290) 9728 20040223 Lam3rZ Security Advisory #3/2004: A bug in Confirm leads to remote command execution TYPSoft FTP Server 1.10 allows remote authenticated users to cause a denial of service (CPU consumption) via "//../" arguments to (1) mkd, (2) xmkd, (3) dele, (4) size, (5) retr, (6) stor, (7) appe, (8) rnfr, (9) rnto, (10) rmd, or (11) xrmd, as demonstrated using "//../qwerty". typsoft-ftp-command-dos(15306) 9702 20040223 TYPSoft FTP Server 1.10 multiple vulnerabilities Buffer overflow in the web proxy for GateKeeper Pro 4.7 allows remote attackers to execute arbitrary code via a long GET request. gatekeeper-long-get-bo(15277) 9716 20040222 GateKeeper Pro 4.7 buffer overflow 20040222 GateKeeper Pro 4.7 buffer overflow Directory traversal vulnerability in functions.php in PhpNewsManager 1.46 allows remote attackers to retrieve arbitrary files via .. (dot dot) sequences in the clang parameter. phpnewsmanager-dotdot-directory-traversal(15283) http://www.zone-h.org/advisories/read/id=4024 9720 20040223 ZH2004-09SA (security advisory): PhpNewsManager Remote arbitrary Gigabyte Gn-B46B 2.4Ghz wireless broadband router firmware 1.003.00 allows local users on the same local network as the router to bypass authentication by using a copy of the router's html menu on a separate system. gigabyte-gnb46b-bypass-authentication(15313) 9740 20040224 Gigabyte Broadband Router - Multiple Vulnerabilities FreeChat 1.1.1a allows remote attackers to cause a denial of service (crash) via certain unexpected strings, as demonstrated using "aaaaa". freechat-string-dos(15321) 9744 20040226 Denial Of Service in FreeChat 1.1.1a Buffer overflow in Serv-U ftp before 5.0.0.4 allows remote authenticated users to execute arbitrary code via a long time zone argument to the MDTM command. servu-mdtm-bo(15323) 9751 http://www.cnhonker.com/advisory/serv-u.mdtm.txt 20040226 [vulnwatch] Serv-U MDTM Command Buffer Overflow Vulnerability Heap-based buffer overflow in Dell OpenManage Web Server 3.4.0 allows remote attackers to cause a denial of service (crash) via a HTTP POST with a long application variable. 9750 dell-openmanage-ocsgetoeminpathfile-bo(15325) http://sh0dan.org/files/domadv.txt 20040226 Dell OpenManage Web Server Heap Overflow (Pre-Auth) Extremail 1.5.9 does not check passwords correctly when they are all digits or begin with a digit, which allows remote attackers to gain privileges. extremail-password-gain-access(15329) 9754 20040226 Extremail Security Problem Buffer overflow in the UUDeview package, as used in WinZip 6.2 through WinZip 8.1 SR-1, and possibly other packages, allows remote attackers to execute arbitrary code via a MIME archive with certain long MIME parameters. This was fixed in WinZip 8.1 SR-2 in March of 2004. You can find more information on the subject on the following pages of the winzip site: http://www.winzip.com/wz81sr2.htm http://www.winzip.com/fmwz90.htm VU#116182 9758 uudeview-multiple-bo(15490) winzip-mime-bo(15336) http://www.winzip.com/fmwz90.htm 4119 http://www.openpkg.org/security/OpenPKG-SA-2004.006-uudeview.html 20040227 WinZip MIME Parsing Buffer Overflow Vulnerability O-092 11019 10995 InnoMedia VideoPhone allows remote attackers to bypass Basic Authorization via an HTTP request to (1) videophone_admindetail.asp, (2) videophone_syscfg.asp, (3) videophone_upgrade.asp, or (4) videophone_sysctrl.asp that contains a trailing / (slash). NOTE: the original report mentioned AXIS 2100 Network Camera, but this was likely a cut-and-paste error. InnoMedia-videophone-bypass-authentication(15636) 4809 1009522 20040227 InnoMedia VideoPhone Authorization Bypass LAN SUITE Web Mail 602Pro, when configured to use the "Directory browsing" feature, allows remote attackers to obtain a directory listing via an HTTP request to (1) index.html, (2) cgi-bin/, or (3) users/. 602pro-directory-listing(15349) 9780 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities LAN SUITE Web Mail 602Pro allows remote attackers to gain sensitive information via the mail login form, which contains the path to the mail directory. 602pro-path-disclosure(15350) 9781 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in LAN SUITE Web Mail 602Pro allows remote attackers to execute arbitrary script or HTML as other users via a URL to index.html, followed by a / (slash) and the desired script. NOTE: the vendor states that this bug could not be reproduced, so this issue may be REJECTed in the future. 602pro-index-xss(15351) 9777 20040228 LAN SUITE Web Mail 602Pro Multiple Vulnerabilities 20040310 Re: LAN SUITE Web Mail 602Pro Multiple Vulnerabilities SQL injection vulnerability in search.php for Invision Board Forum allows remote attackers to execute arbitrary SQL queries via the st parameter. 20040228 Invision Power Board SQL injection! invision-search-sql-injection(15343) 9766 Cross-site scripting (XSS) vulnerability in ViewTopic.php in phpBB, possibly 2.0.6c and earlier, allows remote attackers to execute arbitrary script or HTML as other users via the postorder parameter. This vulnerability is addressed in the following product release: phpBB Group, phpBB, 2.0.7 9765 phpbb-viewtopicphp-xss(15348) 20040228 New phpBB ViewTopic.php Cross Site Scripting Vulnerability Stack-based buffer overflow in WFTPD Pro Server 3.21 Release 1, Pro Server 3.20 Release 2, Server 3.21 Release 1, and Server 3.10 allows local users to execute arbitrary code via long (1) LIST, (2) NLST, or (3) STAT commands. 9767 wftpd-ftp-commands-bo(15340) 20040228 Critical WFTPD buffer overflow vulnerability 11001 WFTPD Pro Server 3.21 Release 1 allocates memory for a command until a 0Ah byte (newline) is sent, which allows local users to cause a denial of service (CPU consumption) by continuing to send a long command that does not contain a newline. 9767 wftpd-string-0Ahbyte-dos(15341) 20040228 Multiple WFTPD Denial of Service vulnerabilities 4115 11001 WFTPD Pro Server 3.21 Release 1, with the XeroxDocutech option enabled, allows local users to cause a denial of service (crash) via a (1) MKD or (2) XMKD command that causes an absolute path of 260 characters to be used, which overwrites a cookie with a null character, possibly due to an off-by-one error. 9767 wftpd-ftp-command-dos(15342) 20040228 Multiple WFTPD Denial of Service vulnerabilities 4116 11001 Multiple SQL injection vulnerabilities in YaBB SE 1.5.4 through 1.5.5b allow remote attackers to execute arbitrary SQL via (1) the msg parameter in ModifyMessage.php or (2) the postid parameter in ModifyMessage.php. 9774 yabb-multiple-sql-injection(15354) 20040301 YabbSE (3 on 1) Directory traversal vulnerability in ModifyMessage.php in YaBB SE 1.5.4 through 1.5.5b allows remote attackers to delete arbitrary files via a .. (dot dot) in the attachOld parameter. 9774 20040301 YabbSE (3 on 1) Buffer overflow in Red Faction client 1.20 and earlier allows remote servers to execute arbitrary code via a long server name. redfaction-bo(15353) 9775 20040301 Clients broadcast buffer overflow in Red Faction <= 1.20 Off-by-one buffer overflow in _xlate_ascii_write() in ProFTPD 1.2.7 through 1.2.9rc2p allows local users to gain privileges via a 1024 byte RETR command. proftpd-offbyone-bo(15387) 9782 20040302 The Cult of a Cardinal Number Cross-site scripting (XSS) vulnerability in delhomepage.cgi in NetScreen-SA 5000 Series running firmware 3.3 Patch 1 (build 4797) allows remote authenticated users to execute arbitrary script as other users via the row parameter. VU#114070 9791 20040304 NetScreen Advisory 58412: XSS Bug in NetScreen-SA SSL VPN 20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance netscreen-delhomepagecgi-xss(15368) 20040302 03-02-04 XSS Bug in NetScreen-SA 5000 Series of SSL VPN appliance SQL injection vulnerability in viewCart.asp in SpiderSales shopping cart software allows remote attackers to execute arbitrary SQL via the userId parameter. spidersales-userid-sql-injection(15371) 9799 http://www.s-quadra.com/advisories/Adv-20040303.txt 20040303 Spider Sales shopping cart software multiple security vulnerabilities Directory traversal vulnerability in GWeb HTTP Server 0.6 allows remote attackers to view arbitrary files via a .. (dot dot) in the URL. 20040303 directory traversal in GWeb 0.6 gweb-dotdot-directory-traversal(15381) 9742 SpiderSales shopping cart does not enforce a minimum length for the private key, which can make it easier for local users to obtain the private key by factoring. spidersales-weak-encryption(15370) 9799 http://www.s-quadra.com/advisories/Adv-20040303.txt 20040303 Spider Sales shopping cart software multiple security vulnerabilities 20040303 Spider Sales shopping cart software multiple security vulnerabilities Spider Sales shopping cart stores the private key in the same database and table as the public key, which allows local users with access to the database to decrypt data. spidersales-weak-encryption(15370) 9799 20040303 Spider Sales shopping cart software multiple security vulnerabilities 20040303 Spider Sales shopping cart software multiple security vulnerabilities Cisco 11000 Series Content Services Switches (CSS) running WebNS 5.0(x) before 05.0(04.07)S, and 6.10(x) before 06.10(02.05)S allow remote attackers to cause a denial of service (device reset) via a malformed packet to UDP port 5002. VU#363374 9806 20040304 Cisco CSS 11000 Series Content Services Switches Malformed UDP Packet Vulnerability cisco-css-udp-dos(15388) Multiple buffer overflows in auth_ident() function in auth.c for GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to gain privileges via a long string. 9772 anubis-ident-bo(15345) 20040310 GNU Anubis 3.6.2 remote root exploit 20040304 GNU Anubis buffer overflows and format string bugs [bug-anubis] 20040228 Important security update Multiple format string vulnerabilities in GNU Anubis 3.6.0 through 3.6.2, 3.9.92 and 3.9.93 allow remote attackers to execute arbitrary code via format string specifiers in strings passed to (1) the info function in log.c, (2) the anubis_error function in errs.c, or (3) the ssl_error function in ssl.c. 9772 anubis-format-string(15346) 20040304 GNU Anubis buffer overflows and format string bugs [bug-anubis] 20040228 Important security update Invision Power Board 1.3 Final allows remote attackers to gain sensitive information by selecting a file for "Personal Photo" that is not an image file, which displays the installation path in an error message. invision-invalid-path-disclosure(15400) 9810 20040305 Invision Power Board 1.3 Final Path Disclosure Vulnerability Stack-based buffer overflow in Supervisor Report Center in SL Mail Pro 2.0.9 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a long HTTP sub-version. slmail-src-stack-bo(15398) 9809 http://www.nextgenss.com/advisories/slmailsrc.txt 20040305 SLMail Pro Supervisor Report Center Buffer Overflow (#NISR05022004a) http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf Stack-based buffer overflows in SL Mail Pro 2.0.9 allow remote attackers to execute arbitrary code via (1) user.dll, (2) loadpageadmin.dll or (3) loadpageuser.dll. 9808 slmail-slwebmail-bo(15399) http://www.nextgenss.com/advisories/slmailwm.txt 20040305 SLWebMail Multiple Buffer Overflow Vulnerabilities (#NISR05022004b) http://216.26.170.92/Download/webfiles/Patches/SLMPPatch-2.0.14.pdf Cross-site scripting (XSS) vulnerability in VirtuaNews Admin Panel Pro 1.0.3 allows remote attackers to execute arbitrary script as other users via (1) the mainnews parameter in admin.php, (2) the expand parameter in admin.php, (3) the id parameter in admin.php, (4) the catid parameter in admin.php, or (5) an unnamed parameter during the newslogo_upload action in admin.php. virtuanews-multiple-xss(15402) 9819 9812 20040305 VirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting Vulnerabillity 20040307 RE: VirtuaNews Admin Panel 1.0.3 Pro Cross Site Scripting Vulnerabillity Cross-site scripting (XSS) vulnerability in index.php for Invision Power Board 1.3 final allows remote attackers to execute arbitrary script as other users via the (1) c, (2) f, (3) showtopic, (4) showuser, or (5) username parameters. invision-xss(15403) 9768 4154 11053 20040305 Invision Power Board v1.3 Final Cross Site Scripting Vulnerabillity Unknown vulnerability in passwd(1) in Solaris 8.0 and 9.0 allows local users to gain privileges via unknown attack vectors. VU#694782 9757 solaris-passwd-gain-privileges(15327) O-088 57454 200470305 O-088: Sun passwd(1) Command Vulnerability The Javascript engine in Safari 1.2 and earlier allows remote attackers to cause a denial of service (segmentation fault) by creating a new Array object with a large size value, then writing into that array. safari-array-dos(15413) 9815 http://www.insecure.ws/article.php?story=2004021918172533 20040306 Safari javascript array overflow Multiple stack-based buffer overflows in the ICQ parsing routines of the ISS Protocol Analysis Module (PAM) component, as used in various RealSecure, Proventia, and BlackICE products, allow remote attackers to execute arbitrary code via a SRV_MULTI response containing a SRV_USER_ONLINE response packet and a SRV_META_USER response packet with long (1) nickname, (2) firstname, (3) lastname, or (4) email address fields, as exploited by the Witty worm. VU#947254 20040318 Vulnerability in ICQ Parsing in ISS Products 9913 20040318 EEYE: Internet Security Systems PAM ICQ Server Response Processing Vulnerability witty-worm-propagation(15543) pam-icq-parsing-bo(15442) 4355 AD20040318 O-104 11073 Stack-based buffer overflow in the SymSpamHelper ActiveX component (symspam.dll) in Norton AntiSpam 2004, as used in Norton Internet Security 2004, allows remote attackers to execute arbitrary code via a long parameter to the LaunchCustomRuleWizard method. VU#344718 http://www.nextgenss.com/advisories/antispam.txt nas-launchcustomrulewizard-bo(15536) 9916 http://www.sarc.com/avcenter/security/Content/2004.03.19.html 11169 20040319 Norton AntiSpam Remote Buffer Overrun (#NISR19042004a) 20040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004b The WrapNISUM ActiveX component (WrapUM.dll) in Norton Internet Security 2004 is marked safe for scripting, which allows remote attackers to execute arbitrary programs via the LaunchURL method. VU#549054 http://www.nextgenss.com/advisories/nisrce.txt norton-is-launchurl-command-execution(15538) 9915 http://www.sarc.com/avcenter/security/Content/2004.03.19.html 11168 20040319 Norton Internet Security Remote Command Execution (#NISR19042004b) 20040319 Ref: NGSSoftware Advisories NISR19042004a and NISR19042004b The dissect_attribute_value_pairs function in packet-radius.c for Ethereal 0.8.13 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a malformed RADIUS packet that triggers a null dereference. VU#124454 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal ethereal-radius-dos(15571) RHSA-2004:137 RHSA-2004:136 http://www.ethereal.com/appnotes/enpa-sa-00013.html GLSA-200403-07 11185 oval:org.mitre.oval:def:9196 [ethereal-dev] 20040318 ethereal radius dissector vulnerability MDKSA-2004:024 20040416 [OpenPKG-SA-2004.015] OpenPKG Security Advisory (ethereal) CLA-2004:835 oval:org.mitre.oval:def:891 oval:org.mitre.oval:def:879 SQL injection vulnerability in the libpam-pgsql library before 0.5.2 allows attackers to execute arbitrary SQL statements. pam-pgsql-sql-injection(15651) DSA-469 10266 11237 Ethereal 0.10.1 to 0.10.2 allows remote attackers to cause a denial of service (crash) via a zero-length Presentation protocol selector. VU#792286 RHSA-2004:137 ethereal-zero-presentation-dos(15570) RHSA-2004:136 [Ethereal-dev] 20040416 Possibly incorrect CVE entry CAN-2004-0367 http://www.ethereal.com/appnotes/enpa-sa-00013.html GLSA-200403-07 11185 oval:org.mitre.oval:def:11071 20040329 LNSA-#2004-0007: Multiple security problems in Ethereal CLA-2004:835 MDKSA-2004:024 oval:org.mitre.oval:def:905 oval:org.mitre.oval:def:880 Double free vulnerability in dtlogin in CDE on Solaris, HP-UX, and other operating systems allows remote attackers to execute arbitrary code via a crafted XDMCP packet. VU#179804 cde-dtlogin-double-free(15581) 9958 http://www.immunitysec.com/downloads/dtlogin.sxw.pdf O-129 HPSBUX01038 57539 101478 11614 11495 11214 11210 [Dailydave] 20040323 dtlogin advisory 20040323 how much fun can you have with UDP? 20040801-01-P oval:org.mitre.oval:def:1436 Buffer overflow in Entrust LibKmp ISAKMP library, as used by Symantec Enterprise Firewall 7.0 through 8.0, Gateway Security 5300 1.0, Gateway Security 5400 2.0, and VelociRaptor 1.5, allows remote attackers to execute arbitrary code via a crafted ISAKMP payload. isakmp-spi-size-bo(15669) 20040826 Entrust LibKmp Library Buffer Overflow 11039 O-206 ESB-2004.0538 http://securityresponse.symantec.com/avcenter/security/Content/2004.08.26.html The setsockopt call in the KAME Project IPv6 implementation, as used in FreeBSD 5.2, does not properly handle certain IPv6 socket options, which could allow attackers to read kernel memory and cause a system panic. freebsd-ipv6-dos(15662) 9992 11233 FreeBSD-SA-04:06 Heimdal 0.6.x before 0.6.1 and 0.5.x before 0.5.3 does not properly perform certain consistency checks for cross-realm requests, which allows remote attackers with control of a realm to impersonate others in the cross-realm trust path. heimdal-cross-realm-spoofing(15701) DSA-476 http://www.pdc.kth.se/heimdal/advisory/2004-04-01/ GLSA-200404-09 20040530 009: SECURITY FIX: May 30, 2004 FreeBSD-SA-04:08 xine allows local users to overwrite arbitrary files via a symlink attack on a bug report email that is generated by the (1) xine-bugreport or (2) xine-check scripts. xine-xinebugreport-xinecheck-symlink(15564) DSA-477 9939 GLSA-200404-20 20040320 xine-check/xine-bugreport symlink vulnerability. Interchange before 5.0.1 allows remote attackers to "expose the content of arbitrary variables" and read or modify sensitive SQL information via an HTTP request ending with the "__SQLUSER__" string. interchange-url-obtain-information(15670) DSA-471 10005 11234 http://ftp.icdevgroup.org/interchange/5.0/WHATSNEW [interchange-announce] 20040329 Security Problem in Interchange SYMNDIS.SYS in Symantec Norton Internet Security 2003 and 2004, Norton Personal Firewall 2003 and 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 and 1.1 allow remote attackers to cause a denial of service (infinite loop) via a TCP packet with (1) SACK option or (2) Alternate Checksum Data option followed by a length of zero. symantec-firewall-tcp-dos(15936) norton-firewalls-dos(15433) http://www.symantec.com/avcenter/security/Content/2004.04.20.html 9912 http://www.eeye.com/html/Research/Upcoming/20040309.html 1009380 1009379 20040423 EEYE: Symantec Multiple Firewall TCP Options Denial of Service oftpd 0.3.6 and earlier allows remote attackers to cause a denial of service (crash) via a PORT command with a large value. 9980 DSA-473 oftpd-port-dos(15622) http://www.time-travellers.org/oftpd/oftpd-dos.html GLSA-200403-08 11220 Buffer overflow in the win32_stat function for (1) ActiveState's ActivePerl and (2) Larry Wall's Perl before 5.8.3 allows local or remote attackers to execute arbitrary commands via filenames that end in a backslash character. VU#722414 perl-win32stat-bo(15732) 20040405 iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function http://public.activestate.com/cgi-bin/perlbrowse?patch=22552 http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities 20040405 [Full-Disclosure] iDEFENSE Security Advisory 04.05.04: Perl win32_stat Function Multiple cross-site scripting (XSS) vulnerabilities in Microsoft SharePoint Portal Server 2001 allow remote attackers to process arbitrary web content and steal cookies via certain server scripts. 20040405 Multiple XSS vulnerabilities in Microsoft SharePoint Portal Server 2001 sharepoint-portal-xss(15729) The MHTML protocol handler in Microsoft Outlook Express 5.5 SP2 through Outlook Express 6 SP1 allows remote attackers to bypass domain restrictions and execute arbitrary code, as demonstrated on Internet Explorer using script in a compiled help (CHM) file that references the InfoTech Storage (ITS) protocol handlers such as (1) ms-its, (2) ms-itss, (3) its, or (4) mk:@MSITStore, aka the "MHTML URL Processing Vulnerability." VU#323070 TA04-104A 20040328 IE ms-its: and mk:@MSITStore: vulnerability 20040219 Microsoft Internet Explorer Unspecified CHM File Processing Arbitrary Code Execution Vulnerability (bid 9658) MS04-013 outlook-mhtml-execute-code(15705) 9658 http://www.k-otik.net/bugtraq/02.18.InternetExplorer.php 9105 10523 oval:org.mitre.oval:def:990 oval:org.mitre.oval:def:882 oval:org.mitre.oval:def:1028 oval:org.mitre.oval:def:1010 mysqlbug in MySQL allows local users to overwrite arbitrary files via a symlink attack on the failed-mysql-bugreport temporary file. 9976 20040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql) mysql-mysqlbug-symlink(15617) RHSA-2004:597 RHSA-2004:569 DSA-483 P-018 GLSA-200405-20 oval:org.mitre.oval:def:11557 20040324 mysqlbug tmpfile/symlink vulnerability. MDKSA-2004:034 Unknown vulnerability in the CUPS printing system in Mac OS X 10.3.3 and Mac OS X 10.2.8 with unknown impact, possibly related to a configuration file setting. macos-cups-configuration-unknown(15769) http://lists.apple.com/mhonarc/security-announce/msg00047.html http://docs.info.apple.com/article.html?artnum=61798 Unknown vulnerability in Mail for Mac OS X 10.3.3 and 10.2.8, with unknown impact, related to "the handling of HTML-formatted email." macos-mail-unknown(15768) http://lists.apple.com/mhonarc/security-announce/msg00047.html http://docs.info.apple.com/article.html?artnum=61798 Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener. NOTE: due to the vagueness of the Oracle advisory, it is not clear whether there are additional issues besides this overflow, although the advisory alludes to multiple "vulnerabilities." VU#413006 http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf oracle-web-cache-vulnerabilities(15463) 9868 http://www.inaccessnetworks.com/ian/services/secadv01.txt 20040316 new security alert #66 issued in Oracle web cache 20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache 4249 11118 20040408 Heap Overflow in Oracle 9iAS / 10g Application Server Web Cache Buffer overflow in the HTTP parser for MPlayer 1.0pre3 and earlier, 0.90, and 0.91 allows remote attackers to execute arbitrary code via a long Location header. VU#723910 mplayer-header-bo(15675) 10008 20040330 Heap overflow in MPlayer GLSA-200403-13 11259 20040330 MPlayer Security Advisory #002 - HTTP parsing vulnerability http://www.mplayerhq.hu/homepage/design6/news.html MDKSA-2004:026 Stack-based buffer overflow in the RT3 plugin, as used in RealPlayer 8, RealOne Player, RealOne Player 10 beta, and RealOne Player Enterprise, allows remote attackers to execute arbitrary code via a malformed .R3T file. realplayer-r3t-bo(15774) http://www.service.real.com/help/faq/security/040406_r3t/en/ http://www.ngssoftware.com/advisories/realr3t.txt 20040307 REAL One Player R3T File Format Stack Overflow 10070 4977 11314 20040307 REAL One Player R3T File Format Stack Overflow The mysqld_multi script in MySQL allows local users to overwrite arbitrary files via a symlink attack. DSA-483 mysql-mysqldmulti-symlink(15883) 10142 RHSA-2004:597 RHSA-2004:569 6421 P-018 1009784 GLSA-200405-20 11223 oval:org.mitre.oval:def:10559 20040414 [OpenPKG-SA-2004.014] OpenPKG Security Advisory (mysql) http://dev.mysql.com/doc/mysql/en/news-4-1-2.html MDKSA-2004:034 RealNetworks Helix Universal Server 9.0.1 and 9.0.2 allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference, as demonstrated using (1) GET_PARAMETER or (2) DESCRIBE requests. 20040415 RealNetworks Helix Universal Server Denial of Service Vulnerability helix-get-dos(15880) 10157 11395 SCO OpenServer 5.0.5 through 5.0.7 only supports Xauthority style access control when users log in using scologin, which allows remote attackers to gain unauthorized access to an X session via other X login methods. openserver-x-session-insecure(16113) SCOSA-2004.5 20040510 OpenServer 5.0.5 OpenServer 5.0.6 OpenServer 5.0.7 : X sessions which are not started by scologin cannot use the X authorization protocol Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting Solution Engine (HSE) 1.7 through 1.7.3 have a hardcoded username and password, which allows remote attackers to add new users, modify existing users, and change configuration. VU#659228 cisco-default-password(15773) 20040407 A Default Username and Password in WLSE and HSE Devices O-111 10076 racoon before 20040407b allows remote attackers to cause a denial of service (infinite loop and dropped connections) via an IKE message with a malformed Generic Payload Header containing invalid (1) "Security Association Next Payload" and (2) "RESERVED" fields. racoon-isakmp-dos(15893) http://www.vuxml.org/freebsd/40fcf20f-8891-11d8-90d1-0020ed76ef5a.html SCOSA-2005.10 http://orange.kame.net/dev/query-pr.cgi?pr=555 Format string vulnerability in the msg function for rlpr daemon (rlprd) 2.0.4 allows remote attackers to execute arbitrary code via format string specifiers in a buffer that can not be resolved, which is provided to the syslog function. rlpr-msg-format-string(16453) 10578 DSA-524 20040624 Rlpr Advisory A "potential" buffer overflow exists in the panic() function in Linux 2.4.x, although it may not be exploitable due to the functionality of panic. linux-panic-bo(15953) SuSE-SA:2004:010 ESA-20040428-004 GLSA-200407-02 [fedora-announce] 20040422 Fedora alert FEDORA-2004-111 (kernel) CLA-2004:846 20040505-01-U 20040504-01-U 10233 MDKSA-2004:037 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 The xatitv program in the gatos package does not properly drop root privileges when the configuration file does not exist, which allows local users to execute arbitrary commands via shell metacharacters in a system call. gatos-xatitv-gain-privileges(16273) 10437 DSA-509 Heap-based buffer overflow in CVS 1.11.x up to 1.11.15, and 1.12.x up to 1.12.7, when using the pserver mechanism allows remote attackers to execute arbitrary code via Entry lines. VU#192038 TA04-147A RHSA-2004:190 DSA-505 20040519 Advisory 07/2004: CVS remote vulnerability GLSA-200405-12 http://security.e-matters.de/advisories/072004.html oval:org.mitre.oval:def:9058 SuSE-SA:2004:013 NetBSD-SA2004-008 FreeBSD-SA-04:10 cvs-entry-line-bo(16193) SSA:2004-140-01 10384 6305 MDKSA-2004:048 O-147 11674 11652 11651 11647 11641 20040520 cvs server buffer overflow vulnerability FEDORA-2004-1620 20040519 [OpenPKG-SA-2004.022] OpenPKG Security Advisory (cvs) 20040519 Advisory 07/2004: CVS remote vulnerability 20040519 Advisory 07/2004: CVS remote vulnerability oval:org.mitre.oval:def:970 Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command. subversion-date-parsing-command-execution(16191) 10386 20040519 [OpenPKG-SA-2004.023] OpenPKG Security Advisory (subversion) FLSA:1748 FEDORA-2004-128 http://security.e-matters.de/advisories/082004.html 20040519 Advisory 08/2004: Subversion remote vulnerability 20040519 Advisory 08/2004: Subversion remote vulnerability 6301 GLSA-200405-14 http://subversion.tigris.org/svn-sscanf-advisory.txt 11675 11642 Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client. FEDORA-2004-1552 neon-library-nerfc1036parse-bo(16192) 10385 RHSA-2004:191 DSA-507 DSA-506 GLSA-200405-15 GLSA-200405-13 11673 11650 11638 6302 O-148 CLA-2004:841 20040519 Advisory 06/2004: libneon date parsing vulnerability MDKSA-2004:049 20040519 [OpenPKG-SA-2004.024] OpenPKG Security Advisory (neon) 20040519 Advisory 06/2004: libneon date parsing vulnerability Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification. exim-requireverify-bo(16079) http://www.guninski.com/exim1.html DSA-502 DSA-501 20040506 Buffer overflows in exim, yet still exim much better than windows 11558 Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check. exim-headerschecksyntax-bo(16077) http://www.guninski.com/exim1.html DSA-502 DSA-501 20040506 Buffer overflows in exim, yet still exim much better than windows Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions. libtasn1-der-parsing(16157) http://www.backports.org/changelog.html 10360 15126 1010159 http://packages.debian.org/changelogs/pool/main/libt/libtasn1-2/libtasn1-2_0.2.13-1/changelog Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other versions, may allow local users to execute arbitrary code. 10403 DSA-508 xpcd-svga-pcdopen-bo(16236) MDKSA-2004:053 Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field. RHSA-2004:165 APPLE-SA-2004-05-03 http://www.vuxml.org/freebsd/ccd698df-8e20-11d8-90d1-0020ed76ef5a.html MDKSA-2004:069 http://www.kame.net/dev/cvsweb2.cgi/kame/kame/kame/racoon/isakmp.c.diff?r1=1.180&r2=1.181 GLSA-200404-17 oval:org.mitre.oval:def:11220 20040506-01-U SCOSA-2005.10 racoon-isakmp-dos(15893) 10172 5491 http://sourceforge.net/project/shownotes.php?release_id=232288 1009937 11877 11410 oval:org.mitre.oval:def:984 logcheck before 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary directory in /var/tmp. logcheck-directory-symlink(15888) 10162 DSA-488 11399 MDKSA-2004:155 CVS before 1.11 allows CVS clients to read arbitrary files via .. (dot dot) sequences in filenames via CVS client requests, a different vulnerability than CVE-2004-0180. DSA-486 FEDORA-2004-1620 20040404-01-U FreeBSD-SA-04:07 oval:org.mitre.oval:def:10818 cvs-dotdot-directory-traversal(15891) SSA:2004-108-02 GLSA-200404-13 oval:org.mitre.oval:def:1060 The HTML form upload capability in ColdFusion MX 6.1 does not reclaim disk space if an upload is interrupted, which allows remote attackers to cause a denial of service (disk consumption) by repeatedly uploading files and interrupting the uploads before they finish. http://www.macromedia.com/devnet/security/security_zone/mpsb04-06.html 20040416 [securityzone@macromedia.com: New Macromedia Security Zone Bulletin Posted] coldfusion-upload-file-dos(15882) 10158 5402 1009825 11392 Buffer overflow in the child_service function in the ident2 ident daemon allows remote attackers to execute arbitrary code. ident2-childservice-bo(15938) 10192 DSA-494 Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code. http://www.xchat.org/ RHSA-2004:177 DSA-493 [xchat-announce] 20040405 xchat 2.0.x Socks5 Vulnerability RHSA-2004:585 GLSA-200404-15 oval:org.mitre.oval:def:11312 FLSA:123013 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code. http://www.kde.org/info/security/advisory-20040517-1.txt 20040513 Opera Telnet URI Handler Vulnerability also applies to other browsers RHSA-2004:222 SuSE-SA:2003:014 DSA-518 GLSA-200405-11 kde-url-handler-gain-access(16163) SSA:2004-238 10358 FEDORA-2004-122 FEDORA-2004-121 6107 O-146 11602 20040517 KDE Security Advisory: URI Handler Vulnerabilities CLA-2004:843 oval:org.mitre.oval:def:954 Mailman before 2.1.5 allows remote attackers to obtain user passwords via a crafted email request to the Mailman server. 10412 FEDORA-2004-1734 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=123559 MDKSA-2004:051 GLSA-200406-04 [Mailman-Announce] 20040515 RELEASED Mailman 2.1.5 CLA-2004:842 mailman-obtain-password(16256) 11701 libsvn_ra_svn in Subversion 1.0.4 trusts the length field of (1) svn://, (2) svn+ssh://, and (3) other svn protocol URL strings, which allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via an integer overflow that leads to a heap-based buffer overflow. subversion-svn-bo(16396) 10519 FLSA:1748 FEDORA-2004-165 SuSE-SA:2004:018 GLSA-200406-07 http://subversion.tigris.org/security/CAN-2004-0413-advisory.txt 20041012 [FMADV] Subversion <= 1.04 Heap Overflow CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle malformed "Entry" lines, which prevents a NULL terminator from being used and may lead to a denial of service (crash), modification of critical program data, or arbitrary code execution. DSA-517 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:10575 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U 20040604-01-U MDKSA-2004:058 oval:org.mitre.oval:def:993 Linux kernel does not properly convert 64-bit file offset pointers to 32 bits, which allows local users to access portions of kernel memory. RHSA-2004:418 linux-pointer-info-disclosure(16877) RHSA-2004:413 MDKSA-2004:087 GLSA-200408-24 oval:org.mitre.oval:def:9965 20040804-01-U CLA-2004:879 Double free vulnerability for the error_prog_name string in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to execute arbitrary code. DSA-519 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 MDKSA-2004:058 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:10070 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U 20040604-01-U oval:org.mitre.oval:def:994 Integer overflow in the "Max-dotdot" CVS protocol command (serve_max_dotdot) for CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, may allow remote attackers to cause a server crash, which could cause temporary data to remain undeleted and consume disk space. DSA-519 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:11145 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U MDKSA-2004:058 oval:org.mitre.oval:def:1001 serve_notify in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16, does not properly handle empty data lines, which may allow remote attackers to perform an "out-of-bounds" write for a single byte to execute arbitrary code or modify critical program data. DSA-519 20040611 [OpenPKG-SA-2004.027] OpenPKG Security Advisory (cvs) RHSA-2004:233 GLSA-200406-06 http://security.e-matters.de/advisories/092004.html oval:org.mitre.oval:def:11242 20040609 Advisory 09/2004: More CVS remote vulnerabilities 20040605-01-U 20040604-01-U MDKSA-2004:058 oval:org.mitre.oval:def:1003 XDM in XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0, which could allow remote attackers to connect to the port, in violation of the intended restrictions. 10423 MDKSA-2004:073 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124900 20040526 008: SECURITY FIX: May 26, 2004 GLSA-200407-05 oval:org.mitre.oval:def:10161 http://bugs.xfree86.org/show_bug.cgi?id=1376 xdm-socket-gain-access(16264) RHSA-2004:478 P-001 1010306 12019 The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP. TA04-196A VU#106324 9510 20040127 GOOROO CROSSING: File Spoofing Internet Explorer 6 20040127 RE: GOOROO CROSSING: File Spoofing Internet Explorer 6 MS04-024 ie-clsid-file-extension-spoofing(14964) 10736 oval:org.mitre.oval:def:3604 oval:org.mitre.oval:def:3533 oval:org.mitre.oval:def:3386 oval:org.mitre.oval:def:2894 oval:org.mitre.oval:def:2381 oval:org.mitre.oval:def:2245 The Portable Network Graphics library (libpng) 1.0.15 and earlier allows attackers to cause a denial of service (crash) via a malformed PNG image file that triggers an error that causes an out-of-bounds read when creating the error message. 10244 RHSA-2004:180 libpng-png-dos(16022) RHSA-2004:181 DSA-498 oval:org.mitre.oval:def:11710 FEDORA-2004-106 FEDORA-2004-105 2004-0025 20040429 [OpenPKG-SA-2004.017] OpenPKG Security Advisory (png) APPLE-SA-2004-09-09 MDKSA-2006:213 MDKSA-2006:212 MDKSA-2004:040 22958 22957 oval:org.mitre.oval:def:971 flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack. flim-insecure-temporary-file(16027) DSA-500 RHSA-2004:344 The log_event function in ssmtp 2.50.6 and earlier allows local users to overwrite arbitrary files via a symlink attack on the ssmtp.log temporary log file. 20040418 ssmtp insecure file creation Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option. linux-ipsetsockopt-integer-bo(15907) 10179 ESA-20040428-004 http://www.isec.pl/vulnerabilities/isec-0015-msfilter.txt 20040420 Linux kernel setsockopt MCAST_MSFILTER integer overflow SuSE-SA:2004:010 oval:org.mitre.oval:def:11214 20040504-01-U SSA:2004-119 RHSA-2004:183 MDKSA-2004:037 CLA-2004:852 oval:org.mitre.oval:def:939 Heap-based buffer overflow in SiteMinder Affiliate Agent 4.x allows remote attackers to execute arbitrary code via a large SMPROFILE cookie. siteminder-affiliate-smprofile-bo(15950) 10198 A042204-1 rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path. RHSA-2004:192 DSA-499 20040521 [OpenPKG-SA-2004.025] OpenPKG Security Advisory (rsync) rsync-write-files(16014) TSL-2004-0024 SSA:2004-124-01 10247 GLSA-200407-10 O-212 O-134 12054 11993 11688 11669 11583 11537 11523 11515 11514 http://rsync.samba.org/ oval:org.mitre.oval:def:9495 MDKSA-2004:042 oval:org.mitre.oval:def:967 The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call. [linux-kernel] 20040408 [PATCH]: 2.4/2.6 do_fork() error path memory leak 20040505-01-U 20040504-01-U RHSA-2004:255 SuSE-SA:2004:010 GLSA-200407-02 oval:org.mitre.oval:def:10297 http://linux.bkbits.net:8080/linux-2.6/cset@407b1217x4jtqEkpFW2g_-RcF0726A http://linux.bkbits.net:8080/linux-2.4/cset@407bf20eDeeejm8t36_tpvSE-8EFHA FEDORA-2004-111 CLA-2004:846 linux-dofork-memory-leak(16002) TLSA-2004-14 10221 RHSA-2004:327 RHSA-2004:260 MDKSA-2004:037 DSA-1082 DSA-1070 DSA-1069 DSA-1067 O-164 20338 20202 20163 20162 11892 11891 11861 11541 11486 11464 11429 oval:org.mitre.oval:def:2819 Unknown vulnerability in CoreFoundation in Mac OS X 10.3.3 and Mac OS X 10.3.3 Server, related to "the handling of an environment variable," has unknown attack vectors and unknown impact. macos-corefoundation-environment(16051) 10270 ESB-2004.0314 1010045 11539 APPLE-SA-2004-05-03 Unknown vulnerability related to "the handling of large requests" in RAdmin for Apple Mac OS X 10.3.3 and Mac OS X 10.2.8 may allow attackers to have unknown impact via unknown attack vectors. ESB-2004.0314 1010045 11539 20040503 [product-security@apple.com: APPLE-SA-2004-05-03 Security Update 2004-05-03] APPLE-SA-2004-05-03 macos-radmin-large-request(16053) O-138 Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field. VU#648406 applefileserver-afp-pathname-bo(16049) A050304-1 http://www.securiteam.com/securitynews/5QP0115CUO.html 1010039 11539 APPLE-SA-2004-05-03 Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow. VU#782958 quicktime-heap-bo(16026) 20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow 20040502 EEYE: Apple QuickTime (QuickTime.qts) Heap Overflow APPLE-SA-2004-04-30 ProFTPD 1.2.9 treats the Allow and Deny directives for CIDR based ACL entries as if they were AllowAll, which could allow FTP clients to bypass intended access restrictions. 10252 proftpd-cidr-acl-bypass(16038) 11527 2004-0025 http://bugs.proftpd.org/show_bug.cgi?id=2267 MDKSA-2004:041 20040430 [OpenPKG-SA-2004.018] OpenPKG Security Advisory (proftpd) Multiple buffer overflows in the Real-Time Streaming Protocol (RTSP) client for (1) MPlayer before 1.0pre4 and (2) xine lib (xine-lib) before 1-rc4, when playing Real RTSP (realrtsp) streams, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via (a) long URLs, (b) long Real server responses, or (c) long Real Data Transport (RDT) packets. mplayer-rtsp-rdt-bo(16019) http://www.xinehq.de/index.php/security/XSA-2004-3 GLSA-200405-24 k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow. heimdal-kadmind-bo(16071) DSA-504 GLSA-200405-23 20040505 Advisory: Heimdal kadmind version4 remote heap overflow 20040506 Advisory: Heimdal kadmind version4 remote heap overflow FreeBSD-SA-04:09 Certain "programming errors" in the msync system call for FreeBSD 5.2.1 and earlier, and 4.10 and earlier, do not properly handle the MS_INVALIDATE operation, which leads to cache consistency problems that allow a local user to prevent certain changes to files from being committed to disk. FreeBSD-SA-04:11 freebsd-msync-gain-privileges(16254) 10416 11714 Titan FTP Server version 3.01 build 163, and possibly other versions before build 169, allows remote authenticated users to cause a denial of service (crash) by disconnecting from the system during a "LIST -L" command, which causes Titan to access an invalid socket. titan-list-command-dos(16057) http://www.securiteam.com/windowsntfocus/5RP0215CUU.html 20040505 Titan FTP Server Aborted LIST DoS 20040505 Titan FTP Server Aborted LIST DoS Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components. VU#634414 VU#294998 VU#637318 10335 10334 10333 http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html 11066 20040512 EEYE: Symantec Multiple Firewall NBNS Response Remote Heap Corruption 20040512 EEYE: Symantec Multiple Firewall Remote DNS KERNEL Overflow 20040512 EEYE: Symantec Multiple Firewall NBNS Response Processing Stack Overflow symantec-dns-response-bo(16137) symantec-firewalls-nbns-bo(16135) symantec-nbns-response-bo(16134) 6102 6101 6099 O-141 1010146 1010145 1010144 The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself. VU#682110 http://securityresponse.symantec.com/avcenter/security/Content/2004.05.12.html symantec-firewall-dns-dos(16132) 10336 11066 20040512 EEYE: Symantec Multiple Firewall DNS Response Denial-of-Service 6100 O-141 1010146 1010145 1010144 Unknown vulnerability in Linux before 2.4.26 for IA64 allows local users to cause a denial of service, with unknown impact. NOTE: due to a typo, this issue was accidentally assigned CVE-2004-0477. This is the proper candidate to use for the Linux local DoS. 10783 linux-ia64-dos(16661) RHSA-2004:413 DSA-1082 DSA-1070 DSA-1069 DSA-1067 O-193 GLSA-200407-16 20338 20202 20163 20162 oval:org.mitre.oval:def:10918 [owl-users] 20040619 Linux 2.4.26-ow2 20040804-01-U Format string vulnerability in the log function for jftpgw 0.13.4 and earlier allows remote authenticated users to execute arbitrary code via format string specifiers in certain syslog messages. jftpgw-log-format-string(16271) 10438 DSA-510 Format string vulnerability in the printlog function in log2mail before 0.2.5.2 allows local users or remote attackers to execute arbitrary code via format string specifiers in a logfile monitored by log2mail. 10460 DSA-513 log2mail-syslog-format-string(16311) 11769 11768 6711 http://felinemenace.org/~jaguar/advisories/log2mail.txt Multiple format string vulnerabilities in the (1) logquit, (2) logerr, or (3) loginfo functions in Software Upgrade Protocol (SUP) allows remote attackers to execute arbitrary code via format string specifiers in messages that are logged by syslog. sup-format-string(16459) 10571 DSA-521 1010539 Race condition in the rmtree function in the File::Path module in Perl 5.6.1 and 5.8.4 sets read/write permissions for the world, which allows local users to delete arbitrary files and directories, and possibly read files and directories, via a symlink attack. RHSA-2005:103 GLSA-200501-38 DSA-620 20050111 [OpenPKG-SA-2005.001] OpenPKG Security Advisory (perl) perl-filepathrmtree-insecure-permissions(18650) oval:org.mitre.oval:def:9938 USN-44-1 12072 RHSA-2005:105 18517 12991 FLSA-2006:152845 20060101-01-U Format string vulnerability in the monitor "memory dump" command in VICE 1.6 to 1.14 allows local users to cause a denial of service (emulator crash) and possibly execute arbitrary code via format string specifiers in an output string. 10543 vice-memory-dump-format-string(16404) 20040614 VICE emulator format string vulnerability Buffer overflow in the msg function for rlpr daemon (rlprd) 2.04 allows local users to execute arbitrary code. rlpr-msg-bo(16454) 10578 DSA-524 Buffer overflow in cgi.c in www-sql before 0.5.7 allows local users to execute arbitrary code via a web page that is processed by www-sql. wwwsql-cgi-command-execution(16455) 10577 DSA-523 Stack-based buffer overflow in pavuk 0.9pl28, 0.9pl27, and possibly other versions allows remote web sites to execute arbitrary code via a long HTTP Location header. pavuk-location-bo(16551) 10633 DSA-527 GLSA-200406-22 20040702 pavuk buffer overflow The mysqlhotcopy script in mysql 4.0.20 and earlier, when using the scp method from the mysql-server package, allows local users to overwrite arbitrary files via a symlink attack on temporary files. mysql-mysqlhotcopy-insecure-file(17030) RHSA-2004:597 DSA-540 P-018 oval:org.mitre.oval:def:10693 mah-jong before 1.6.2 allows remote attackers to cause a denial of service (server crash) via a missing argument, which triggers a null pointer dereference. mah-jong-null-dos(16143) 10343 DSA-503 The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data. VU#106678 AA-2004.02 ieee80211-cca-dos(16138) 10342 16034 http://support.avaya.com/elmodocs2/security/ASA-2004-009.pdf 1010152 20040513 802.11b (others) single packet DoS Buffer overflow in the logging capability for the DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13 allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via multiple hostname options in (1) DISCOVER, (2) OFFER, (3) REQUEST, (4) ACK, or (5) NAK messages, which can generate a long string when writing to a log file. TA04-174A VU#317350 10590 dhcp-ascii-log-bo(16475) SuSE-SA:2004:019 20040628 ISC DHCP overflows http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf MDKSA-2004:061 23265 20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd) 20040622 DHCP Vuln // no code 0day // The DHCP daemon (DHCPD) for ISC DHCP 3.0.1rc12 and 3.0.1rc13, when compiled in environments that do not provide the vsnprintf function, uses C include files that define vsnprintf to use the less safe vsprintf function, which can lead to buffer overflow vulnerabilities that enable a denial of service (server crash) and possibly execute arbitrary code. TA04-174A VU#654390 10591 dhcp-c-include-bo(16476) SuSE-SA:2004:019 20040628 ISC DHCP overflows http://www.xerox.com/downloads/usa/en/c/cert_XRX06_004_v11.pdf MDKSA-2004:061 23265 20040708 [OpenPKG-SA-2004.031] OpenPKG Security Advisory (dhcpd) 20040622 DHCP Vuln // no code 0day // The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server. VU#546483 network-device-secure-plaintext(17702) Directory traversal vulnerability in jretest.html in WebConnect 6.5 and 6.4.4, and possibly earlier versions, allows remote attackers to read keys within arbitrary INI formatted files via "..//" sequences in the WCP_USER parameter. http://www.kb.cert.org/vuls/id/JSHA-69HVPK VU#628411 webconnect-wcpuser-directory-traversal(19394) http://www.cirt.dk/advisories/cirt-29-advisory.pdf 14006 20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilities WebConnect 6.5, 6.4.4, and possibly earlier versions allows remote attackers to cause a denial of service (hang) via a URL containing an MS-DOS device name such as (1) AUX, (2) CON, (3) PRN, (4) COM1, or (5) LPT1. http://www.kb.cert.org/vuls/id/JSHA-69FVMM VU#552561 webconnect-device-name-dos(19393) 14006 http://www.cirt.dk/advisories/cirt-29-advisory.pdf 20050220 The WebConnect 6.4.4 and 6.5 contains several vulnerabilities Juniper JUNOS 5.x through JUNOS 7.x allows remote attackers to cause a denial of service (routing disabled) via a large number of MPLS packets, which are not filtered or verified before being sent to the Routing Engine, which reduces the speed at which other packets are processed. http://www.kb.cert.org/vuls/id/JSHA-68ZJCQ VU#409555 junos-dos(19094) 12379 http://www.niscc.gov.uk/niscc/docs/al-20050126-00067.html?lang=en RHSA-2005:081 1013039 14049 Memory leak in Juniper JUNOS Packet Forwarding Engine (PFE) allows remote attackers to cause a denial of service (memory exhaustion and device reboot) via certain IPv6 packets. VU#658859 juniper-ipv6-dos(16548) http://www.kb.cert.org/vuls/id/JSHA-6253CC http://www.jpcert.or.jp/at/2004/at040009.txt Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation. vpn1-isakmp-bo(16060) 10273 20040504 ISAKMP Vulnerability BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently removes security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application. VU#950070 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_59.00.jsp weblogic-application-unauth-access(16123) 10328 6076 1010128 11593 BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 does not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown). http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_60.00.jsp weblogic-server-policy-bypass(16121) 10327 6077 1010129 11594 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate is a reservation duplicate of CVE-2004-0434. Notes: All CVE users should reference CVE-2004-0434 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options to the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux. http://www.opera.com/linux/changelogs/750/index.dml GLSA-200405-19 opera-telnet-file-overwrite(16139) 10341 20040512 Opera Telnet URI Handler File Creation/Truncation Vulnerability 1010142 Help Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL. NOTE: since the initial report of this problem, several researchers have been unable to reproduce this issue. winxp-helpctr-hcp-xss(15101) 9621 20040207 HelpCtr - allow open any page or run 20040211 Re: HelpCtr - allow open any page or run 20040213 Re: HelpCtr - allow open any page or run 20040210 Re: HelpCtr - allow open any page or run 20040210 Re: HelpCtr - allow open any page or run The showHelp function in Internet Explorer 6 on Windows XP Pro allows remote attackers to execute arbitrary local .CHM files via a double backward slash ("\\") before the target CHM file, as demonstrated using an "ms-its" URL to ntshared.chm. NOTE: this bug may overlap CVE-2003-1041. ie-showhelp-chm-execution(16147) 10348 20040513 Showhelp() local CHM file execution Buffer overflow in 3Com OfficeConnect Remote 812 ADSL Router 1.1.9.4 allows remote attackers to cause a denial of service (reboot or packet loss) via a long string containing Telnet escape characters to the Telnet port. 10419 20040526 OfficeConnect Remote 812 ADSL Router Telnet Protocol DoS Vulnerability 3com-officeconnect-telnet-bo(16257) 11716 Unknown vulnerability in 3Com OfficeConnect Remote 812 ADSL Router allows remote attackers to bypass authentication via repeated attempts using any username and password. NOTE: this identifier was inadvertently re-used for another issue due to a typo; that issue was assigned CVE-2004-0447. This candidate is ONLY for the ADSL router bypass. 10426 20040527 iDEFENSE Security Advisory 05.27.04: 3Com OfficeConnect Remote 812 ADSL Router Authentication Bypass Vulnerability 3com-officeconnect-gain-access(16267) 11716 Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using Javascript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U. mozilla-javascript-dos(16225) [Dailydave] 20040514 Mozilla bug might even get fixed! http://bugzilla.mozilla.org/show_bug.cgi?id=243540 Internet Explorer 6 allows remote attackers to cause a denial of service (crash) via Javascript that creates a new popup window and disables the imagetoolbar functionality with a META tag, which triggers a null dereference. 20040516 Re: IE Crash - Anyone Seen This Before? 20040514 IE Crash - Anyone Seen This Before? 20040514 IE Crash - Anyone Seen This Before? Argument injection vulnerability in IBM Lotus Notes 6.0.3 and 6.5 allows remote attackers to execute arbitrary code via a notes: URI that uses a UNC network share pathname to provide an alternate notes.ini configuration file to notes.exe. lotus-notes-xss(16496) 10600 http://www.idefense.com/application/poi/display?id=111&type=vulnerabilities http://www-1.ibm.com/support/docview.wss?rs=475/context=SSKTWP&uid=swg21169510 20040627 Lotus Notes URL argument injection vulnerability The logging feature in kcms_configure in the KCMS package on Solaris 8 and 9, and possibly other versions, allows local users to corrupt arbitrary files via a symlink attack on the KCS_ClogFile file. 20050223 Sun Solaris kcms_configure Arbitrary File Corruption Vulnerability 57706 Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs.c, (3) procfs_linux.c, (4) procfs_regs.c, (5) procfs_status.c, and (6) procfs_subr.c in procfs for OpenBSD 3.5 and earlier allow local users to read sensitive kernel memory and possibly perform other unauthorized activities. [openbsd-security-announce] 20040513 procfs vulnerability ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.5/common/006_procfs.patch ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/020_procfs.patch openbsd-procfs-gain-privileges(16226) 6114 20040513 [3.5] 006: SECURITY FIX: May 13, 2004 20040513 [3.4] 020: SECURITY FIX: May 13, 2004 http://www.deprotect.com/advisories/DEPROTECT-20041305.txt 11605 20040517 OpenBSD procfs Unknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote attackers to cause a denial of service (infinite loop) via certain RPC requests. 10372 11628 rpcmountd-rpc-dos(16175) 6201 1010185 20040503-01-P mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attackers to cause a denial of service (crash) via a table containing a form that crosses multiple td elements, and whose "float: left" class is defined in a link to a CSS stylesheet after the end of the table, which may trigger a null dereference. ie-css-dos(16189) 10382 20040518 Unknown IE bug with css-styles The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume. VU#210606 11622 macos-runscript-code-execution(16166) APPLE-SA-2004-05-21 http://fundisom.com/owned/warning APPLE-SA-2004-05-28 HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler. VU#578798 10356 11622 macos-runscript-code-execution(16166) http://www.fundisom.com/owned/warning APPLE-SA-2004-05-21 6184 1010167 20040516 Vuln. MacOSX/Safari: Remote help-call, execute scripts A certain ActiveX control in Symantec Norton AntiVirus 2004 allows remote attackers to cause a denial of service (resource consumption) and possibly execute arbitrary programs. VU#312510 nav-activex-code-execution(16220) http://www.symantec.com/avcenter/security/Content/2004.05.20.html 10392 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/72_e.html O-149 11676 6303 20040521 [SNS Advisory No.72] Symantec Norton AntiVirus 2004 ActiveX Control Vulnerability Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN. 10355 FLSA:1888 apache-modssl-uuencode-bo(16214) 2004-0031 RHSA-2004:405 RHSA-2004:342 DSA-532 GLSA-200406-05 RHSA-2004:245 oval:org.mitre.oval:def:11458 SSRT4788 SSRT4777 20040601 TSSA-2004-008 - apache 20040517 mod_ssl ssl_util_uuencode_binary potential problem 20040605-01-U RHSA-2005:816 MDKSA-2004:055 MDKSA-2004:054 20040527 [OpenPKG-SA-2004.026] OpenPKG Security Advisory (apache) Argument injection vulnerability in the SSH URI handler for Safari on Mac OS 10.3.3 and earlier allows remote attackers to (1) execute arbitrary code via the ProxyCommand option or (2) conduct port forwarding via the -R option. macos-ssh-code-execution(16242) http://www.insecure.ws/article.php?story=200405222251133 20040524 SSH URI handler remote arbitrary code execution cPanel, when compiling Apache 1.3.29 and PHP with the mod_phpsuexec option, does not set the --enable-discard-path option, which causes php to use the SCRIPT_FILENAME variable to find and execute a script instead of the PATH_TRANSLATED variable, which allows local users to execute arbitrary PHP code as other users via a URL that references the attacker's script after the user's script, which executes the attacker's script with the user's privileges, a different vulnerability than CVE-2004-0529. cpanel-modphpsuexec-execute-commands(16239) 10407 20040524 cPanel mod_phpsuexec Vulnerability http://www.securiteam.com/tools/5TP0N15CUA.html http://www.a-squad.com/audit/explain10.html http://bugzilla.cpanel.net/show_bug.cgi?id=664 http://bugzilla.cpanel.net/show_bug.cgi?id=283 The linux-2.4.21-mlock.patch in Red Hat Enterprise Linux 3 does not properly maintain the mlock page count when one process unlocks pages that belong to another process, which allows local users to mlock more memory than specified by the rlimit. [linux-kernel] 20040402 Re: disable-cap-mlock oval:org.mitre.oval:def:10672 13769 RHSA-2005:472 19607 20060402-01-U oval:org.mitre.oval:def:1117 Heap-based buffer overflow in proxy_util.c for mod_proxy in Apache 1.3.25 to 1.3.31 allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. VU#541310 DSA-525 RHSA-2004:245 20040611 [OpenPKG-SA-2004.029] OpenPKG Security Advisory (apache) FLSA:1737 apache-modproxy-contentlength-bo(16387) http://www.guninski.com/modproxy1.html 57628 101841 101555 11841 20040610 Buffer overflow in apache mod_proxy,yet still apache much better than windows SSRT090208 HPSBOV02683 20040605-01-U MDKSA-2004:065 oval:org.mitre.oval:def:4863 oval:org.mitre.oval:def:100112 The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters. 10619 apache-apgetmimeheaderscore-dos(16524) 2004-0039 RHSA-2004:342 http://www.guninski.com/httpd1.html http://www.apacheweek.com/features/security-20 GLSA-200407-03 oval:org.mitre.oval:def:10605 SSRT4777 20040628 DoS in apache httpd 2.0.49, yet still apache much better than windows MDKSA-2004:064 20040629 TSSA-2004-012 - apache Multiple extfs backend scripts for GNOME virtual file system (VFS) before 1.0.1 may allow remote attackers to perform certain unauthorized actions via a gnome-vfs URI. RHSA-2004:373 FLSA:1944 gnome-vfs-extfs-gain-access(16897) oval:org.mitre.oval:def:9854 http://rpmfind.net/linux/RPM/suse/9.3/i386/suse/i586/gnome-vfs-1.0.5-816.2.i586.html Multiple unknown vulnerabilities in Linux kernel 2.4 and 2.6 allow local users to gain privileges or access kernel memory, as found by the Sparse source code checking tool. 10566 RHSA-2004:255 linux-drivers-gain-privileges(16449) RHSA-2004:260 SUSE-SA:2004:020 MDKSA-2004:066 GLSA-200407-02 oval:org.mitre.oval:def:10155 FEDORA-2004-186 CLA-2004:846 CLA-2004:845 oval:org.mitre.oval:def:2961 Multiple unknown vulnerabilities in Linux kernel 2.6 allow local users to gain privileges or access kernel memory, a different set of vulnerabilities than those identified in CVE-2004-0495, as found by the Sparse source code checking tool. linux-gain-privileges(16625) SUSE-SA:2004:020 Unknown vulnerability in Linux kernel 2.x may allow local users to modify the group ID of files, such as NFS exported files in kernel 2.4. linux-fchown-groupid-modify(16599) RHSA-2004:354 MDKSA-2004:066 CLA-2004:852 RHSA-2004:360 SUSE-SA:2004:020 oval:org.mitre.oval:def:9867 The H.323 protocol agent in StoneSoft firewall engine 2.2.8 and earlier allows remote attackers to cause a denial of service (crash) via crafted H.323 packets. http://www.uniras.gov.uk/niscc/docs/re-20041026-00956.pdf?lang=en http://www.stonesoft.com/support/Security_Advisories/6735.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none. Buffer overflow in the MSN protocol plugins (1) object.c and (2) slp.c for Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via MSNSLP protocol messages that are not properly handled in a strncpy call. gaim-msn-bo(16920) 10865 GLSA-200408-12 RHSA-2004:400 SUSE-SA:2004:025 MDKSA-2004:081 GLSA-200408-27 FEDORA-2004-279 FEDORA-2004-278 oval:org.mitre.oval:def:9429 http://gaim.sourceforge.net/security/?id=0 Outlook 2003 allows remote attackers to bypass intended access restrictions and cause Outlook to request a URL from a remote site via an HTML e-mail message containing a Vector Markup Language (VML) entity whose src parameter points to the remote site, which could allow remote attackers to know when a message has been read, verify valid e-mail addresses, and possibly leak other information. outlook-vml-obtain-information(16116) 10323 20040511 PING: Outlook 2003 Spam 20040604 RE: PING: Outlook 2003 Spam 20040604 RE: PING: Outlook 2003 Spam Outlook 2003, when replying to an e-mail message, stores certain files in a predictable location for the "src" of an img tag of the original message, which allows remote attackers to bypass zone restrictions and exploit other issues that rely on predictable locations, as demonstrated using a shell: URI. outlook-file-location-predictable(16104) 10307 11572 20040604 RE: PING: Outlook 2003 Spam 20040509 OUTLOOK 2003: OuchLook 20040604 RE: PING: Outlook 2003 Spam Microsoft Outlook 2003 allows remote attackers to bypass the default zone restrictions and execute script within media files via a Rich Text Format (RTF) message containing an OLE object for the Windows Media Player, which bypasses Media Player's setting to disallow scripting and may lead to unprompted installation of an executable when exploited in conjunction with predictable-file-location exposures such as CVE-2004-0502. 10369 outlook-ole-restriction-bypass(16173) 20040517 ROCKET SCIENCE: Outllook 2003 6217 11629 20040517 ROCKET SCIENCE: Outllook 2003 Ethereal 0.10.3 allows remote attackers to cause a denial of service (crash) via certain SIP messages between Hotsip servers and clients. 10347 RHSA-2004:234 [Ethereal-users] 20040503 Re: HotSIP sip-messages crasching ethereal http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 oval:org.mitre.oval:def:9769 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-sip-packet-dos(16148) 6131 O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:982 The AIM dissector in Ethereal 0.10.3 allows remote attackers to cause a denial of service (assert error) via unknown attack vectors. 10347 RHSA-2004:234 http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 oval:org.mitre.oval:def:9433 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-aim-dissector-dos(16150) 6132 O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:986 The SPNEGO dissector in Ethereal 0.9.8 to 0.10.3 allows remote attackers to cause a denial of service (crash) via unknown attack vectors that cause a null pointer dereference. 10347 RHSA-2004:234 http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 oval:org.mitre.oval:def:9695 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-spnego-dos(16151) O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:987 Buffer overflow in the MMSE dissector for Ethereal 0.10.1 to 0.10.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. http://www.ethereal.com/appnotes/enpa-sa-00014.html GLSA-200406-01 RHSA-2004:234 oval:org.mitre.oval:def:11026 CLA-2005:916 20040605-01-U 20040604-01-U ethereal-mmse-bo(16152) 10347 6134 O-150 1010158 11836 11776 11608 oval:org.mitre.oval:def:988 Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program. openserver-mmdf-bo(16738) 10758 http://www.deprotect.com/advisories/DEPROTECT-20040206.txt SCOSA-2004.7 20041027 MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86 Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a null dereference. openserver-mmdf-name-dos(16739) 10758 SCOSA-2004.7 Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a core dump. openserver-mmdf-dos(16740) 10758 SCOSA-2004.7 Unspecified vulnerability in Mac OS X before 10.3.4 has unknown impact and attack vectors related to "logging when tracing system calls." macosx-nfs-logging(16291) 1010329 10432 APPLE-SA-2004-05-28 Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of directory services lookups." VU#174790 10432 macosx-loginwindow-gain-privileges(16289) 1010330 APPLE-SA-2004-05-28 Unknown vulnerability in LoginWindow for Mac OS X 10.3.4, related to "handling of console log files." 10432 macosx-loginwindow-gain-privileges(16289) 1010330 APPLE-SA-2004-05-28 Unknown vulnerability in Mac OS X 10.3.4, related to "package installation scripts," a different vulnerability than CVE-2004-0517. 10432 macosx-package-installation(16290) 1010331 APPLE-SA-2004-05-28 Unknown vulnerability in Mac OS X 10.3.4, related to "handling of process IDs during package installation," a different vulnerability than CVE-2004-0516. 10432 macosx-package-installation(16290) 1010331 APPLE-SA-2004-05-28 Unknown vulnerability in AppleFileServer for Mac OS X 10.3.4, related to "the use of SSH and reporting errors," has unknown impact and attack vectors. applefileserver-reporting-error(16288) 1010333 APPLE-SA-2004-05-28 Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.2 allow remote attackers to execute arbitrary script as other users and possibly steal authentication information via multiple attack vectors, including the mailbox parameter in compose.php. FEDORA-2004-1733 10246 FEDORA-2004-160 DSA-535 12289 11870 11686 11531 RHSA-2004:240 20040604-01-U squirrel-composephp-xss(16025) 20040430 Re: SquirrelMail Cross Scripting Attacks.... SUSE-SR:2005:019 GLSA-200405-16 oval:org.mitre.oval:def:10274 20040429 SquirrelMail Cross Scripting Attacks.... CLA-2004:858 oval:org.mitre.oval:def:1006 Cross-site scripting (XSS) vulnerability in mime.php for SquirrelMail before 1.4.3 allows remote attackers to insert arbitrary HTML and script via the content-type mail header, as demonstrated using read_body.php. FEDORA-2004-1733 10439 FEDORA-2004-160 DSA-535 12289 11870 RHSA-2004:240 20040604-01-U http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt GLSA-200406-08 oval:org.mitre.oval:def:10766 [squirrelmail-cvs] 20040523 [SM-CVS] CVS: squirrelmail/functions mime.php,1.265.2.27,1.265.2.28 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability CLA-2004:858 oval:org.mitre.oval:def:1012 SQL injection vulnerability in SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements, with unknown impact, probably via abook_database.php. 10397 FEDORA-2004-1733 DSA-535 GLSA-200405-16 RHSA-2004:240 oval:org.mitre.oval:def:11446 [squirrelmail-cvs] 20040427 [SM-CVS] CVS: squirrelmail/functions abook_database.php,1.15.2.1,1.15.2.2 20040604-01-U squirrelmail-sql-injection(16235) APPLE-SA-2004-09-07 FEDORA-2004-160 6841 O-212 12289 11870 11686 11685 [squirrelmail-devel] 20040511 [SM-DEVEL] SquirrelMail 1.4.3-RC1 Release CLA-2004:858 oval:org.mitre.oval:def:1033 Gallery 1.4.3 and earlier allows remote attackers to bypass authentication and obtain Gallery administrator privileges. 10451 DSA-512 gallery-user-bypass-authentication(16301) GLSA-200406-10 11752 Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root. VU#686862 DSA-520 Kerberos-krb5anametolocalname-bo(16268) 10448 RHSA-2004:236 MDKSA-2004:056 GLSA-200406-21 101512 oval:org.mitre.oval:def:10295 2004-0032 20040602 TSSA-2004-009 - kerberos5 20040601 MITKRB5-SA-2004-001: buffer overflows in krb5_aname_to_localname FEDORA-2004-149 CLA-2004:860 20040605-01-U 20040604-01-U oval:org.mitre.oval:def:991 oval:org.mitre.oval:def:724 oval:org.mitre.oval:def:2002 Buffer overflow in the chpasswd command in the Change_passwd plugin before 4.0, as used in SquirrelMail, allows local users to gain root privileges via a long user name. 10166 20040427 Re: Squirrelmail Chpasswod bof squirrelmail-chpasswd-binary-bo(15889) http://www.squirrelmail.org/plugin_view.php?id=117 11415 20040417 Squirrelmail Chpasswod bof HP Integrated Lights-Out (iLO) 1.10 and other versions before 1.55 allows remote attackers to cause a denial of service (hang) by accessing iLO using the TCP/IP reserved port zero. 10415 ilo-port-zero-dos(16251) SSRT4724 Unknown versions of Internet Explorer and Outlook allow remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. ie-ahref-url-spoofing(16102) 10308 http://www.kurczaba.com/securityadvisories/0405132poc.htm 20040510 DEEP SEA PHISHING: Internet Explorer / Outlook Express 20040517 Microsoft Internet Explorer ImageMap URL Spoof Vulnerability KDE Konqueror 2.1.1 and 2.2.2 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. 10383 ie-ahref-url-spoofing(16102) 6579 Netscape Navigator 7.1 allows remote attackers to spoof a legitimate URL in the status bar via A HREF tags with modified "alt" values that point to the legitimate site, combined with an image map whose href points to the malicious site, which facilitates a "phishing" attack. 10389 ie-ahref-url-spoofing(16102) 6580 The modified suexec program in cPanel, when configured for mod_php and compiled for Apache 1.3.31 and earlier without mod_phpsuexec, allows local users to execute untrusted shared scripts and gain privileges, as demonstrated using untainted scripts such as (1) proftpdvhosts or (2) addalink.cgi, a different vulnerability than CVE-2004-0490. 20040605 cPanel mod_php suEXEC Taint Vulnerability 10478 http://bugzilla.cpanel.net/show_bug.cgi?id=668 cpanel-suexec-command-execute(16347) 1010411 11798 The PHP package in Slackware 8.1, 9.0, and 9.1, when linked against a static library, includes /tmp in the search path, which allows local users to execute arbitrary code as the PHP user by inserting shared libraries into the appropriate path. SSA:2004-154 linux-php-gain-privileges(16310) 10461 11760 Business Objects WebIntelligence 2.7.0 through 2.7.4 only enforces access controls on the client, which allows remote authenticated users to delete arbitrary files on the server via a crafted delete request using the InfoView web client. webintelligence-url-delete-files(17422) 11208 12587 20040907 Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue 20040917 Corsaire Security Advisory - Business Objects WebIntelligence arbitrary document deletion issue Cross-site scripting (XSS) vulnerability in Business Objects InfoView 5.1.4 through 5.1.8 for WebIntelligence 2.7.0 through 2.7.4 allows remote attackers to inject arbitrary web script or HTML via document names when uploading a document. webintelligence-input-document-xss(17419) 12587 20040907 Corsaire Security Advisory - Business Objects WebIntelligence XSS issue 20040917 Corsaire Security Advisory - Business Objects WebIntelligence XSS issue 11209 The e1000 driver for Linux kernel 2.4.26 and earlier does not properly initialize memory before using it, which allows local users to read portions of kernel memory. NOTE: this issue was originally incorrectly reported as a "buffer overflow" by some sources. 10352 RHSA-2004:413 linux-e1000-bo(16159) RHSA-2004:418 SUSE-SA:2004:020 http://www.kernel.org/pub/linux/kernel/v2.4/testing/patch-2.4.27.log GLSA-200407-02 oval:org.mitre.oval:def:11136 FEDORA-2004-186 CLA-2004:845 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=125168 20040804-01-U MDKSA-2004:062 Format string vulnerability in Tripwire commercial 4.0.1 and earlier, including 2.4, and open source 2.3.1 and earlier, allows local users to gain privileges via format string specifiers in a file name, which is used in the generation of an email report. GLSA-200406-02 tripwire-fprintf-format-string(16309) 10454 RHSA-2004:244 20040603 Re: Format String Vulnerability in Tripwire 20040602 Format String Vulnerability in Tripwire Opera 7.50 and earlier allows remote web sites to provide a "Shortcut Icon" (favicon) that is wider than expected, which could allow the web sites to spoof a trusted domain and facilitate phishing attacks using a wide icon and extra spaces. 10452 http://www.opera.com/linux/changelogs/751/index.dml http://security.greymagic.com/security/advisories/gm007-op/ 20040603 Phishing for Opera (GM#007-OP) 20040603 Phishing for Opera (GM#007-OP) opera-favicon-spoofing(16307) 11762 6590 LaunchServices in Mac OS X 10.3.4 and 10.2.8 automatically registers and executes new applications, which could allow attackers to execute arbitrary code without warning the user. The "Show in Finder" button in the Safari web browser in Mac OS X 10.3.4 and 10.2.8 may execute downloaded applications, which could allow remote attackers to execute arbitrary code. VU#773190 Microsoft Windows 2000, when running in a domain whose Fully Qualified Domain Name (FQDN) is exactly 8 characters long, does not prevent users with expired passwords from logging on to the domain. 830847 11746 Buffer overflow in the ntlm_check_auth (NTLM authentication) function for Squid Web Proxy Cache 2.5.x and 3.x, when compiled with NTLM handlers enabled, allows remote attackers to execute arbitrary code via a long password ("pass" variable). squid-ntlm-bo(16360) RHSA-2004:242 http://www.idefense.com/application/poi/display?id=107&type=vulnerabilities GLSA-200406-13 2004-0033 oval:org.mitre.oval:def:10722 20040604-01-U 10500 FLSA-2006:152809 oval:org.mitre.oval:def:980 PHP before 4.3.7 on Win32 platforms does not properly filter all shell metacharacters, which allows local or remote attackers to execute arbitrary code, overwrite files, and access internal environment variables via (1) the "%", "|", or ">" characters to the escapeshellcmd function, or (2) the "%" character to the escapeshellarg function. php-escapeshellarg-execute-command(16331) http://www.php.net/release_4_3_7.php http://www.idefense.com/application/poi/display?id=108 Multiple SQL injection vulnerabilities in Oracle Applications 11.0 and Oracle E-Business Suite 11.5.1 through 11.5.8 allow remote attackers to execute arbitrary SQL procedures and queries. TA04-160A VU#961579 10465 oracle-ebusiness-sql-injection(16324) http://www.integrigy.com/alerts/OraAppsSQLInjection.htm http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf O-153 20040604 Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite 20040604 Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite Multiple buffer overflows in LVM for AIX 5.1 and 5.2 allow local users to gain privileges via the (1) putlvcb or (2) getlvcb commands. 9905 O-131 aix-putlvcb-bo(15555) IY55682 IY55681 MSS-OAR-E01-2004.0544 11158 aix-getlvcb-bo(18317) 9906 4393 4392 LVM for AIX 5.1 and 5.2 allows local users to overwrite arbitrary files via a symlink attack. 10230 aix-lvm-commands-symlink(16011) O-131 MSS-OAR-E01-2004.0544 Buffer overflow in the ODBC driver for PostgreSQL before 7.2.1 allows remote attackers to cause a denial of service (crash). DSA-516 postgresql-odbc-bo(16329) MDKSA-2004:072 Multiple stack-based buffer overflows in the word-list-compress functionality in compress.c for Aspell allow local users to execute arbitrary code via a long entry in the wordlist that is not properly handled when using the (1) "c" compress option or (2) "d" decompress option. 20040608 Aspell 'word-list-compress' stack overflow vulnerability GLSA-200406-14 The WebBrowser ActiveX control, or the Internet Explorer HTML rendering engine (MSHTML), as used in Internet Explorer 6, allows remote attackers to execute arbitrary code in the Local Security context by using the showModalDialog method and modifying the location to execute code such as Javascript, as demonstrated using (1) delayed HTTP redirect operations, and an HTTP response with a Location: header containing a "URL:" prepended to a "ms-its" protocol URI, or (2) modifying the location attribute of the window, as exploited by the Download.ject (aka Scob aka Toofer) using the ADODB.Stream object. TA04-163A TA04-212A TA04-184A VU#713878 MS04-025 http://umbrella.name/originalvuln/msie/InsiderPrototype/ 20040628 JS.Scob.Trojan Source Code ... 20040606 Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan) 20040602 180 Solutions Exploits and Toolbars Hacking Patched Users(I.E Exploits) http://62.131.86.111/analysis.htm ie-location-restriction-bypass(16348) 20040621 IE/0DAY -> Insider Prototype oval:org.mitre.oval:def:519 oval:org.mitre.oval:def:241 oval:org.mitre.oval:def:207 oval:org.mitre.oval:def:1133 Buffer overflow in Real Networks RealPlayer 10 allows remote attackers to execute arbitrary code via a URL with a large number of "." (period) characters. realplayer-dot-file-bo(16388) http://www.idefense.com/application/poi/display?id=109&type=vulnerabilities&flashstatus=false Cisco CatOS 5.x before 5.5(20) through 8.x before 8.2(2) and 8.3(2)GLX, as used in Catalyst switches, allows remote attackers to cause a denial of service (system crash and reload) by sending invalid packets instead of the final ACK portion of the three-way handshake to the (1) Telnet, (2) HTTP, or (3) SSH services, aka "TCP-ACK DoS attack." VU#245190 cisco-catalyst-ack-dos(16370) 20040609 Cisco CatOS Telnet, HTTP and SSH Vulnerability Sophos Small Business Suite 1.00 on Windows does not properly handle files whose names contain reserved MS-DOS device names such as (1) LPT1, (2) COM1, (3) AUX, (4) CON, or (5) PRN, which can allow malicious code to bypass detection when it is installed, copied, or executed. sophos-business-security-bypass(17468) http://www.seifried.org/security/advisories/kssa-005.html 20040922 Sophos Small Business Suite Reserved Device Name Handling Vulnerability Linux kernel 2.4.x and 2.6.x for x86 allows local users to cause a denial of service (system crash), possibly via an infinite loop that triggers a signal handler with a certain sequence of fsave and frstor instructions, as originally demonstrated using a "crash.c" program. VU#973654 linux-dos(16412) 2004-0034 RHSA-2004:260 RHSA-2004:255 SuSE-SA:2004:017 GLSA-200407-02 oval:org.mitre.oval:def:9426 [linux-kernel] 20040609 timer + fpu stuff locks my console race ESA-20040621-005 FEDORA-2004-186 http://linuxreviews.org/news/2004-06-11_kernel_crash/index.html http://gcc.gnu.org/bugzilla/show_bug.cgi?id=15905 CLA-2004:845 10538 MDKSA-2004:062 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 20040620 TSSA-2004-011 - kernel oval:org.mitre.oval:def:2915 Buffer overflow in (1) queue.c and (2) queued.c in queue before 1.30.1 may allow remote attackers to execute arbitrary code. queue-bo(18945) DSA-643 1012929 Multiple buffer overflows in the st_wavstartread function in wav.c for Sound eXchange (SoX) 12.17.2 through 12.17.4 allow remote attackers to execute arbitrary code via certain WAV file header fields. 10819 RHSA-2004:409 FLSA:1945 sox-wav-bo(16827) GLSA-200407-23 DSA-565 12175 oval:org.mitre.oval:def:9801 FEDORA-2004-244 FEDORA-2004-235 20040728 SoX buffer overflows when handling .WAV files MDKSA-2004:076 20040728 SoX buffer overflows when handling .WAV files CLA-2004:855 The Internet Printing Protocol (IPP) implementation in CUPS before 1.1.21 allows remote attackers to cause a denial of service (service hang) via a certain UDP packet to the IPP port. FLSA:2072 cups-udp-dos(17389) RHSA-2004:449 DSA-545 2004-0047 SUSE-SA:2004:031 11183 1000757 201005 57646 oval:org.mitre.oval:def:11732 SCOSA-2004.15 APPLE-SA-2004-09-30 CLA-2004:872 The maketemp.pl script in Usermin 1.070 and 1.080 allows local users to overwrite arbitrary files at install time via a symlink attack on the /tmp/.usermin directory. usermin-installation-unspecified(17299) 11153 GLSA-200409-15 12488 http://www.webmin.com/uchanges-1.089.html Integer overflow in gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted content of a certain size that triggers the overflow. DSA-638 13855 Format string vulnerability in the log routine for gopher daemon (gopherd) 3.0.3 allows remote attackers to cause a denial of service and possibly execute arbitrary code. DSA-638 13855 The tspc.conf configuration file in freenet6 before 0.9.6 and before 1.0 on Debian Linux has world readable permissions, which could allow local users to gain sensitive information, such as a username and password. freenet6-world-readable(17544) 11280 DSA-555 1011460 12705 Roaring Penguin pppoe (rp-ppoe), if installed or configured to run setuid root contrary to its design, allows local users to overwrite arbitrary files. NOTE: the developer has publicly disputed the claim that this is a vulnerability because pppoe "is NOT designed to run setuid-root." Therefore this identifier applies *only* to those configurations and installations under which pppoe is run setuid root despite the developer's warnings. pppoe-file-overwrite(17576) 11315 DSA-557 MDKSA-2004:145 FLSA:152794 20041208 Re: MDKSA-2004:145 - Updated rp-pppoe packages fix vulnerability Floating point information leak in the context switch code for Linux 2.4.x only checks the MFH bit but does not verify the FPH owner, which allows local users to read register values of other processes by setting the MFH bit. linux-ia64-info-disclosure(16644) https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=124734 oval:org.mitre.oval:def:10714 [owl-users] 20040619 Linux 2.4.26-ow2 10687 RHSA-2004:504 MDKSA-2004:066 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 Integer overflow in imgbmp.cxx for Windows 2000 allows remote attackers to execute arbitrary code via a BMP image with a large bfOffBits value. TA04-212A VU#266926 ie-bmp-integer-overflow(15210) MS04-025 20040215 GAYER THAN AIDS ADVISORY #01: IE 5 remote code execution oval:org.mitre.oval:def:515 oval:org.mitre.oval:def:507 oval:org.mitre.oval:def:322 oval:org.mitre.oval:def:306 oval:org.mitre.oval:def:216 The Windows Internet Naming Service (WINS) in Windows NT Server 4.0 SP 6a, NT Terminal Server 4.0 SP 6, Windows 2000 Server SP3 and SP4, and Windows Server 2003 does not properly validate the computer name value in a WINS packet, which allows remote attackers to execute arbitrary code or cause a denial of service (server crash), which results in an "unchecked buffer" and possibly triggers a buffer overflow, aka the "Name Validation Vulnerability." VU#378160 wins-memory-pointer-hijack(18259) MS04-045 P-054 11922 12370 1012517 13466 HyperTerminal application for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the length of a value that is saved in a session file, which allows remote attackers to execute arbitrary code via a malicious HyperTerminal session file (.ht), web site, or Telnet URL contained in an e-mail message, triggering a buffer overflow. MS04-043 win-hyperterminal-session-bo(18336) 20041214 HyperTerminal - Buffer Overflow In .ht File oval:org.mitre.oval:def:4741 oval:org.mitre.oval:def:4508 oval:org.mitre.oval:def:3973 oval:org.mitre.oval:def:3138 oval:org.mitre.oval:def:2545 oval:org.mitre.oval:def:1603 The RPC Runtime Library for Microsoft Windows NT 4.0 allows remote attackers to read active memory or cause a denial of service (system crash) via a malicious message, possibly related to improper length values. win-ms04029-patch(17663) wins-rpc-obtain-information(17646) MS04-029 20041013 BindView Advisory: Memory Leak and DoS in NT4 RPC server oval:org.mitre.oval:def:5277 oval:org.mitre.oval:def:2505 Microsoft Word for Windows 6.0 Converter does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Table Conversion Vulnerability," a different vulnerability than CVE-2004-0901. MS04-041 win-converter-table-code-execution(18337) oval:org.mitre.oval:def:685 oval:org.mitre.oval:def:4328 oval:org.mitre.oval:def:3743 oval:org.mitre.oval:def:3416 oval:org.mitre.oval:def:1976 oval:org.mitre.oval:def:1959 oval:org.mitre.oval:def:1417 oval:org.mitre.oval:def:1168 Buffer overflow in the Windows Program Group Converter (grpconv.exe) may allow remote attackers to execute arbitrary code via a shell: URL with a long filename and a .grp extension, which is not properly handled when the shell capability launches grpconv.exe. VU#543864 win-grpconv-bo(16664) 10677 MS04-037 win-ms04037-patch(17662) 20040707 Re: shell:windows command question oval:org.mitre.oval:def:4493 oval:org.mitre.oval:def:4244 oval:org.mitre.oval:def:3822 oval:org.mitre.oval:def:3768 oval:org.mitre.oval:def:3071 oval:org.mitre.oval:def:2753 oval:org.mitre.oval:def:1843 oval:org.mitre.oval:def:1837 oval:org.mitre.oval:def:1279 Buffer overflow in the converter for Microsoft WordPerfect 5.x on Office 2000, Office XP, Office 2003, and Works Suites 2001 through 2004 allows remote attackers to execute arbitrary code via a malicious document or website. VU#449438 wordperfect-converter-message-bo(17306) MS04-027 1011252 1011251 1011250 1011249 12529 20040914 Microsoft Office WordPerfect Converter Buffer Overflow Vulnerability oval:org.mitre.oval:def:5021 oval:org.mitre.oval:def:4005 oval:org.mitre.oval:def:3333 oval:org.mitre.oval:def:3311 oval:org.mitre.oval:def:2670 The Network News Transfer Protocol (NNTP) component of Microsoft Windows NT Server 4.0, Windows 2000 Server, Windows Server 2003, Exchange 2000 Server, and Exchange Server 2003 allows remote attackers to execute arbitrary code via XPAT patterns, possibly related to improper length validation and an "unchecked buffer," leading to off-by-one and heap-based buffer overflows. VU#203126 win-nntp-bo(17641) MS04-036 win-ms04036-patch(17661) http://www.coresecurity.com/common/showdoc.php?idx=420&idxseccion=10 P-012 20041012 CORE-2004-0802: IIS NNTP Service XPAT Command Vulnerabilities oval:org.mitre.oval:def:5926 oval:org.mitre.oval:def:5070 oval:org.mitre.oval:def:5021 oval:org.mitre.oval:def:4392 oval:org.mitre.oval:def:246 Integer overflow in DUNZIP32.DLL for Microsoft Windows XP, Windows XP 64-bit Edition, Windows Server 2003, and Windows Server 2003 64-bit Edition allows remote attackers to execute arbitrary code via compressed (zipped) folders that involve an "unchecked buffer" and improper length validation. VU#649374 win-ms04034-patch(17659) win-compressed-folders-bo(17624) MS04-034 http://www.eeye.com/html/research/advisories/AD20041012A.html P-010 1011637 20041013 EEYE: Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow Vulnerability oval:org.mitre.oval:def:6397 oval:org.mitre.oval:def:4276 oval:org.mitre.oval:def:3913 oval:org.mitre.oval:def:1053 The radius daemon (radiusd) for GNU Radius 1.1, when compiled with the -enable-snmp option, allows remote attackers to cause a denial of service (server crash) via malformed SNMP messages containing an invalid OID. radius-snmp-oid-dos(16466) http://www.idefense.com/application/poi/display?id=110&type=vulnerabilities 20040621 [Full-Disclosure] iDEFENSE Security Advisory 06.21.04 - GNU Radius SNMP Invalid OID Denial of Service Vulnerability WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files from the root directory via a URL request to the wingate-internal directory. wingate-directory-traversal(16589) 20040701 iDEFENSE Security Advisory 07.01.04: WinGate Information Disclosure http://www.idefense.com/application/poi/display?id=113 WinGate 5.2.3 build 901 and 6.0 beta 2 build 942, and other versions such as 5.0.5, allows remote attackers to read arbitrary files via leading slash (//) characters in a URL request to the wingate-internal directory. wingate-directory-traversal(16589) 20040701 iDEFENSE Security Advisory 07.01.04: WinGate Information Disclosure http://www.idefense.com/application/poi/display?id=113 Format string vulnerability in super before 3.23 allows local users to execute arbitrary code as root. DSA-522 super-format-string(16458) DHCP on Linksys BEFSR11, BEFSR41, BEFSR81, and BEFSRU31 Cable/DSL Routers, firmware version 1.45.7, does not properly clear previously used buffer contents in a BOOTP reply packet, which allows remote attackers to obtain sensitive information. linksys-etherfast-bootp-dos(16142) 10329 20040607 Linksys BEFSR41 DHCP vulnerability server leaks network data http://linksys.custhelp.com/cgi-bin/linksys.cfg/php/enduser/std_adp.php?p_faqid=832&p_%20\created=1086294093&p_sid=pU1X1idh&p_lva=&p_sp=cF9zcmNoPSZwX3NvcnRfYnk9JnBfZ3JpZHNvcnQ9%20\JnBfcm93X2NudD02NTQmcF9wYWdlPTE*&p_li= 6325 1010288 11606 ksymoops-gznm script in Mandrake Linux 9.1 through 10.0, and Corporate Server 2.1, allows local users to delete arbitrary files via a symlink attack on files in /tmp. 10516 ksymoops-symlink(16392) MDKSA-2004:060 Unknown vulnerability in Webmin 1.140 allows remote attackers to bypass access control rules and gain read access to configuration information for a module. 10522 10474 20040611 [SNS Advisory No.74] Webmin Access Control Rule Bypass Vulnerability webmin-bypass-security(16333) http://www.webmin.com/changes-1.150.html MDKSA-2004:074 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/74_e.html GLSA-200406-12 DSA-526 CLA-2004:848 The account lockout functionality in (1) Webmin 1.140 and (2) Usermin 1.070 does not parse certain character strings, which allows remote attackers to conduct a brute force attack to guess user IDs and passwords. 10523 10474 webmin-username-password-dos(16334) http://www.webmin.com/changes-1.150.html MDKSA-2004:074 http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/75_e.html GLSA-200406-15 GLSA-200406-12 DSA-526 20040611 [SNS Advisory No.75] Webmin/Usermin Account Lockout Bypass Vulnerability Unknown vulnerability in Horde IMP 3.2.3 and earlier, before a "security fix," does not properly validate input, which allows remote attackers to execute arbitrary script as other users via script or HTML in an e-mail message, possibly triggering a cross-site scripting (XSS) vulnerability. imp-content-type-xss(16357) 10501 http://www.horde.org/imp/3.2/ GLSA-200406-11 11805 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0589. Reason: This candidate is a duplicate of CVE-2004-0589. Notes: All CVE users should reference CVE-2004-0589 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. acpRunner ActiveX 1.2.5.0 allows remote attackers to execute arbitrary code via the (1) DownLoadURL, (2) SaveFilePath, and (3) Download ActiveX methods. ibm-acprunner-execute-code(16429) http://www-306.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-54588 20040616 IBM acpRunner Activex Dangerous Methods Vulnerability Insecure permissions for the /proc/scsi/qla2300/HbaApiNode file in Linux allows local users to cause a denial of service. 10279 suse-hbaapinode-dos(16062) RHSA-2004:418 RHSA-2004:413 SuSE-SA:2004:010 MDKSA-2004:066 1010057 oval:org.mitre.oval:def:9398 FEDORA-2004-186 20040804-01-U Cross-site scripting (XSS) vulnerability in the web mail module for Usermin 1.070 allows remote attackers to insert arbitrary HTML and script via e-mail messages. This vulnerability is addressed in the following product update: Usermin, Usermin, 1.080 10521 GLSA-200406-15 20040611 [SNS Advisory No.73] Usermin Cross-site Scripting Vulnerability usermin-email-xss(16494) http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/73_e.html Cisco IOS 11.1(x) through 11.3(x) and 12.0(x) through 12.2(x), when configured for BGP routing, allows remote attackers to cause a denial of service (device reload) via malformed BGP (1) OPEN or (2) UPDATE messages. VU#784540 cisco-ios-bgp-packet-dos(16427) 20040616 Cisco IOS Malformed BGP Packet Causes Reload oval:org.mitre.oval:def:4948 FreeS/WAN 1.x and 2.x, and other related products including superfreeswan 1.x, openswan 1.x before 1.0.6, openswan 2.x before 2.1.4, and strongSwan before 2.1.3, allows remote attackers to authenticate using spoofed PKCS#7 certificates in which a self-signed certificate identifies an alternate Certificate Authority (CA) and spoofed issuer and subject. ipsec-verifyx509cert-auth-bypass(16515) http://www.openswan.org/support/vuln/can-2004-0590/ MDKSA-2004:070 GLSA-200406-20 Cross-site scripting (XSS) vulnerability in the print_header_uc function for SqWebMail 4.0.4 and earlier, and possibly 3.x, allows remote attackers to inject arbitrary web script or HRML via (1) e-mail headers or (2) a message with a "message/delivery-status" MIME Content-Type. This vulnerability is addressed in the following product release: Inter7, SqWebMail, 4.0.5 10588 GLSA-200408-02 DSA-533 11918 sqwebmail-print-header-xss(16467) 20040621 XSS vulnerability in Sqwebmail 4.0.4 The tcp_find_option function of the netfilter subsystem for IPv6 in the SUSE Linux 2.6.5 kernel with USAGI patches, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type, a similar flaw to CVE-2004-0626. SUSE-SA:2004:020 20040703 Re: SUSE Security Announcement: kernel (SUSE-SA:2004:020) linux-kernel-tcpfindoption-dos(43137) Sygate Enforcer 3.5MR1 and earlier passes broadcast traffic before authentication, which could allow remote attackers to bypass filtering rules. sygate-enforcer-filter-bypass(16948) http://www.corsaire.com/advisories/c031120-003.txt 10908 20040810 Corsaire Security Advisory - Sygate Enforcer unauthenticated broadcast issue The memory_limit functionality in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, under certain conditions such as when register_globals is enabled, allows remote attackers to execute arbitrary code by triggering a memory_limit abort during execution of the zend_hash_init function and overwriting a HashTable destructor pointer before the initialization of key data structures is complete. php-memorylimit-code-execution(16693) 2004-0039 RHSA-2004:405 RHSA-2004:395 RHSA-2004:392 SUSE-SA:2004:021 MDKSA-2004:068 GLSA-200407-13 DSA-669 DSA-531 oval:org.mitre.oval:def:10896 20040713 Advisory 11/2004: PHP memory_limit remote vulnerability 20040714 Advisory 11/2004: PHP memory_limit remote vulnerability 10725 RHSA-2005:816 SSRT4777 20040722 [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php) 20040714 TSSA-2004-013 - php CLA-2004:847 The strip_tags function in PHP 4.x up to 4.3.7, and 5.x up to 5.0.0RC3, does not filter null (\0) characters within tag names when restricting input to allowed tags, which allows dangerous tags to be processed by web browsers such as Internet Explorer and Safari, which ignore null characters and facilitate the exploitation of cross-site scripting (XSS) vulnerabilities. 10724 DSA-531 php-strip-tag-bypass(16692) RHSA-2004:405 RHSA-2004:395 RHSA-2004:392 SUSE-SA:2004:021 MDKSA-2004:068 GLSA-200407-13 DSA-669 oval:org.mitre.oval:def:10619 20040713 Advisory 11/2004: PHP memory_limit remote vulnerability 20040714 Advisory 12/2004: PHP strip_tags() bypass vulnerability RHSA-2005:816 SSRT4777 20040722 [OpenPKG-SA-2004.034] OpenPKG Security Advisory (php) 20040714 TSSA-2004-013 - php CLA-2004:847 The Equalizer Load-balancer for serial network interfaces (eql.c) in Linux kernel 2.6.x up to 2.6.7 allows local users to cause a denial of service via a non-existent device name that triggers a null dereference. 10730 linux-eql-dos(16694) http://linux.bkbits.net:8080/linux-2.6/cset@40d4aa72hPLWy-jMLr0eJAXMxHcNZg Multiple buffer overflows in libpng 1.2.5 and earlier, as used in multiple products, allow remote attackers to execute arbitrary code via malformed PNG images in which (1) the png_handle_tRNS function does not properly validate the length of transparency chunk (tRNS) data, or the (2) png_handle_sBIT or (3) png_handle_hIST functions do not perform sufficient bounds checking. TA05-039A TA04-217A VU#817368 VU#388984 FLSA:1943 libpng-pnghandle-bo(16894) 2004-0040 10857 SUSE-SA:2004:023 MS05-009 GLSA-200408-22 GLSA-200408-03 DSA-536 http://www.adobe.com/support/downloads/detail.jsp?ftpID=2679 15495 RHSA-2004:429 RHSA-2004:421 RHSA-2004:402 http://www.mozilla.org/projects/security/known-vulnerabilities.html http://www.coresecurity.com/common/showdoc.php?idx=421&idxseccion=10 http://scary.beasts.org/security/CESA-2004-001.txt oval:org.mitre.oval:def:7709 oval:org.mitre.oval:def:11284 20050209 MSN Messenger PNG Image Buffer Overflow Download Shellcoded Exploit FLSA:2089 SCOSA-2004.16 SSRT4778 20040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png) CLA-2004:856 SCOSA-2005.49 MDKSA-2006:213 MDKSA-2006:212 MDKSA-2004:079 http://sunsolve.sun.com/search/document.do?assetkey=urn:cds:docid:1-21-114816-02-1 200663 22958 22957 oval:org.mitre.oval:def:594 oval:org.mitre.oval:def:4492 oval:org.mitre.oval:def:2378 oval:org.mitre.oval:def:2274 The png_handle_iCCP function in libpng 1.2.5 and earlier allows remote attackers to cause a denial of service (application crash) via a certain PNG image that triggers a null dereference. TA04-217A VU#236656 FLSA:1943 libpng-pnghandleiccp-dos(16895) 10857 SUSE-SA:2004:023 GLSA-200408-22 GLSA-200408-03 DSA-536 SCOSA-2004.16 SSRT4778 2004-0040 RHSA-2004:429 RHSA-2004:402 http://www.mozilla.org/projects/security/known-vulnerabilities.html http://scary.beasts.org/security/CESA-2004-001.txt oval:org.mitre.oval:def:10203 20040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png) CLA-2004:856 MDKSA-2006:213 MDKSA-2006:212 MDKSA-2004:079 200663 22958 22957 oval:org.mitre.oval:def:2572 Multiple integer overflows in the (1) png_read_png in pngread.c or (2) png_handle_sPLT functions in pngrutil.c or (3) progressive display image reading capability in libpng 1.2.5 and earlier allow remote attackers to cause a denial of service (application crash) via a malformed PNG image. TA04-217A VU#477512 VU#286464 VU#160448 FLSA:1943 10857 SUSE-SA:2004:023 GLSA-200408-22 GLSA-200408-03 DSA-571 DSA-570 DSA-536 FLSA:2089 SCOSA-2004.16 SSRT4778 20040804 [OpenPKG-SA-2004.035] OpenPKG Security Advisory (png) lilbpng-integer-bo(16896) 2004-0040 15495 RHSA-2004:429 RHSA-2004:421 RHSA-2004:402 http://www.mozilla.org/projects/security/known-vulnerabilities.html http://scary.beasts.org/security/CESA-2004-001.txt oval:org.mitre.oval:def:10938 APPLE-SA-2004-09-09 CLA-2004:856 SCOSA-2005.49 MDKSA-2006:213 MDKSA-2006:212 MDKSA-2004:079 200663 22958 22957 oval:org.mitre.oval:def:1479 Buffer overflow in the Samba Web Administration Tool (SWAT) in Samba 3.0.2 to 3.0.4 allows remote attackers to execute arbitrary code via an invalid base-64 character during HTTP basic authentication. RHSA-2004:259 20040722 Samba 3.x swat preauthentication buffer overflow samba-swat-base64-bo(16785) 2004-0039 SUSE-SA:2004:022 MDKSA-2004:071 GLSA-200407-21 oval:org.mitre.oval:def:11445 20040722 SWAT PreAuthorization PoC 20040722 TSSA-2004-014 - samba 20040722 [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba) 20040722 Security Release - Samba 3.0.5 and 2.2.10 CLA-2004:854 CLA-2004:851 distcc before 2.16, when running on 64-bit platforms, does not interpret IP-based access control rules correctly, which could allow remote attackers to bypass intended restrictions. 11319 12711 distcc-ip-gain-privileges(17581) http://distcc.samba.org/ftp/distcc/distcc-2.17.NEWS The binary compatibility mode for FreeBSD 4.x and 5.x does not properly handle certain Linux system calls, which could allow local users to access kernel memory to gain privileges or cause a system panic. freebsd-binary-information-disclosure(16558) FreeBSD-SA-04:13 10643 gzexe in gzip 1.3.3 and earlier will execute an argument when the creation of a temp file fails instead of exiting the program, which could allow remote attackers or local users to execute arbitrary commands, a different vulnerability than CVE-1999-1332. gzip-gzexe-tmpfile(16506) 10603 GLSA-200406-18 http://bugs.gentoo.org/show_bug.cgi?id=54890 The HTTP client and server in giFT-FastTrack 0.8.6 and earlier allows remote attackers to cause a denial of service (crash), possibly via an empty search query, which triggers a NULL dereference. gift-fasttrack-daemon-dos(16508) 10604 GLSA-200406-19 11941 http://gift-fasttrack.berlios.de/ http://developer.berlios.de/bugs/?func=detailbug&bug_id=1573&group_id=809 Non-registered IRC users using (1) ircd-hybrid 7.0.1 and earlier, (2) ircd-ratbox 1.5.1 and earlier, or (3) ircd-ratbox 2.0rc6 and earlier do not have a rate-limit imposed, which could allow remote attackers to cause a denial of service by repeatedly making requests, which are slowly dequeued. ircd-parseclientqueued-dos(16457) 10572 20040618 ircd-hybrid-7 / ircd-ratbox low-bandwidth DoS Cross-site scripting (XSS) vulnerability in Infoblox DNS One running firmware 2.4.0-8 and earlier allows remote attackers to execute arbitrary scripts as other users via the (1) CLIENTID or (2) HOSTNAME option of a DHCP request. dnsone-dhcp-report-xss(16456) 20040619 Script injection in DNSONE appliance 10573 The eay_check_x509cert function in KAME Racoon successfully verifies certificates even when OpenSSL validation fails, which could allow remote attackers to bypass authentication. racoon-eaycheckx509cert-auth-bypass(16414) GLSA-200406-17 20040615 Re: authentication bug in KAME's racoon 10546 RHSA-2004:308 oval:org.mitre.oval:def:9163 20040614 authentication bug in KAME's racoon SCOSA-2005.10 7113 http://sourceforge.net/project/shownotes.php?release_id=245982 1010495 11877 11863 The Unreal Engine, as used in DeusEx 1.112fm and earlier, Devastation 390 and earlier, Mobile Forces 20000 and earlier, Nerf Arena Blast 1.2 and earlier, Postal 2 1337 and earlier, Rune 107 and earlier, Tactical Ops 3.4.0 and earlier, Unreal 1 226f and earlier, Unreal II XMP 7710 and earlier, Unreal Tournament 451b and earlier, Unreal Tournament 2003 2225 and earlier, Unreal Tournament 2004 before 3236, Wheel of Time 333b and earlier, and X-com Enforcer, allows remote attackers to execute arbitrary code via a UDP packet containing a secure query with a long value, which overwrites memory. unreal-secure-query-command-execute(16451) GLSA-200407-14 10570 http://aluigi.altervista.org/adv/unsecure-adv.txt 20040618 Code execution in the Unreal Engine through \secure\ packet rssh 2.0 through 2.1.x expands command line arguments before entering a chroot jail, which allows remote authenticated users to determine the existence of files in a directory outside the jail. rssh-jail-obtain-info(16470) 10574 20040619 Security flaw in rssh The Web administration interface in Microsoft MN-500 Wireless Router allows remote attackers to cause a denial of service (connection refusal) via a large number of open HTTP connections. mn500-web-admin-dos(16448) 10585 http://www.kurczaba.com/securityadvisories/0406213.htm 20040621 Microsoft MN-500 Wireless Router Web-Based Administration DoS Web-Based Administration in Netgear FVS318 VPN Router allows remote attackers to cause a denial of service (no new connections) via a large number of open HTTP connections. netgear-fvs318-dos(16462) 10585 20040621 NETGEAR FVS318 Web-Based Administration DoS The Mobile Code filter in ZoneAlarm Pro 5.0.590.015 does not filter mobile code within an SSL encrypted session, which could allow remote attackers to bypass the mobile code filtering. NOTE: it has been disputed by the vendor that this behavior is required by the SSL specification. zonealarm-mobile-code-bypass(16471) 10584 20040621 ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability 20040625 Zone Labs response to "ZoneAlarm Pro 'Mobile Code' Bypass Vulnerability" osTicket allows remote attackers to view sensitive uploaded files and possibly execute arbitrary code via an HTTP request that uploads a PHP file to the ticket attachments directory. 10586 20040621 Multiple osTicket exploits! osticket-view-attachments(16478) osticket-php-file-upload(16477) osTicket trusts a hidden form field in the submit form to limit the upload size of a document, which could allow remote attackers to upload a file of any size. 20040621 Multiple osTicket exploits! osticket-php-file-upload(16477) Cross-site scripting (XSS) vulnerability in D-Link DI-614+ SOHO router running firmware 2.30, and DI-704 SOHO router running firmware 2.60B2, and DI-624, allows remote attackers to inject arbitrary script or HTML via the DHCP HOSTNAME option in a DHCP request. dlink614-dhcp-xss(16468) 1010562 10587 7211 11919 20040621 DLINK 704, script injection vulnerability 20040621 DLINK 614+, script injection vulnerability 20040701 DLINK 624, script injection vulnerability The BT Voyager 2000 Wireless ADSL Router has a default public SNMP community name, which allows remote attackers to obtain sensitive information such as the password, which is stored in plaintext. 20040622 Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password) 20040622 Wireless Modem (BT Voyager 2000 Wireless ADSL Router cleartext password) bt-voyager-password-plaintext(16472) 10589 Cross-site scripting (XSS) vulnerability in ArbitroWeb 0.6 allows remote attackers to inject arbitrary script or HTML via the rawURL parameter. arbitroweb-rawurl-xss(16481) 10592 20040622 ArbitroWeb v0.6 Javascript injection vulnerability FreeBSD 5.1 for the Alpha processor allows local users to cause a denial of service (crash) via an execve system call with an unaligned memory address as an argument. 10596 20040623 Security Advisory : FreeBSD local DoS freebsd-execve-dos(16499) Integer overflow in the ubsec_keysetup function for Linux Broadcom 5820 cryptonet driver allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a negative add_dsa_buf_bytes variable, which leads to a buffer overflow. bcm5820-adddsabufbytes-integer-bo(16459) RHSA-2004:549 10599 RHSA-2005:283 oval:org.mitre.oval:def:9773 20040623 Linux Broadcom 5820 Cryptonet Driver Integer Overflow P-047 11936 Cross-site scripting (XSS) vulnerability in (1) newreply.php or (2) newthread.php in vBulletin 3.0.1 allows remote attackers to inject arbitrary HTML or script as other users via the Edit-panel. vbulletin-newreply-newthread-xss(16502) 10602 20040624 vBulletin HTML Injection Vuln admin.php in Newsletter ZWS allows remote attackers to gain administrative privileges via a list_user operation with the ulevel parameter set to 1 (administrator level), which lists all users and their passwords. zws-gain-admin-access(16507) 10605 20040624 ZWS Newsletter & Mailing List Manager Apple Mac OS X 10.3.4, 10.4, 10.5, and possibly other versions does not properly clear memory for login (aka Loginwindow.app), Keychain, or FileVault passwords, which could allow the root user or an attacker with physical access to obtain sensitive information by reading memory. macos-memory-view-passwords(16557) 20080229 Re: Loginwindow.app and Mac OS X 20080228 Loginwindow.app and Mac OS X 20040625 Mac OS X stores login/Keychain/FileVault passwords on disk http://citp.princeton.edu/pub/coldboot.pdf Format string vulnerability in misc.c in GNU GNATS 4.00 may allow remote attackers to execute arbitrary code via format string specifiers in a string that gets logged by syslog. 10609 gnats-format-string(16517) 20040625 format string vulnerability in Gnats PHP remote file inclusion vulnerability in index.php for Artmedic links 5.0 (artmedic_links5) allows remote attackers to execute arbitrary PHP code by modifying the id parameter to reference a URL on a remote web server that contains the code. artmedic-url-file-disclosure(16518) 20040625 artmedic_links5 PHP Script (include path) vuln SQL injection vulnerability in Infinity WEB 1.0 allows remote attackers to bypass authentication and gain privileges via the login page. infinity-web-sql-injection(16513) http://www.zone-h.org/en/advisories/read/id=4892/ 10614 20040627 ZH2004-14SA (security advisory):Sql Injection in Infinity WEB 20040627 ZH2004-14SA (security advisory):Sql Injection in Infinity WEB The tcp_find_option function of the netfilter subsystem in Linux kernel 2.6, when using iptables and TCP options rules, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a large option length that produces a negative integer after a casting operation to the char type. linux-tcpfindoption-dos(16554) GLSA-200407-12 20040630 Remote DoS vulnerability in Linux kernel 2.6.x FEDORA-2004-202 CLA-2004:852 SUSE-SA:2004:020 The check_scramble_323 function in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to bypass authentication via a zero-length scrambled string. VU#184030 20040705 MySQL Authentication Bypass 20040705 MySQL Authentication Bypass Stack-based buffer overflow in MySQL 4.1.x before 4.1.3, and 5.0, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long scramble string. VU#645326 mysql-myrnd-bo(16612) 20040705 MySQL Authentication Bypass 20040705 MySQL Authentication Bypass Buffer overflow in the ActiveX component (pdf.ocx) for Adobe Acrobat 5.0.5 and Acrobat Reader, and possibly other versions, allows remote attackers to execute arbitrary code via a URI for a PDF file with a null terminator (%00) followed by a long string. 10947 GLSA-200408-14 acrobat-reader-activex-bo(16998) http://www.adobe.com/support/techdocs/330527.html 20040813 Adobe Acrobat/Acrobat Reader ActiveX Control Buffer Overflow Vulnerability The uudecoding feature in Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via shell metacharacters ("`" or backtick) in the filename of the PDF file that is provided to the uudecode command. 10931 acrobat-reader-execute-code(16973) RHSA-2004:432 http://www.adobe.com/support/techdocs/322914.html GLSA-200408-14 20040812 Adobe Acrobat Reader (Unix) Shell Metacharacter Code Execution Vulnerability Buffer overflow in the uudecoding feature for Adobe Acrobat Reader 5.0.5 and 5.0.6 for Unix and Linux, and possibly other versions including those before 5.0.9, allows remote attackers to execute arbitrary code via a long filename for the PDF file that is provided to the uudecode command. adobe-acrobat-uudecode-bo(16972) 10932 RHSA-2004:432 http://www.adobe.com/support/techdocs/322914.html GLSA-200408-14 20040812 Adobe Acrobat Reader (Unix) 5.0 Uudecode Filename Buffer Overflow Vulnerability Adobe Reader 6.0 does not properly handle null characters when splitting a filename path into components, which allows remote attackers to execute arbitrary code via a file with a long extension that is not normally handled by Reader, triggering a buffer overflow. adobe-acrobat-null-bo(16667) http://www.adobe.com/support/techdocs/34222.htm http://www.adobe.com/support/techdocs/330527.html 20040712 Adobe Reader 6.0 Filename Handler Buffer Overflow Vulnerability The iSNS dissector for Ethereal 0.10.3 through 0.10.4 allows remote attackers to cause a denial of service (process abort) via an integer overflow. VU#829422 ethereal-isns-dos(16630) FEDORA-2004-220 FEDORA-2004-219 MDKSA-2004:067 GLSA-200407-08 RHSA-2004:378 http://www.ethereal.com/appnotes/enpa-sa-00015.html 1010655 12024 oval:org.mitre.oval:def:9931 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 CLA-2005:916 The SMB SID snooping capability in Ethereal 0.9.15 to 0.10.4 allows remote attackers to cause a denial of service (process crash) via a handle without a policy name, which causes a null dereference. VU#518782 ethereal-smb-sid-dos(16631) FEDORA-2004-220 FEDORA-2004-219 MDKSA-2004:067 GLSA-200407-08 RHSA-2004:378 http://www.ethereal.com/appnotes/enpa-sa-00015.html 1010655 12024 oval:org.mitre.oval:def:10252 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 CLA-2005:916 The SNMP dissector in Ethereal 0.8.15 through 0.10.4 allows remote attackers to cause a denial of service (process crash) via a (1) malformed or (2) missing community string, which causes an out-of-bounds read. VU#835846 ethereal-snmp-community-dos(16632) FEDORA-2004-220 FEDORA-2004-219 MDKSA-2004:067 GLSA-200407-08 RHSA-2004:378 http://www.ethereal.com/appnotes/enpa-sa-00015.html DSA-528 1010655 12024 oval:org.mitre.oval:def:9721 CLA-2005:916 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127381 Buffer overflow in the goaway function in the aim:goaway URI handler for AOL Instant Messenger (AIM) 5.5, including 5.5.3595, allows remote attackers to execute arbitrary code via a long Away message. VU#735966 http://www.idefense.com/application/poi/display?id=121&type=vulnerabilities 12198 aim-away-bo(16926) Oracle Database Server 8.1.7.4 through 9.2.0.4 allows local users to execute commands with additional privileges via the ctxsys.driload package, which is publicly accessible. VU#316206 20040902 Oracle Database Server ctxsys.driload Access Validation Vulnerability 12409 11099 Buffer overflow in the KSDWRTB function in the dbms_system package (dbms_system.ksdwrt) for Oracle 9i Database Server Release 2 9.2.0.3 and 9.2.0.4, 9i Release 1 9.0.1.4 and 9.0.1.5, and 8i Release 1 8.1.7.4, allows remote authorized users to execute arbitrary code via a long second argument. oracle-dbmssystem-bo(17254) 11100 http://www.red-database-security.com/advisory/advisory_20040903_3.htm 20040902 Oracle Database Server dbms_system.ksdwrt Buffer Overflow Vulnerability 20040905 Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i - 9i http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf Multiple cross-site scripting (XSS) vulnerabilities in Squirrelmail 1.2.10 and earlier allow remote attackers to inject arbitrary HTML or script via (1) the $mailer variable in read_body.php, (2) the $senderNames_part variable in mailbox_display.php, and possibly other vectors including (3) the $event_title variable or (4) the $event_text variable. 10450 DSA-535 squirrelmail-from-header-xss(16285) http://www.rs-labs.com/adv/RS-Labs-Advisory-2004-1.txt 20040530 RS-2004-1: SquirrelMail "Content-Type" XSS vulnerability CLA-2004:858 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=257973 Format string vulnerability in the SSL_set_verify function in telnetd.c for SSLtelnet daemon (SSLtelnetd) 0.13 allows remote attackers to execute arbitrary code. DSA-529 ssltelnetd-format-string(16653) http://www.idefense.com/application/poi/display?id=114&type=vulnerabilities Thomson SpeedTouch 510 ADSL Router with firmware GV8BAA3.270, and possibly earlier versions, generates predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. speedtouch-hijack-connection(16919) 10881 20040805 Thompson SpeedTouch Home ADSL Modem Predictable TCP ISN Generation ESB-2004.0504 12238 Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code. TA04-247A VU#795632 kerberos-kdc-double-free(17157) 2004-0045 11078 GLSA-200409-09 DSA-543 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt RHSA-2004:350 oval:org.mitre.oval:def:10709 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) CLA-2004:860 oval:org.mitre.oval:def:4936 Double free vulnerability in the krb5_rd_cred function for MIT Kerberos 5 (krb5) 1.3.1 and earlier may allow local users to execute arbitrary code. TA04-247A VU#866472 kerberos-krb5rdcred-double-free(17159) 2004-0045 11078 GLSA-200409-09 DSA-543 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt RHSA-2004:350 oval:org.mitre.oval:def:10267 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) CLA-2004:860 oval:org.mitre.oval:def:3322 The asn1buf_skiptail function in the ASN.1 decoder library for MIT Kerberos 5 (krb5) 1.2.2 through 1.3.4 allows remote attackers to cause a denial of service (infinite loop) via a certain BER encoding. TA04-247A VU#550464 kerberos-asn1-library-dos(17160) 2004-0045 GLSA-200409-09 11079 DSA-543 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-003-asn1.txt RHSA-2004:350 oval:org.mitre.oval:def:10014 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) CLA-2004:860 oval:org.mitre.oval:def:2139 Buffer overflow in the wvHandleDateTimePicture function in wv library (wvWare) 0.7.4 through 0.7.6 and 1.0.0 allows remote attackers to execute arbitrary code via a document with a long DateTime field. 20040709 wvWare Library Buffer Overflow Vulnerability GLSA-200407-11 FLSA:1906 wvware-wvhandledatetimepicture-bo(16660) 7761 MDKSA-2004:077 http://www.freebsd.org/ports/portaudit/7a5430df-d562-11d8-b479-02e0185c0b53.html DSA-579 http://cpan.cybercomm.nl/pub/gentoo-portage/app-text/wv/files/wv-1.0.0-fix_overflow.patch CLA-2004:863 Buffer overflow in the WriteToLog function for JRun 3.0 through 4.0 web server connectors, such as (1) mod_jrun and (2) mod_jrun20 for Apache, with verbose logging enabled, allows remote attackers to execute arbitrary code via a long HTTP header Content-Type field or other fields. VU#990200 coldfusion-jrun-verbose-bo(17485) 11245 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html 20040929 iDEFENSE Security Advisory 09.29.04 - Macromedia JRun 4 mod_jrun Apache Module Buffer Overflow Vulnerability http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html 12647 shorewall 1.4.10c and earlier, and 2.0.x before 2.0.3a, allows local users to overwrite arbitrary files via a symlink attack on the chains-$$ temporary file. GLSA-200407-07 shorewall-symlink(16651) MDKSA-2004:080 [Shorewall-announce] 20040628 URGENT: Shorewall Security Vulnerability Mozilla (Suite) before 1.7.1, Firefox before 0.9.2, and Thunderbird before 0.7.2 allow remote attackers to launch arbitrary programs via a URI referencing the shell: protocol. VU#927014 20040708 Mozilla Security Advisory 2004-07-08 mozilla-shell-program-execution(16655) http://www.mozilla.org/security/shell.html http://www.mozilla.org/projects/security/known-vulnerabilities.html O-175 20040707 shell:windows command question 12027 Buffer overflow in write_packet in control.c for l2tpd may allow remote attackers to execute arbitrary code. DSA-530 l2tpd-writepacket-bo(16326) GLSA-200407-17 20040604 bss-based buffer overflow in l2tpd UploadServlet in Cisco Collaboration Server (CCS) running ServletExec before 3.0E allows remote attackers to upload and execute arbitrary files via a direct call to the UploadServlet URL. VU#718896 10639 ccs-servletexec-gain-privileges(16553) 20040630 Cisco Collaboration Server Vulnerability 11979 Unknown vulnerability in Sun Java Runtime Environment (JRE) 1.4.2 through 1.4.2_03 allows remote attackers to cause a denial of service (virtual machine hang). VU#118558 10301 sun-java-dos(16085) SSRT4749 57555 HPSBUX01044 BEA WebLogic Server and WebLogic Express 7.0 through 7.0 Service Pack 4, and 8.1 through 8.1 Service Pack 2, allows attackers to obtain the username and password for booting the server by directly accessing certain internal methods. VU#352110 10133 bea-gain-privileges(15865) http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_55.00.jsp 5296 1009766 11359 Solaris 9, when configured as a Kerberos client with patch 112908-12 or 115168-03 and using pam_krb5 as an "auth" module with the debug feature enabled, records passwords in plaintext, which could allow local users to gain other user's passwords by reading log files. VU#523710 O-172 solaris-kerberos-password-plaintext(16450) 10606 57587 11940 101519 oval:org.mitre.oval:def:255 oval:org.mitre.oval:def:2065 Unknown vulnerability in the Basic Security Module (BSM), when configured to audit either the Administrative (ad) or the System-Wide Administration (as) audit class in Solaris 7, 8, and 9, allows local users to cause a denial of service (kernel panic). VU#901582 solaris-bsm-audit-dos(16483) 10594 57497 11930 oval:org.mitre.oval:def:2426 eupdatedb in esearch 0.6.1 and earlier allows local users to create arbitrary files via a symlink attack on the esearchdb.py.tmp temporary file. 10644 esearch-eupdatedb-symlink(16584) GLSA-200407-01 The accept_client function in PureFTPd 1.0.18 and earlier allows remote attackers to cause a denial of service by exceeding the maximum number of connections. GLSA-200407-04 pure-ftpd-acceptclient-dos(16611) http://www.pureftpd.org/ Integer overflow in the NTP daemon (NTPd) before 4.0 causes the NTP server to return the wrong date/time offset when a client requests a date/time that is more than 34 years away from the server's time. VU#584606 ntp-integer-bo(15406) SSRT4718 Integer overflow in the hpsb_alloc_packet function (incorrectly reported as alloc_hpsb_packet) in IEEE 1394 (Firewire) driver 2.4 and 2.6 allows local users to cause a denial of service (crash) and possibly execute arbitrary code via the functions (1) raw1394_write, (2) state_connected, (3) handle_remote_request, or (4) hpsb_make_writebpacket. linux-1394-integer-bo(16480) 20040622 linux kernel IEEE1394(Firewire) driver integer overflow Buffer overflow in TranslateFilename for common.c in MPlayer 1.0pre4 allows remote attackers to execute arbitrary code via a long file name. mplayer-common-bo(16532) 10615 GLSA-200408-01 20040627 MPlayer MeMPlayer.c Cross-site scripting (XSS) vulnerability in (1) show_archives.php, (2) show_news.php, and possibly other php files in CuteNews 1.3.1 allows remote attackers to inject arbitrary script or HTML via the id parameter. cutenews-id-xss(16525) 20040628 Cross-Site Scripting CuteNews Integer signedness error in D-Link AirPlus DI-614+ running firmware 2.30 and earlier allows remote attackers to cause a denial of service (IP lease depletion) via a DHCP request with the LEASETIME option set to -1, which makes the DHCP lease valid for thirteen or more years. dlink-dhcp-request-dos(16531) 10621 20040629 Re: DLINK 614+ - SOHO routers, system DOS 7294 12018 20040628 DLINK 614+ - SOHO routers, DHCP service DOS PowerPortal 1.x allows remote attackers to gain sensitive information via invalid or missing parameters in HTTP requests to (1) resize.php or (2) modules.php, which reveals the path in an error message. powerportal-path-disclosure(16529) http://www.swp-zone.org/archivos/advisory-07.txt 10622 20040628 Multiple vulnerabilities PowerPortal Cross-site scripting (XSS) vulnerability in modules.php in PowerPortal 1.x allows remote attackers to inject arbitrary script or HTML via the (1) id parameter to the (a) private_messages module; (2) search parameter to the (b) links and (c) content modules; and (3) files parameter to the gallery module. powerportal-multiple-xss(16528) 20040628 Multiple vulnerabilities PowerPortal Directory traversal vulnerability in modules.php in PowerPortal 1.x allows remote attackers to list arbitrary directories via a .. (dot dot) in the files parameter. powerportal-dotdot-directory-traversal(16530) http://www.swp-zone.org/archivos/advisory-07.txt 10622 20040628 Multiple vulnerabilities PowerPortal csFAQ.cgi in csFAQ allows remote attackers to gain sensitive information via an invalid database parameter, which reveals the path to the web server in an error message. csfaq-path-disclosure(16526) http://www.swp-zone.org/archivos/advisory-08.txt 10618 20040628 Full path disclosure csFAQ Off-by-one error in the POP3_readmsg function in popclient 3.0b6 allows remote attackers to cause a denial of service (application crash) via an e-mail message with a certain line length, which leads to a buffer overflow. popclient-pop3readmsg-offbyone-bo(16538) 10625 http://www.grok.org.uk/advisories/popclient.html 20040629 DoS in popclient 3.0b6 20040629 DoS in popclient 3.0b6 Rule Set Based Access Control (RSBAC) 1.2.2 through 1.2.3 allows access to sys_creat, sys_open, and sys_mknod inside jails, which could allow local users to gain elevated privileges. 10640 rsbac-jail-gain-privileges(16552) http://www.rsbac.org/download/bugfixes/ 20040702 Announce: RSBAC v1.2.3 released 20040630 rsbac 1.2.3 jail security problems Web Access in Lotus Domino 6.5.1 allows remote attackers to cause a denial of service (server crash) via a large e-mail message, as demonstrated using a large image attachment. lotus-domino-web-dos(16596) 10641 20040630 DoS against Domino 6.5.1 Lotus Domino 6.5.0 and 6.5.1, with IMAP enabled, allows remote authenticated users to change their quota by using the IMAP setquota command. lotus-quota-change(16575) 10642 20040630 Unprevileged user can change quota on Domino Prestige 650HW-31 running Rompager 4.7 software allows remote attackers to cause a denial of service (device reboot) via a long password. zyxel-long-password-dos(16547) 10638 20040630 DSL router Prestige 650HW-31 20040630 DSL router Prestige 650HW-31 Brightmail Spamfilter 6.0 and earlier beta releases allows remote attackers to read mail from other users by modifying the id parameter in a viewMsgDetails.do request. symantec-brightmail-view-mail(16609) 10657 20040701 Brightmail leaks other user's spam 20040714 Ref: http://www.securityfocus.com/archive/1/367866, Jul 1 2004 1:19PM, Subj: Brightmail Multiple cross-site scripting (XSS) vulnerabilities in the primary and management web interfaces in Netegrity IdentityMinder Web Edition 5.6 allows remote attackers to execute script as other users via (1) script that starts with %00 in the numOfExpressions parameter or (2) the mobjtype parameter. identityminder-xss(16618) 10645 20040701 [HW-MED] XSS in Netegrity IdentityMinder Cross-site scripting (XSS) vulnerability in SCI Photo Chat Server 3.4.9 allows remote attackers to execute arbitrary web script as other users via an invalid request that is echoed in the resulting error message. sci-server-xss(16602) 10648 20040702 XSS in SCI Photo Chat Server 3.4.9 Enterasys XSR-1800 series Security Routers, when running firmware 7.0.0.0 and using Policy-Based Routing, allow remote attackers to cause a denial of service (crash) via a packet with the IP record route option set. xsr-ip-record-dos(16616) 10653 http://www.enterasys.com/support/security/incidents/2004/07/11036.html 20040702 Enterasys XSR Security Routers DoS Cross-site scripting (XSS) vulnerability in (1) cart32.exe or (2) c32web.exe in Cart32 shopping cart allows remote attackers to execute arbitrary web script via the cart32 parameter to a GetLatestBuilds command. cart32-getlatestbuilds-xss(16535) 10617 20040703 Cart32 Input Validation Flaw in 'GetLatestBuilds?cart32=' Permits Remote Cross-Site Scripting Attacks Directory traversal vulnerability in Fastream NETFile FTP/Web Server 6.7.2.1085 and earlier allows remote attackers to create or delete arbitrary files via .. (dot dot) and // (double slash) sequences in the filename parameter. 10658 fastream-mkdir-file-upload(16613) http://www.haxorcitos.com/Fastream_advisory.txt 20040704 Fastream NETFile FTP/Web Server Input validation Errors Fastream NETFile FTP Server 6.7.2.1085 and earlier allows remote attackers to cause a denial of service (temporary hang) via the cd command with an unusual argument, possibly due to multiple leading slashes and/or an access to the floppy drive ("A"). fastream-cd-dos(16615) 20040704 Fastream NETFile FTP/Web Server Input validation Errors Cross-site scripting (XSS) in one2planet.infolet.InfoServlet in 12Planet Chat Server 2.9 allows remote attackers to execute arbirary script as other users via the page parameter. 12planet-chat-server-xss(16605) 10659 http://www.autistici.org/fdonato/advisory/12PlanetChatServer2.9-adv.txt 20040705 XSS in 12Planet Chat Server 2.9 The IP cloaking feature (cloak.c) in UnrealIRCd 3.2, and possibly other versions, uses a weak hashing scheme to hide IP addresses, which could allow remote attackers to use brute force methods to gain other user's IP addresses. 10663 unreal-ircd-information-disclosure(16610) http://www.unrealircd.com/ http://www.bandecon.com/advisory/unreal.txt 20040705 unreal ircd ip cloaking subsystem vulnerability 560 Zoom X3 ADSL modem has a terminal running on port 254 that can be accessed using the default HTML management password, even if the password has been changed for the HTTP interface, which could allow remote attackers to gain unauthorized access. conexant-chipset-settings-restore(16639) 10669 20040706 backdoor menu on conexant chipset dsl router (Zoom X3) Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_customerAuthenticateForm.asp, (2) comersus_backoffice_message.asp, (3) comersus_supportError.asp, or (4) comersus_message.asp in Comersus Cart 5.09 allow remote attackers to execute web script as other users via the message parameter. This vulnerability is addressed in the following product update: Comersus Open Technologies, Comersus Cart, 5.098 10674 comersus-cart-xss(16646) 20040707 Comersus Cart Cross-Site Scripting Vulnerability comersus_gatewayPayPal.asp in Comersus Cart 5.09, and possibly other versions before 5.098, allows remote attackers to change the prices of items by directly modifying them in the URL. comersus-cart-price-modification(16645) 10674 20040707 Comersus Cart Improper Request Handling Symantec Norton AntiVirus 2002 and 2003 allows remote attackers to cause a denial of service (CPU consumption) via a compressed archive that contains a large number of directories. nav-compressed-dos(16658) 20040709 Norton AntiVirus Denial Of Service Vulnerability [Part: !!!] WebSphere Edge Component Caching Proxy in WebSphere Edge Server 5.02, with the JunctionRewrite directive enabled, allows remote attackers to cause a denial of service via an HTTP GET request without any parameters. ibm-edge-caching-dos(16607) http://www.cybsec.com/vuln/IBM-WebSphere-Edge-Server-DOS.pdf 20040708 CYBSEC - Security Advisory: Denial of Service in IBM WebSphere Certain USB drivers in the Linux 2.4 kernel use the copy_to_user function on uninitialized structures, which could allow local users to obtain sensitive information by reading memory that was not cleared from previous usage. VU#981134 linux-usb-gain-privileges(16931) 10892 GLSA-200408-24 FLSA:2336 2004-0041 http://www.securityspace.com/smysecure/catid.html?id=14580 RHSA-2004:505 RHSA-2004:504 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 oval:org.mitre.oval:def:10665 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127921 Buffer overflow in Samba 2.2.x to 2.2.9, and 3.0.0 to 3.0.4, when the "mangling method = hash" option is enabled in smb.conf, has unknown impact and attack vectors. RHSA-2004:259 20040722 Security Release - Samba 3.0.5 and 2.2.10 samba-mangling-method-bo(16786) 2004-0039 SUSE-SA:2004:022 MDKSA-2004:071 GLSA-200407-21 oval:org.mitre.oval:def:10461 57664 101584 FLSA:2102 SSRT4782 20040722 TSSA-2004-014 - samba 20040722 [OpenPKG-SA-2004.033] OpenPKG Security Advisory (samba) CLA-2004:854 CLA-2004:851 Multiple stack-based buffer overflows in (1) xpmParseColors in parse.c, (2) ParseAndPutPixels in create.c, and (3) ParsePixels in parse.c for libXpm before 6.8.1 allow remote attackers to execute arbitrary code via a malformed XPM image file. VU#882750 TA05-136A 11196 libxpm-multiple-stack-bo(17414) ADV-2006-1914 HPSBUX02119 HPSBUX02119 RHSA-2005:004 RHSA-2004:537 SUSE-SA:2004:034 GLSA-200502-07 GLSA-200409-34 DSA-560 http://scary.beasts.org/security/CESA-2004-003.txt oval:org.mitre.oval:def:9187 20040915 CESA-2004-004: libXpm APPLE-SA-2005-05-03 http://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch USN-27-1 FLSA-2006:152803 MDKSA-2004:098 57653 20235 CLA-2005:924 Multiple integer overflows in (1) the xpmParseColors function in parse.c, (2) XpmCreateImageFromXpmImage, (3) CreateXImage, (4) ParsePixels, and (5) ParseAndPutPixels for libXpm before 6.8.1 may allow remote attackers to execute arbitrary code via a malformed XPM image file. VU#537878 TA05-136A 11196 libxpm-xpmfile-integer-overflow(17416) ADV-2006-1914 SSRT4848 RHSA-2005:004 RHSA-2004:537 SUSE-SA:2004:034 GLSA-200502-07 GLSA-200409-34 DSA-560 http://scary.beasts.org/security/CESA-2004-003.txt oval:org.mitre.oval:def:11796 20040915 CESA-2004-004: libXpm APPLE-SA-2005-05-03 http://ftp.x.org/pub/X11R6.8.0/patches/README.xorg-CAN-2004-0687-0688.patch USN-27-1 HPSBUX02119 FLSA-2006:152803 MDKSA-2004:098 57653 20235 CLA-2005:924 KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files. kde-application-symlink(16963) http://www.kde.org/info/security/advisory-20040811-1.txt DSA-539 200408-13 12276 oval:org.mitre.oval:def:9334 20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities CLA-2004:864 The DCOPServer in KDE 3.2.3 and earlier allows local users to gain unauthorized access via a symlink attack on DCOP files in the /tmp directory. VU#330638 kde-dcopserver-symlink(16962) http://www.kde.org/info/security/advisory-20040811-2.txt http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261386 10924 200408-13 12276 MDKSA-2004:086 20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities CLA-2004:864 Heap-based buffer overflow in the BMP image format parser for the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. qt-bmp-bo(17040) RHSA-2004:414 GLSA-200408-20 SUSE-SA:2004:027 DSA-542 201610 oval:org.mitre.oval:def:9485 20040818 CESA-2004-004: qt MDKSA-2004:085 The XPM parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0693. qt-xpm-dos(17041) GLSA-200408-20 RHSA-2004:414 SUSE-SA:2004:027 DSA-542 201610 oval:org.mitre.oval:def:10327 FLSA:2314 MDKSA-2004:085 The GIF parser in the QT library (qt3) before 3.3.3 allows remote attackers to cause a denial of service (application crash) via a malformed image file that triggers a null dereference, a different vulnerability than CVE-2004-0692. qt-gif-dos(17042) GLSA-200408-20 RHSA-2004:414 SUSE-SA:2004:027 DSA-542 201610 oval:org.mitre.oval:def:10883 MDKSA-2004:085 Buffer overflow in LHA 1.14 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors related to "command line processing," a different vulnerability than CVE-2004-0771. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. RHSA-2004:440 RHSA-2004:323 oval:org.mitre.oval:def:9981 Stack-based buffer overflow in the FTP service for 4D WebSTAR 5.3.2 and earlier allows remote attackers to execute arbitrary code via a long FTP command. 4dwebstar-long-ftp-bo(16686) A071304-1 ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt The ShellExample.cgi script in 4D WebSTAR 5.3.2 and earlier allows remote attackers to list arbitrary directories via a URL with the desired path and a "*" (asterisk) character. 4dwebstar-view-directory-listing(16687) A071304-1 ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt 10721 Unknown vulnerability in 4D WebSTAR 5.3.2 and earlier allows remote attackers to read the php.ini configuration file and possibly obtain sensitive information. 4dwebstar-view-phpini-files(16688) A071304-1 ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt 4D WebSTAR 5.3.2 and earlier allows local users to read and modify arbitrary files via a symlink attack. 4dwebstar-symlink(16689) A071304-1 ftp://ftp.4d.com/ACI_PRODUCT_REFERENCE_LIBRARY/4D_PRODUCT_DOCUMENTATION/PDF_Docs_by_4D_Product_A-Z/4D_WebSTAR/Software_Change_History.txt Heap-based buffer overflow in ASN.1 decoding library in Check Point VPN-1 products, when Aggressive Mode IKE is implemented, allows remote attackers to execute arbitrary code by initiating an IKE negotiation and then sending an IKE packet with malformed ASN.1 data. VU#435358 vpn1-asn1-decoding-bo(16824) 20040728 Check Point VPN-1 ASN.1 Decoding Remote Compromise http://www.checkpoint.com/techsupport/alerts/asn1.html O-190 12177 10820 8290 1010799 Format string vulnerability in the mod_proxy hook functions function in ssl_engine_log.c in mod_ssl before 2.8.19 for Apache before 1.3.31 may allow remote attackers to execute arbitrary messages via format string specifiers in certain log messages for HTTPS that are handled by the ssl_log function. VU#303448 apache-modssl-format-string(16705) FLSA:1888 10736 RHSA-2004:408 RHSA-2004:405 7929 MDKSA-2004:075 DSA-532 http://virulent.siyahsapka.org/ http://packetstormsecurity.org/0407-advisories/modsslFormat.txt [apache-modssl] 20040716 [ANNOUNCE] mod_ssl 2.8.19 for Apache 1.3.31 USN-177-1 20040716 [OpenPKG-SA-2004.032] OpenPKG Security Advisory (apache) CLA-2004:857 Sun Ray Server Software (SRSS) 1.3 and 2.0 for Solaris 2.6, 7 and 8 does not properly detect a smartcard removal when the card is quickly removed, reinserted, and removed again, which could cause a user session to stay logged in and allow local users to gain unauthorized access. VU#100780 7457 sun-ray-session-access(11905) 53922 DBI in Bugzilla 2.17.1 through 2.17.7 displays the database password in an error message when the SQL server is not running, which could allow remote attackers to gain sensitive information. 10698 bugzilla-database-password-disclosure(16673) 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 Unknown vulnerability in the administrative controls in Bugzilla 2.17.1 through 2.17.7 allows users with "grant membership" privileges to grant memberships to groups that the user does not control. 10698 bugzilla-editusers-gain-privileges(16672) 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 Unknown vulnerability in (1) duplicates.cgi and (2) buglist.cgi in Bugzilla 2.16.x before 2.16.6, 2.18 before 2.18rc1, when configured to hide products, allows remote attackers to view hidden products. 10698 bugzilla-product-name-disclosure(16671) 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 Multiple cross-site scripting (XSS) vulnerabilities in (1) editcomponents.cgi, (2) editgroups.cgi, (3) editmilestones.cgi, (4) editproducts.cgi, (5) editusers.cgi, and (6) editversions.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allow remote attackers to execute arbitrary JavaScript as other users via a URL parameter. 10698 bugzilla-edit-xss(16670) 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 http://bugzilla.mozilla.org/show_bug.cgi?id=235265 Bugzilla 2.17.5 through 2.17.7 embeds the password in an image URL, which could allow local users to view the password in the web server log files. 10698 bugzilla-chart-view-password(16669) 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 http://bugzilla.mozilla.org/show_bug.cgi?id=235510 SQL injection vulnerability in editusers.cgi in Bugzilla 2.16.x before 2.16.6, and 2.18 before 2.18rc1, allows remote attackers with privileges to grant membership to any group to execute arbitrary SQL. 10698 bugzilla-editusers-sql-injection(16668) 20040710 [BUGZILLA] Multiple vulnerabilities in Bugzilla 2.16.5 and 2.17.7 http://bugzilla.mozilla.org/show_bug.cgi?id=244272 MoinMoin 1.2.1 and earlier allows remote attackers to gain privileges by creating a user with the same name as an existing group that has higher privileges. 10568 GLSA-200407-09 moinmoin-gain-admin-access(16465) 6704 http://www.osvdb.org/6704 http://sourceforge.net/tracker/index.php?func=detail&aid=948103&group_id=8482&atid=108482 11807 HP OpenView Select Access 5.0 through 6.0 does not correctly decode UTF-8 encoded unicode characters in a URL, which could allow remote attackers to bypass access restrictions. VU#205766 10414 openview-select-gain-access(16247) SSRT4719 IP Security VPN Services Module (VPNSM) in Cisco Catalyst 6500 Series Switch and the Cisco 7600 Series Internet Routers running IOS before 12.2(17b)SXA, before 12.2(17d)SXB, or before 12.2(14)SY03 could allow remote attackers to cause a denial of service (device crash and reload) via a malformed Internet Key Exchange (IKE) packet. VU#904310 20040408 Cisco IPSec VPN Services Module Malformed IKE Packet Vulnerability cisco-vpnsm-ike-dos(15797) 10083 oval:org.mitre.oval:def:5696 The URL pattern matching feature in BEA WebLogic Server 6.x matches illegal patterns ending in "*" as wildcards as if they were the legal "/*" pattern, which could cause WebLogic 7.x to allow remote attackers to bypass intended access restrictions because the illegal patterns are properly rejected. VU#184558 10184 weblogic-urlpattern-obtain-information(15927) http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_56.00.jsp The configuration tools (1) config.sh in Unix or (2) config.cmd in Windows for BEA WebLogic Server 8.1 through SP2 create a log file that contains the administrative username and password in cleartext, which could allow local users to gain privileges. VU#574222 10188 weblogic-admin-password-plaintext(15926) http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_58.00.jsp The remove method in a stateful Enterprise JavaBean (EJB) in BEA WebLogic Server and WebLogic Express version 8.1 through SP2, 7.0 through SP4, and 6.1 through SP6, does not properly check EJB permissions before unexporting a bean, which allows remote authenticated users to remove EJB objects from remote views before the security exception is thrown. VU#658878 10185 weblogic-ejb-object-deletion(15928) http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_57.00.jsp Cisco Internetwork Operating System (IOS) 12.0S through 12.3T attempts to process SNMP solicited operations on improper ports (UDP 162 and a randomly chosen UDP port), which allows remote attackers to cause a denial of service (device reload and memory corruption). VU#162451 TA04-111B 10186 20040420 Vulnerabilities in SNMP Message Processing cisco-ios-snmp-udp-dos(15921) oval:org.mitre.oval:def:5845 The WebLogic Authentication provider for BEA WebLogic Server and WebLogic Express 8.1 through SP2 and 7.0 through SP4 does not properly clear member relationships when a group is deleted, which can cause a new group with the same name to have the members of the old group, which allows group members to gain privileges. VU#470470 10130 weblogic-authentication-gain-privileges(15861) http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_52.01.jsp 5299 1009763 11356 Buffer overflow in the DCE daemon (DCED) for the DCE endpoint mapper (epmap) on HP-UX 11 allows remote attackers to execute arbitrary code via a request with a small fragment length and a large amount of data. http://support.entegrity.com/private/patches/dce/ssrt4741.asp A072204-1 Opera 7.51 for Windows and 7.50 for Linux does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. http-frame-spoof(1598) http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/ 11978 The (1) Mozilla 1.6, (2) Firebird 0.7, (3) Firefox 0.8, and (4) Netscape 7.1 web browsers do not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. http-frame-spoof(1598) RHSA-2004:421 SUSE-SA:2004:036 http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/ 11978 oval:org.mitre.oval:def:9997 FLSA:2089 http://bugzilla.mozilla.org/show_bug.cgi?id=246448 15495 MDKSA-2004:082 DSA-810 DSA-777 SCOSA-2005.49 oval:org.mitre.oval:def:4756 Internet Explorer for Mac 5.2.3, Internet Explorer 6 on Windows XP, and possibly other versions, does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. 11966 http-frame-spoof(1598) http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/ 11978 Safari 1.2.2 does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. http-frame-spoof(1598) http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/ 11978 Konqueror 3.1.3, 3.2.2, and possibly other versions does not properly prevent a frame in one domain from injecting content into a frame that belongs to another domain, which facilitates web site spoofing and other attacks, aka the frame injection vulnerability. http-frame-spoof(1598) http://www.kde.org/info/security/advisory-20040811-3.txt 200408-13 http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/ 11978 oval:org.mitre.oval:def:11371 20040811 KDE Security Advisories: Temporary File and Konqueror Frame Injection Vulnerabilities CLA-2004:864 Integer overflow in the SOAPParameter object constructor in (1) Netscape version 7.0 and 7.1 and (2) Mozilla 1.6, and possibly earlier versions, allows remote attackers to execute arbitrary code. mozilla-netscape-soapparameter-bo(16862) RHSA-2004:421 SUSE-SA:2004:036 oval:org.mitre.oval:def:9378 http://bugzilla.mozilla.org/show_bug.cgi?id=236618 15495 http://www.idefense.com/application/poi/display?id=117&type=vulnerabilities SCOSA-2005.49 oval:org.mitre.oval:def:4629 Microsoft Java virtual machine (VM) 5.0.0.3810 allows remote attackers to bypass sandbox restrictions to read or write certain data between applets from different domains via the "GET/Key" and "PUT/Key/Value" commands, aka "cross-site Java." msjvm-sandbox-bypass(16666) 10688 20040710 Covert Channels allow Cross-Site-Java in Microsoft VM The Half-Life engine before July 7 2004 allows remote attackers to cause a denial of service (server or client crash) via an empty fragmented packet. halflife-packet-dos(16674) 10700 20040712 Remote crash of Half-Life servers and clients (versions before the 07 July 2004) Cross-site scripting (XSS) vulnerability in help.php in Moodle 1.3.2 and 1.4 dev allows remote attackers to inject arbitrary web script or HTML via the file parameter. 10718 20040713 Moodle XSS Vulnerability moodle-help-file-xss(16684) http://cvs.sourceforge.net/viewcvs.py/moodle/moodle/help.php The Windows Media Player control in Microsoft Windows 2000 allows remote attackers to execute arbitrary script in the local computer zone via an ASX filename that contains javascript, which is executed in the local context in a preview panel. win2k-media-code-execution(16704) 10693 20040711 Media Preview Script Execution Vulnerability Microsoft Internet Explorer 6.0.2800.1106 on Microsoft Windows XP SP2, and other versions including 5.01 and 5.5, allows remote web servers to bypass zone restrictions and execute arbitrary code in the local computer zone by redirecting a function to another function with the same name, as demonstrated by SimilarMethodNameRedir, aka the "Similar Method Name Redirection Cross Domain Vulnerability." TA04-293A VU#207264 ie-function-redirect-xss(16681) MS04-038 20040711 MSIE Similar Method Name Redirection Cross Site/Zone Scripting http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm 12048 oval:org.mitre.oval:def:7906 oval:org.mitre.oval:def:7496 oval:org.mitre.oval:def:7448 oval:org.mitre.oval:def:7084 oval:org.mitre.oval:def:6829 oval:org.mitre.oval:def:4702 The Remote Control Client service in Microsoft's Systems Management Server (SMS) 2.50.2726.0 allows remote attackers to cause a denial of service (crash) via a data packet to TCP port 2702 that causes the server to read or write to an invalid memory address. sms-remote-service-dos(16696) 20040714 [HV-MED] DoS in Microsoft SMS Client PhpBB 2.0.8 allows remote attackers to gain sensitive information via an invalid (1) category_rows parameter to index.php, (2) faq parameter to faq.php, or (3) ranksrow parameter to profile.php, which reveal the full path in an error message. 20040716 [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8] phpbb-usercpviewprofile-path-disclosure(16723) phpbb-lang-faq-path-disclosure(16720) phpbb-indexphp-path-disclosure(16716) http://www.waraxe.us/index.php?modname=sa&id=34 Multiple cross-site scripting (XSS) vulnerabilities in PhpBB 2.0.8 allow remote attackers to inject arbitrary web script or HTML via (1) the cat_title parameter in index.php, (2) the faq[0][0] parameter in lang_faq.php as accessible from faq.php, or (3) the faq[0][0] parameter in lang_bbcode.php as accessible from faq.php. 20040716 [waraxe-2004-SA#034 - XSS and path full path disclosure in PhpBB 2.0.8] phpbb-lang-bbcode-xss(16726) phpbb-lang-faq-xss(16725) phpbb-indexphp-xss(16724) http://www.waraxe.us/index.php?modname=sa&id=34 10738 Cross-site scripting (XSS) vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary script as other users via the input field. phpnuke-search-module-xss(16721) http://www.waraxe.us/index.php?modname=sa&id=35 20040716 [waraxe-2004-SA#035 - Multiple security holes in PhpNuke - part 2] SQL injection vulnerability in index.php in the Search module for Php-Nuke allows remote attackers to execute arbitrary SQL statements via the instory parameter. phpnuke-search-module-sql-injection(16728) http://www.waraxe.us/index.php?modname=sa&id=35 20040716 [waraxe-2004-SA#035 - Multiple security holes in PhpNuke - part 2] Format string vulnerability in OllyDbg 1.10 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers that are directly provided to the OutputDebugString function call. ollydbg-outputdebugstring-format-string(16711) 10742 20040717 [FMADV] Format String Bug in OllyDbg 1.10 20040717 [FMADV] Format String Bug in OllyDbg 1.10 3757 Web_Store.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the page parameter. extropia-webstore-command-execution(16710) 10744 20040717 Web_Store.cgi allows Command Execution Buffer overflow in Medal of Honor (1) Allied Assault 1.11v9 and earlier, (2) Breakthrough 2.40b and earlier, and (3) Spearhead 2.15 and earlier, when playing on a Local Area Network (LAN), allows remote attackers to execute arbitrary code via vectors such as (1) the getinfo query, (2) the connect packet, and other unknown vectors. 10743 medalofhonor-packet-bo(16715) 20040717 Medal of Honor remote buffer-overflow The search module in Php-Nuke allows remote attackers to gain sensitive information via the (1) "**" or (2) "+" search patterns, which reveals the path in an error message. phpnuke-asterisk-plus-path-disclosure(16736) 20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3] Multiple cross-site scripting vulnerabilities in index.php in the Search module for Php-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) max, (3) sel1, (4) sel2, (5) sel3, (6) sel4, (7) sel5, (8) match, (9) mod1, (10) mod2, or (11) mod3 parameters. phpnuke-search-module-xss(16721) 20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3] Multiple SQL injection vulnerabilities in the Search module in Php-Nuke allow remote attackers to execute arbitrary SQL via the (1) min or (2) categ parameters. phpnuke-search-min-sql-injection(16737) 20040718 [waraxe-2004-SA#036 - Multiple security holes in PhpNuke - part 3] Buffer overflow in Whisper FTP Surfer 1.0.7 allows remote FTP servers to cause a denial of service (client crash) and possibly execute arbitrary code via a long filename. whisper-long-file-name-bo(16742) 20040719 Buffer overflow in Whisper FTP Surfer 1.0.7 20040719 Buffer overflow in Whisper FTP Surfer 1.0.7 The HTTP server in Lexmark T522 and possibly other models allows remote attackers to cause a denial of service (server crash, reload, or hang) via an HTTP header with a long Host field, possibly triggering a buffer overflow. lexmark-long-host-bo(16752) 20040720 Denial of Service vulnerability in several Lexmark HTTP servers LionMax Software WWW File Share Pro 2.60 allows remote attackers to cause a denial of service (crash or hang) via a long URL, possibly triggering a buffer overflow. wwwfilesharepro-http-get-dos(16754) 20040720 dos_in_file_share_2.6 Sun Java System Portal Server 6.2 (formerly Sun ONE) allows remote authenticated users to obtain Calendar Server privileges and modify Calendar data by changing the display options to a non-default view. VU#881254 57586 sunjavaportal-calendar-gain-access(16776) 10788 12134 Safari in Mac OS X before 10.3.5, after sending form data using the POST method, may re-send the data to a GET method URL if that URL is redirected after the POST data and the user uses the forward or backward buttons, which may cause an information leak. VU#128414 safari-web-info-disclosure(16944) APPLE-SA-2004-09-09 The TCP/IP Networking component in Mac OS X before 10.3.5 allows remote attackers to cause a denial of service (memory and resource consumption) via a "Rose Attack" that involves sending a subset of small IP fragments that do not form a complete, larger packet. macos-tcp-ip-dos(16946) APPLE-SA-2004-09-09 20040427 Source Code To Test IPv4 fragmentation --> The Rose Attack 20040331 IPv4 fragmentation --> The Rose Attack http://digital.net/~gandalf/Rose_Frag_Attack_Explained.txt LHA 1.14 and earlier allows attackers to execute arbitrary commands via a directory with shell metacharacters in its name. lha-metacharacter-command-execution(17198) RHSA-2004:440 FLSA:1833 RHSA-2004:323 GLSA-200409-13 oval:org.mitre.oval:def:11088 Konqueror in KDE 3.2.3 and earlier allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk and .firm.in, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. kde-konqueror-cookie-set(17063) 10991 20040823 KDE Security Advisory: Konqueror Cross-Domain Cookie Injection MDKSA-2004:086 http://www.kde.org/info/security/advisory-20040823-1.txt 12341 oval:org.mitre.oval:def:11281 CLA-2004:864 Buffer overflow in Apache 2.0.50 and earlier allows local users to gain apache privileges via a .htaccess file that causes the overflow during expansion of environment variables. VU#481998 RHSA-2004:463 apache-env-configuration-bo(17384) ADV-2009-1233 2004-0047 SUSE-SA:2004:032 MDKSA-2004:096 GLSA-200409-21 http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=205147 1011303 34920 12540 oval:org.mitre.oval:def:11561 mod_ssl in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (CPU consumption) by aborting an SSL connection in a way that causes an Apache child process to enter an infinite loop. apache-modssl-dos(17200) RHSA-2004:349 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=130750 2004-0047 SUSE-SA:2004:030 MDKSA-2004:096 GLSA-200409-21 oval:org.mitre.oval:def:11126 The mod_authz_svn module in Subversion 1.0.7 and earlier does not properly restrict access to all metadata on unreadable paths, which could allow remote attackers to gain sensitive information via (1) svn log -v, (2) svn propget, or (3) svn blame, and other commands that follow renames. subversion-information-disclosure(17472) 11243 GLSA-200409-35 http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt FEDORA-2004-318 Unknown vulnerability in redhat-config-nfs before 1.0.13, when shares are exported to multiple hosts, can produce incorrect permissions and prevent the all_squash option from being applied. RHSA-2004:434 red-hat-permission-gain-privileges(17478) oval:org.mitre.oval:def:10696 11240 FLSA:152787 The char_buffer_read function in the mod_ssl module for Apache 2.x, when using reverse proxying to an SSL server, allows remote attackers to cause a denial of service (segmentation fault). apache-modssl-speculative-dos(17273) RHSA-2004:463 2004-0047 SUSE-SA:2004:030 MDKSA-2004:096 GLSA-200409-21 oval:org.mitre.oval:def:11864 http://issues.apache.org/bugzilla/show_bug.cgi?id=30134 20040911 Remote buffer overflow in Apache mod_ssl when reverse proxying SSL OpenOffice (OOo) 1.1.2 creates predictable directory names with insecure permissions during startup, which may allow local users to read or list files of other users. RHSA-2004:446 http://www.openoffice.org/issues/show_bug.cgi?id=33357 1011205 oval:org.mitre.oval:def:10294 openofficeorg-tmpfile-insecure-permissions(17312) 11151 9804 12932 12914 12668 12546 12302 20040910 OpenOffice World-Readable Temporary Files Disclose Files to Local Users The BMP image processor for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted BMP file. VU#825374 RHSA-2004:466 RHSA-2004:447 FLSA:2005 gtk-bmp-dos(17383) MDKSA-2004:095 DSA-546 oval:org.mitre.oval:def:10585 11195 FLSA-2005:155510 MDKSA-2005:214 17657 CLA-2004:875 Integer overflow in Gaim before 0.82 allows remote attackers to cause a denial of service and possibly execute arbitrary code via the size variable in Groupware server messages. FEDORA-2004-279 FEDORA-2004-278 RHSA-2004:400 GLSA-200408-27 oval:org.mitre.oval:def:10220 http://gaim.sourceforge.net/security/?id=2 gaim-groupware-integer-overflow(17140) 11056 9260 1011083 13101 12480 12383 The FileStore capability in CGI::Session for Ruby before 1.8.1, and possibly PStore, creates files with insecure permissions, which can allow local users to steal session information and hijack sessions. ruby-filestore-pstore-insecure-permission(16996) GLSA-200409-08 DSA-537 12290 oval:org.mitre.oval:def:11128 MDKSA-2004:128 Heap-based buffer overflow in the SendUidl in the POP3 capability for Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, may allow remote POP3 mail servers to execute arbitrary code. VU#561022 http://bugzilla.mozilla.org/show_bug.cgi?id=229374 mozilla-senduidl-pop3-bo(16869) RHSA-2004:421 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 10856 oval:org.mitre.oval:def:11042 FLSA:2089 15495 SCOSA-2005.49 oval:org.mitre.oval:def:3250 Mozilla 1.5 through 1.7 allows a CA certificate to be imported even when their DN is the same as that of the built-in CA root certificate, which allows remote attackers to cause a denial of service to SSL pages because the malicious certificate is treated as invalid. VU#784278 http://bugzilla.mozilla.org/show_bug.cgi?id=249004 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=127186 mozilla-certificate-dos(16706) RHSA-2004:421 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html GLSA-200408-22 oval:org.mitre.oval:def:10304 15495 FLSA:2089 SCOSA-2005.49 oval:org.mitre.oval:def:3134 Mozilla before 1.7 allows remote web servers to read arbitrary files via Javascript that sets the value of an <input type="file"> tag. http://bugzilla.mozilla.org/show_bug.cgi?id=241924 mozilla-warning-file-upload(16870) 15495 RHSA-2004:421 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 oval:org.mitre.oval:def:11153 FLSA:2089 SCOSA-2005.49 Mozilla allows remote attackers to cause Mozilla to open a URI as a different MIME type than expected via a null character (%00) in an FTP URI. http://bugzilla.mozilla.org/show_bug.cgi?id=250906 mozilla-modify-mime-type(16691) RHSA-2004:421 SUSE-SA:2004:036 oval:org.mitre.oval:def:11090 15495 FLSA:2089 SCOSA-2005.49 oval:org.mitre.oval:def:1227 Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote attackers to use certain redirect sequences to spoof the security lock icon that makes a web page appear to be encrypted. http://bugzilla.mozilla.org/show_bug.cgi?id=240053 mozilla-redirect-ssl-spoof(16871) RHSA-2004:421 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 oval:org.mitre.oval:def:9240 FLSA:2089 15495 SCOSA-2005.49 oval:org.mitre.oval:def:3603 Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to install arbitrary extensions by using interactive events to manipulate the XPInstall Security dialog box. http://bugzilla.mozilla.org/show_bug.cgi?id=162020 mozilla-dialog-code-execution(16623) RHSA-2004:421 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 11999 oval:org.mitre.oval:def:10032 FLSA:2089 http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ 15495 20040407 Race conditions in security dialogs SCOSA-2005.49 oval:org.mitre.oval:def:4403 Mozilla Firefox 0.9.1 and 0.9.2 allows remote web sites to spoof certificates of trusted web sites via redirects and Javascript that uses the "onunload" method. http://bugzilla.mozilla.org/show_bug.cgi?id=253121 mozilla-ssl-certificate-spoofing(16796) RHSA-2004:421 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html GLSA-200408-22 http://www.cipher.org.uk/index.php?p=advisories/Certificate_Spoofing_Mozilla_FireFox_25-07-2004.advisory 12160 oval:org.mitre.oval:def:9436 20040726 Mozilla Firefox Certificate Spoofing 20040725 Mozilla Firefox Certificate Spoofing 15495 FLSA:2089 SCOSA-2005.49 oval:org.mitre.oval:def:3989 Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, allow remote web sites to hijack the user interface via the "chrome" flag and XML User Interface Language (XUL) files. VU#262350 http://bugzilla.mozilla.org/show_bug.cgi?id=244965 mozilla-user-interface-spoofing(16837) 10832 RHSA-2004:421 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 12188 oval:org.mitre.oval:def:9419 FLSA:2089 15495 SCOSA-2005.49 oval:org.mitre.oval:def:2418 The cert_TestHostName function in Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7, only checks the hostname portion of a certificate when the hostname portion of the URI is not a fully qualified domain name (FQDN), which allows remote attackers to spoof trusted certificates. RHSA-2004:421 http://bugzilla.mozilla.org/show_bug.cgi?id=234058 mozilla-certtesthostname-certificate-spoof(16868) SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 oval:org.mitre.oval:def:11162 FLSA:2089 NGSEC StackDefender 2.0 allows attackers to cause a denial of service (system crash) via an invalid address for the BaseAddress parameter to the hooks for the (1) ZwAllocateVirtualMemory or (2) ZwProtectVirtualMemory functions. stackdefender-baseaddress-dos(16892) http://www.idefense.com/application/poi/display?id=119&type=vulnerabilities&flashstatus=false NGSEC StackDefender 1.10 allows attackers to cause a denial of service (system crash) via an invalid address for the ObjectAttribues parameter to the hooks for the (1) ZwCreateFile or (2) ZwOpenFile functions. stackdefender-objectattributes-dos(16879) http://www.idefense.com/application/poi/display?id=118&type=vulnerabilities&flashstatus=false libpng 1.2.5 and earlier does not properly calculate certain buffer offsets, which could allow remote attackers to execute arbitrary code via a buffer overflow attack. libpng-offset-bo(16914) DSA-536 FLSA:1943 GLSA-200812-15 33137 Buffer overflow in LHA allows remote attackers to execute arbitrary code via long pathnames in LHarc format 2 headers for a .LHZ archive, as originally demonstrated using the "x" option but also exploitable through "l" and "v", and fixed in header.c, a different issue than CVE-2004-0771. http://bugs.gentoo.org/show_bug.cgi?id=51285 FLSA:1833 lha-long-pathname-bo(16917) RHSA-2004:440 RHSA-2004:323 GLSA-200409-13 oval:org.mitre.oval:def:11047 http://lw.ftw.zamosc.pl/lha-exploit.txt 20040616 Re: [SECURITY] [DSA 515-1] New lha packages fix several vulnerabilities; Re: romload.c in DGen Emulator 1.23 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files during decompression of (1) gzip or (2) bzip ROM files. dgen-rom-decompression-symlink(16884) 10855 12214 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=263282&archive=yes Buffer overflow in the extract_one function from lhext.c in LHA may allow attackers to execute arbitrary code via a long w (working directory) command line option, a different issue than CVE-2004-0769. NOTE: this issue may be REJECTED if there are not any cases in which LHA is setuid or is otherwise used across security boundaries. 10354 FLSA:1833 lha-extractone-bo(16196) 20040515 lha buffer overflow(s) again RHSA-2004:440 RHSA-2004:323 GLSA-200409-13 oval:org.mitre.oval:def:9595 20040606 Re: [SECURITY] [DSA 515-1] New lha packages fix several http://bugs.gentoo.org/show_bug.cgi?id=51285 Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code. TA04-247A VU#350792 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txt kerberos-krb524d-double-free(17158) 2004-0045 11078 MDKSA-2004:088 GLSA-200409-09 DSA-543 20040913 [OpenPKG-SA-2004.039] OpenPKG Security Advisory (kerberos) CLA-2004:860 oval:org.mitre.oval:def:4661 RealNetworks Helix Universal Server 9.0.2 for Linux and 9.0.3 for Windows allows remote attackers to cause a denial of service (CPU and memory exhaustion) via a POST request with a Content-Length header set to -1. helix-post-dos(17648) 20041007 RealNetworks Helix Server Content-Length Denial of Service Vulnerability Buffer overflow in WIDCOMM Bluetooth Connectivity Software, as used in products such as BTStackServer 1.3.2.7 and 1.4.2.10, Windows XP and Windows 98 with MSI Bluetooth Dongles, and HP IPAQ 5450 running WinCE 3.0, allows remote attackers to execute arbitrary code via certain service requests. http://www.pentest.co.uk/documents/ptl-2004-03.html bluetooth-btw-service-bo(16953) 20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows 20051204 have you ever been BluePIMped? http://www.internetnews.com/security/article.php/3394181 20040811 ptl-2004-03: WIDCOMM Bluetooth Connectivity Software Buffer Overflows Format string vulnerability in the auth_debug function in Courier-IMAP 1.6.0 to 2.2.1, when login debugging (DEBUG_LOGIN) is enabled, allows remote attackers to execute arbitrary code. courierimap-authdebug-format-string(17034) 20040818 Courier-IMAP Remote Format String Vulnerability 2004-0043 GLSA-200408-19 10976 CVS 1.11.x before 1.11.17, and 1.12.x before 1.12.9, allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. VU#579225 cvs-history-info-disclosure(17001) 10955 MDKSA-2004:108 20040816 CVS Undocumented Flag Information Disclosure Vulnerability oval:org.mitre.oval:def:10688 The (1) Mozilla 1.6, (2) Firebird 0.7 and (3) Firefox 0.8 web browsers do not properly verify that cached passwords for SSL encrypted sites are only sent via SSL encrypted sessions to the site, which allows a remote attacker to cause a cached password to be sent in cleartext to a spoofed site. mozilla-plaintext-password(17018) http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7 http://bugzilla.mozilla.org/show_bug.cgi?id=226278 MDKSA-2004:082 Buffer overflow in uustat in Sun Solaris 8 and 9 allows local users to execute arbitrary code via a long -S command line argument. 16193 101933 18371 ADV-2006-0113 20060110 Sun Solaris uustat Buffer Overflow Vulnerability solaris-uustat-bo(24045) http://support.avaya.com/elmodocs2/security/ASA-2006-056.htm 1015455 19087 Cross-site scripting (XSS) vulnerability in list.cgi in the Icecast internal web server (icecast-server) 1.3.12 and earlier allows remote attackers to inject arbitrary web script via the UserAgent parameter. icecast-list-useragent-xss(17086) 11021 DSA-541 Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687). VU#729894 RHSA-2004:466 RHSA-2004:447 FLSA:2005 gtk-xpm-pixbufcreatefromxpm-bo(17386) MDKSA-2004:095 DSA-546 http://scary.beasts.org/security/CESA-2004-005.txt oval:org.mitre.oval:def:11539 20040915 CESA-2004-005: gtk+ XPM decoder 11195 FLSA-2005:155510 MDKSA-2005:214 101776 17657 CLA-2004:875 oval:org.mitre.oval:def:1617 Stack-based buffer overflow in xpm_extract_color (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, may allow remote attackers to execute arbitrary code via a certain color string. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0688). VU#369358 RHSA-2004:466 RHSA-2004:447 FLSA:2005 gtk-xpm-xpmextractcolor-bo(17385) MDKSA-2004:096 MDKSA-2004:095 http://scary.beasts.org/security/CESA-2004-005.txt oval:org.mitre.oval:def:9348 20040915 CESA-2004-005: gtk+ XPM decoder 11195 FLSA-2005:155510 MDKSA-2005:214 101776 17657 CLA-2004:875 oval:org.mitre.oval:def:1786 The smiley theme functionality in Gaim before 0.82 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename of the tar file that is dragged to the smiley selector. gaim-smiley-command-execution(17144) FEDORA-2004-279 FEDORA-2004-278 http://gaim.sourceforge.net/security/?id=1 RHSA-2004:400 GLSA-200408-27 oval:org.mitre.oval:def:10008 Multiple buffer overflows in Gaim before 0.82 allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) Rich Text Format (RTF) messages, (2) a long hostname for the local system as obtained from DNS, or (3) a long URL that is not properly handled by the URL decoder. FEDORA-2004-279 FEDORA-2004-278 http://gaim.sourceforge.net/security/?id=3 RHSA-2004:400 GLSA-200408-27 oval:org.mitre.oval:def:10907 http://gaim.sourceforge.net/security/?id=5 http://gaim.sourceforge.net/security/?id=4 gaim-url-bo(17143) gaim-hostname-bo(17142) gaim-rtf-bo(17141) 11056 9263 9262 9261 1011083 13101 12929 12480 12383 The IPv6 URI parsing routines in the apr-util library for Apache 2.0.50 and earlier allow remote attackers to cause a denial of service (child process crash) via a certain URI, as demonstrated using the Codenomicon HTTP Test Tool. RHSA-2004:463 apache-ipv6-aprutil-dos(17382) 2004-0047 SUSE-SA:2004:032 MDKSA-2004:096 GLSA-200409-21 12540 oval:org.mitre.oval:def:11380 Cross-site scripting (XSS) vulnerability in the web frontend in OpenCA 0.9.1-8 and earlier, and 0.9.2 RC6 and earlier, allows remote attackers to inject arbitrary web script or HTML via the form input fields. openca-frontend-xss(17274) 11113 http://www.openca.org/news/CAN-2004-0787.txt 20040906 OpenCA Security Advisory: Cross Site Scripting vulnerability Integer overflow in the ICO image decoder for (1) gdk-pixbuf before 0.22 and (2) gtk2 before 2.2.4 allows remote attackers to cause a denial of service (application crash) via a crafted ICO file. VU#577654 RHSA-2004:466 RHSA-2004:447 FLSA:2005 gtk-ico-integer-bo(17387) MDKSA-2004:095 DSA-546 oval:org.mitre.oval:def:10506 11195 FLSA-2005:155510 MDKSA-2005:214 17657 CLA-2004:875 Multiple implementations of the DNS protocol, including (1) Poslib 1.0.2-1 and earlier as used by Posadis, (2) Axis Network products before firmware 3.13, and (3) Men & Mice Suite 2.2x before 2.2.3 and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (CPU and network bandwidth consumption) by triggering a communications loop via (a) DNS query packets with localhost as a spoofed source address, or (b) a response packet that triggers a response packet. dns-localhost-dos(17997) 11642 http://www.posadis.org/advisories/pos_adv_006.txt 1012157 13145 http://www.niscc.gov.uk/niscc/docs/re-20041109-00957.pdf http://www.niscc.gov.uk/niscc/docs/al-20041130-00862.html?lang=en Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (reset TCP connections) via spoofed ICMP error messages, aka the "blind connection-reset attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. MS05-019 http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txt ADV-2006-3983 http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en HPSBST02161 SSRT4884 http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 57746 HPSBTU01210 13124 SSRT061264 HPSBUX01164 MS06-064 101658 57 19 22341 18317 SSRT4743 SCOSA-2006.4 oval:org.mitre.oval:def:622 oval:org.mitre.oval:def:53 oval:org.mitre.oval:def:514 oval:org.mitre.oval:def:4804 oval:org.mitre.oval:def:412 oval:org.mitre.oval:def:3458 oval:org.mitre.oval:def:211 oval:org.mitre.oval:def:1910 oval:org.mitre.oval:def:176 oval:org.mitre.oval:def:1177 Multiple TCP/IP and ICMP implementations allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via a blind throughput-reduction attack using spoofed Source Quench packets, aka the "ICMP Source Quench attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.watersprings.org/pub/id/draft-gont-tcpm-icmp-attacks-03.txt http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 57746 oval:org.mitre.oval:def:10228 HPSBTU01210 SSRT4884 13124 FLSA:157459-2 FLSA:157459-1 HPSBUX01164 RHSA-2005:043 RHSA-2005:017 RHSA-2005:016 101658 57 19 18317 SSRT4743 SCOSA-2006.4 oval:org.mitre.oval:def:726 oval:org.mitre.oval:def:688 oval:org.mitre.oval:def:596 oval:org.mitre.oval:def:464 oval:org.mitre.oval:def:184 oval:org.mitre.oval:def:1112 Directory traversal vulnerability in the sanitize_path function in util.c for rsync 2.6.2 and earlier, when chroot is disabled, allows attackers to read or write certain files. GLSA-200408-17 DSA-538 2004-0042 SUSE-SA:2004:026 http://samba.org/rsync/#security_aug04 oval:org.mitre.oval:def:10561 20040817 LNSA-#2004-0017: rsync (Aug, 17 2004) 20040816 TSSA-2004-020-ES - rsync MDKSA-2004:083 The calendar program in bsdmainutils 6.0 through 6.0.14 does not drop root privileges when executed with the -a flag, which allows attackers to execute arbitrary commands via a calendar event file. bsdmainutils-calendar-gain-privileges(17162) 11077 20040830 Possible root compromose with bsdmainutils 6.0.x < 6.0.15 (Debian testing/unstable) Multiple signal handler race conditions in lukemftpd (aka tnftpd before 20040810) allow remote authenticated attackers to cause a denial of service or execute arbitrary code. NetBSD-SA2004-009 tnftpd-gain-access(17020) http://www.vuxml.org/freebsd/c4b025bb-f05d-11d8-9837-000c41e2cdad.html DSA-551 20040817 Multiple remote vulnerabilities in lukemftpd aka. tnftpd DB2 8.1 remote command server (DB2RCMD.EXE) executes the db2rcmdc.exe program as the db2admin administrator, which allows local users to gain privileges via the DB2REMOTECMD named pipe. db2-rcs-gain-privileges(15420) 9821 20040309 IBM DB2 Remote Command Execution Privilege Upgrade (#NISR09032004) http://www.nextgenss.com/advisories/db2rmtcmd.txt IY53894 SpamAssassin 2.5x, and 2.6x before 2.64, allows remote attackers to cause a denial of service via certain malformed messages. 10957 FLSA:2268 spamassassin-dos(16938) GLSA-200408-06 oval:org.mitre.oval:def:10413 [spamassassin-announce] 20040805 [SA-Announce] SpamAssassin 2.64 is released! http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=129337 MDKSA-2004:084 The error handling in the (1) inflate and (2) inflateBack functions in ZLib compression library 1.2.x allows local users to cause a denial of service (application crash). VU#238678 20040825 [OpenPKG-SA-2004.038] OpenPKG Security Advisory (zlib) FLSA:2043 zlib-inflate-inflateback-dos(17119) SSA:2004-278 11051 9361 9360 SUSE-SA:2004:029 1011085 GLSA-200408-26 18377 17054 11129 CLA-2004:878 CLA-2004:865 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=252253 SCOSA-2004.17 SCOSA-2006.6 MDKSA-2004:090 Buffer overflow in the _maincfgret.cgi script for Ipswitch WhatsUp Gold before 8.03 Hotfix 1 allows remote attackers to execute arbitrary code via a long instancename parameter. whatsup-maincfgret-bo(17111) http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html 20040825 Ipswitch WhatsUp Gold Remote Buffer Overflow Vulnerability 11043 The HTTP daemon in Ipswitch WhatsUp Gold 8.03 and 8.03 Hotfix 1 allows remote attackers to cause a denial of service (server crash) via a GET request containing an MS-DOS device name, as demonstrated using "prn.htm". http://www.ipswitch.com/Support/WhatsUp/patch-upgrades.html 20040916 Ipswitch WhatsUp Gold Remote Denial of Service Vulnerability whatsup-get-prn-dos(17418) Format string vulnerability in CDE Mailer (dtmail) on Solaris 8 and 9 allows local users to gain privileges via format strings in the argv[0] value. VU#928598 20040824 CDE Mailer argv[0] Format String Vulnerability dtmail-argv-format-string(17095) 11027 O-202 oval:org.mitre.oval:def:4030 Unknown vulnerability in foomatic-rip in Foomatic before 3.0.2 allows local users or remote attackers with access to CUPS to execute arbitrary commands. foomatic-command-execution(17388) 2004-0047 SUSE-SA:2004:031 12557 SCOSA-2005.12 1000757 201005 CLA-2004:880 11184 20312 SUSE-SA:2006:026 Buffer overflow in the BMP loader in imlib2 before 1.1.2 allows remote attackers to execute arbitrary code via a specially-crafted BMP image, a different vulnerability than CVE-2004-0817. imlib2-bmp-bo(17183) 11084 GLSA-200409-12 CLA-2004:870 http://www.vuxml.org/freebsd/ba005226-fb5b-11d8-9837-000c41e2cdad.html 201611 http://cvs.sourceforge.net/viewcvs.py/enlightenment/e17/libs/imlib2/ChangeLog?rev=1.20&view=markup Multiple vulnerabilities in the RLE (run length encoding) decoders for libtiff 3.6.1 and earlier, related to buffer overflows and integer overflows, allow remote attackers to execute arbitrary code via TIFF files. VU#948752 libtiff-library-decoding-bo(17703) RHSA-2004:577 DSA-567 11406 RHSA-2005:354 RHSA-2005:021 SUSE-SA:2004:038 http://www.kde.org/info/security/advisory-20041209-2.txt GLSA-200410-11 201072 101677 12818 http://scary.beasts.org/security/CESA-2004-006.txt oval:org.mitre.oval:def:8896 20041013 CESA-2004-006: libtiff CLA-2004:888 MDKSA-2005:052 MDKSA-2004:109 oval:org.mitre.oval:def:100114 Vulnerability in tif_dirread.c for libtiff allows remote attackers to cause a denial of service (application crash) via a TIFF image that causes a divide-by-zero error when the number of row bytes is zero, a different vulnerability than CVE-2005-2452. VU#555304 libtiff-dos(17755) RHSA-2004:577 RHSA-2005:354 SUSE-SA:2004:038 http://www.kde.org/info/security/advisory-20041209-2.txt DSA-567 201072 oval:org.mitre.oval:def:11711 CLA-2004:888 http://bugzilla.remotesensing.org/show_bug.cgi?id=111 RHSA-2005:021 MDKSA-2005:052 MDKSA-2004:109 101677 oval:org.mitre.oval:def:100115 Buffer overflow in layer2.c in mpg123 0.59r and possibly mpg123 0.59s allows remote attackers to execute arbitrary code via a certain (1) mp3 or (2) mp2 file. mpg123-layer2c-bo(17287) DSA-564 11121 20040916 mpg123 buffer overflow vulnerability MDKSA-2004:100 GLSA-200409-20 http://www.alighieri.org/advisories/advisory-mpg123.txt 20040907 mpg123 buffer overflow vulnerability cdrecord in the cdrtools package before 2.01, when installed setuid root, does not properly drop privileges before executing a program specified in the RSH environment variable, which allows local users to gain privileges. VU#700326 cdrecord-rsh-gain-privileges(17303) 11075 FLSA:2058 20040910 CAU-EX-2004-0002: cdrecord-suidshell.sh 1011091 12481 20040909 Bugtraq: cdrecord local root exploit oval:org.mitre.oval:def:9805 MDKSA-2004:091 19532 20060401-01-U Samba 3.0.6 and earlier allows remote attackers to cause a denial of service (infinite loop and memory exhaustion) via certain malformed requests that cause new processes to be spawned and enter an infinite loop. 2004-0046 RHSA-2004:467 20040913 Samba 3.x SMBD Remote Denial of Service Vulnerability GLSA-200409-16 20040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba) 20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808) CLA-2004:873 oval:org.mitre.oval:def:11141 The process_logon_packet function in the nmbd server for Samba 3.0.6 and earlier, when domain logons are enabled, allows remote attackers to cause a denial of service via a SAM_UAS_CHANGE request with a length value that is larger than the number of structures that are provided. 2004-0046 RHSA-2004:467 20040913 Samba nmbd Invalid Length Denial of Service Vulnerability GLSA-200409-16 20040915 [OpenPKG-SA-2004.040] OpenPKG Security Advisory (samba) 20040913 Samba 3.0 DoS Vulberabilities (CAN-2004-0807 & CAN-2004-0808) CLA-2004:873 oval:org.mitre.oval:def:10344 The mod_dav module in Apache 2.0.50 and earlier allows remote attackers to cause a denial of service (child process crash) via a certain sequence of LOCK requests for a location that allows WebDAV authoring access. apache-moddav-lock-dos(17366) 2004-0047 GLSA-200409-21 DSA-558 RHSA-2004:463 oval:org.mitre.oval:def:9588 http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/dav/fs/lock.c?r1=1.32&r2=1.33 Buffer overflow in Netopia Timbuktu 7.0.3 allows remote attackers to cause a denial of service (server process crash) via a certain data string that is sent to multiple simultaneous client connections to TCP port 407. timbuktu-multiple-connections-dos(18172) http://www.uniras.gov.uk/vuls/2004/190204/index.htm 11714 http://www.corsaire.com/advisories/c040720-001.txt 13250 20041119 Corsaire Security Advisory - Netopia Timbuktu remote buffer overflow issue Unknown vulnerability in Apache 2.0.51 prevents "the merging of the Satisfy directive," which could allow attackers to obtain access to restricted resources contrary to the specified authentication configuration. apache-satisfy-gain-access(17473) http://www.apache.org/dist/httpd/patches/apply_to_2.0.51/CAN-2004-0811.patch http://www.apacheweek.com/features/security-20 2004-0049 11239 GLSA-200409-33 FEDORA-2004-313 Unknown vulnerability in the Linux kernel before 2.4.23, on the AMD AMD64 and Intel EM64T architectures, associated with "setting up TSS limits," allows local users to cause a denial of service (crash) and possibly execute arbitrary code. 11794 RHSA-2004:549 P-047 linux-tss-gain-privilege(18346) 13359 oval:org.mitre.oval:def:11375 http://linux.bkbits.net:8080/linux-2.6/cset@3fad673ber4GuU7iWppydzNIyLntEQ Unknown vulnerability in the SG_IO functionality in ide-cd allows local users to bypass read-only access and perform unauthorized write and erase operations. linux-sgio-gain-privileges(17505) ADV-2007-3229 oval:org.mitre.oval:def:10011 http://lkml.org/lkml/2004/7/30/147 25749 RHSA-2007:0465 GLSA-200711-23 27706 26909 25894 25631 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player 20070602-01-P Multiple race conditions in the terminal layer in Linux 2.4.x, and 2.6.x before 2.6.9, allow (1) local users to obtain portions of kernel data via a TIOCSETD ioctl call to a terminal interface that is being accessed by another thread, or (2) remote attackers to cause a denial of service (panic) by switching from console to PPP line discipline, then quickly sending data that is received during the switch. linux-tiocsetd-race-condition(17816) 11492 11491 FLSA:2336 20041020 CAN-2004-0814: Linux terminal layer races oval:org.mitre.oval:def:10728 20041214 [USN-38-1] Linux kernel vulnerabilities http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=133110 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=131672 RHSA-2005:293 MDKSA-2005:022 The unix_clean_name function in Samba 2.2.x through 2.2.11, and 3.0.x before 3.0.2a, trims certain directory names down to absolute paths, which could allow remote attackers to bypass the specified share restrictions and read, write, or list arbitrary files via "/.////" style sequences in pathnames. 11281 DSA-600 20040930 Samba Security Announcement -- Potential Arbitrary File Access CLA-2004:873 FLSA:2102 samba-file-access(17556) 2004-0051 SUSE-SA:2004:035 MDKSA-2004:104 20040930 Samba Arbitrary File Access Vulnerability http://us4.samba.org/samba/news/#security_2.2.12 200529 20041005 ERRATA: Potential Arbitrary File Access (CAN-2004-0815) RHSA-2004:498 57664 101584 Integer underflow in the firewall logging rules for iptables in Linux before 2.6.8 allows remote attackers to cause a denial of service (application crash) via a malformed IP packet. linux-ip-packet-dos(17800) 11488 SUSE-SA:2004:037 11202 MDKSA-2005:022 Multiple heap-based buffer overflows in the imlib BMP image handler allow remote attackers to execute arbitrary code via a crafted BMP file. imlib-bmp-bo(17182) 11084 RHSA-2004:465 GLSA-200409-12 DSA-548 CLA-2004:870 201611 oval:org.mitre.oval:def:8843 MDKSA-2004:089 The bridge functionality in OpenBSD 3.4 and 3.5, when running a gateway configured as a bridging firewall with the link2 option for IPSec enabled, allows remote attackers to cause a denial of service (crash) via an ICMP echo (ping) packet. 20040826 028: RELIABILITY FIX: August 26, 2004 20040826 028: RELIABILITY FIX: August 26, 2004 20040825 Vulnerability: OpenBSD 3.5 Kernel Panic. Winamp before 5.0.4 allows remote attackers to execute arbitrary script in the Local computer zone via script in HTML files that are referenced from XML files contained in a .wsz skin file. winamp-wsz-execute-code(17124) http://www.frsirt.com/exploits/08252004.skinhead.php ESB-2004.0537 12381 The CFPlugIn in Core Foundation framework in Mac OS X allows user supplied libraries to be loaded, which could allow local users to gain privileges. VU#704110 ESB-2004.0559 macos-corefoundation-gain-privileges(17291) 11135 12491 O-212 APPLE-SA-0024-09-07 Buffer overflow in The Core Foundation framework (CoreFoundation.framework) in Mac OS X 10.2.8, 10.3.4, and 10.3.5 allows local users to execute arbitrary code via a certain environment variable. VU#545446 macos-corefoundation-bo(17295) 11136 APPLE-SA-2004-09-07 O-212 12491 OpenLDAP 1.0 through 2.1.19, as used in Apple Mac OS 10.3.4 and 10.3.5 and possibly other operating systems, may allow certain authentication schemes to use hashed (crypt) passwords in the userPassword attribute as if they were plaintext passwords, which allows remote attackers to re-use hashed passwords without decrypting them. openldap-crypt-gain-access(17300) 11137 APPLE-SA-2004-09-07 ESB-2004.0559 12491 oval:org.mitre.oval:def:10703 RHSA-2005:751 http://support.avaya.com/elmodocs2/security/ASA-2006-157.htm 21520 17233 PPPDialer for Mac OS X 10.2.8 through 10.3.5 allows local users to overwrite system files via a symlink attack on PPPDialer log files. macosx-pppdialer-symlink(17298) 11139 APPLE-SA-2004-09-07 ESB-2004.0559 1011175 O-212 QuickTime Streaming Server in Mac OS X Server 10.2.8, 10.3.4, and 10.3.5 allows remote attackers to cause a denial of service (application deadlock) via a certain sequence of operations. VU#914870 quicktime-dos(17294) 11138 APPLE-SA-2004-09-07 1011176 12491 O-212 20040908 Re: Apple, Apple Remote Desktop client [Multiple vulnerabilities] Heap-based buffer overflow in Netscape Network Security Services (NSS) library allows remote attackers to execute arbitrary code via a modified record length field in an SSLv2 client hello message. sslv2-client-hello-overflow(16314) 20040823 Netscape NSS Library Remote Compromise 11015 SSRT4779 Multiple buffer overflows in the ImageMagick graphics library 5.x before 5.4.4, and 6.x before 6.0.6.2, allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via malformed (1) AVI, (2) BMP, or (3) DIB files. RHSA-2004:494 RHSA-2004:480 DSA-547 imagemagick-bmp-Bo(17173) ADV-2008-0412 201006 oval:org.mitre.oval:def:11123 231321 28800 The ctstrtcasd program in RSCT 2.3.0.0 and earlier on IBM AIX 5.2 and 5.3 does not properly drop privileges before executing the -f option, which allows local users to modify or create arbitrary files. ctstrtcasd-file-overwrite(17514) 11264 1011429 12664 smbd in Samba before 2.2.11 allows remote attackers to cause a denial of service (daemon crash) by sending a FindNextPrintChangeNotify request without a previous FindFirstPrintChangeNotify, as demonstrated by the SMB client in Windows XP SP2. samba-findnextprintchangenotify-dos(17138) 20040831 Samba FindNextPrintChangeNotify() Error Lets Remote Authenticated Users Crash smbd http://samba.org/samba/history/samba-2.2.11.html 2004-0043 GLSA-200409-14 The Content Scanner Server in F-Secure Anti-Virus for Microsoft Exchange 6.21 and earlier, F-Secure Anti-Virus for Microsoft Exchange 6.01 and earlier, and F-Secure Internet Gatekeeper 6.32 and earlier allow remote attackers to cause a denial of service (service crash due to unhandled exception) via a certain malformed packet. fsecure-content-scanner-dos(17307) 11145 20040909 F-Secure Internet Gatekeeper Content Scanning Server Denial of Service Vulnerability http://www.f-secure.com/security/fsc-2004-2.shtml 20040910 F-Secure Internet Gatekeeper Content Scanning Server Denial of Service Vulnerability McAfee VirusScan 4.5.1 does not drop SYSTEM privileges before allowing users to browse for files via the "System Scan" properties of the System Tray applet, which could allow local users to gain privileges. 20040914 McAfee VirusScan Privilege Escalation Vulnerability mcafee-virusscan-gain-privileges(17367) 20040915 McAfee VirusScan Privilege Escalation Vulnerability [iDEFENSE] The (1) ntlm_fetch_string and (2) ntlm_get_string functions in Squid 2.5.6 and earlier, with NTLM authentication enabled, allow remote attackers to cause a denial of service (application crash) via an NTLMSSP packet that causes a negative value to be passed to memcpy. squid-ntlmssp-dos(17218) 2004-0047 11098 GLSA-200409-04 http://www1.uk.squid-cache.org/squid/Versions/v2/2.5/bugs/#squid-2.5.STABLE6-ntlm_fetch_string http://www.squid-cache.org/bugs/show_bug.cgi?id=1045 oval:org.mitre.oval:def:10489 MDKSA-2004:093 FLSA-2006:152809 Sendmail before 8.12.3 on Debian GNU/Linux, when using sasl and sasl-bin, uses a Sendmail configuration script with a fixed username and password, which could allow remote attackers to use Sendmail as an open mail relay and send spam messages. sendmail-mail-relay(17531) 11262 DSA-554 12667 Format string vulnerability in Speedtouch USB driver before 1.3.1 allows local users to execute arbitrary code via (1) modem_run, (2) pppoa2, or (3) pppoa3. speedtouch-format-string(17792) http://www.mail-archive.com/speedtouch@ml.free.fr/msg06688.html http://speedtouch.sourceforge.net/index.php?/news.en.html http://sourceforge.net/project/showfiles.php?group_id=32758&package_id=28264&release_id=271734 MySQL 3.x before 3.23.59, 4.x before 4.0.19, 4.1.x before 4.1.2, and 5.x before 5.0.1, checks the CREATE/INSERT rights of the original table instead of the target table in an ALTER TABLE RENAME operation, which could allow attackers to conduct unauthorized activities. mysql-alter-restriction-bypass(17666) 11357 RHSA-2004:611 RHSA-2004:597 GLSA-200410-22 DSA-562 12783 2004-0054 P-018 1011606 http://lists.mysql.com/internals/13073 CLA-2004:892 http://bugs.mysql.com/bug.php?id=3270 http://www.mysql.org/doc/refman/4.1/en/news-4-1-2.html http://www.mysql.org/doc/refman/4.1/en/news-4-0-19.html 101864 Buffer overflow in the mysql_real_connect function in MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows remote DNS servers to cause a denial of service and possibly execute arbitrary code via a DNS response with a large address length (h_length). mysql-realconnect-bo(17047) RHSA-2004:611 RHSA-2004:597 DSA-562 2004-0054 10981 GLSA-200410-22 P-018 12305 20041125 [USN-32-1] mysql vulnerabilities http://lists.mysql.com/internals/14726 CLA-2004:892 http://bugs.mysql.com/bug.php?id=4017 MySQL 4.x before 4.0.21, and 3.x before 3.23.49, allows attackers to cause a denial of service (crash or hang) via multiple threads that simultaneously alter MERGE table UNIONs. mysql-union-dos(17667) RHSA-2004:597 DSA-562 2004-0054 11357 RHSA-2004:611 GLSA-200410-22 1011606 12783 http://mysql.bkbits.net:8080/mysql-3.23/diffs/myisammrg/myrg_open.c@1.15 http://lists.mysql.com/internals/16174 http://lists.mysql.com/internals/16173 http://lists.mysql.com/internals/16168 http://bugs.mysql.com/2408 P-018 101864 20041125 [USN-32-1] mysql vulnerabilities CLA-2004:892 Lexar Safe Guard for JumpDrive Secure 1.0 stores the password insecurely in memory using XOR encryption, which allows local users to read the password directly from the device and access the password protected part of the drive. jumpdrive-safeguard-obtain-password(17342) 11162 A091304-1 12522 Internet Explorer in Windows XP SP2, and other versions including 5.01 and 5.5, allows remote attackers to install arbitrary programs via a web page that uses certain styles and the AnchorClick behavior, popup windows, and drag-and-drop capabilities to drop the program in the local startup folder, as demonstrated by "wottapoop.html". TA04-293A VU#526089 ie-dragdrop-code-execution(17044) 10973 MS04-038 20040818 What A Drag II XP SP2 20040824 What A Drag! -revisited- 20040818 What A Drag II XP SP2 oval:org.mitre.oval:def:7721 oval:org.mitre.oval:def:6272 oval:org.mitre.oval:def:4152 oval:org.mitre.oval:def:3773 oval:org.mitre.oval:def:2073 oval:org.mitre.oval:def:1563 The SMTP (Simple Mail Transfer Protocol) component of Microsoft Windows XP 64-bit Edition, Windows Server 2003, Windows Server 2003 64-bit Edition, and the Exchange Routing Engine component of Exchange Server 2003, allows remote attackers to execute arbitrary code via a malicious DNS response message containing length values that are not properly validated. VU#394792 win-ms04035-patch(17660) win2k3-smtp-execute-code(17621) MS04-035 11374 oval:org.mitre.oval:def:5509 oval:org.mitre.oval:def:3460 oval:org.mitre.oval:def:2300 Internet Explorer 6.x allows remote attackers to install arbitrary programs via mousedown events that call the Popup.show method and use drag-and-drop actions in a popup window, aka "HijackClick 3" and the "Script in Image Tag File Download Vulnerability." TA04-293A VU#413886 ie-popupshow-perform-actions(16675) 10690 20040711 HijackClick 3 MS04-038 20040712 Re: HijackClick 3 20040712 Brand New Hole: Internet Explorer: HijackClick 3 7774 1010679 12048 oval:org.mitre.oval:def:8077 oval:org.mitre.oval:def:6048 oval:org.mitre.oval:def:6031 oval:org.mitre.oval:def:5620 oval:org.mitre.oval:def:4363 oval:org.mitre.oval:def:2611 Internet Explorer 6.0 SP1 and earlier, and possibly other versions, allows remote attackers to cause a denial of service (application crash from "memory corruption") via certain malformed Cascading Style Sheet (CSS) elements that trigger heap-based buffer overflows, as demonstrated using the "<STYLE>@;/*" string, possibly due to a missing comment terminator that may cause an invalid length to trigger a large memory copy operation, aka the "CSS Heap Memory Corruption Vulnerability." TA04-293A VU#291304 10816 http://www.securiteam.com/exploits/5NP042KF5A.html MS04-038 http://www.ecqurity.com/adv/IEstyle.html 20040728 Re: Crash IE with 11 bytes ;) ie-popupshow-perform-actions(16675) P-006 12806 20040728 Re: Crash IE with 11 bytes ;) 20040723 Crash IE with 11 bytes ;) oval:org.mitre.oval:def:6579 oval:org.mitre.oval:def:5592 oval:org.mitre.oval:def:4169 oval:org.mitre.oval:def:3372 oval:org.mitre.oval:def:2906 Internet Explorer 5.5 and 6 does not properly handle plug-in navigation, which allows remote attackers to alter displayed address bars and thereby spoof web pages, facilitating phishing attacks, aka the "Plug-in Navigation Address Bar Spoofing Vulnerability." TA04-293A VU#625616 ie-plugin-address-spoofing(17655) ie-ms04038-patch(17651) MS04-038 oval:org.mitre.oval:def:7194 oval:org.mitre.oval:def:7095 oval:org.mitre.oval:def:6313 oval:org.mitre.oval:def:3949 oval:org.mitre.oval:def:2537 oval:org.mitre.oval:def:2487 Internet Explorer 6 on Double Byte Character Set (DBCS) systems allows remote attackers to alter displayed address bars and spoof web pages via a URL containing special characters, facilitating phishing attacks, aka the "Address Bar Spoofing on Double Byte Character Set Systems Vulnerability." TA04-293A VU#431576 ie-dbcs-obtain-information(17652) ie-ms04038-patch(17651) MS04-038 20041128 Address Bar Spoofing on Double Byte Character Set Locale Vulnerability (CAN-2004-0844) Patched in MS04-038 20041128 Address Bar Spoofing on Double Byte Character Set Locale Vulnerability (CAN-2004-0844) Patched in MS04-038 oval:org.mitre.oval:def:8127 oval:org.mitre.oval:def:2448 Internet Explorer 5.01, 5.5, and 6 does not properly cache SSL content, which allows remote attackers to obtain information or spoof content via a web site with the same host name as the target web site, whose content is cached and reused when the user visits the target web site. TA04-293A VU#795720 ie-cache-ssl-obtain-information(17654) MS04-038 20041013 ACROS Security: Poisoning Cached HTTPS Documents in Internet Explorer ie-ms04038-patch(17651) http://www.acrossecurity.com/aspr/ASPR-2004-10-13-1-PUB.txt oval:org.mitre.oval:def:7611 oval:org.mitre.oval:def:5740 oval:org.mitre.oval:def:5520 oval:org.mitre.oval:def:5150 oval:org.mitre.oval:def:3872 oval:org.mitre.oval:def:2219 Unknown vulnerability in Microsoft Excel 2000, 2002, 2001 for Mac, and v.X for Mac allows remote attackers to execute arbitrary code via a malicious file containing certain parameters that are not properly validated. VU#274496 excel-execute-code(17653) MS04-033 excel-ms04033-patch(17683) P-009 12800 20041013 Buffer Overflow In Microsoft Excel oval:org.mitre.oval:def:4226 oval:org.mitre.oval:def:2673 The Microsoft .NET forms authentication capability for ASP.NET allows remote attackers to bypass authentication for .aspx files in restricted directories via a request containing a (1) "\" (backslash) or (2) "%5C" (encoded backslash), aka "Path Validation Vulnerability." TA05-039A VU#283646 windows-forms-security-bypass(17644) MS05-004 20040914 Security bug in .NET Forms Authentication 11342 http://sourceforge.net/mailarchive/forum.php?thread_id=5671607&forum_id=24754 oval:org.mitre.oval:def:4987 oval:org.mitre.oval:def:3556 Buffer overflow in Microsoft Office XP allows remote attackers to execute arbitrary code via a link with a URL file location containing long inputs after (1) "%00 (null byte) in .doc filenames or (2) "%0a" (carriage return) in .rtf filenames. TA05-039A VU#416001 ms-url-bo(19107) MS05-005 oval:org.mitre.oval:def:4022 oval:org.mitre.oval:def:2738 oval:org.mitre.oval:def:2348 Integer overflow in the asn_decode_string() function defined in asn1.c in radiusd for GNU Radius 1.1 and 1.2 before 1.2.94, when compiled with the --enable-snmp option, allows remote attackers to cause a denial of service (daemon crash) via certain SNMP requests. radius-asndecodestring-bo(17391) 20040915 GNU Radius SNMP String Length Integer Overflow Denial of Service Vulnerability [Info-gnu-radius] 20040915 GNU Radius 1.2.94. Star before 1.5_alpha46 does not drop the effective user ID (euid) before calling external programs, which could allow local users to gain privileges by modifying the RSH environment variable to reference a malicious program. VU#339089 star-ssh-gain-privileges(17297) 11141 GLSA-200409-11 1011195 The (1) write_list and (2) dump_curr_list functions in Net-Acct before 0.71 allows local users to overwrite arbitrary files via a symlink attack on temporary files. net-acct-tmp-symlink(17283) 11125 DSA-559 12476 20040908 Insecure Temporary File Creation Vulnerability in Net-Acct http://exorsus.net/projects/net-acct/net-acct-notempfiles.patch Buffer overflow in htget 0.93 allows remote attackers to execute arbitrary code via a crafted URL. htget-bo(18603) DSA-611 13579 Internet Explorer 6.0 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. 11186 web-browser-session-hijack(17415) 1011332 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities Mozilla Firefox 0.9.2 allows web sites to set cookies for country-specific top-level domains, such as .ltd.uk, .plc.uk, and .sch.uk, which could allow remote attackers to perform a session fixation attack and hijack a user's HTTP session. NOTE: it was later reported that 2.x is also affected. https://bugzilla.mozilla.org/show_bug.cgi?id=252342 web-browser-session-hijack(17415) 11186 1011331 12580 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities http://kuza55.blogspot.com/2008/02/understanding-cookie-security.html ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0866. Reason: This candidate is a duplicate of CVE-2004-0866. Notes: The description for CVE-2004-0866 was inadvertently attached to this issue instead. All CVE users should reference CVE-2004-0866 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Internet Explorer does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities web-browser-cookie-session-hijack(17417) 1011332 KDE Konqueror does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities web-browser-cookie-session-hijack(17417) 1011330 Mozilla does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities web-browser-cookie-session-hijack(17417) 1011331 Opera does not prevent cookies that are sent over an insecure channel (HTTP) from also being sent over a secure channel (HTTPS/SSL) in the same domain, which could allow remote attackers to steal cookies and conduct unauthorized activities, aka "Cross Security Boundary Cookie Injection." http://www.westpoint.ltd.uk/advisories/wp-04-0001.txt 20040916 wp-04-0001: Multiple Browser Cookie Injection Vulnerabilities web-browser-cookie-session-hijack(17417) 1011329 Apple iChat AV 2.1, AV 2.0, and 1.0.1 allows remote attackers to execute arbitrary programs via a "link" that references the program. ichatav-link-app-execute(17420) APPLE-SA-2004-09-16 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1123. Reason: This candidate is a reservation duplicate of CVE-2004-1123. Notes: All CVE users should reference CVE-2004-1123 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple cross-site scripting (XSS) vulnerabilities in Phpgroupware (aka webdistro) 0.9.16.002 and earlier allow remote attackers to insert arbitrary HTML or web script, as demonstrated with a request to the wiki module. phpgroupware-xss(17289) GLSA-200409-22 http://downloads.phpgroupware.org/changelog getmail 4.x before 4.2.0, when run as root, allows local users to overwrite arbitrary files via a symlink attack on an mbox file. 20040919 Local root compromise possible with getmail getmail-mbox-race-condition(17437) http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG DSA-553 GLSA-200409-32 getmail 4.x before 4.2.0, and other versions before 3.2.5, when run as root, allows local users to write files in arbitrary directories via a symlink attack on subdirectories in the maildir. 20040919 Local root compromise possible with getmail getmail-maildir-race-condition(17439) http://www.qcc.ca/~charlesc/software/getmail-4/CHANGELOG DSA-553 GLSA-200409-32 Buffer overflow in the QFILEPATHINFO request handler in Samba 3.0.x through 3.0.7 may allow remote attackers to execute arbitrary code via a TRANSACT2_QFILEPATHINFO request with a small "maximum data bytes" value. VU#457622 2004-0058 samba-qfilepathinfo-bo(18070) 11782 SUSE-SA:2004:040 P-038 1012235 http://security.e-matters.de/advisories/132004.html 13189 oval:org.mitre.oval:def:9969 APPLE-SA-2005-03-21 20041201-01-P SCOSA-2005.17 20041217 [OpenPKG-SA-2004.054] OpenPKG Security Advisory (samba) 20041115 [SAMBA] CAN-2004-0882: Possiebl Buffer Overrun in smbd 20041115 Advisory 13/2004: Samba 3.x QFILEPATHINFO unicode filename buffer overflow CLA-2004:899 Multiple vulnerabilities in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 allow remote samba servers to cause a denial of service (crash) or gain sensitive information from kernel memory via a samba server (1) returning more data than requested to the smb_proc_read function, (2) returning a data offset from outside the samba packet to the smb_proc_readX function, (3) sending a certain TRANS2 fragmented packet to the smb_receive_trans2 function, (4) sending a samba packet with a certain header size to the smb_proc_readX_data function, or (5) sending a certain packet based offset for the data in a packet to the smb_receive_trans2 function. VU#726198 11695 RHSA-2004:537 FLSA:2336 linux-smbreceivetrans2-dos(18136) linux-smbprocreadxdata-dos(18135) linux-smb-response-dos(18134) http://security.e-matters.de/advisories/142004.html 13232 oval:org.mitre.oval:def:10330 20041118 [USN-30-1] Linux kernel vulnerabilities RHSA-2004:505 RHSA-2004:504 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities The (1) libsasl and (2) libsasl2 libraries in Cyrus-SASL 2.1.18 and earlier trust the SASL_PATH environment variable to find all available SASL plug-ins, which allows local users to execute arbitrary code by modifying the SASL_PATH to point to malicious programs. 11347 DSA-563 FLSA:2137 cyrus-sasl-saslpath(17643) 2004-0053 GLSA-200410-05 DSA-568 P-003 RHSA-2004:546 oval:org.mitre.oval:def:11678 APPLE-SA-2005-03-21 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=134657 MDKSA-2004:106 20050128 [OpenPKG-SA-2005.004] OpenPKG Security Advisory (sasl) The mod_ssl module in Apache 2.0.35 through 2.0.52, when using the "SSLCipherSuite" directive in directory or location context, allows remote clients to bypass intended restrictions by using any cipher suite that is allowed by the virtual host configuration. apache-sslciphersuite-restriction-bypass(17671) RHSA-2004:600 HPSBUX01123 ADV-2006-0789 http://www.apacheweek.com/features/security-20 oval:org.mitre.oval:def:10384 http://issues.apache.org/bugzilla/show_bug.cgi?id=31505 USN-177-1 11360 RHSA-2008:0261 RHSA-2005:816 RHSA-2004:562 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 102198 19072 20041015 [OpenPKG-SA-2004.044] OpenPKG Security Advisory (modssl) APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 Multiple integer overflows in libtiff 3.6.1 and earlier allow remote attackers to cause a denial of service (crash or memory corruption) via TIFF images that lead to incorrect malloc calls. VU#687568 11406 RHSA-2004:577 libtiff-bo(17715) 2004-0054 RHSA-2005:354 SUSE-SA:2004:038 http://www.kde.org/info/security/advisory-20041209-2.txt DSA-567 P-015 201072 1011674 12818 oval:org.mitre.oval:def:9907 RHSA-2005:021 MDKSA-2005:052 MDKSA-2004:109 101677 OpenPKG-SA-2004.043 CLA-2004:888 oval:org.mitre.oval:def:100116 SUSE Linux Enterprise Server 9 on the S/390 platform does not properly handle a certain privileged instruction, which allows local users to gain root privileges. 11489 linux-instruction-gain-privileges(17801) SUSE-SA:2004:037 DSA-1018 19369 Multiple integer overflows in xpdf 2.0 and 3.0, and other packages that use xpdf code such as CUPS, gpdf, and kdegraphics, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0889. 11501 RHSA-2004:543 FLSA:2353 xpdf-pdf-bo(17818) RHSA-2005:354 RHSA-2005:066 RHSA-2004:592 GLSA-200410-30 GLSA-200410-20 DSA-599 DSA-581 DSA-573 oval:org.mitre.oval:def:9714 MDKSA-2004:116 MDKSA-2004:115 MDKSA-2004:114 MDKSA-2004:113 FLSA:2352 USN-9-1 SUSE-SA:2004:039 CLA-2004:886 Multiple integer overflows in xpdf 3.0, and other packages that use xpdf code such as CUPS, allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, a different set of vulnerabilities than those identified by CVE-2004-0888. GLSA-200410-20 xpdf-pdf-file-bo(17819) GLSA-200410-30 11501 MDKSA-2004:113 SUSE-SA:2004:039 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reasons: This candidate is a reservation duplicate of another candidate. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in the MSN protocol handler for gaim 0.79 to 1.0.1 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an "unexpected sequence of MSNSLP messages" that results in an unbounded copy operation that writes to the wrong buffer. FLSA:2188 gaim-file-transfer-dos(17790) gaim-msn-slp-dos(17787) gaim-msn-slp-bo(17786) RHSA-2004:604 GLSA-200410-23 oval:org.mitre.oval:def:11790 http://gaim.sourceforge.net/security/?id=9 USN-8-1 Microsoft Proxy Server 2.0 and Microsoft ISA Server 2000 (which is included in Small Business Server 2000 and Small Business Server 2003 Premium Edition) allows remote attackers to spoof trusted Internet content on a specially crafted webpage via spoofed reverse DNS lookup results. 11605 MS04-039 isa-cache-reverse-spoof(17906) oval:org.mitre.oval:def:4859 oval:org.mitre.oval:def:4264 The Local Procedure Call (LPC) interface of the Windows Kernel for Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 does not properly validate the lengths of messages sent to the LPC port, which allows local users to gain privileges, aka "Windows Kernel Vulnerability." MS04-044 win-kernel-lpc-gain-privileges(18339) oval:org.mitre.oval:def:450 oval:org.mitre.oval:def:4458 oval:org.mitre.oval:def:4021 oval:org.mitre.oval:def:2008 oval:org.mitre.oval:def:1886 oval:org.mitre.oval:def:1581 oval:org.mitre.oval:def:1561 oval:org.mitre.oval:def:1321 LSASS (Local Security Authority Subsystem Service) of Windows 2000 Server and Windows Server 2003 does not properly validate connection information, which allows local users to gain privileges via a specially-designed program. MS04-044 win-lsass-gain-privileges(18340) oval:org.mitre.oval:def:778 oval:org.mitre.oval:def:4368 oval:org.mitre.oval:def:3325 oval:org.mitre.oval:def:3312 oval:org.mitre.oval:def:2062 oval:org.mitre.oval:def:1888 The Indexing Service for Microsoft Windows XP and Server 2003 does not properly validate the length of a message, which allows remote attackers to execute arbitrary code via a buffer overflow attack. VU#657118 MS05-003 P-095 12228 1012833 13802 oval:org.mitre.oval:def:2447 oval:org.mitre.oval:def:2128 The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service (application crash) via a malformed DHCP message, aka "Logging Vulnerability." MS04-042 winnt-dhcp-machinename-dos(18341) oval:org.mitre.oval:def:4282 oval:org.mitre.oval:def:2280 The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages, which allows remote attackers to execute arbitrary code via a malformed DHCP message, aka the "DHCP Request Vulnerability." MS04-042 winnt-dhcp-hardwareaddress-code-execution(18342) oval:org.mitre.oval:def:4846 oval:org.mitre.oval:def:3577 Microsoft Word for Windows 6.0 Converter (MSWRD632.WPC), as used in WordPad, does not properly validate certain data lengths, which allows remote attackers to execute arbitrary code via a .wri, .rtf, and .doc file sent by email or malicious web site, aka "Font Conversion Vulnerability," a different vulnerability than CVE-2004-0571. MS04-041 win-converter-font-code-execution(18338) P-055 20041214 Microsoft Word 6.0/95 Document Converter Buffer Overflow Vulnerability oval:org.mitre.oval:def:539 oval:org.mitre.oval:def:4749 oval:org.mitre.oval:def:4576 oval:org.mitre.oval:def:4076 oval:org.mitre.oval:def:3882 oval:org.mitre.oval:def:3310 oval:org.mitre.oval:def:1655 oval:org.mitre.oval:def:1241 Multiple heap-based buffer overflows in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to cause a denial of service (application crash) or execute arbitrary code via (1) the "Send page" functionality, (2) certain responses from a malicious POP3 server, or (3) a link containing a non-ASCII hostname. TA04-261A mozilla-nspop3protocol-bo(17379) mozilla-netscape-nonascii-bo(17378) SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 GLSA-200409-26 oval:org.mitre.oval:def:11201 FLSA:2089 SSRT4826 http://bugzilla.mozilla.org/show_bug.cgi?id=258005 http://bugzilla.mozilla.org/show_bug.cgi?id=256316 http://bugzilla.mozilla.org/show_bug.cgi?id=245066 http://bugzilla.mozilla.org/show_bug.cgi?id=226669 Stack-based buffer overflow in the writeGroup function in nsVCardObj.cpp for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to execute arbitrary code via malformed VCard attachments that are not properly handled when previewing a message. TA04-261A VU#414240 mozilla-netscape-nsvcardobj-bo(17380) 11174 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 GLSA-200409-26 oval:org.mitre.oval:def:10873 FLSA:2089 SSRT4826 http://bugzilla.mozilla.org/show_bug.cgi?id=257314 Integer overflow in the bitmap (BMP) decoder for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allow remote attackers to execute arbitrary code via wide bitmap files that trigger heap-based buffer overflows. TA04-261A VU#847200 mozilla-netscape-bmp-bo(17381) 11171 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 GLSA-200409-26 oval:org.mitre.oval:def:10952 FLSA:2089 SSRT4826 http://bugzilla.mozilla.org/show_bug.cgi?id=255067 Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows remote attackers to perform cross-domain scripting and possibly execute arbitrary code by convincing a user to drag and drop javascript: links to a frame or page in another domain. TA04-261A VU#651928 mozilla-netscape-sameorigin-bypass(17374) 11177 SUSE-SA:2004:036 GLSA-200409-26 http://bugzilla.mozilla.org/show_bug.cgi?id=250862 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 oval:org.mitre.oval:def:10378 FLSA:2089 SSRT4826 The XPInstall installer in Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 sets insecure permissions for certain installed files within xpi packages, which could allow local users to overwrite arbitrary files or execute arbitrary code. VU#653160 http://bugzilla.mozilla.org/show_bug.cgi?id=235781 http://bugzilla.mozilla.org/show_bug.cgi?id=231083 mozilla-insecure-file-permissions(17375) 11192 RHSA-2005:323 SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 GLSA-200409-26 12526 oval:org.mitre.oval:def:11668 The Linux install .tar.gz archives for Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8, create certain files with insecure permissions, which could allow local users to overwrite those files and execute arbitrary code. http://bugzilla.mozilla.org/show_bug.cgi?id=254303 mozilla-tar-insecure-permissions(17373) http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 GLSA-200409-26 Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 allows untrusted Javascript code to read and write to the clipboard, and possibly obtain sensitive information, via script-generated events such as Ctrl-Ins. VU#460528 11179 SUSE-SA:2004:036 FLSA:2089 http://bugzilla.mozilla.org/show_bug.cgi?id=257523 mozilla-shortcut-clipboard-access(17376) http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 GLSA-200409-26 12526 oval:org.mitre.oval:def:9745 SSRT4826 Mozilla Firefox before the Preview Release, Mozilla before 1.7.3, and Thunderbird before 0.8 may allow remote attackers to trick users into performing unexpected actions, including installing software, via signed scripts that request enhanced abilities using the enablePrivilege parameter, then modify the meaning of certain security-relevant dialog messages. VU#113192 mozilla-enableprivilege-modify-dialog(17377) SUSE-SA:2004:036 http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3 GLSA-200409-26 12526 SSRT4826 http://bugzilla.mozilla.org/show_bug.cgi?id=253942 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0815. Reason: This candidate is a reservation duplicate of CVE-2004-0815. Notes: All CVE users should reference CVE-2004-0815 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. telnetd for netkit 0.17 and earlier, and possibly other versions, on Debian GNU/Linux allows remote attackers to cause a denial of service (free of an invalid pointer), a different vulnerability than CVE-2001-0554. telnetd-netkit-bo(17540) 20040918 Debian netkit telnetd vulnerability DSA-556 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=273694 Unknown vulnerability in ecartis 0.x before 0.129a+1.0.0-snap20020514-1.3 and 1.x before 1.0.0+cvs.20030911-8 allows attackers in the same domain to gain administrator privileges and modify configuration. 11487 DSA-572 ESB-2004.0669 ecartis-gain-privileges(17809) 12918 Multiple vulnerabilities in libXpm for 6.8.1 and earlier, as used in XFree86 and other packages, include (1) multiple integer overflows, (2) out-of-bounds memory accesses, (3) directory traversal, (4) shell metacharacter, (5) endless loops, and (6) memory leaks, which could allow remote attackers to obtain sensitive information, cause a denial of service (application crash), or execute arbitrary code via a certain XPM image file. NOTE: it is highly likely that this candidate will be SPLIT into other candidates in the future, per CVE's content decisions. 11694 GLSA-200411-28 DSA-607 libxpm-dos(18147) libxpm-directory-traversal(18146): libxpm-command-execution(18145): libxpm-improper-memory-access(18144): libxpm-image-bo(18142): HPSBTU01228 http://www.x.org/pub/X11R6.8.1/patches/README.xorg-681-CAN-2004-0914.patch USN-83-2 USN-83-1 RHSA-2005:004 RHSA-2004:610 FLSA-2006:152803 MDKSA-2004:137 FEDORA-2004-433 GLSA-200502-07 GLSA-200502-06 13224 RHSA-2004:537 oval:org.mitre.oval:def:9943 Multiple unknown vulnerabilities in viewcvs before 0.9.2, when exporting a repository as a tar archive, does not properly implement the hide_cvsroot and forbidden settings, which could allow remote attackers to gain sensitive information. DSA-605 viewcvs-repository-weak-security(18369) Directory traversal vulnerability in cabextract before 1.1 allows remote attackers to overwrite arbitrary files via a cabinet file containing .. (dot dot) sequences in a filename. DSA-574 12882 cabextract-directory-traversal(17766) 11460 http://www.kyz.uklinux.net/cabextract.php#changes The default installation of Vignette Application Portal installs the diagnostic utility without authentication requirements, which allows remote attackers to gain sensitive information, such as server and OS version, and conduct unauthorized activities via an HTTP request to /diag. vignette-diagnostic-obtain-info(17530) 11267 A092804-1 1011447 The asn_parse_header function (asn1.c) in the SNMP module for Squid Web Proxy Cache before 2.4.STABLE7 allows remote attackers to cause a denial of service (server restart) via certain SNMP packets with negative length fields that trigger a memory allocation error. 11385 RHSA-2004:591 FEDORA-2008-6045 squid-snmp-asnparseheader-dos(17688) ADV-2008-1969 http://www.squid-cache.org/Advisories/SQUID-2008_1.txt http://www.squid-cache.org/Advisories/SQUID-2004_3.txt 20041011 Squid Web Proxy Cache Remote Denial of Service Vulnerability GLSA-200410-15 30967 30914 oval:org.mitre.oval:def:10931 OpenPKG-SA-2004.048 SUSE-SR:2008:014 SCOSA-2005.16 The syscons CONS_SCRSHOT ioctl in FreeBSD 5.x allows local users to read arbitrary kernel memory via (1) negative coordinates or (2) large coordinates. VU#969078 11321 12722 FreeBSD-SA-04:15 syscons-consscrshot-info-disclosure(17584) Symantec Norton AntiVirus 2004, and earlier versions, allows a virus or other malicious code to avoid detection or cause a denial of service (application crash) using a filename containing an MS-DOS device name. nav-antivirus-security-bypass(17603) http://www.seifried.org/security/advisories/kssa-010.html 20041005 Symantec Norton AntiVirus Reserved Device Name Handling Vulnerability AFP Server on Mac OS X 10.3.x to 10.3.5, when a guest has mounted an AFP volume, allows the guest to "terminate authenticated user mounts" via modified SessionDestroy packets. 11322 APPLE-SA-2004-09-30 AFP Server on Mac OS X 10.3.x to 10.3.5, under certain conditions, does not properly set the guest group ID, which causes AFP to change a write-only AFP Drop Box to be read-write when the Drop Box is on a share that is mounted by a guest, which allows attackers to read the Drop Box. 11322 APPLE-SA-2004-09-30 CUPS 1.1.20 and earlier records authentication information for a device URI in the error_log file, which allows local users to obtain user names and passwords. VU#557062 11324 RHSA-2004:543 cups-password-disclosure(17593) DSA-566 P-002 oval:org.mitre.oval:def:10710 APPLE-SA-2004-09-30 MDKSA-2004:116 NetInfo Manager on Mac OS X 10.3.x through 10.3.5, after an initial root login, reports the root account as being disabled, even when it has not. APPLE-SA-2004-09-30 11322 Postfix on Mac OS X 10.3.x through 10.3.5, with SMTPD AUTH enabled, does not properly clear the username between authentication attempts, which allows users with the longest username to prevent other valid users from being able to authenticate. APPLE-SA-2004-09-30 Heap-based buffer overflow in Apple QuickTime on Mac OS 10.2.8 through 10.3.5 may allow remote attackers to execute arbitrary code via a certain BMP image. 11322 APPLE-SA-2004-09-30 APPLE-SA-2004-10-27 ServerAdmin in Mac OS X 10.2.8 through 10.3.5 uses the same example self-signed certificate on each system, which allows remote attackers to decrypt sessions. APPLE-SA-2004-09-30 11322 The Microsoft IIS Connector in JRun 4.0 and Macromedia ColdFusion MX 6.0, 6.1, and 6.1 J2EE allows remote attackers to bypass authentication and view source files, such as .asp, .pl, and .php files, via an HTTP request that ends in ";.cfm". VU#977440 coldfusion-jrun-restriction-bypass(17484) 11245 http://www.macromedia.com/devnet/security/security_zone/mpsb04-09.html http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html 20041005 ColdFusion MX 6.1 on IIS File Contents Disclosure 12647 12638 20040923 New Macromedia Security Zone Bulletins Posted Heap-based buffer overflow in the OJPEGVSetField function in tif_ojpeg.c for libtiff 3.6.1 and earlier, when compiled with the OJPEG_SUPPORT (old JPEG support) option, allows remote attackers to execute arbitrary code via a malformed TIFF image. VU#129910 20041022 Novell SuSe Linux LibTIFF Heap Overflow Vulnerability libtiff-ojpegvsetfield-bo(17843) SUSE-SA:2004:038 The ms_fnmatch function in Samba 3.0.4 and 3.0.7 and possibly other versions allows remote authenticated users to cause a denial of service (CPU consumption) via a SAMBA request that contains multiple * (wildcard) characters. 11624 20041108 Samba SMBD Remote Denial of Service Vulnerability samba-msfnmatch-dos(17987) SUSE-SA:2004:040 GLSA 200411-21 oval:org.mitre.oval:def:10936 APPLE-SA-2005-03-21 20041201-01-P SCOSA-2005.17 MDKSA-2004:131 101783 OpenPKG-SA-2004.054 USN-22-1 20041108 [SECURITY] CAN-2004-0930: Potential Remote Denial of Service Vulnerability CLA-2004:899 MySQL MaxDB before 7.5.00.18 allows remote attackers to cause a denial of service (crash) via an HTTP request to webdbm with high ASCII values in the Server field, which triggers an assert error in the IsAscii7 function. 11346 12756 maxdb-isascii7dos(17633) 10532 20041006 MySQL MaxDB Web Agent WebDBMServer Name Denial of Service Vulnerability McAfee Anti-Virus Engine DATS drivers before 4398 released on Oct 13th 2004 and DATS Driver before 4397 October 6th 2004 allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. 11448 antivirus-zip-protection-bypass(17761) 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability Computer Associates (CA) InoculateIT 6.0, eTrust Antivirus r6.0 through r7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, EZ-Armor 2.0 through 2.4, and EZ-Antivirus 6.1 through 6.3 allow remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. 11448 antivirus-zip-protection-bypass(17761) 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability http://supportconnectw.ca.com/public/ca_common_docs/arclib_vuln.asp Kaspersky 3.x to 4.x allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. VU#968818 11448 antivirus-zip-protection-bypass(17761) 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability Eset Anti-Virus before 1.020 (16th September 2004) allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. VU#968818 11448 antivirus-zip-protection-bypass(17761) 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability RAV antivirus allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. VU#968818 11448 antivirus-zip-protection-bypass(17761) 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability Sophos Anti-Virus before 3.87.0, and Sophos Anti-Virus for Windows 95, 98, and Me before 3.88.0, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. VU#968818 11448 antivirus-zip-protection-bypass(17761) 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (server crash) by sending an Ascend-Send-Secret attribute without the required leading packet. VU#541574 freeradius-dos(17440) 11222 10178 GLSA-200409-29 oval:org.mitre.oval:def:10837 oval:org.mitre.oval:def:1347 changepassword.cgi in Neoteris Instant Virtual Extranet (IVE) 3.x and 4.x, with LDAP authentication or NT domain authentication enabled, does not limit the number of times a bad password can be entered, which allows remote attackers to guess passwords via a brute force attack. 20041006 [GoSecure Advisory] Neoteris IVE Vulnerability juniper-netscreen-password-bruteforce(17629) http://www.gosecure.ca/SecInfo/gosecure-2004-10.txt 1011552 8365 12752 Buffer overflow in the get_tag function in mod_include for Apache 1.3.x to 1.3.32 allows local users who can create SSI documents to execute arbitrary code as the apache user via SSI (XSSI) documents that trigger a length calculation error. 11471 OpenPKG-SA-2004.047 apache-modinclude-bo(17785) ADV-2006-0789 RHSA-2005:816 RHSA-2004:600 MDKSA-2004:134 DSA-594 http://www.apacheweek.com/features/security-13 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 102197 1011783 19073 12898 Multiple buffer overflows in the gd graphics library (libgd) 2.0.21 and earlier may allow remote attackers to execute arbitrary code via malformed image files that trigger the overflows due to improper calls to the gdMalloc function, a different set of vulnerabilities than CVE-2004-0990. 2004-0058 11663 13179 USN-25-1 oval:org.mitre.oval:def:11176 gd-graphics-gdmalloc-bo(18048) USN-33-1 RHSA-2006:0194 RHSA-2004:638 MDKSA-2006:122 MDKSA-2006:114 MDKSA-2006:113 DSA-601 P-071 21050 20824 18686 oval:org.mitre.oval:def:1195 Apache webserver 2.0.52 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request with a MIME header containing multiple lines with a large number of space characters. apache-http-get-dos(17930) HPSBUX01123 ADV-2006-0789 2004-0061 oval:org.mitre.oval:def:10962 SSRT4876 20041101 DoS in Apache 2.0.52 ? RHSA-2004:562 MDKSA-2004:135 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 102198 19072 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 generates easily predictable web session IDs, which allows remote attackers to hijack other sessions via the parentsessionid cookie. http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=en http://www.mitel.com/DocController?documentId=14223 http://www.corsaire.com/advisories/c040817-002.txt The web management interface for Mitel 3300 Integrated Communications Platform (ICP) before 4.2.2.11 allows remote authenticated users to cause a denial of service (resource exhaustion) via a large number of active sessions, which exceeds ICP's maximum. http://www.niscc.gov.uk/niscc/docs/re-20050228-00178.pdf?lang=en http://www.mitel.com/DocController?documentId=14223 http://www.corsaire.com/advisories/c040817-003.txt rquotad in nfs-utils (rquota_server.c) before 1.0.6-r6 on 64-bit architectures does not properly perform an integer conversion, which leads to a stack-based buffer overflow and allows remote attackers to execute arbitrary code via a crafted NFS request. VU#698302 11911 RHSA-2004:583 GLSA-200412-08 nfsutils-getquotainfo-bo(18455) RHSA-2005:014 13440 oval:org.mitre.oval:def:10464 http://bugs.gentoo.org/show_bug.cgi?id=72113 FLSA-2006:138098 MDKSA-2005:005 Buffer overflow in unarj before 2.63a-r2 allows remote attackers to execute arbitrary code via an arj archive that contains long filenames. 11665 GLSA-200411-29 unarj-longfilename-bo(18044) RHSA-2005:007 DSA-652 FLSA:2272 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. It was a duplicate assignment before public disclosure. Notes: none. The smb_recv_trans2 function call in the samba filesystem (smbfs) in Linux kernel 2.4 and 2.6 does not properly handle the re-assembly of fragmented packets correctly, which could allow remote samba servers to (1) read arbitrary kernel information or (2) raise a counter value to an arbitrary number by sending the first part of the fragmented packet multiple times. 11695 RHSA-2004:537 FLSA:2336 linux-smbrecvtrans2-memory-leak(18137) 2004-0061 http://security.e-matters.de/advisories/142004.html 13232 oval:org.mitre.oval:def:10360 20041117 Advisory 14/2004: Linux 2.x smbfs multiple remote vulnerabilities RHSA-2004:505 RHSA-2004:504 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 USN-30-1 NetOp Host before 7.65 build 2004278 allows remote attackers to obtain sensitive hostname, username and local IP address information via (1) a NetOp HELO request, or (2) when responses are disabled, a "custom" HELO request. 11710 danware-helo-obtain-information(18171) http://www.corsaire.com/advisories/c040619-001.txt 20041119 Corsaire Security Advisory - Danware NetOp Host multiple information disclosure issues The make_recovery command for the TFTP server in HP Ignite-UX before C.6.2.241 makes a copy of the password file in the TFTP directory tree, which allows remote attackers to obtain sensitive information. hpigniteux-makerecovery-bypass-security(21858) http://www.corsaire.com/advisories/c041123-001.txt 16456 14568 1014711 HP-UX B.11.00 through B.11.23, when running Ignite-UX and using the add_new_client command, causes the TFTP server to set world-writable permissions on part of the directory tree, which allows remote attackers to modify data or cause disk consumption. hpigniteux-addnewclient-gain-access(21857) 16456 HPSBUX01219 oval:org.mitre.oval:def:5775 HPSBUX01219 20050816 Corsaire Security Advisory: HP Ignite-UX filesystem permissions issue 1014711 Buffer overflow in the C2S module in the open source Jabber 2.x server (Jabberd) allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long username. 11741 jabberd2-c2s-bo(18238) 20041124 Jabberd2.x remote BuffJabberd2.x remote Buffer Overflowser Overflows 20041124 Jabberd2.x remote BuffJabberd2.x remote Buffer Overflowser Overflows ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0597. Reason: This candidate is a reservation duplicate of CVE-2004-0597. Notes: All CVE users should reference CVE-2004-0597 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0599. Reason: This candidate is a reservation duplicate of CVE-2004-0599 (the first item listed in that candidate). Notes: All CVE users should reference CVE-2004-0599 instead of this candidate. All references and descriptions have been removed from this candidate to prevent accidental usage. MySQL before 4.0.20 allows remote attackers to cause a denial of service (application crash) via a MATCH AGAINST query with an opening double quote but no closing double quote. GLSA-200410-22 mysql-match-against-dos(17768) 2004-0054 SUSE-SR:2004:001 http://lists.mysql.com/packagers/202 http://bugs.mysql.com/bug.php?id=3870 Unknown vulnerability in MySQL 3.23.58 and earlier, when a local user has privileges for a database whose name includes a "_" (underscore), grants privileges to other databases that have similar names, which can allow the user to conduct unauthorized activities. mysql-underscore-gain-priv(17783) RHSA-2004:611 RHSA-2004:597 MDKSA-2005:070 DSA-707 P-018 USN-32-1 CLA-2005:947 php_variables.c in PHP before 5.0.2 allows remote attackers to read sensitive memory contents via (1) GET, (2) POST, or (3) COOKIE GPC variables that end in an open bracket character, which causes PHP to calculate an incorrect string length. php-phpinfo-disclose-memory(17393) RHSA-2004:687 FLSA:2344 1011279 12560 oval:org.mitre.oval:def:10863 20040915 [VulnWatch] PHP Vulnerability N. 1 20040915 PHP Vulnerability N. 1 rfc1867.c in PHP before 5.0.2 allows local users to upload files to arbitrary locations via a PHP script with a certain MIME header that causes the "$_FILES" array to be modified. php-mime-array-execute-code(17392) RHSA-2004:687 FLSA:2344 1011307 12560 oval:org.mitre.oval:def:10961 20040915 Php Vulnerability N. 2 20040915 Php Vulnerability N. 2 FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (core dump) via malformed USR vendor-specific attributes (VSA) that cause a memcpy operation with a -1 argument. VU#541574 11222 freeradius-dos(17440) GLSA-200409-29 oval:org.mitre.oval:def:11023 Memory leak in FreeRADIUS before 1.0.1 allows remote attackers to cause a denial of service (memory exhaustion) via a series of Access-Request packets with (1) Ascend-Send-Secret, (2) Ascend-Recv-Secret, or (3) Tunnel-Password attributes. VU#541574 11222 freeradius-dos(17440) GLSA-200409-29 oval:org.mitre.oval:def:10024 Apple Remote Desktop Client 1.2.4 executes a GUI application as root when it is started by an Apple Remote Desktop Administrator application, which allows remote authenticated users to execute arbitrary code when loginwindow is active via Fast User Switching. APPLE-SA-2004-10-27 Buffer overflow in Microsoft Word 2002 (10.6612.6714) SP3, and possibly other versions, allows remote attackers to cause a denial of service (application exception) and possibly execute arbitrary code in winword.exe via certain unexpected values in a .doc file, including (1) an offset that triggers an out-of-bounds memory access, (2) a certain value that causes a large memory copy as triggered by an integer conversion error, and other values. word-file-parsing-bo(17635) MS05-023 20041006 [HV-HIGH] MS Word multiple exceptions, at least one exploitable oval:org.mitre.oval:def:420 oval:org.mitre.oval:def:2216 oval:org.mitre.oval:def:2105 oval:org.mitre.oval:def:1795 Buffer overflow in Zinf 2.2.1 on Windows, and other older versions for Linux, allows remote attackers or local users to execute arbitrary code via certain values in a .pls file. 11248 DSA-587 zinf-pls-bo(17491) 8341 12656 20040927 Re: Buffer overflow in Zinf 2.2.1 for Win32+exploit 20040924 Buffer overflow in Zinf 2.2.1 for Win32 stmkfont in HP-UX B.11.00 through B.11.23 relies on the user-specified PATH when executing certain commands, which allows local users to execute arbitrary code by modifying the PATH environment variable to point to malicious programs. 11493 hpux-stmkfont-gain-privileges(17813) SSRT4807 http://www.nsfocus.com/english/homepage/research/0402.htm oval:org.mitre.oval:def:5538 20041021 NSFOCUS SA2004-02 : HP-UX stmkfont Local Privilege Escalation Vulnerability The (1) autopoint and (2) gettextize scripts in the GNU gettext package 1.14 and later versions, as used in Trustix Secure Linux 1.5 through 2.1 and other operating systems, allows local users to overwrite files via a symlink attack on temporary files. 11282 script-temporary-file-overwrite(17583) 2004-0050 GLSA-200410-10 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136323 MDKSA-2006:051 FLSA:136323 OpenPKG-SA-2004.055 USN-5-1 The (1) pj-gs.sh, (2) ps2epsi, (3) pv.sh, and (4) sysvlp.sh scripts in the ESP Ghostscript (espgs) package in Trustix Secure Linux 1.5 through 2.1, and other operating systems, allow local users to overwrite files via a symlink attack on temporary files. 11285 script-temporary-file-overwrite(17583) 2004-0050 RHSA-2005:081 20056 19799 17135 16997 oval:org.mitre.oval:def:10284 USN-3-1 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136321 SCOSA-2006.23 SCOSA-2006.19 The catchsegv script in glibc 2.3.2 and earlier allows local users to overwrite files via a symlink attack on temporary files. 11286 script-temporary-file-overwrite(17583) 2004-0050 RHSA-2005:261 RHSA-2004:586 DSA-636 GLSA-200410-19 oval:org.mitre.oval:def:9523 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136318 USN-4-1 The groffer script in the Groff package 1.18 and later versions, as used in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. 11287 GLSA-200411-15 script-temporary-file-overwrite(17583) 2004-0050 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136313 MDKSA-2006:038 18764 The (1) gzexe, (2) zdiff, and (3) znew scripts in the gzip package, as used by other packages such as ncompress, allows local users to overwrite files via a symlink attack on temporary files. NOTE: the znew vulnerability may overlap CVE-2003-0367. 11288 script-temporary-file-overwrite(17583) 2004-0050 DSA-588 http://www.zataz.net/adviso/ncompress-09052005.txt 13131 The krb5-send-pr script in the kerberos5 (krb5) package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. 11289 GLSA-200410-24 script-temporary-file-overwrite(17583) 2004-0050 RHSA-2005:012 oval:org.mitre.oval:def:10497 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136304 The lvmcreate_initrd script in the lvm package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. 2004-0050 11290 script-temporary-file-overwrite(17583) oval:org.mitre.oval:def:10632 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136308 RHBA-2004:232 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0457. Reason: This candidate is a reservation duplicate of CVE-2004-0457. Notes: All CVE users should reference CVE-2004-0457 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The netatalk package in Trustix Secure Linux 1.5 through 2.1, and possibly other operating systems, allows local users to overwrite files via a symlink attack on temporary files. GLSA-200410-25 script-temporary-file-overwrite(17583) 2004-0050 The der_chop script in the openssl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. 11293 script-temporary-file-overwrite(17583) 2004-0050 GLSA-200411-15 DSA-603 12973 oval:org.mitre.oval:def:10621 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136302 RHSA-2005:476 oval:org.mitre.oval:def:164 Multiple scripts in the perl package in Trustix Secure Linux 1.5 through 2.1 and other operating systems allows local users to overwrite files via a symlink attack on temporary files. 11294 script-temporary-file-overwrite(17583) 2004-0050 DSA-620 oval:org.mitre.oval:def:9752 RHSA-2005:881 MDKSA-2005:031 18075 17661 OpenPKG-SA-2005.001 FLSA-2006:152845 The make_oidjoins_check script in PostgreSQL 7.4.5 and earlier allows local users to overwrite files via a symlink attack on temporary files. 11295 DSA-577 script-temporary-file-overwrite(17583) 2004-0050 RHSA-2004:489 GLSA-200410-16 oval:org.mitre.oval:def:11360 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=136300 MDKSA-2004:149 OpenPKG-SA-2004.046 USN-6-1 Heap-based buffer overflow in the Hrtbeat.ocx (Heartbeat) ActiveX control for Internet Explorer 5.01 through 6, when users who visit online gaming sites that are associated with MSN, allows remote attackers to execute arbitrary code via the SetupData parameter. VU#673134 heartbeat-activex(17714) 11367 http://www.ngssoftware.com/advisories/heartbeatfull.txt MS04-038 20050119 MSN Heartbeat Control Buffer Overflow Internet Explorer on Windows XP does not properly modify the "Drag and Drop or copy and paste files" setting when the user sets it to "Disable" or "Prompt," which may enable security-sensitive operations that are inconsistent with the user's intended configuration. TA04-293A VU#630720 ie-dragdrop-security-bypass(17820) MS04-038 Format string vulnerability in ez-ipupdate.c for ez-ipupdate 3.0.10 through 3.0.11b8, when running in daemon mode with certain service types in use, allows remote servers to execute arbitrary code. 11657 GLSA-200411-20 eziupdate-showmessage-format-string(18032) DSA-592 13167 20041111 ez-ipupdate format string bug MDKSA-2004:129 Buffer overflow in the EXIF parsing routine in ImageMagick before 6.1.0 allows remote attackers to execute arbitrary code via a certain image file. imagemagick-exif-image-bo(17903) 11548 http://www.imagemagick.org/www/Changelog.html GLSA-200411-11 12995 oval:org.mitre.oval:def:10472 USN-7-1 Buffer overflow in the getauthfromURL function in httpget.c in mpg123 pre0.59s and mpg123 0.59r could allow remote attackers or local users to execute arbitrary code via an mp3 file that contains a long string before the @ (at sign) in a URL. 11468 DSA-578 mpg123-getauthfromurl-bo(17574) 11023 GLSA-200410-27 http://www.barrossecurity.com/advisories/mpg123_getauthfromurl_bof_advisory.txt 1011832 12908 20041019 mpg123 "getauthfromurl" buffer overflow The CGI module in Ruby 1.6 before 1.6.8, and 1.8 before 1.8.2, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a certain HTTP request. 11618 ruby-cgi-dos(17985) USN-20-1 RHSA-2004:635 DSA-586 oval:org.mitre.oval:def:10268 MDKSA-2004:128 Unknown vulnerability in the dotlock implementation in mailutils before 1:0.5-4 on Debian GNU/Linux allows attackers to gain privileges. http://packages.debian.org/changelogs/pool/main/m/mailutils/mailutils_0.6-2/changelog Internet Explorer 6.x on Windows XP SP2 allows remote attackers to execute arbitrary code, as demonstrated using a document with a draggable file type such as .xml, .doc, .py, .cdf, .css, .pdf, or .ppt, and using ADODB.Connection and ADODB.recordset to write to a .hta file that is interpreted in the Local Zone by HTML Help. ie-anchorclick-command-execution(17824) 20041020 How to Break Windows XP SP2 + Internet Explorer 6 SP2 20041020 How to Break Windows XP SP2 + Internet Explorer 6 SP2 20041020 Re: How to Break Windows XP SP2 + Internet Explorer 6 SP2 Iptables before 1.2.11, under certain conditions, does not properly load the required modules at system startup, which causes the firewall rules to fail to load and protect the system from remote attackers. 11570 FLSA:2252 iptables-module-dos(17928) DSA-580 P-026 MDKSA-2004:125 http://rpmfind.net/linux/RPM/suse/updates/9.2/i386/rpm/i586/iptables-1.2.11-4.2.i586.html USN-81-1 Buffer overflow in the process_menu function in yardradius 1.0.20 allows remote attackers to execute arbitrary code. 11753 DSA-598 yardradius-processmenu-bo(18270) http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278384 Integer overflow on Apple QuickTime before 6.5.2, when running on Windows systems, allows remote attackers to cause a denial of service (memory consumption) via certain inputs that cause a large memory operation. APPLE-SA-2004-10-27 Multiple buffer overflows in libXML 2.6.12 and 2.6.13 (libxml2), and possibly other versions, may allow remote attackers to execute arbitrary code via (1) a long FTP URL that is not properly handled by the xmlNanoFTPScanURL function, (2) a long proxy URL containing FTP data that is not properly handled by the xmlNanoFTPScanProxy function, and other overflows related to manipulation of DNS length values, including (3) xmlNanoFTPConnect, (4) xmlNanoHTTPConnectHost, and (5) xmlNanoHTTPConnectHost. 11526 libxml2-xmlnanoftpscanproxy-bo(17875) libxml2-xmlnanoftpscanurl-bo(17870) DSA-582 oval:org.mitre.oval:def:10505 APPLE-SA-2005-01-25 libxml2-nanohttp-file-bo(17876) libxml2-nanoftp-file-bo(17872) RHSA-2004:650 RHSA-2004:615 11324 11180 11179 SUSE-SR:2005:001 GLSA-200411-05 P-029 1011941 13000 USN-89-1 20041026 libxml2 remote buffer overflows (not in xml parsing code though) CLA-2004:890 oval:org.mitre.oval:def:1173 Integer overflow in GD Graphics Library libgd 2.0.28 (libgd2), and possibly other versions, allows remote attackers to cause a denial of service and possibly execute arbitrary code via PNG image files with large image rows values that lead to a heap-based buffer overflow in the gdImageCreateFromPngCtx function, a different set of vulnerabilities than CVE-2004-0941. 11523 gd-png-bo(17866) 2004-0058 11190 DSA-602 DSA-601 DSA-591 DSA-589 oval:org.mitre.oval:def:9952 20041026 libgd integer overflow https://issues.rpath.com/browse/RPL-939 RHSA-2004:638 MDKSA-2006:122 MDKSA-2006:114 MDKSA-2006:113 MDKSA-2004:132 P-071 23783 21050 20866 20824 18717 USN-25-1 USN-11-1 SUSE-SR:2006:003 oval:org.mitre.oval:def:1260 Buffer overflow in mpg123 before 0.59s-r9 allows remote attackers to execute arbitrary code via frame headers in MP2 or MP3 files. GLSA-200501-14 13779 12218 MDKSA-2005:009 13899 13788 Format string vulnerability in the -a option (daemon mode) in Proxytunnel before 1.2.3 allows remote attackers to execute arbitrary code via format string specifiers in an invalid proxy answer. 11592 GLSA-200411-07 proxytunnel-message-format-string(17945) http://proxytunnel.sourceforge.net/news.html Buffer overflow in hpsockd before 0.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code. DSA-604 hpsockd-bo(18359) 11800 13371 Multiple integer overflows in xzgv 0.8 and earlier allow remote attackers to execute arbitrary code via images with large width and height values, which trigger a heap-based buffer overflow, as demonstrated in the read_prf_file function in readprf.c. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct. xzgv-readprffile-bo(18454) DSA-614 http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff 20041213 Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability main.c in cscope 15-4 and 15-5 creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack. 11697 DSA-610 cscope-tmp-race-condition(18125) ADV-2007-2732 20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. 20041118 Re: RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. 20041117 RX171104 Cscope v15.5 and minors - symlink vulnerability - advisory, exploit and patch. GLSA-200412-11 25159 26235 20041124 STG Security Advisory: [SSA-20041122-09] cscope insecure temp file creation vulnerability APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 Unspecified vulnerability in the ptrace MIPS assembly code in Linux kernel 2.4 before 2.4.17 allows local users to gain privileges via unknown vectors. This vulnerability is addressed in the following product release: Linux, Linux kernel, 2.4.17 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20202 20163 20162 http://kernel.debian.net/debian/pool/main/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_ia64.changes 18176 http://svn.debian.org/wsvn/kernel/patch-tracking/CVE-2004-0997?op=file&rev=0&sc=0 20338 Format string vulnerability in telnetd-ssl 0.17 and earlier allows remote attackers to execute arbitrary code. VU#995038 netkit-telnetssl-format-string(18654) DSA-616 13663 zgv 5.5.3 allows remote attackers to cause a denial of service (application crash via segmentation fault) via crafted multiple-image (animated) GIF images. DSA-608 zgv-multiple-image-dos(18480) 11915 lintian 1.23 and earlier removes the working directory even if it was not created by lintian, which may allow local users to delete arbitrary files or directories via a symlink attack. lintian-symlink(18808) 13771 Unknown vulnerability in the passwd_check function in Shadow 4.0.4.1, and possibly other versions before 4.0.5, allows local users to conduct unauthorized activities when an error from a pam_chauthtok function call is not properly handled. shadow-pwdcheck-modify-account(17902) DSA-585 13028 CLA-2004:894 Integer underflow in pppd in cbcp.c for ppp 2.4.1 allows remote attackers to cause a denial of service (daemon crash) via a CBCP packet with an invalid length value that causes pppd to access an incorrect memory location. ppp-ccp-headers-dos(17874) 20041026 pppd out of bounds memory access, possible DOS USN-12-1 Trend ScanMail allows remote attackers to obtain potentially sensitive information or disable the anti-virus capability via the smency.nsf file. scanmail-file-access(17962) http://cgi.nessus.org/plugins/dump.php3?id=14312 Multiple format string vulnerabilities in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact. RHSA-2005:217 13863 midnightcommander-format-string(18902) GLSA-200502-24 DSA-639 Multiple buffer overflows in Midnight Commander (mc) 4.5.55 and earlier allow remote attackers to have an unknown impact. RHSA-2005:217 13863 midnight-commander-bo(18898) GLSA-200502-24 DSA-639 Format string vulnerability in the log functions in dhcpd for dhcp 2.x allows remote DNS servers to execute arbitrary code via certain DNS messages, a different vulnerability than CVE-2002-0702. VU#448384 11591 DSA-584 dhcp-log-format-string(17963) 20041105 Re: debian dhcpd, old format string bug 20041102 Re: debian dhcpd, old format string bug 20041025 debian dhcpd, old format string bug RHSA-2005:212 The quoted-printable decoder in bogofilter 0.17.4 to 0.92.7 allows remote attackers to cause a denial of service (application crash) via mail headers that cause a line feed (LF) to be replaced by a null byte that is written to an incorrect memory address. bogofilter-dos(17916) http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01 Integer signedness error in the ssh2_rdpkt function in PuTTY before 0.56 allows remote attackers to execute arbitrary code via a SSH2_MSG_DEBUG packet with a modified stringlen parameter, which leads to a buffer overflow. 11549 GLSA-200410-29 putty-ssh2msgdebug-bo(17886) http://www.chiark.greenend.org.uk/~sgtatham/putty/ 13012 20041027 PuTTY SSH client vulnerability 20041027 PuTTY SSH2_MSG_DEBUG Buffer Overflow Vulnerability http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002416 http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002414 17214 12987 Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors. DSA-639 13863 midnight-commander-dos(18903) RHSA-2005:512 Buffer overflow in Info-Zip 2.3 and possibly earlier versions, when using recursive folder compression, allows remote attackers to execute arbitrary code via a ZIP file containing a long pathname. 11603 FLSA:2255 http://www.hexview.com/docs/20041103-1.txt DSA-624 oval:org.mitre.oval:def:9848 20041103 [HV-MED] Zip/Linux long path buffer overflow infozip-compressed-folder-bo(17956) USN-18-1 TLSA-2005-18 RHSA-2004:634 MDKSA-2004:141 P-072 GLSA-200411-16 20041103 [HV-MED] Zip/Linux long path buffer overflow Stack-based buffer overflow in Cyrus IMAP Server 2.2.4 through 2.2.8, with the imapmagicplus option enabled, allows remote attackers to execute arbitrary code via a long (1) PROXY or (2) LOGIN command, a different vulnerability than CVE-2004-1015. cyrus-imap-username-bo(18198) GLSA-200411-34 http://security.e-matters.de/advisories/152004.html 13274 20041122 Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities http://asg.web.cmu.edu/cyrus/download/imapd/changes.html MDKSA-2004:139 [cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 Released The argument parser of the PARTIAL command in Cyrus IMAP Server 2.2.6 and earlier allows remote authenticated users to execute arbitrary code via a certain command ("body[p") that is treated as a different command ("body.peek") and causes an index increment error that leads to an out-of-bounds memory corruption. cyrus-imap-commands-execute-code(18199) DSA-597 GLSA-200411-34 http://security.e-matters.de/advisories/152004.html 13274 20041122 Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities http://asg.web.cmu.edu/cyrus/download/imapd/changes.html MDKSA-2004:139 USN-31-1 [cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 Released The argument parser of the FETCH command in Cyrus IMAP Server 2.2.x through 2.2.8 allows remote authenticated users to execute arbitrary code via certain commands such as (1) "body[p", (2) "binary[p", or (3) "binary[p") that cause an index increment error that leads to an out-of-bounds memory corruption. DSA-597 GLSA-200411-34 http://security.e-matters.de/advisories/152004.html 13274 20041122 Advisory 15/2004: Cyrus IMAP Server multiple remote vulnerabilities http://asg.web.cmu.edu/cyrus/download/imapd/changes.html MDKSA-2004:139 USN-31-1 [cyrus-announce] 20041122 Cyrus IMAPd 2.2.9 Released statd in nfs-utils 1.257 and earlier does not ignore the SIGPIPE signal, which allows remote attackers to cause a denial of service (server process crash) via a TCP connection that is prematurely terminated. 11785 nfs-utils-statd-dos(18332) 2004-0065 RHSA-2005:014 RHSA-2004:583 DSA-606 oval:org.mitre.oval:def:10899 USN-36-1 FLSA-2006:138098 http://cvs.sourceforge.net/viewcvs.py/nfs/nfs-utils/ChangeLog?rev=1.258&view=markup Buffer overflow in proxyd for Cyrus IMAP Server 2.2.9 and earlier, with the imapmagicplus option enabled, may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2004-1011. GLSA-200411-34 cyrus-magic-plus-bo(18274) http://asg.web.cmu.edu/cyrus/download/imapd/changes.html MDKSA-2004:139 [cyrus-announce] 20041123 Cyrus IMAPd 2.2.10 Released The scm_send function in the scm layer for Linux kernel 2.4.x up to 2.4.28, and 2.6.x up to 2.6.9, allows local users to cause a denial of service (system hang) via crafted auxiliary messages that are passed to the sendmsg function, which causes a deadlock condition. 11921 FLSA:2336 linux-scmsend-dos(18483) RHSA-2004:689 oval:org.mitre.oval:def:11816 http://isec.pl/vulnerabilities/isec-0019-scm.txt RHSA-2005:017 RHSA-2005:016 SUSE-SA:2004:044 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 USN-38-1 Multiple "overflows" in the io_edgeport driver for Linux kernel 2.4.x have unknown impact and unknown attack vectors. FLSA:2336 linux-ioedgeport-bo(18433) RHSA-2004:689 oval:org.mitre.oval:def:9786 12102 RHSA-2005:017 RHSA-2005:016 DSA-1082 DSA-1070 DSA-1069 DSA-1067 DSA-1017 20338 20202 20163 20162 19374 Multiple integer handling errors in PHP before 4.3.10 allow attackers to bypass safe mode restrictions, cause a denial of service, or execute arbitrary code via (1) a negative offset value to the shmop_write function, (2) an "integer overflow/underflow" in the pack function, or (3) an "integer overflow/underflow" in the unpack function. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. FLSA:2344 php-shmopwrite-outofbounds-memory(18515) 12045 20041219 PHP shmop.c module permits write of arbitrary memory. RHSA-2005:032 http://www.php.net/release_4_3_10.php http://www.hardened-php.net/advisories/012004.txt oval:org.mitre.oval:def:10949 HPSBMA01212 RHSA-2005:816 12411 MDKSA-2005:072 MDKSA-2004:151 USN-99-1 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 The deserialization code in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to cause a denial of service and execute arbitrary code via untrusted data to the unserialize function that may trigger "information disclosure, double-free and negative reference index array underflow" results. RHSA-2004:687 FLSA:2344 php-unserialize-code-execution(18514) HPSBMA01212 RHSA-2005:816 RHSA-2005:032 http://www.php.net/release_4_3_10.php SUSE-SA:2005:002 MDKSA-2004:151 http://www.hardened-php.net/advisories/012004.txt oval:org.mitre.oval:def:10511 OpenPKG-SA-2004.053 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 The addslashes function in PHP 4.3.9 does not properly escape a NULL (/0) character, which may allow remote attackers to read arbitrary files in PHP applications that contain a directory traversal vulnerability in require or include statements, but are otherwise protected by the magic_quotes_gpc mechanism. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. 11981 php-addslashes-view-files(18516) 20041216 PHP Input Validation Vulnerabilities HPSBMA01212 http://www.php.net/release_4_3_10.php GLSA-200412-14 CLA-2005:915 MDKSA-2004:151 iCal before 1.5.4 on Mac OS X 10.2.3, and other later versions, does not alert the user when handling calendars that use alarms, which allows attackers to execute programs and send e-mail via alarms. ical-calendar-authorization-bypass(18209) APPLE-SA-2004-11-22 Kerio Winroute Firewall before 6.0.7, ServerFirewall before 1.0.1, and MailServer before 6.0.5 use symmetric encryption for user passwords, which allows attackers to decrypt the user database and obtain the passwords by extracting the secret key from within the software. kerio-weak-encryption(18470) 20041214 [CAN-2004-1022] Insecure Credential Storage on Kerio Software Kerio Winroute Firewall before 6.0.9, ServerFirewall before 1.0.1, and MailServer before 6.0.5, when installed on Windows based systems, do not modify the ACLs for critical files, which allows local users with Power Users privileges to modify programs, install malicious DLLs in the plug-ins folder, and modify XML files related to configuration. kerio-insecure-permissions(18471) 20041214 [CAN-2004-1023] Insecure default file system permissions on Microsoft versions of Kerio Software Multiple heap-based buffer overflows in imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to cause a denial of service (application crash) and execute arbitrary code via certain image files. RHSA-2004:651 11830 oval:org.mitre.oval:def:10786 MDKSA-2005:007 Multiple integer overflows in the image handler for imlib 1.9.14 and earlier, which is used by gkrellm and several window managers, allow remote attackers to cause a denial of service (application crash) and execute arbitrary code via certain image files. RHSA-2004:651 11830 GLSA-200412-03 DSA-628 oval:org.mitre.oval:def:10771 MDKSA-2005:007 Directory traversal vulnerability in the -x (extract) command line option in unarj allows remote attackers to overwrite arbitrary files via an arj archive with filenames that contain .. (dot dot) sequences. 11436 unarj-directory-traversal(17684) RHSA-2005:007 DSA-652 DSA-628 GLSA-200411-29 FLSA:2272 20041010 unarj dir-transversal bug (../../../..) Untrusted execution path vulnerability in chcod on AIX IBM 5.1.0, 5.2.0, and 5.3.0 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious "grep" program, which is executed from chcod. aix-chcod-gain-privileges(18625) 20041220 IBM AIX chcod Local Privilege Escalation Vulnerability IY64356 IY64355 IY64354 The Sun Java Plugin capability in Java 2 Runtime Environment (JRE) 1.4.2_01, 1.4.2_04, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code by using the reflection API to access private Java packages. VU#760344 12317 57591 101523 sdk-jre-applet-restriction-bypass(18188) ADV-2008-0599 20041122 Sun Java Plugin Arbitrary Package Access Vulnerability http://www-1.ibm.com/support/docview.wss?uid=swg21257249 61 29035 13271 http://rpmfind.net/linux/RPM/suse/updates/9.3/i386/rpm/i586/java-1_4_2-sun-src-1.4.2.08-0.1.i586.html oval:org.mitre.oval:def:5674 APPLE-SA-2005-02-22 http://jouko.iki.fi/adv/javaplugin.html fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to gain sensitive information by calling fcronsighup with an arbitrary file, which reveals the contents of the file that can not be parsed in an error message. 11684 fcron-fcronsighup-obtain-info(18075) 20041115 Multiple Security Vulnerabilities in Fcron GLSA-200411-27 fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to bypass access restrictions and load an arbitrary configuration file by starting an suid process and pointing the fcronsighup configuration file to a /proc entry that is owned by root but modifiable by the user, such as /proc/self/cmdline or /proc/self/environ. 11684 fcron-fcronsighup-restrictions-bypass(18076) 20041115 Multiple Security Vulnerabilities in Fcron GLSA-200411-27 fcronsighup in Fcron 2.0.1, 2.9.4, and possibly earlier versions allows local users to delete arbitrary files or create arbitrary empty files via a target filename with a large number of leading slash (/) characters such that fcronsighup does not properly append the intended fcrontab.sig to the resulting string. GLSA-200411-27 fcron-fcronsighup-create-files(18077) 20041115 Multiple Security Vulnerabilities in Fcron Fcron 2.0.1, 2.9.4, and possibly earlier versions leak file descriptors of open files, which allows local users to bypass access restrictions and read fcron.allow and fcron.deny via the EDITOR environment variable. 11684 fcron-fcrontab-obtain-info(18078) 20041115 Multiple Security Vulnerabilities in Fcron GLSA-200411-27 Buffer overflow in the http_open function in Kaffeine before 0.5, whose code is also used in gxine before 0.3.3, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long Content-Type header for a Real Audio Media (.ram) playlist file. 11528 kaffeine-ram-bo(17849) http://sourceforge.net/tracker/index.php?func=detail&aid=1060299&group_id=9655&atid=109655 GLSA-200411-14 13117 20041025 Kaffeine Media Player Conteny Type overflow Multiple integer signedness errors in (1) imapcommon.c, (2) main.c, (3) request.c, and (4) select.c for up-imapproxy IMAP proxy 1.2.2 allow remote attackers to cause a denial of service (server crash) and possibly leak sensitive information via certain literal values that are not properly handled when using the IMAP_Line_Read function. upimapproxy-dos(17999) 20041107 up-imapproxy DoS vulnerabilities Cross-site scripting (XSS) vulnerability in the decoding of encoded text in certain headers in mime.php for SquirrelMail 1.4.3a and earlier, and 1.5.1-cvs before 23rd October 2004, allows remote attackers to execute arbitrary web script or HTML. GLSA-200411-25 20041110 [SquirrelMail Security Advisory] Cross Site Scripting in encoded text squirrelmail-mime-xss(18031) http://www.squirrelmail.org/ http://voxel.dl.sourceforge.net/sourceforge/squirrelmail/sm143a-xss.diff oval:org.mitre.oval:def:9592 APPLE-SA-2005-03-21 APPLE-SA-2005-01-25 CLA-2004:905 The search function in TWiki 20030201 allows remote attackers to execute arbitrary commands via shell metacharacters in a search string. 11674 twik-search-command-execution(18062) P-039 http://twiki.org/cgi-bin/view/Codev/SecurityAlertExecuteCommandsWithSearch GLSA-200411-33 20041116 Re: [Full-Disclosure] TWiki search function allows arbitrary shell command execution 20041112 TWiki search function allows arbitrary shell command execution CLA-2005:918 A design error in the IEEE1394 specification allows attackers with physical access to a device to read and write to sensitive memory using a modified FireWire/IEEE 1394 client, thus bypassing intended restrictions that would normally require greater degrees of physical access to exploit. NOTE: this was reported in 2008 to affect Windows Vista, but some Linux-based operating systems have protection mechanisms against this attack. firewire-ieee1394-interface-installed(18041) http://www.theage.com.au/news/security/hack-into-a-windows-pc-no-password-needed/2008/03/04/1204402423638.html 20080310 Re: [Full-disclosure] Firewire Attack on Windows Vista 20080309 Re: Firewire Attack on Windows Vista 20080310 RE: [Full-disclosure] Firewire Attack on Windows Vista 20080309 Re: [Full-disclosure] Firewire Attack on Windows Vista 20080305 RE: Firewire Attack on Windows Vista 20080305 Re: Firewire Attack on Windows Vista 20080305 Firewire Attack on Windows Vista http://www.sec-consult.com/fileadmin/Whitepapers/Vista_Physical_Attacks.pdf http://storm.net.nz/static/files/ab_firewire_rux2k6-final.pdf http://storm.net.nz/projects/16 http://pacsec.jp/advisories.html http://md.hudora.de/presentations/firewire/2005-firewire-cansecwest.pdf 20041026 pacsec.jp advisory: Firewire/IEEE 1394 Considered Harmful to Physical Security http://it.slashdot.org/article.pl?sid=08/03/04/1258210 20080308 RE: [Full-disclosure] Firewire Attack on Windows Vista 20080308 Re: [Full-disclosure] Firewire Attack on Windows Vista 20080307 Re: Firewire Attack on Windows Vista 20080306 RE: Firewire Attack on Windows Vista 20080306 Re: Firewire Attack on Windows Vista The NFS mountd service on SCO UnixWare 7.1.1, 7.1.3, 7.1.4, and 7.0.1, and possibly other versions, when run from inetd, allows remote attackers to cause a denial of service (memory exhaustion) via a series of requests, which causes inetd to launch a separate process for each request. 20050111 [NILESA-20050101]: Denial of Service vulnerability due to the mountd bug SCOSA-2005.1 12225 13805 Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to execute arbitrary code by using the "Related Topics" command in the Help ActiveX Control (hhctrl.ocx) to open a Help popup window containing the PCHealth tools.htm file in the local zone and injecting Javascript to be executed, as demonstrated using "writehta.txt" and the ADODB recordset, which saves a .HTA file to the local system, aka the "HTML Help ActiveX control Cross Domain Vulnerability." TA05-012B VU#972415 ie-helpactivexcontrol-save-file(18311) MS05-001 20041225 Microsoft Internet Explorer SP2 Fully Automated Remote Compromise oval:org.mitre.oval:def:3496 oval:org.mitre.oval:def:2830 oval:org.mitre.oval:def:1963 oval:org.mitre.oval:def:1349 Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability." TA05-012A VU#625856 http://www.xfocus.net/flashsky/icoExp/index.html MS05-002 20041223 Microsoft Windows LoadImage API Integer Buffer overflow win-loadimage-bo(18668) 12095 12623 P-094 1012684 13645 oval:org.mitre.oval:def:4671 oval:org.mitre.oval:def:3355 oval:org.mitre.oval:def:3220 oval:org.mitre.oval:def:3097 oval:org.mitre.oval:def:2956 Heap-based buffer overflow in Internet Explorer 6 allows remote attackers to execute arbitrary code via long (1) SRC or (2) NAME attributes in IFRAME, FRAME, and EMBED elements, as originally discovered using the mangleme utility, aka "the IFRAME vulnerability" or the "HTML Elements Vulnerability." TA04-336A TA04-315A VU#842160 ie-iframe-src-name-bo(17889) 11515 20041024 python does mangleme (with IE bugs!) MS04-040 12959 20041102 MSIE <IFRAME> and <FRAME> tag NAME property bufferoverflow PoC 20041025 python does mangleme (with IE bugs!) 20041023 python does mangleme (with IE bugs!) oval:org.mitre.oval:def:1294 sudo before 1.6.8p2 allows local users to execute arbitrary commands by using "()" style environment variables to create functions that have the same name as any program within the bash script that is called without using the program's full pathname. 11668 sudo-bash-command-execution(18055) 2004-0061 http://www.sudo.ws/sudo/alerts/bash_functions.html DSA-596 APPLE-SA-2005-05-03 MDKSA-2004:133 OpenPKG-SA-2005.002 USN-28-1 20041112 Sudo version 1.6.8p2 now available (fwd) Buffer overflow in the getnickuserhost function in BNC 2.8.9, and possibly other versions, allows remote IRC servers to execute arbitrary code via an IRC server response that contains many (1) ! (exclamation) or (2) @ (at sign) characters. 11647 bnc-irc-getnickuserhost-bo(18013) DSA-595 13149 http://security.lss.hr/en/index.php?page=details&ID=LSS-2004-11-03 20041110 BNC 2.8.9 remote buffer overflow Integer overflow in fetch on FreeBSD 4.1 through 5.3 allows remote malicious servers to execute arbitrary code via certain HTTP headers in an HTTP response, which lead to a buffer overflow. 11702 fetch-http-header-bo(18160) FreeBSD-SA-04:16 Untrusted execution path vulnerability in invscout in IBM AIX 5.1.0, 5.2.0, and 5.3.0 allows local users to gain privileges by modifying the PATH environment variable to point to a malicious "uname" program, which is executed from lsvpd after lsvpd has been invoked by invscout. aix-invscout-gain-privileges(18619) 20041220 IBM AIX invscout Local Command Execution Vulnerability IY64976 IY64852 IY64820 Multiple cross-site scripting (XSS) vulnerabilities in phpMyAdmin 2.6.0-pl2 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the PmaAbsoluteUri parameter, (2) the zero_rows parameter in read_dump.php, (3) the confirm form, or (4) an error message generated by the internal phpMyAdmin parser. phpmyadmin-multiple-xss(18158) http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2004-3 http://www.netvigilance.com/html/advisory0005.htm Direct Rendering Manager (DRM) driver in Linux kernel 2.6 does not properly check the DMA lock, which could allow remote attackers or local users to cause a denial of service (X Server crash) and possibly modify the video output. FLSA:2336 linux-i810-dma-dos(15972) ADV-2005-1878 RHSA-2005:092 oval:org.mitre.oval:def:9795 USN-38-1 RHSA-2005:663 RHSA-2005:551 RHSA-2005:529 17002 Multiple drivers in Linux kernel 2.4.19 and earlier do not properly mark memory with the VM_IO flag, which causes incorrect reference counts and may lead to a denial of service (kernel panic) when accessing freed kernel pages. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=137821 linux-kernel-vmio-dos(19275) RHSA-2005:016 12338 RHSA-2006:0140 RHSA-2005:017 http://www.kernel.org/pub/linux/kernel/people/andrea/kernels/v2.4/2.4.23aa3/00_VM_IO-4 18562 oval:org.mitre.oval:def:11474 Race condition in Linux kernel 2.6 allows local users to read the environment variables of another process that is still spawning via /proc/.../cmdline. 11937 FLSA:152532 linux-spawning-race-condition(17151) USN-38-1 GLSA-200408-24 oval:org.mitre.oval:def:10427 11052 RHSA-2006:0191 RHSA-2006:0190 RHSA-2005:293 MDKSA-2005:022 DSA-1018 21476 19607 19369 19038 18684 SUSE-SA:2006:012 20060402-01-U Multiple cross-site scripting (XSS) vulnerabilities in mnoGoSearch 3.2.26 and earlier allow remote attackers to inject arbitrary HTML and web script via the (1) next and (2) prev result search pages, and the (3) extended and (4) simple search forms. mnogosearch-search-xss(18434) 11895 http://www.mnogosearch.org/history.html http://www.mikx.de/index.php?p=6 20041223 Cross-Site Scripting - an industry-wide problem Multiple TCP/IP and ICMP implementations, when using Path MTU (PMTU) discovery (PMTUD), allow remote attackers to cause a denial of service (network throughput reduction for TCP connections) via forged ICMP ("Fragmentation Needed and Don't Fragment was Set") packets with a low next-hop MTU value, aka the "Path MTU discovery attack." NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. MS05-019 http://www.uniras.gov.uk/niscc/docs/al-20050412-00308.html?lang=en http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 20050412 Crafted ICMP Messages Can Cause Denial of Service oval:org.mitre.oval:def:5386 SSRT4884 SSRT4743 13124 HPSBUX01164 57 19 18317 HPSBTU01210 SCOSA-2006.4 oval:org.mitre.oval:def:899 oval:org.mitre.oval:def:780 oval:org.mitre.oval:def:651 oval:org.mitre.oval:def:405 oval:org.mitre.oval:def:3826 oval:org.mitre.oval:def:2188 oval:org.mitre.oval:def:196 oval:org.mitre.oval:def:181 Cross-site scripting (XSS) vulnerability in Bugzilla before 2.18, including 2.16.x before 2.16.11, allows remote attackers to inject arbitrary HTML and web script via forced error messages, as demonstrated using the action parameter. bugzilla-xss(18728) https://bugzilla.mozilla.org/show_bug.cgi?id=272620 12154 http://www.mikx.de/index.php?p=6 20041223 Cross-Site Scripting - an industry-wide problem CLSA-2005:1040 Multiple cross-site scripting (XSS) vulnerabilities in ViewCVS 0.9.2 allow remote attackers to inject arbitrary HTML and web script via certain error messages. viewcvs-xss(18718) GLSA-200412-26 http://www.mikx.de/index.php?p=6 20041223 Cross-Site Scripting - an industry-wide problem SUSE-SR:2005:001 PHP 4.x to 4.3.9, and PHP 5.x to 5.0.2, when running in safe mode on a multithreaded Unix webserver, allows local users to bypass safe_mode_exec_dir restrictions and execute commands outside of the intended safe_mode_exec_dir via shell metacharacters in the current directory name. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. php-safemodeexecdir-restriction-bypass(18511) 11964 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 http://www.php.net/release_4_3_10.php http://www.hardened-php.net/advisories/012004.txt GLSA-200412-14 HPSBMA01212 12412 MDKSA-2005:072 MDKSA-2004:151 USN-99-1 CLA-2005:915 The safe mode checks in PHP 4.x to 4.3.9 and PHP 5.x to 5.0.2 truncate the file path before passing the data to the realpath function, which could allow attackers to bypass safe mode. NOTE: this issue was originally REJECTed by its CNA before publication, but that decision is in active dispute. This candidate may change significantly in the future as a result of further discussion. php-realpath-safemode-bypass(18512) 11964 20041215 Advisory 01/2004: Multiple vulnerabilities in PHP 4/5 http://www.php.net/release_4_3_10.php http://www.hardened-php.net/advisories/012004.txt GLSA-200412-14 USN-99-2 USN-99-1 CLA-2005:915 HPSBMA01212 MDKSA-2005:072 MDKSA-2004:151 Buffer overflow in the exif_read_data function in PHP before 4.3.10 and PHP 5.x up to 5.0.2 allows remote attackers to execute arbitrary code via a long section name in an image file. RHSA-2004:687 FLSA:2344 php-exifreaddata-bo(18517) RHSA-2005:032 http://www.php.net/release_4_3_10.php SUSE-SA:2005:002 oval:org.mitre.oval:def:10877 OpenPKG-SA-2004.053 HPSBMA01212 MDKSA-2004:151 The cmdline pseudofiles in (1) procfs on FreeBSD 4.8 through 5.3, and (2) linprocfs on FreeBSD 5.x through 5.3, do not properly validate a process argument vector, which allows local users to cause a denial of service (panic) or read portions of kernel memory. NOTE: this candidate might be SPLIT into 2 separate items in the future. freebsd-profs-linprocfs-info-disclosure(18321) FreeBSD-SA-04:17 Off-by-one error in the mysasl_canon_user function in Cyrus IMAP Server 2.2.9 and earlier leads to a buffer overflow, which may allow remote attackers to execute arbitrary code via the username. 11738 cyrus-mysaslcanonuser-offbyone-bo(18333) http://asg.web.cmu.edu/cyrus/download/imapd/changes.html USN-37-1 A "missing serialization" error in the unix_dgram_recvmsg function in Linux 2.4.27 and earlier, and 2.6.x up to 2.6.9, allows local users to gain privileges via a race condition. 11715 FLSA:2336 linux-afunix-race-condition(18230) 20041119 Addendum, recent Linux <= 2.4.27 vulnerabilities RHSA-2004:537 oval:org.mitre.oval:def:11384 RHSA-2004:505 RHSA-2004:504 SUSE-SA:2004:044 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 19607 20041214 [USN-38-1] Linux kernel vulnerabilities 20060402-01-U Race condition in SELinux 2.6.x through 2.6.9 allows local users to cause a denial of service (kernel crash) via SOCK_SEQPACKET unix domain sockets, which are not properly handled in the sock_dgram_sendmsg function. linux-sockdgramsendmsg-race-condition(18312) [linux-kernel] 20041114 [PATCH] linux 2.9.10-rc1: Fix oops in unix_dgram_sendmsg when using 20041214 [USN-38-1] Linux kernel vulnerabilities MDKSA-2005:022 The load_elf_binary function in the binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly check return values from calls to the kernel_read function, which may allow local users to modify sensitive memory in a setuid program and execute arbitrary code. FLSA:2336 linux-elf-setuid-gain-privileges(18025) 11646 RHSA-2004:549 RHSA-2004:505 RHSA-2004:504 MDKSA-2005:022 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 19607 oval:org.mitre.oval:def:9450 20060402-01-U The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, does not properly handle a failed call to the mmap function, which causes an incorrect mapped image and may allow local users to execute arbitrary code. RHSA-2004:537 FLSA:2336 linux-elf-setuid-gain-privileges(18025) http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt oval:org.mitre.oval:def:9917 11646 RHSA-2004:505 RHSA-2004:504 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 19607 20060402-01-U The binfmt_elf loader (binfmt_elf.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, may create an interpreter name string that is not NULL terminated, which could cause strings longer than PATH_MAX to be used, leading to buffer overflows that allow local users to cause a denial of service (hang) and possibly execute arbitrary code. RHSA-2004:537 FLSA:2336 linux-elf-setuid-gain-privileges(18025) RHSA-2005:275 http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt oval:org.mitre.oval:def:11195 11646 RHSA-2004:505 RHSA-2004:504 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 19607 20060402-01-U The open_exec function in the execve functionality (exec.c) in Linux kernel 2.4.x up to 2.4.27, and 2.6.x up to 2.6.8, allows local users to read non-readable ELF binaries by using the interpreter (PT_INTERP) functionality. RHSA-2004:549 FLSA:2336 linux-elf-setuid-gain-privileges(18025) http://www.isec.pl/vulnerabilities/isec-0017-binfmt_elf.txt oval:org.mitre.oval:def:11503 11646 RHSA-2006:0191 RHSA-2006:0190 RHSA-2005:293 RHSA-2004:505 RHSA-2004:504 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 18684 The binfmt functionality in the Linux kernel, when "memory overcommit" is enabled, allows local users to cause a denial of service (kernel oops) via a malformed a.out binary. 11754 FLSA:2336 linux-aout-binary-dos(18290) 2005-0001 oval:org.mitre.oval:def:9751 20041216 [USN-39-1] Linux amd64 kernel vulnerability CLA-2005:930 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 [linux-kernel] 20041111 a.out issue Cross-site scripting (XSS) vulnerability in standard_error_message.dtml for Zwiki after 0.10.0rc1 to 0.36.2 allows remote attackers to inject arbitrary HTML and web script via a malformed URL, which is not properly cleansed when generating an error message. 11745 http://zwiki.org/925ZwikiXSSVulnerability zwiki-link-xss(18237) GLSA-200412-23 20041126 Re: STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability 20041124 STG Security Advisory: [SSA-20041122-12] Zwiki XSS vulnerability Multiple buffer overflows in the RtConfigLoad function in rt-config.c for Atari800 before 1.3.4 allow local users to execute arbitrary code via large values in the configuration file. 11756 DSA-609 20041126 Re: Atari800 - local root. (fwd) 20041125 Atari800 - local root. 12610 13670 http://cvs.sourceforge.net/viewcvs.py/atari800/atari800/DOC/ChangeLog?view=markup Citrix Program Neighborhood Agent for Win32 8.00.24737 and earlier and MetaFrame Presentation Server client for WinCE before 8.33 allows remote servers to create arbitrary shortcuts on the client via a full UNC path in the AppInStartmenu directive. 20050426 Citrix Program Neighborhood Agent Arbitrary Shortcut Creation Vulnerability 15108 http://support.citrix.com/kb/entry.jspa?externalID=CTX105650 Stack-based buffer overflow in the client for Citrix Program Neighborhood Agent for Win32 8.00.24737 and earlier and Citrix MetaFrame Presentation Server client for WinCE before 8.33 allows remote attackers to execute arbitrary code via a long cached icon filename in the InName XML element. 20050426 Citrix Program Neighborhood Agent Buffer Overflow http://support.citrix.com/kb/entry.jspa?externalID=CTX105650 15108 Buffer overflow in (1) ncplogin and (2) ncpmap in nwclient.c for ncpfs 2.2.4, and possibly other versions, may allow local users to gain privileges via a long -T option. 11945 ncpfs-nwclientc-bo(18283) GLSA-200412-09 20041129 ncpfs buffer overflow FLSA:152904 MDKSA-2005:028 20041129 ncpfs buffer overflow The WINS service (wins.exe) on Microsoft Windows NT Server 4.0, Windows 2000 Server, and Windows Server 2003 allows remote attackers to write to arbitrary memory locations and possibly execute arbitrary code via a modified memory pointer in a WINS replication packet to TCP port 42, aka the "Association Context Vulnerability." VU#145134 11763 wins-memory-pointer-hijack(18259) 20041129 Microsoft WINS Server Vulnerability 12378 MS04-045 http://www.immunitysec.com/downloads/instantanea.pdf P-054 890710 1012516 13328 20041126 Immunity, Inc Advisor oval:org.mitre.oval:def:4831 oval:org.mitre.oval:def:4372 oval:org.mitre.oval:def:3677 oval:org.mitre.oval:def:2734 oval:org.mitre.oval:def:2541 oval:org.mitre.oval:def:1549 The Application Framework (AppKit) for Apple Mac OS X 10.2.8 and 10.3.6 does not properly restrict access to a secure text input field, which allows local users to read keyboard input from other applications within the same window session. 11802 P-049 13362 APPLE-SA-2004-12-02 macos-appkit-obtain-info(18350) mod_digest_apple for Apache 1.3.31 and 1.3.32 on Mac OS X Server does not properly verify the nonce of a client response, which allows remote attackers to replay credentials. macos-moddigest-response-replay(18347) 1012414 9571 P-049 APPLE-SA-2004-12-02 Apache for Apple Mac OS X 10.2.8 and 10.3.6 restricts access to files in a case sensitive manner, but the Apple HFS+ filesystem accesses files in a case insensitive manner, which allows remote attackers to read .DS_Store files and files beginning with ".ht" using alternate capitalization. apache-hfs-file-disclosure(18348) P-049 13362 APPLE-SA-2004-12-02 11802 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 Apache for Apple Mac OS X 10.2.8 and 10.3.6 allows remote attackers to read files and resource fork content via HTTP requests to certain special file names related to multiple data streams in HFS+, which bypass Apache file handles. apache-hfs-obtain-info(18349) P-049 13362 APPLE-SA-2004-12-02 11802 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 Human Interface Toolbox (HIToolBox) for Apple Mac 0S X 10.3.6 allows local users to exit applications via the force-quit key combination, even when the system is running in kiosk mode. macos-hitoolbox-kiosk-dos(18352) P-049 13362 APPLE-SA-2004-12-02 11802 Buffer overflow in PSNormalizer for Apple Mac OS X 10.3.6 allows remote attackers to execute arbitrary code via a crafted PostScript input file. macos-psnormalizer-bo(18354) P-049 13362 APPLE-SA-2004-12-02 11802 Terminal for Apple Mac OS X 10.3.6 may indicate that "Secure Keyboard Entry" is enabled even when it is not, which could result in a false sense of security for the user. macos-terminal-secure-improper(18355) P-049 13362 APPLE-SA-2004-12-02 11802 Postfix server for Apple Mac OS X 10.3.6, when using CRAM-MD5, allows remote attackers to send mail without authentication by replaying authentication information. postfix-crammd5-auth-replay(18353) P-049 13362 APPLE-SA-2004-12-02 11802 Unknown vulnerability in Apple Mac OS X 10.3.6 server, when using Kerberos authentication and Cyrus IMAP allows local users to access mailboxes of other users. cyrus-kerberos-gain-access(18351) P-049 13362 APPLE-SA-2004-12-02 11802 Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "a corrupt section header." DSA-639 13863 midnight-commander-section-dos(18907) RHSA-2005:512 Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by triggering a null dereference. DSA-639 13863 midnight-commander-find-dos(18908) RHSA-2005:512 Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service by causing mc to free unallocated memory. DSA-639 13863 midnight-commander-memory-allocation(18904) GLSA-200502-24 Midnight commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service via "use of already freed memory." DSA-639 13863 midnight-commander-key-dos(18905) RHSA-2005:512 Buffer overflow in InnerMedia DynaZip DUNZIP32.dll file version 5.00.03 and earlier allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, as demonstrated using (1) a .rjs (skin) file in RealPlayer 10 through RealPlayer 10.5 (6.0.12.1053), RealOne Player 1 and 2, (2) the Restore Backup function in CheckMark Software Payroll 2004/2005 3.9.6 and earlier, (3) CheckMark MultiLedger before 7.0.2, (4) dtSearch 6.x and 7.x, (5) mcupdmgr.exe and mghtml.exe in McAfee VirusScan 10 Build 10.0.21 and earlier, (6) IBM Lotus Notes before 6.5.5, and other products. NOTE: it is unclear whether this is the same vulnerability as CVE-2004-0575, although the data manipulations are the same. VU#582498 20041027 High Risk Vulnerability in RealPlayer payroll-dunzip32-bo(22737) realplayer-dunzip32-bo(17879) ADV-2006-1176 ADV-2005-2057 11555 20060906 IBM Lotus Notes DUNZIP32.dll Buffer Overflow Vulnerability 20060330 McAfee VirusScan DUNZIP32.dll Buffer Overflow Vulnerability 20051223 dtSearch DUNZIP32.dll Buffer Overflow Vulnerability http://www.securiteam.com/windowsntfocus/6Z00W00EAM.html 19906 http://www.networksecurity.fi/advisories/payroll.html http://www.networksecurity.fi/advisories/multiledger.html http://www.networksecurity.fi/advisories/mcafee-virusscan.html http://www.networksecurity.fi/advisories/lotus-notes.html http://www.networksecurity.fi/advisories/dtsearch.html http://service.real.com/help/faq/security/041026_player/EN/ 1016817 1012297 1011944 19451 18194 17394 17096 20041027 EEYE: RealPlayer Zipped Skin File Buffer Overflow 653 296 Multiple integer overflows in (1) readbmp.c, (2) readgif.c, (3) readgif.c, (4) readmrf.c, (5) readpcx.c, (6) readpng.c,(7) readpnm.c, (8) readprf.c, (9) readtiff.c, (10) readxbm.c, (11) readxpm.c in zgv 5.8 allow remote attackers to execute arbitrary code via certain image headers that cause calculations to be overflowed and small buffers to be allocated, leading to buffer overflows. NOTE: CVE-2004-0994 and CVE-2004-1095 identify sets of bugs that only partially overlap, despite having the same developer. Therefore, they should be regarded as distinct. 11556 zgv-image-header-bo(17871) http://www.svgalib.org/rus/zgv/zgv-5.8-integer-overflow-fix.diff http://www.svgalib.org/rus/zgv/ GLSA-200411-12 20041028 Re: zgv image viewing heap overflows 20041026 zgv image viewing heap overflows Archive::Zip Perl module before 1.14, when used by antivirus programs such as amavisd-new, allows remote attackers to bypass antivirus protection via a compressed file with both local and global headers set to zero, which does not prevent the compressed file from being opened on a target system. VU#492545 11448 GLSA-200410-31 antivirus-zip-protection-bypass(17761) 20041018 Multiple Vendor Anti-Virus Software Detection Evasion Vulnerability 13038 MDKSA-2004:118 Format string vulnerability in the cherokee_logger_ncsa_write_string function in Cherokee 0.4.17 and earlier, when authenticating via auth_pam, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via format string specifiers in the URL. 11574 GLSA-200411-02 cherokee-format-string(17934) http://bugs.gentoo.org/show_bug.cgi?id=67667 MIMEDefang in MIME-tools 5.414 allows remote attackers to bypass virus scanning capabilities via an e-mail attachment with a virus that contains an empty boundary string in the Content-Type header. 11563 GLSA-200411-06 mimetools-boundary-virus-bypass(17940) 20041026 [Mimedefang] SECURITY: Patch for MIME-tools MDKSA-2004:123 Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) 3.3.1, when the EAP-TLS protocol is enabled, does not properly handle expired or untrusted certificates, which allows remote attackers to bypass authentication and gain unauthorized access via a "cryptographically correct" certificate with valid fields such as the username. 11577 P-028 ciscosecure-eaptls-auth-bypass(17936) 20041102 Vulnerability in Cisco Secure Access Control Server EAP-TLS Authentication Cross-site scripting (XSS) vulnerability in mailpost.exe in MailPost 5.1.1sv, and possibly earlier versions, when debug mode is enabled, allows remote attackers to execute arbitrary web script or HTML via the append parameter. Successful exploitation requires that debug mode is enabled. VU#107998 mailpost-append-xss(17953) 11596 http://www.procheckup.com/security_info/vuln_pr0410.html mailpost.exe in MailPost 5.1.1sv, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash), leak sensitive pathname information in the resulting error message, and execute a cross-site scripting (XSS) attack via an HTTP request that contains a / (backslash) and arbitrary webscript before the requested file, which leaks the pathname and does not quote the script in the resulting Visual Basic error message. VU#596046 mailpost-slash-xss(17951) 11598 http://www.procheckup.com/security_info/vuln_pr0411.html MailPost 5.1.1sv, and possibly earlier versions, displays a different error message depending on whether the requested file exists or not, which allows remote attackers to gain sensitive information. VU#306086 mailpost-get-info-disclosure(17954) 11599 http://www.procheckup.com/security_info/vuln_pr0408.html MailPost 5.1.1sv, and possibly earlier versions, when debug mode is enabled, allows remote attackers to gain sensitive information via the debug parameter, which reveals information such as the path to the web root and the web server version. VU#858726 mailpost-information-disclosure(17952) 11595 http://www.procheckup.com/security_info/vuln_pr0409.html Microsoft Internet Explorer 6.0 SP2 allows remote attackers to spoof a legitimate URL in the status bar and conduct a phishing attack via a web page that contains a BASE element that points to the legitimate site, followed by an anchor (a) element with an empty "href" attribute, and a FORM whose action points to a malicious URL, and an INPUT submit element that is modified to look like a legitimate URL. VU#702086 ie-ahref-status-spoofing(17938) 11565 20060223 Re: Internet Explorer Phishing mouseover issue 20060218 Re: Internet Explorer Phishing mouseover issue 20041030 Re: New URL spoofing bug in Microsoft Internet Explorer 11273 Nortel Networks Contivity VPN Client displays a different error message depending on whether the username is valid or invalid, which could allow remote attackers to gain sensitive information. http://www.kb.cert.org/vuls/id/CRDY-626N7F VU#830214 11623 nortel-contivity-info-disclosure(17988) http://www.nii.co.in/vuln/contivity.html 20041110 Nortel Networks Contivity VPN Client information leakage vulnerability Cross-site scripting (XSS) vulnerability in Gallery 1.4.4-pl3 and earlier allows remote attackers to execute arbitrary web script or HTML via "specially formed URLs," possibly via the include parameter in index.php. gallery-script-xss(17948) 11602 GLSA-200411-10 DSA-642 http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=142&mode=thread&order=0&thold=0 http://g3cko.info/gallery2-4.patch dispatch-conf in Portage 2.0.51-r2 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files. 11616 GLSA-200411-13 portage-dispatchconf-symlink(17986) 13108 http://bugs.gentoo.org/show_bug.cgi?id=69147 qpkg in Gentoolkit 0.2.0_pre10 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary directory. 11617 GLSA-200411-13 13108 gentoolkit-symlink(17968) http://bugs.gentoo.org/show_bug.cgi?id=68846 The FWDRV.SYS driver in Kerio Personal Firewall 4.1.1 and earlier allows remote attackers to cause a denial of service (CPU consumption and system freeze from infinite loop) via a (1) TCP, (2) UDP, or (3) ICMP packet with a zero length IP Option field. 11639 kerio-pf-packet-dos(17992) http://www.kerio.com/security_advisory.html AD20041109 The mtink status monitor before 1.0.5 for Epson printers allows local users to overwrite arbitrary files via a symlink attack on the epson temporary file. 11640 GLSA-200411-17 mtink-tmp-file-symlink(18011) http://bugs.gentoo.org/show_bug.cgi?id=70310 Cisco IOS 2.2(18)EW, 12.2(18)EWA, 12.2(14)SZ, 12.2(18)S, 12.2(18)SE, 12.2(18)SV, 12.2(18)SW, and other versions without the "no service dhcp" command, keep undeliverable DHCP packets in the queue instead of dropping them, which allows remote attackers to cause a denial of service (dropped traffic) via multiple undeliverable DHCP packets that exceed the input queue size. VU#630104 TA04-316A cisco-ios-dhcp-dos(18021) 20041110 Cisco Security Advisory: Cisco IOS DHCP Blocked Interface Denial-of-Service P-034 oval:org.mitre.oval:def:5632 The buffer overflow trigger in Cisco Security Agent (CSA) before 4.0.3 build 728 waits five minutes for a user response before terminating the process, which could allow remote attackers to bypass the buffer overflow protection by sending additional buffer overflow attacks within the five minute timeout period. csa-buffer-protection-bypass(18037) 11659 20041111 Crafted Timed Attack Evades Cisco Security Agent Protections P-036 SQL injection vulnerability in SQLgrey Postfix greylisting service before 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) sender or (2) recipient e-mail addresses. 2004-0058 11633 sqlgrey-postfix-sql-injection(17998) http://sourceforge.net/project/shownotes.php?release_id=281256 13135 Buffer overflow in the handling of command line arguments in Skype 1.0.x.94 through 1.0.x.98 allows remote attackers to execute arbitrary code via a callto:// URL with a long non-existent username, a different vulnerability than CVE-2004-1777. 11682 skype-callto-uri-bo(18063) http://www.skype.com/security/ssa-2004-02.html http://www.skype.com/products/skype/windows/changelog.html 11786 13191 20041115 Re: Skype callto:// BoF technical details 20041116 Skype callto:// BoF technical details 20041116 Skype callto:// BoF technical details The init scripts in Search for Extraterrestrial Intelligence (SETI) project 3.08-r3 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs. GLSA-200411-26 seti@home-gain-privileges(18149) The init scripts in Great Internet Mersenne Prime Search (GIMPS) 23.9 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs. GLSA-200411-26 seti@home-gain-privileges(18149) The init scripts in ChessBrain 20407 and earlier execute user-owned programs with root privileges, which allows local users to gain privileges by modifying the programs. GLSA-200411-26 seti@home-gain-privileges(18149) Buffer overflow in the WodFtpDLX.ocx (WeOnlyDo!) ActiveX component before 2.3.2.97, as used by CoffeeCup Direct FTP 6.2.0.62 and CoffeeCup Free FTP 3.0.0.10, and possibly other applications, allows remote attackers to execute arbitrary code via a long filename. wodftpdlx-long-filename-bo(18190) 11721 20041122 WeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability 20041122 CoffeeCup FTP Clients Buffer Overflow Vulnerability 20041122 WeOnlyDo! COM Ftp DELUXE ActiveX Control Buffer Overflow Vulnerability Stack-based buffer overflow in IN_CDDA.dll in Winamp 5.05, and possibly other versions including 5.06, allows remote attackers to execute arbitrary code via a certain .m3u playlist file. VU#986504 11730 winamp-incddadll-bo(18197) http://www.security-assessment.com/Papers/Winamp_IN_CDDA_Buffer_Overflow.pdf 13269 20041123 Winamp - Buffer Overflow In IN_CDDA.dll 20041126 Re: Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched 20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched] 20041123 Winamp - Buffer Overflow In IN_CDDA.dll 20041124 Winamp - Buffer Overflow In IN_CDDA.dll [Unpatched] Mulitple buffer overflows in (1) http.c, (2) http-retr.c, (3) main.c and other code that handles network protocols in ProZilla 1.3.6-r2 and earlier allow remote servers to execute arbitrary code via a long Location header. prozilla-bo(18210) 11734 20041124 Prozilla Remote Exploit GLSA-200411-31 DSA-663 http://bugs.gentoo.org/show_bug.cgi?id=70090 Apple Safari 1.0 through 1.2.3 allows remote attackers to spoof the URL displayed in the status bar via TABLE tags. VU#925430 ie-table-status-spoofing(17909) 11573 13047 APPLE-SA-2004-12-02 Safari 1.x to 1.2.4, and possibly other versions, allows inactive windows to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows, aka the "Dialog Box Spoofing Vulnerability," a different vulnerability than CVE-2004-1314. http://secunia.com/secunia_research/2004-10/ http://secunia.com/multiple_browsers_dialog_box_spoofing_test/ 12892 APPLE-SA-2004-12-02 Darwin Streaming Server 5.0.1, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) via a DESCRIBE request with a location that contains a null byte. 20041203 Apple Darwin Streaming Server DESCRIBE Null Byte Denial of Service Vulnerability darwin-describe-dos(18357) Unknown vulnerability in chroot on SCO UnixWare 7.1.1 through 7.1.4 allows local users to escape the chroot jail and conduct unauthorized activities. chroot-jail-security-bypass(18970) SCOSA-2005.2 12300 15339 13915 SCOSA-2005.22 Buffer overflow in the Gfx::doImage function in Gfx.cc for xpdf 3.00, and other products that share code such as tetex-bin and kpdf in KDE 3.2.x to 3.2.3 and 3.3.x to 3.3.2, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted PDF file that causes the boundaries of a maskColors array to be exceeded. 12070 FLSA:2353 FLSA:2352 xpdf-gfx-doimage-bo(18641) USN-50-1 RHSA-2005:354 RHSA-2005:066 RHSA-2005:057 RHSA-2005:053 RHSA-2005:034 RHSA-2005:026 RHSA-2005:018 RHSA-2005:013 SUSE-SR:2005:001 http://www.kde.org/info/security/advisory-20041223-1.txt 20041221 Multiple Vendor xpdf PDF Viewer Buffer Overflow Vulnerability GLSA-200501-17 GLSA-200501-13 GLSA-200412-25 1012646 17277 oval:org.mitre.oval:def:10830 20041228 KDE Security Advisory: kpdf Buffer Overflow Vulnerability 20041223 [USN-48-1] xpdf, tetex-bin vulnerabilities CLA-2005:921 SCOSA-2005.42 ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch Buffer overflow in Open Dc Hub 0.7.14 allows remote attackers, with administrator privileges, to execute arbitrary code via a long RedirectAll command. 11747 20041124 Buffer Overflow in Open Dc Hub 0.7.14 open-hub-redirectall-bo(18254) GLSA-200411-37 20041124 Buffer Overflow in Open Dc Hub 0.7.14 Buffer overflow in CMailCOM.dll in CMailServer 5.2 allows remote attackers to execute arbitrary code via an attachment with a long filename. cmailserver-cmailcomdll-bo(18276) 11742 http://www.security.org.sg/vuln/cmailserver52.html 20041124 [SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilities SQL injection vulnerability in (1) fdelmail.asp, (2) addressc.asp, and possibly (3) postmail.asp and (4) fmvmail.asp in CMailServer 5.2 allow remote attackers to inject arbitrary SQL commands and delete mail metadata or e-mail addresses of contacts via the indexOfMail parameter. cmailserver-fdelmail-addressc-sql-injection(18281) 11742 http://www.security.org.sg/vuln/cmailserver52.html 20041124 [SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in admin.asp in CMailServer 5.2 allows remote attackers to execute arbitrary web script or HTML via personal information fields, such as (1) username, (2) name, or (3) comments. This vulnerability is addressed in the following product release: YoungZSoft, CMailServer, 5.2.1 cmailserver-adminasp-xss(18280) 11742 http://www.security.org.sg/vuln/cmailserver52.html 20041124 [SIG^2 G-TEC] CMailServer WebMail v5.2 Multiple Vulnerabilities Multiple buffer overflows in the enable command for SCO OpenServer 5.0.6 and 5.0.7 allow local users to execute arbitrary code via long command line arguments. SCOSA-2005.13 openserver-enable-bo(19243) 12474 Multiple cross-site scripting (XSS) vulnerabilities in Microsoft W3Who ISAPI (w3who.dll) allow remote attackers to inject arbitrary HTML and web script via (1) HTTP headers such as "Connection" or (2) invalid parameters whose values are echoed in the resulting error message. w3who-http-error-xss(18375) 20041206 Multiple vulnerabilities in w3who ISAPI DLL Buffer overflow in the Microsoft W3Who ISAPI (w3who.dll) allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long query string. w3who-bo(18377) http://www.exaprobe.com/labs/advisories/esa-2004-1206.html 20041206 Multiple vulnerabilities in w3who ISAPI DLL Multiple buffer overflows in WS_FTP Server 5.03 2004.10.14 allow remote attackers to cause a denial of service (service crash) via long (1) SITE, (2) XMKD, (3) MKD, and (4) RNFR commands. wsftp-ftp-commands-bo(18296) http://www.securiteam.com/exploits/6D00L2KBPG.html 20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14. 20041129 Multiple buffer overlows in WS_FTP Server Version 5.03, 2004.10.14. Buffer overflow in CuteFTP Professional 6.0, and possibly other versions, allows remote FTP servers to cause a denial of service (application crash) via large replies to FTP commands. cuteftp-reply-bo(18309) 20041129 CuteFTP 6.0 Professional Remote Buffer Overflow Vulnerability Multiple vulnerabilities in the IGMP functionality for Linux kernel 2.4.22 to 2.4.28, and 2.6.x to 2.6.9, allow local and remote attackers to cause a denial of service or execute arbitrary code via (1) the ip_mc_source function, which decrements a counter to -1, or (2) the igmp_marksources function, which does not properly validate IGMP message parameters and performs an out-of-bounds read. FLSA:2336 linux-igmpmarksources-dos(18482) linux-ipmcsource-code-execution(18481) RHSA-2005:092 oval:org.mitre.oval:def:11144 20041214 [USN-38-1] Linux kernel vulnerabilities http://isec.pl/vulnerabilities/isec-0018-igmp.txt SUSE-SA:2004:044 MDKSA-2005:022 CLA-2005:930 VIM before 6.3 and gVim before 6.3 allow local users to execute arbitrary commands via a file containing a crafted modeline that is executed when the file is viewed using options such as (1) termcap, (2) printdevice, (3) titleold, (4) filetype, (5) syntax, (6) backupext, (7) keymap, (8) patchmode, or (9) langmenu. GLSA-200412-10 OpenPKG-SA-2004.052 FLSA:2343 vim-modeline-gain-privileges(18503) RHSA-2005:036 RHSA-2005:010 oval:org.mitre.oval:def:9571 Unknown vulnerability in the DICOM dissector in Ethereal 0.10.4 through 0.10.7 allows remote attackers to cause a denial of service (application crash). ethereal-dicom-dos(18484) 11943 RHSA-2005:037 GLSA-200412-15 http://www.ethereal.com/appnotes/enpa-sa-00016.html P-061 13468 oval:org.mitre.oval:def:11319 CLA-2005:916 FLSA-2006:152922 MDKSA-2004:152 Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denial of service (application hang) and possibly fill available disk space via an invalid RTP timestamp. 11943 GLSA-200412-15 13468 Ethereal-rtp-dos(18485) RHSA-2005:037 http://www.ethereal.com/appnotes/enpa-sa-00016.html P-061 oval:org.mitre.oval:def:10484 CLA-2005:916 FLSA-2006:152922 MDKSA-2004:152 The HTTP dissector in Ethereal 0.10.1 through 0.10.7 allows remote attackers to cause a denial of service (application crash) via a certain packet that causes the dissector to access previously-freed memory. 11943 GLSA-200412-15 13468 ethereal-http-dissector-dos(18487) RHSA-2005:037 http://www.ethereal.com/appnotes/enpa-sa-00016.html P-061 oval:org.mitre.oval:def:9473 CLA-2005:916 FLSA-2006:152922 MDKSA-2004:152 Ethereal 0.9.0 through 0.10.7 allows remote attackers to cause a denial of service (CPU consumption) via a certain malformed SMB packet. ethereal-smb-dos(18488) 11943 RHSA-2005:037 GLSA-200412-15 http://www.ethereal.com/appnotes/enpa-sa-00016.html DSA-613 P-061 13468 oval:org.mitre.oval:def:11278 CLA-2005:916 FLSA-2006:152922 MDKSA-2004:152 The password generation in mailman before 2.1.5 generates only 5 million unique passwords, which makes it easier for remote attackers to guess passwords via a brute force attack. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286796 mailman-weak-encryption(18857) 13603 20050110 [USN-59-1] mailman vulnerabilities SUSE-SA:2005:007 Unknown vulnerability in the 32bit emulation code in Linux 2.4 on AMD64 systems allows local users to gain privileges. SUSE-SA:2004:046 linux-32bit-emulation-gain-privileges(18686) RHSA-2004:689 oval:org.mitre.oval:def:10439 Multiple vulnerabilities in Konqueror in KDE 3.3.1 and earlier (1) allow access to restricted Java classes via JavaScript and (2) do not properly restrict access to certain Java classes from the Java applet, which allows remote attackers to bypass sandbox restrictions and read or write arbitrary files. VU#420222 konqueror-sandbox-restriction-bypass(18596) RHSA-2005:065 http://www.kde.org/info/security/advisory-20041220-1.txt GLSA-200501-16 13586 20041220 KDE Security Advisory: Konqueror Java Vulnerability http://www.heise.de/security/dienste/browsercheck/tests/java.shtml oval:org.mitre.oval:def:10173 MDKSA-2004:154 Multiple cross-site scripting (XSS) vulnerabilities in (1) main.c and (2) login.c for CVSTrac before 1.1.5 allow remote attackers to inject arbitrary HTML and web script. 12017 http://www.cvstrac.org/cvstrac/chngview?cn=321 http://www.cvstrac.org/cvstrac/chngview?cn=320 OpenPKG-SA-2004.056 cvstrac-main-login-xss(18726) http://www.mikx.de/index.php?p=6 20041223 Cross-Site Scripting - an industry-wide problem phpMyAdmin 2.6.0-pl2, and other versions before 2.6.1, with external transformations enabled, allows remote attackers to execute arbitrary commands via shell metacharacters. phpmyadmin-command-execute(18441) http://www.exaprobe.com/labs/advisories/esa-2004-1213.html 20041213 Multiple vulnerabilities in phpMyAdmin phpMyAdmin before 2.6.1, when configured with UploadDir functionality, allows remote attackers to read arbitrary files via the sql_localfile parameter. phpmyadmin-command-execute(18441) http://www.exaprobe.com/labs/advisories/esa-2004-1213.html 20041213 Multiple vulnerabilities in phpMyAdmin Computer Associates eTrust EZ Antivirus 7.0.0 to 7.0.4, including 7.0.1.4, installs its files with insecure permissions (ACLs), which allows local users to gain privileges by replacing critical programs with malicious ones, as demonstrated using VetMsg.exe. etrust-antivirus-insecure-permissions(18502) 20041215 Computer Associates eTrust EZ Antivirus Insecure File Permission Vulnerability http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter Stack-based buffer overflow in the in_cdda.dll plugin for Winamp 5.0 through 5.08c allows attackers to execute arbitrary code via a cda:// URL with a long (1) device name or (2) sound track number, as demonstrated with a .m3u or .pls playlist file. winamp-incdda-bo(18840) http://www.winamp.com/player/version_history.php http://www.nsfocus.com/english/homepage/research/0501.htm 20050127 NSFOCUS SA2005-01 : Buffer Overflow in WinAMP in_cdda.dll CDA Device Name 12381 13781 Multiple buffer overflows in the (1) sys32_ni_syscall and (2) sys32_vm86_warning functions in sys_ia32.c for Linux 2.6.x may allow local attackers to modify kernel memory and gain privileges. [linux-kernel] 20041130 Buffer overrun in arch/x86_64/sys_ia32.c:sys32_ni_syscall() 20041214 [USN-38-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/gnupatch@41ae6af1cR3mJYlW6D8EHxCKSxuJiQ http://linux.bkbits.net:8080/linux-2.6/cset@1.2079 SUSE-SA:2004:044 MDKSA-2005:022 Buffer overflow in the mailListIsPdf function in Adobe Acrobat Reader 5.09 for Unix allows remote attackers to execute arbitrary code via an e-mail message with a crafted PDF attachment. VU#253024 20041214 Adobe Acrobat Reader 5.0.9 mailListIsPdf() Buffer Overflow Vulnerability adobe-acrobat-maillistlspdf-bo(18477) http://www.adobe.com/support/techdocs/331153.html 13474 SUSE-SR:2005:001 Format string vulnerability in Adobe Acrobat Reader 6.0.0 through 6.0.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an .ETD document containing format string specifiers in (1) title or (2) baseurl fields. 20041214 Adobe Reader 6.0 .ETD File Format String Vulnerability adobe-acrobat-etd-format-string(18478) http://www.adobe.com/support/downloads/detail.jsp?ftpID=2679 oval:org.mitre.oval:def:2919 Integer overflow in the Samba daemon (smbd) in Samba 2.x and 3.0.x through 3.0.9 allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a Samba request with a large number of security descriptors that triggers a heap-based buffer overflow. VU#226184 samba-msrpc-heap-corruption(18519) http://www.samba.org/samba/security/CAN-2004-1154.html RHSA-2005:020 SUSE-SA:2004:045 DSA-701 13453 oval:org.mitre.oval:def:10236 APPLE-SA-2005-03-21 SCOSA-2005.17 11973 20041216 Samba smbd Security Descriptor Integer Overflow Vulnerability 57730 101643 oval:org.mitre.oval:def:642 oval:org.mitre.oval:def:1459 Internet Explorer 5.01 through 6 allows remote attackers to spoof arbitrary web sites by injecting content from one window into another window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. NOTE: later research shows that Internet Explorer 7 on Windows XP SP2 is also vulnerable. 11855 http://secunia.com/secunia_research/2004-13/advisory/ http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ 22628 13251 20061025 IE7 status: 8 days after release, 3 unfixed issues Mozilla before 1.7.6, and Firefox before 1.0.1, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. RHSA-2005:384 RHSA-2005:176 http://www.mozilla.org/security/announce/mfsa2005-13.html GLSA-200503-30 GLSA-200503-10 http://secunia.com/secunia_research/2004-13/advisory/ http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ 13129 oval:org.mitre.oval:def:10117 oval:org.mitre.oval:def:100045 Opera 7.x up to 7.54, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. GLSA-200502-17 http://secunia.com/secunia_research/2004-13/advisory/ http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ 13253 Konqueror 3.x up to 3.2.2-6, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window or tab whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. 11853 20041213 KDE Security Advisory: Konqueror Window Injection Vulnerability RHSA-2005:009 http://www.kde.org/info/security/advisory-20041213-1.txt http://secunia.com/secunia_research/2004-13/advisory/ http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ 13254 oval:org.mitre.oval:def:11056 SUSE-SR:2005:001 13560 13486 13477 13254 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1122, CVE-2004-1314. Reason: this was an out-of-band assignment duplicate intended for one issue, but the description and references inadvertently combined multiple issues. Notes: All CVE users should consult CVE-2004-1122 and CVE-2004-1314 to determine which ID is appropriate. All references and descriptions in this candidate have been removed to prevent accidental usage. Netscape 7.x to 7.2, and possibly other versions, allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability. 11852 http://secunia.com/secunia_research/2004-13/advisory/ http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ 13402 rssh 2.2.2 and earlier does not properly restrict programs that can be run, which could allow remote authenticated users to bypass intended access restrictions and execute arbitrary programs via (1) rdist -P, (2) rsync, or (3) scp -S. GLSA-200412-01 11792 20041202 rssh and scponly arbitrary command execution 20050115 Re: rssh and scponly arbitrary command execution The unison command in scponly before 4.0 does not properly restrict programs that can be run, which could allow remote authenticated users to bypass intended access restrictions and execute arbitrary programs via the (1) -rshcmd or (2) -sshcmd flags. 11791 scponly-commandline-command-execution(18362) http://www.sublimation.org/scponly/#relnotes GLSA-200412-01 20050115 Re: rssh and scponly arbitrary command execution 20041202 rssh and scponly arbitrary command execution Cisco CNS Network Registrar Central Configuration Management (CCM) server 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (CPU consumption) by ending a connection after sending a certain sequence of packets. cisco-cns-ccm-dos(18327) 20041202 Cisco Network Registrar Denial of Service Vulnerability The lock manager in Cisco CNS Network Registrar 6.0 through 6.1.1.3 allows remote attackers to cause a denial of service (process crash) via a certain "unexpected packet sequence." cisco-cns-lock-dos(18328) 11793 20041202 Cisco Network Registrar Denial of Service Vulnerability Konqueror 3.3.1 allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command. web-browser-ftp-command-execution(18384) RHSA-2005:065 RHSA-2005:009 GLSA-200501-18 DSA-631 oval:org.mitre.oval:def:9645 MDKSA-2005:045 20041205 7a69Adv#16 - Konqueror FTP command injection CRLF injection vulnerability in Microsoft Internet Explorer 6.0.2800.1106 and earlier allows remote attackers to execute arbitrary FTP commands via an ftp:// URL that contains a URL-encoded newline ("%0a") before the FTP command, which causes the commands to be inserted into the resulting FTP session, as demonstrated using a PORT command. web-browser-ftp-command-execution(18384) ADV-2008-0870 ADV-2006-3212 28208 11826 20080313 Rapid7 Advisory R7-0032: Microsoft Internet Explorer FTP Command Injection Vulnerability http://www.rapid7.com/advisories/R7-0032.jsp 12299 MS06-042 1012444 29346 13404 20041207 7a69Adv#15 - Internet Explorer FTP command injection oval:org.mitre.oval:def:462 mirrorselect before 0.89 creates temporary files in a world-writable location with predictable file names, which allows remote attackers to overwrite arbitrary files via a symlink attack. GLSA-200412-05 mirrorselect-symlink(18382) 13392 Stack-based buffer overflow in the WebDav handler in MaxDB WebTools 7.5.00.18 and earlier allows remote attackers to execute arbitrary code via a long Overwrite header. 20041207 MaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Service maxdb-webdav-bo(18386) MaxDB WebTools 7.5.00.18 and earlier allows remote attackers to cause a denial of service (application crash) via an HTTP GET request for a file that does not exist, followed by two carriage returns, which causes a NULL dereference. 20041207 MaxDB WebTools <= 7.5.00.18 buffer overflow and Denial of Service maxdb-dos(18387) a2ps 4.13 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename. 11025 20040824 a2ps executing shell commands from file name gnu-a2ps-gain-privileges(17127) http://www.securiteam.com/unixfocus/5MP0N2KDPA.html SUSE-SA:2004:034 12375 http://bugs.debian.org/283134 FLSA:152870 MDKSA-2004:140 57649 OpenPKG-SA-2005.003 KDE 3.2.x and 3.3.0 through 3.3.2, when saving credentials that are (1) manually entered by the user or (2) created by the SMB protocol handler, stores those credentials for plaintext in the user's .desktop file, which may be created with world-readable permissions, which could allow local users to obtain usernames and passwords for remote resources such as SMB shares. VU#305294 11866 http://www.sec-consult.com/index.php?id=118 http://www.kde.org/info/security/advisory-20041209-1.txt 20041129 Password Disclosure for SMB Shares in KDE's Konqueror kde-smb-password-plaintext(18267) 12248 MDKSA-2004:150 GLSA-200412-16 P-051 1012471 13560 13486 13477 20041209 KDE Security Advisory: plain text password exposure 20041129 Password Disclosure for SMB Shares in KDE's Konqueror Stack-based buffer overflow in the Agent Browser in Veritas Backup Exec 8.x before 8.60.3878 Hotfix 68, and 9.x before 9.1.4691 Hotfix 40, allows remote attackers to execute arbitrary code via a registration request with a long hostname. VU#907729 11974 netbackup-agent-browser-bo(18506) 20041216 Veritas Backup Exec Agent Browser Registration Request Buffer Overflow Vulnerability http://www.frsirt.com/exploits/20050111.101_BXEC.cpp.php http://seer.support.veritas.com/docs/273850.htm http://seer.support.veritas.com/docs/273422.htm http://seer.support.veritas.com/docs/273420.htm http://seer.support.veritas.com/docs/273419.htm 13495 Internet Explorer 6 allows remote attackers to bypass the popup blocker via the document object model (DOM) methods in the DHTML Dynamic HTML (DHTML) Editing Component (DEC) and Javascript that calls showModalDialog. ie-popup-blocking-bypass(18444) 20041210 HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut ! 20041210 HOW TO BREAK XP SP2 POPUP BLOCKER: kick it in the nut ! direntry.c in Midnight Commander (mc) 4.5.55 and earlier allows attackers to cause a denial of service by "manipulating non-existing file handles." DSA-639 13863 midnight-commander-direntry-dos(18909) 1012903 RHSA-2005:512 fish.c in midnight commander allows remote attackers execute arbitrary programs via "insecure filename quoting," possibly using shell metacharacters. DSA-639 13863 midnight-commander-command-execution(18906) 1012903 RHSA-2005:512 Buffer underflow in extfs.c in Midnight Commander (mc) 4.5.55 and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code. DSA-639 13863 midnight-commander-extfs-dos(18911) RHSA-2005:217 GLSA-200502-24 1012903 Cross-site scripting (XSS) vulnerability in the driver script in mailman before 2.1.5 allows remote attackers to inject arbitrary web script or HTML via a URL, which is not properly escaped in the resulting error page. DSA-674 20050110 [USN-59-1] mailman vulnerabilities http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=287555 mailman-script-driver-xss(18854) 13603 oval:org.mitre.oval:def:11113 RHSA-2005:235 SUSE-SA:2005:007 MDKSA-2005:015 The debstd script in debmake 3.6.x before 3.6.10 and 3.7.x before 3.7.7 allows local users to overwrite arbitrary files via a symlink attack on temporary directories. 12078 20041223 [USN-49-1] debmake vulnerability DSA-615 13633 debmake-debstd-symlink(18646) Unknown vulnerability in the rwho daemon (rwhod) before 0.17, on little endian architectures, allows remote attackers to cause a denial of service (application crash). DSA-678 MDKSA-2005:039 14309 htmlheadline before 21.8 allows local users to overwrite arbitrary files via a symlink attack on temporary files. 12147 DSA-622 htmlheadline-symlink(18737) 1012756 13715 hfaxd in HylaFAX before 4.2.1, when installed with a "weak" hosts.hfaxd file, allows remote attackers to authenticate and bypass intended access restrictions via a crafted (1) username or (2) hostname that satisfies a regular expression that is matched against a hosts.hfaxd entry without a password. GLSA-200501-21 [hylafax-announce] 20050111 **ANOUNCE** hylafax-4.2.1 released 20050111 HylaFAX hfaxd unauthorized login vulnerability MDKSA-2005:006 13812 Integer overflow in the tiffdump utility for libtiff 3.7.1 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted TIFF file. SUSE-SA:2005:001 GLSA-200501-06 20050106 [USN-54-1] TIFF library tool vulnerability libtiff-tiffdump-bo(18782) RHSA-2005:035 RHSA-2005:019 13728 oval:org.mitre.oval:def:9743 CLA-2005:920 12173 MDKSA-2005:052 MDKSA-2005:002 MDKSA-2005:001 13776 The EPSF pipe support in enscript 1.6.3 allows remote attackers or local users to execute arbitrary commands via shell metacharacters. TA09-133A enscript-epsf-command-ececution(19012) RHSA-2005:040 GLSA-200502-03 DSA-654 ADV-2009-1297 http://support.apple.com/kb/HT3549 35074 oval:org.mitre.oval:def:9658 APPLE-SA-2009-05-12 USN-68-1 12329 20060526 rPSA-2006-0083-1 enscript FLSA:152892 MDKSA-2005:033 1012965 Enscript 1.6.3 does not sanitize filenames, which allows remote attackers or local users to execute arbitrary commands via crafted filenames. TA09-133A GLSA-200502-03 DSA-654 enscript-filename-command-execution(19029) ADV-2009-1297 RHSA-2005:040 http://support.apple.com/kb/HT3549 35074 oval:org.mitre.oval:def:10808 APPLE-SA-2009-05-12 USN-68-1 12329 20060526 rPSA-2006-0083-1 enscript FLSA:152892 MDKSA-2005:033 1012965 Multiple buffer overflows in enscript 1.6.3 allow remote attackers or local users to cause a denial of service (application crash). TA09-133A GLSA-200502-03 DSA-654 enscript-multiple-bo(19033) ADV-2009-1297 RHSA-2005:040 http://support.apple.com/kb/HT3549 35074 oval:org.mitre.oval:def:11134 APPLE-SA-2009-05-12 USN-68-1 12329 20060526 rPSA-2006-0083-1 enscript FLSA:152892 MDKSA-2005:033 1012965 Heap-based buffer overflow in the pnm_get_chunk function for xine 0.99.2, and other packages such as MPlayer that use the same code, allows remote attackers to execute arbitrary code via long PNA_TAG values, a different vulnerability than CVE-2004-1188. 20041221 Multiple Vendor Xine version 0.99.2 PNM Handler PNA_TAG Heap Overflow Vulnerability xine-pnatag-bo(18640) http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff MDKSA-2005:011 http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21 The pnm_get_chunk function in xine 0.99.2 and earlier, and other packages such as MPlayer that use the same code, does not properly verify that the chunk size is less than the PREAMBLE_SIZE, which causes a read operation with a negative length that leads to a buffer overflow via (1) RMF_TAG, (2) DATA_TAG, (3) PROP_TAG, (4) MDPR_TAG, and (5) CONT_TAG values, a different vulnerability than CVE-2004-1187. 20041221 Multiple Vendor Xine version 0.99.2 PNM Handler Negative Read Length Heap Overflow Vulnerability xine-pnmgetchunk-bo(18638) http://www.mplayerhq.hu/MPlayer/patches/pnm_fix_20041215.diff MDKSA-2005:011 http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21 The add_to_history function in svr_principal.c in libkadm5srv for MIT Kerberos 5 (krb5) up to 1.3.5, when performing a password change, does not properly track the password policy's history count and the maximum number of keys, which can cause an array index out-of-bounds error and may allow authenticated users to execute arbitrary code via a heap-based buffer overflow. http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt 20041220 MITKRB5-SA-2004-004: heap overflow in libkadm5srv kerberos-libkadm5srv-bo(18621) 2004-0069 RHSA-2005:045 RHSA-2005:012 oval:org.mitre.oval:def:11911 20050110 [USN-58-1] MIT Kerberos server vulnerability CLA-2005:917 MDKSA-2004:156 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 SUSE Linux before 9.1 and SUSE Linux Enterprise Server before 9 do not properly check commands sent to CD devices that have been opened read-only, which could allow local users to conduct unauthorized write activities to modify the firmware of associated SCSI devices. SUSE-SA:2004:042 suse-scsi-firmware-overwrite(18370) oval:org.mitre.oval:def:9369 11784 RHSA-2006:0101 18510 Race condition in SuSE Linux 8.1 through 9.2, when run on SMP systems that have more than 4GB of memory, could allow local users to read unauthorized memory from "foreign memory pages." linux-smbrecvtrans2-memory-leak(18137) SUSE-SA:2004:042 Format string vulnerability in the lprintf function in Citadel/UX 6.27 and earlier allows remote attackers to execute arbitrary code via format string specifiers sent to the server. citadel-format-string(18429) http://www.nosystem.com.ar/advisories/advisory-09.txt 20041214 Re: Citadel/UX <= v6.27 Remote Format String Vulnerability 20041213 Citadel/UX <= v6.27 Remote Format String Vulnerability Prevx Home 1.0 allows local users with administrator privileges to bypass the intrusion prevention features by directly writing to \device\physicalmemory, which restores the running kernel's original SDT ServiceTable. prevx-home-settings-disable(18195) 1012294 20041124 Re: [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration 20041122 [SIG^2 G-TEC] Prevx Home v1.0 Instrusion Prevention Features Can Be Disabled by Direct Service Table Restoration Buffer overflow in Star Wars Battlefront 1.11 and earlier allows remote attackers to cause a denial of service (application crash) via a long nickname. star-wars-nickname-bo(18256) 11750 20041124 Limited buffer-overflow and arbitrary memory access in Star Wars Star Wars Battlefront 1.11 and earlier allows remote attackers to cause a denial of service (application crash) via a join request that contains a memory address that causes the server to read arbitrary memory. star-wars-packet-dos(18257) 11750 20041124 Limited buffer-overflow and arbitrary memory access in Star Wars Battlefront 1.1 Cross-site scripting (XSS) vulnerability in inmail.pl in Insite Inmail allows remote attackers to inject arbitrary web script or HTML via the acao parameter. insite-inmail-inshop-xss(18268) 11758 13188 20041124 XSS in Brazilian Insite products Cross-site scripting (XSS) vulnerability in inshop.pl in Insite inShop allows remote attackers to inject arbitrary web script or HTML via the screen parameter. insite-inmail-inshop-xss(18268) 11758 13188 20041124 XSS in Brazilian Insite products Microsoft Internet Explorer allows remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. web-browser-array-dos(18282) 11751 20041125 MSIE flaws: nested array sort() loop Stack overflow exception 20041125 MSIE & FIREFOX flaws: "detailed" advisory and comments that you probably don't want to read anyway Safari 1.2.4 on Mac OS X 10.3.6 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. web-browser-array-dos(18282) 11759 20041125 More Browser flaws on MACOSX: nested array sort() loop Stack overflow exception Firefox and Mozilla allow remote attackers to cause a denial of service (application crash from memory consumption), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. web-browser-array-dos(18282) 11760 11752 20041125 MSIE & FIREFOX flaws: "detailed" advisory and comments that you probably don't want to read anyway 20041125 FIREFOX flaws: nested array sort() loop Stack overflow exception Opera 7.54 allows remote attackers to cause a denial of service (application crash from memory exhaustion), as demonstrated using Javascript code that continuously creates nested arrays and then sorts the newly created arrays. web-browser-array-dos(18282) 11762 20041125 Re: MSIE flaws: nested array sort() loop Stack overflow exception 20041125 Re: Opera flaws: nested array sort() loop Stack overflow exception Cross-site scripting (XSS) vulnerability in parser.php in phpCMS 1.2.1 and earlier, with non-stealth and debug modes enabled, allows remote attackers to inject arbitrary web script or HTML via the file parameter. Successful exploitation requires that both the non-stealth and the debug modes are enabled. phpcms-parser-xss(18272) 11765 http://www.phpcms.de/download/index.en.html 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure parser.php in phpCMS 1.2.1 and earlier, with non-stealth and debug modes enabled, allows remote attackers to gain sensitive information via an invalid file parameter, which reveals the web server's installation path. 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure phpcms-parser-path-disclosure(18279) phpcms-parser-xss(18272) 20041126 phpCMS <= 1.2.1 Xss Vulnerability, Information disclosure FluxBox 0.9.10 and earlier versions allows local users to cause a denial of service (application crash) by calling Xman with a long -title value, possibly triggering a buffer overflow. fluxbox-xman-dos(18264) 20041126 FluxBox crash vulnerability codebrowserpntm.php in PnTresMailer 6.03 allows remote attackers to gain sensitive information via an invalid filetohighlight parameter, which reveals the full path in an error message. pntresmailer-information-disclosure(18263) 20041126 PnTresMailer code browser 6.03 Vulnerabilities Directory traversal vulnerability in codebrowserpntm.php in pnTresMailer 6.0.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the filetodownload parameter. pntresmailer-information-disclosure(18263) 11767 20041126 PnTresMailer code browser 6.03 Vulnerabilities The Serious engine, as used in (1) Alpha Black Zero Intrepid Protocol 1.04 and earlier, (2) Nitro family, and (3) Serious Sam Second Encounter 1.07 allows remote attackers to cause a denial of service (server crash) via a large number of UDP join requests that exceeds the maximum player limit, as originally reported for Alpha Black Zero. alphablackzero-udp-packet-dos(17545) 11279 1011454 12687 20040929 Crash in Alpha Black Zero 1.04 20041128 Players overflow in Serious engine UDP (was Alpha Black Zero, 29 Sep 2004) Buffer overflow in Orbz 2.10 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long password field in a join request. orbz-join-password-bo(18298) 11774 20041129 Buffer-overflow in Orbz 2.10 Verisign Payflow Link, when running with empty Accepted URL fields, does not properly verify the data in the hidden AMOUNT field, which allows remote attackers to modify the price of the items that they purchase. 20041129 [SHK-001]Payflow Link Default Config may lead to Hidden Field Modification payflow-link-modification(18299) Cross-site scripting (XSS) vulnerability in proxylog.dat in IPCop 1.4.1 and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the (1) url or (2) part variables. ipcop-proxylogdat-xss(18301) 11779 20041201 [KA Advisory 0411291] IPCop Cross Site Scripting Vulnerability in proxylog.dat Multiple buffer overflows in the IMAP service in Mercury/32 4.01a allow remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via long arguments to the (1) EXAMINE, (2) SUBSCRIBE, (3) STATUS, (4) APPEND, (5) CHECK, (6) CLOSE, (7) EXPUNGE, (8) FETCH, (9) RENAME, (10) DELETE, (11) LIST, (12) SEARCH, (13) CREATE, or (14) UNSUBSCRIBE commands. 11775 mercury-command-bo(18318) 12508 13348 20041201 Multiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003. 20041201 Multiple buffer overflows exist in Mercury/32, v4.01a, Dec 8 2003. http://home.kabelfoon.nl/~jaabogae/han/m_401b.html Directory traversal vulnerability in btdownload.php in Blog Torrent preview 0.8 allows remote attackers to download arbitrary files via a .. (dot dot) in the file argument. 11795 20041202 Blog Torrent preview 0.8 - arbitary file download blogtorrent-btdownloadphp-dir-traversal(18356) http://cvs.sourceforge.net/viewcvs.py/battletorrent/btorrent_server/btdownload.php?r1=1.6&r2=1.7 Cross-site scripting (XSS) vulnerability in index.php in Advanced Guestbook 2.3.1, 2.2, and possibly other versions allows remote attackers to inject arbitrary web script or HTML via the entry parameter. advguestbook-indexphp-xss(18334) 11798 20041204 Re: Advanced Guestbook 20041202 Advanced Guestbook Format string vulnerability in Kreed 1.05 and earlier allows remote attackers to execute arbitrary code via format specifiers in (1) a nickname or (2) message text. kreed-message-nickname-format-string(18343) 11799 20041202 Multiple vulnerabilities in Kreed 1.05 Kreed 1.05 and earlier allows remote attackers to cause a denial of service (server disconnect) via a long UDP packet, which causes a "message too long" socket error. kreed-udp-packet-dos(18344) 11799 20041202 Multiple vulnerabilities in Kreed 1.05 The scripts that handle players in Kreed 1.05 and earlier allow remote attackers to cause a denial of service (server freeze) via a long (1) nickname or (2) model type, which generates dialog boxes on the server that must be manually handled before the server continues the game. kreed-nickname-modeltype-dos(18345) 11799 20041202 Multiple vulnerabilities in Kreed 1.05 Hosting Controller 6.1 Hotfix 1.4, and possibly other versions, allows remote attackers to view arbitrary directories by specifying the target pathname in the FilePath parameter to (1) Statsbrowse.asp or (2) Generalbrowse.asp. hosting-controller-view-files(18363) 11822 20041205 Hosting Controller Remote Execute 2.30 allows remote attackers to cause a denial of service (application crash) by making 7 simultaneous connections. VU#136424 11821 20041206 DoS leading to crash of client in Remote Execute 2.30 remote-execute-dos(18380) paFileDB 3.1, when using sessions authentication and while the administrator logs on, allows remote attackers to read the administrator's password hash and conduct brute force password guessing attacks by listing the contents of the sessions directory and reading the associated file for the administrator session. pafiledb-session-information-disclosure(18364) 11818 20041207 Multiple Vulnerabilities in paFileDB 3.1 http://echo.or.id/adv/adv09-y3dips-2004.txt Battlefield 1942 1.6.19 and earlier, and Battlefield Vietnam 1.2 and earlier, allows a remote master server to cause a denial of service (client crash) via a server reply that contains a large numplayers value, which triggers a null dereference. battlefieldvietnam-numplayers-dos(18402) battlefield-numplayers-dos(18400) 11838 20041207 Broadcast client crash in Battlefield 1942 1.6.19 and Vietnam 1.2 Directory traversal vulnerability in weblibs.pl in WebLibs 1.0 allows remote attackers to read arbitrary files via .. sequences in the TextFile parameter. 20041207 Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0 weblibs-directory-traversal(18399) 11848 13400 weblibs.pl in WebLibs 1.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the TextFile parameter. 20041207 Remote Web Server Text File Viewing Vulnerability in WebLibs 1.0 weblibs-directory-traversal(18399) 11848 The Management Agent in F-Secure Policy Manager 5.11.2810 allows remote attackers to gain sensitive information, such as the absolute path for the web server, via an HTTP request to fsmsh.dll without any parameters. fsecure-url-obtain-information(18413) 11869 http://www.oliverkarow.de/research/f-secure.txt 20041209 =?iso-8859-1?Q?F-Secure_Policy_Manager_-__physical_path_disclosure?= Off-by-one error in the mtr_curses_keyaction function for mtr 0.55 through 0.65 allows local users to hijack raw sockets, as demonstrated using the "s" keybinding, which leaves a buffer without a NULL terminator. 20041211 Local off-by-one in mtr versions 0.55 to 0.65 mtr-mtrcurseskeyaction-offbyone-bo(18428) SQL injection vulnerability in SugarCRM Sugar Sales before 2.0.1a allows remote attackers to execute arbitrary SQL commands and gain privileges via the record parameter in a DetailView action to index.php, and record parameters in other functionality. sugarcrm-record-sql-injection(18325) 11740 20041213 SugarSales Multiple Vulnerabilities http://www.gulftech.org/?node=research&article_id=00053-120104 SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to gain sensitive information via certain requests to scripts that contain invalid input, which reveals the path in an error message, as demonstrated using phprint.php with an empty module parameter. sugar-sales-path-disclosure(18447) 20041213 SugarSales Multiple Vulnerabilities Directory traversal vulnerability in SugarCRM Sugar Sales 2.0.1c and earlier allows remote attackers to read arbitrary files and possibly execute arbitrary PHP code via .. (dot dot) sequences in the (1) module, (2) action, or (3) theme parameters to index.php, (4) the theme parameter to Login.php, and possibly other parameters or scripts. sugarcrm-directory-traversal(18326) 11740 20041213 SugarSales Multiple Vulnerabilities http://www.gulftech.org/?node=research&article_id=00053-120104 The install scripts in SugarCRM Sugar Sales 2.0.1c and earlier are not removed after installation, which allows attackers to obtain the MySQL administrative password in cleartext from an installation form, or to cause a denial of service by changing database settings to the default. sugar-sales-password-plaintext(18449) 20041213 SugarSales Multiple Vulnerabilities Cross-site scripting vulnerability in the parser for Gadu-Gadu allows remote attackers to inject arbitrary web script or HTML via (1) http:// or (2) news:// URLs, a different vulnerability than CVE-2004-1410. 11899 12517 http://www.man.poznan.pl/~security/gg-adv.txt 13450 20041213 Gadu-Gadu several vulnerabilities Gadu-Gadu allows remote attackers to gain sensitive information and read files from the _cache directory of other users via a DCC connection and a CTCP packet that contains a 1 as the type and a 4 as the subtype. gadu-gadu-dcc-ctcp-obtain-files(18461) http://www.man.poznan.pl/~security/gg-adv.txt 20041213 Gadu-Gadu several vulnerabilities Directory traversal vulnerability in Gadu-Gadu allows remote attackers to read arbitrary files via .. (dot dot) sequences in a DCC connection with a CTCP packet that contains a 1 as the type and a 4 as the subtype. gadu-gadu-dcc-ctcp-obtain-files(18461) http://www.man.poznan.pl/~security/gg-adv.txt 20041213 Gadu-Gadu several vulnerabilities Stack-based buffer overflow in the code that sends images in Gadu-Gadu allows remote attackers to execute arbitrary code via a large image filename. gadu-gadu-image-filename-bo(18462) http://www.man.poznan.pl/~security/gg-adv.txt 20041213 Gadu-Gadu several vulnerabilities Integer overflow in Gadu-Gadu allows remote attackers to cause a denial of service (disk consumption) via a user packet to the DCC file transfer capability with an invalid file length. gadu-gadu-dcc-bo(18465) http://www.man.poznan.pl/~security/gg-adv.txt 20041213 Gadu-Gadu several vulnerabilities load_elf_binary in Linux before 2.4.26 allows local users to cause a denial of service (system crash) via an ELF binary in which the interpreter is NULL. FLSA:2336 12101 http://linux.bkbits.net:8080/linux-2.4/cset@4076466d_SqUm4azg4_v3FIG2-X6XQ linux-loadelfbinary-dos(18687) RHSA-2004:689 oval:org.mitre.oval:def:10608 http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=142965 RHSA-2005:017 RHSA-2005:016 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 Race condition in the (1) load_elf_library and (2) binfmt_aout function calls for uselib in Linux kernel 2.4 through 2.429-rc2 and 2.6 through 2.6.10 allows local users to execute arbitrary code by manipulating the VMA descriptor. 12190 RHSA-2005:043 FLSA:2336 linux-uselib-gain-privileges(18800) 2005-0001 FEDORA-2005-013 FEDORA-2005-014 http://www.securityfocus.com/advisories/7804 RHSA-2005:092 oval:org.mitre.oval:def:9567 http://isec.pl/vulnerabilities/isec-0021-uselib.txt CLA-2005:930 RHSA-2005:017 RHSA-2005:016 SUSE-SR:2005:001 MDKSA-2005:022 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 20050107 Linux kernel sys_uselib local root vulnerability Buffer overflow in the LDAP component for Netscape Directory Server (NDS) 3.6 on HP-UX and other operating systems allows remote attackers to execute arbitrary code. VU#258905 12099 P-083 57754 14960 SSRT4867 Unknown vulnerability in the system call filtering code in the audit subsystem for Red Hat Enterprise Linux 3 allows local users to cause a denial of service (system crash) via unknown vectors. RHSA-2005:043 oval:org.mitre.oval:def:11282 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was in a CNA pool that was not assigned to any issues during 2004. Notes: none. Windows Media Player 9 allows remote attackers to execute arbitrary code via a PNG file containing large (1) width or (2) height values, aka the "PNG Processing Vulnerability." TA05-039A VU#259890 win-ms05kb890261-update(19096) MS05-009 oval:org.mitre.oval:def:2379 oval:org.mitre.oval:def:1568 oval:org.mitre.oval:def:1306 WinRAR 3.40, and possibly earlier versions, allows remote attackers to execute arbitrary code via a ZIP file containing a file with a long filename, possibly causing an integer overflow that leads to a buffer overflow. winrar-zip-file-bo(18569) http://www.frsirt.com/exploits/20041217.Winrar.c.php Buffer overflow in the expandtabs function in 2fax 3.04 allows remote attackers to execute arbitrary code via a text file that is converted to TIFF. 2fax-bpcx-bo(10901) http://tigger.uic.edu/~jlongs2/holes/2fax.txt Multiple buffer overflows in the (1) event_text and (2) event_specific functions in abc2midi 2004.12.04 allow remote attackers to execute arbitrary code via crafted ABC files. abc2midi-eventspecific-bo(18574) abc2midi-eventtext-bo(18573) http://tigger.uic.edu/~jlongs2/holes/abc2midi.txt Buffer overflow in the process_abc function in abc.c for abc2mtex 1.6.1 allows remote attackers to execute arbitrary code via crafted ABC files. abc2mtex-processabc-bo(18578) http://tigger.uic.edu/~jlongs2/holes/abc2mtex.txt Buffer overflow in the put_words function in subs.c for abcm2ps 3.7.20 allows remote attackers to execute arbitrary code via crafted ABC files. abcm2ps-putwords-bo(18579) http://tigger.uic.edu/~jlongs2/holes/abcm2ps.txt Multiple buffer overflows in the handle_directive function in abcpp.c for abcpp 1.3.0 allow remote attackers to execute arbitrary code via crafted ABC files. abcpp-handledirective-bo(18581) http://tigger.uic.edu/~jlongs2/holes/abcpp.txt Multiple buffer overflows in the (1) write_heading function in subs.cpp or (2) trim_title function in parse.cpp for abctab2ps 1.6.3 allow remote attackers to execute arbitrary code via crafted ABC files. abctab2ps-trimtitle-bo(18584) abctab2ps-writeheading-bo(18583) http://tigger.uic.edu/~jlongs2/holes/abctab2ps.txt Multiple buffer overflows in the preparse function in asp2php 0.76.23 allow remote attackers to execute arbitrary code via crafted ASP scripts. asp2php-preparse-bo(18585) http://tigger.uic.edu/~jlongs2/holes/asp2php.txt Buffer overflow in the bsb_open_header function in libbsb for bsb2ppm 0.0.6 allows remote attackers to execute arbitrary code via crafted BSB pictures. bsb2ppm-bsbopenheader-bo(18586) http://tigger.uic.edu/~jlongs2/holes/bsb2ppm.txt changepassword.cgi in ChangePassword 0.8, when installed setuid, allows local users to execute arbitrary code by modifying the PATH environment variable to point to a malicious "make" program. changepassword-gain-privileges(18593) http://tigger.uic.edu/~jlongs2/holes/changepassword.txt Buffer overflow in the simplify_path function in config.c for ChBg 1.5 allows remote attackers to execute arbitrary code via a crafted chbg scenario file. chbg-simplifypath-bo(18595) DSA-644 http://tigger.uic.edu/~jlongs2/holes/chbg.txt MDKSA-2005:027 Buffer overflow in the readObjectChunk function in 3dsimp.cpp for the convex-tool program in Convex 3D 0.8pre1 allows remote attackers to execute arbitrary code via a crafted 3DS file. convex-3d-readobjectchunk-bo(18601) http://tigger.uic.edu/~jlongs2/holes/convex3d.txt Buffer overflow in the get_field_headers function in csv2xml.cpp for csv2xml 0.5.1 allows remote attackers to execute arbitrary code via a crafted CSV file. csv2xml-getfieldheaders-bo(18602) http://tigger.uic.edu/~jlongs2/holes/csv2xml.txt Buffer overflow in the ParseCommand function in hpgl-input.c in the hpgltops program for CUPS 1.1.22 allows remote attackers to execute arbitrary code via a crafted HPGL file. cups-parsecommand-hpgl-bo(18604) USN-50-1 RHSA-2005:053 RHSA-2005:013 MDKSA-2005:008 GLSA-200412-25 http://tigger.uic.edu/~jlongs2/holes/cups.txt oval:org.mitre.oval:def:10620 lppasswd in CUPS 1.1.22 ignores write errors when modifying the CUPS passwd file, which allows local users to corrupt the file by filling the associated file system and triggering the write errors. cups-lppasswd-passwd-truncate(18606) RHSA-2005:053 RHSA-2005:013 http://tigger.uic.edu/~jlongs2/holes/cups2.txt oval:org.mitre.oval:def:10398 USN-50-1 MDKSA-2005:008 GLSA-200412-25 lppasswd in CUPS 1.1.22 does not remove the passwd.new file if it encounters a file-size resource limit while writing to passwd.new, which causes subsequent invocations of lppasswd to fail. cups-lppasswd-dos(18608) RHSA-2005:053 RHSA-2005:013 http://tigger.uic.edu/~jlongs2/holes/cups2.txt oval:org.mitre.oval:def:9545 USN-50-1 MDKSA-2005:008 GLSA-200412-25 lppasswd in CUPS 1.1.22, when run in environments that do not ensure that file descriptors 0, 1, and 2 are open when lppasswd is called, does not verify that the passwd.new file is different from STDERR, which allows local users to control output to passwd.new via certain user input that triggers an error message. cups-lppasswd-passwd-modify(18609) RHSA-2005:053 RHSA-2005:013 http://tigger.uic.edu/~jlongs2/holes/cups2.txt oval:org.mitre.oval:def:11507 USN-50-1 MDKSA-2005:008 GLSA-200412-25 Buffer overflow in the dxfin function in d.c for dxfscope 0.2 allows remote attackers to execute arbitrary code via a crafted DXF file. dxfscope-dxfin-bo(18558) http://tigger.uic.edu/~jlongs2/holes/dxfscope.txt Buffer overflow in the save_embedded_address function in filter.c for elm/bolthole filter 2.6.1 allows remote attackers to execute arbitrary code via a crafted email message. elm-bolthole-bo(18607) http://tigger.uic.edu/~jlongs2/holes/elm-bolthole-filter.txt Buffer overflow in the DownloadLoop function in main.c for greed 0.81p allows remote attackers to execute arbitrary code via a GRX file containing a long filename. greed-downloadloop-bo(18633) http://tigger.uic.edu/~jlongs2/holes/greed.txt The DownloadLoop function in main.c for greed 0.81p allows remote attackers to execute arbitrary code via a GRX file containing a filename with shell metacharacters. greed-downloadloop-command-execution(18634) http://tigger.uic.edu/~jlongs2/holes/greed.txt Buffer overflow in the remove_quote function in convert.c for html2hdml 1.0.3 allows remote attackers to execute arbitrary code via a crafted HTML file. html2hdml-removequote-bo(18556) http://tigger.uic.edu/~jlongs2/holes/html2hdml.txt IglooFTP 0.6.1, when recursively uploading a directory, allows local users to overwrite the files that are being uploaded by creating temporary files with names generated by the tmpnam function, before the files are opened by IglooFTP. iglooftp-file-overwrites(18632) http://tigger.uic.edu/~jlongs2/holes/iglooftp.txt The download_selection_recursive() function in ftplist.c for IglooFTP 0.6.1 allows remote malicious FTP servers to overwrite arbitrary files via filenames that contain / (slash) characters. iglooftp-file-overwrite(18561) http://tigger.uic.edu/~jlongs2/holes/iglooftp2.txt Buffer overflow in the switch_voice function in parse.c for jcabc2ps 20040902 allows remote attackers to execute arbitrary code via a crafted ABC file. jcabc2ps-switchvoice-bo(18563) http://tigger.uic.edu/~jlongs2/holes/jcabc2ps.txt Buffer overflow in the get_file_list_stdin function in jpegtoavi 1.5 allows remote attackers to execute arbitrary code via a crafted set of JPEG files and filenames. jpegtoavi-getfileliststdin-bo(18565) http://tigger.uic.edu/~jlongs2/holes/jpegtoavi.txt The gui_popup_view_fly function in gui_tview_popup.c for junkie 0.3.1 allows remote malicious FTP servers to execute arbitrary commands via shell metacharacters in a filename. junkie-command-execution(18567) http://tigger.uic.edu/~jlongs2/holes/junkie.txt The ftp_retr function in junkie 0.3.1 allows remote malicious FTP servers to overwrite arbitrary files via .. (dot dot) sequences in a filename. junkie-ftpretr-command-execution(18568) http://tigger.uic.edu/~jlongs2/holes/junkie.txt Buffer overflow in the strexpand function in string.c for LinPopUp 1.2.0 allows remote attackers to execute arbitrary code via a crafted message that is not properly handled during a Reply operation. linpopup-strexpand-bo(18627) DSA-632 http://tigger.uic.edu/~jlongs2/holes/linpopup.txt Buffer overflow in the Mesh::type method in mesh.c for the mview program in Mesh Viewer 0.2.2 allows remote attackers to execute arbitrary code via crafted mesh files. mesh-type-bo(18616) http://tigger.uic.edu/~jlongs2/holes/meshviewer.txt Buffer overflow in the find_next_file function in playlist.c for mpg123 0.59r allows remote attackers to execute arbitrary code via a crafted MP3 playlist. mpg123-findnextfile-bo(18626) http://tigger.uic.edu/~jlongs2/holes/mpg123.txt SUSE-SR:2005:001 Buffer overflow in the get_header function in asf_mmst_streaming.c for MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a crafted ASF video stream. mplayer-getdata-bo(18631) http://tigger.uic.edu/~jlongs2/holes/mplayer.txt Buffer overflow in the auto_filter_extern function in auto.c for NapShare 1.2, with the extern filter enabled, allows remote attackers to execute arbitrary code via a crafted gnutella response. napshare-autofilterextern-bo(18630) http://tigger.uic.edu/~jlongs2/holes/napshare.txt Buffer overflow in the error function in preproc.c for NASM 0.98.38 1.2 allows attackers to execute arbitrary code via a crafted asm file, a different vulnerability than CVE-2005-1194. nasm-preprocc-bo(18540) RHSA-2005:381 http://tigger.uic.edu/~jlongs2/holes/nasm.txt oval:org.mitre.oval:def:11299 Buffer overflow in the parse_html function in o3read.c for o3read 0.0.3 allows remote attackers to execute arbitrary code via a crafted SXW file. o3read-parsehtml-bo(18547) GLSA-200501-20 http://tigger.uic.edu/~jlongs2/holes/o3read.txt Multiple buffer overflows in (1) the getline function in pcalutil.c and (2) the get_holiday function in readfile.c for pcal 4.7.1 allow remote attackers to execute arbitrary code via a crafted calendar file. pcal-getline-pcalutil-bo(18552) http://tigger.uic.edu/~jlongs2/holes/pcal.txt Buffer overflow in the process_moves function in pgn2web.c for pgn2web 0.3 allows remote attackers to execute arbitrary code via a crafted PGN file. pgn2web-pgn2webc-bo(18554) http://tigger.uic.edu/~jlongs2/holes/pgn2web.txt Buffer overflow in qwik-smtpd allows remote attackers to use the server as an SMTP spam relay via a long HELO command, which overwrites the adjacent localIP data buffer. qwilmail-smtp-helo-open-relay(18555) http://tigger.uic.edu/~jlongs2/holes/qwik-smtpd.txt Buffer overflow in the parse_emelody function in parse_emelody.c for ringtonetools 2.22 allows remote attackers to execute arbitrary code via a crafted eMelody file. ringtonetools-parseemelody-bo(18557) GLSA-200503-18 http://tigger.uic.edu/~jlongs2/holes/ringtonetools.txt Buffer overflow in the ReadFontTbl function in reader.c for rtf2latex2e 1.0fc2 allows remote attackers to execute arbitrary code via a crafted RTF file. rtf2latex2e-reader-bo(18559) http://tigger.uic.edu/~jlongs2/holes/rtf2latex2e.txt The mget function in cmds.c for tnftp 20030825 allows remote FTP servers to overwrite arbitrary files via FTP responses containing file names with / (slash) characters. tnftp-mget-cmds-file-overwrite(18560) http://tigger.uic.edu/~jlongs2/holes/tnftp.txt The slip_down function in slip.c for the uml_net program in uml-utilities 20030903, when uml_net is installed setuid root, does not verify whether the calling user has sufficient permission to disable an interface, which allows local users to cause a denial of service (network service disabled). umlutilities-umtnet-slipdown-dos(18562) http://tigger.uic.edu/~jlongs2/holes/uml-utilites.txt The (1) eqn2graph and (2) pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files. 20041220 [USN-43-1] groff utility vulnerabilities groff-eqn2graph-pic2graph-symlink(18660) MDKSA-2006:038 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286372 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286371 Buffer overflow in the process_font_table function in convert.c for unrtf 0.19.3 allows remote attackers to execute arbitrary code via a crafted RTF file. unrtf-processfonttable-convert-bo(18566) http://tigger.uic.edu/~jlongs2/holes/unrtf.txt Buffer overflow in the parse function in vb2c.c for vb2c 0.02 allows remote attackers to execute arbitrary code via a crafted FRM file. vb2c-gettoken-bo(18605) http://tigger.uic.edu/~jlongs2/holes/vb2c.txt Buffer overflow in the get_attr function in html.c for vilistextum 2.6.6 allows remote attackers to execute arbitrary code via a crafted web page. vilistextum-getattr-bo(18610) http://tigger.uic.edu/~jlongs2/holes/vilistextum.txt Buffer overflow in the open_aiff_file function in demux_aiff.c for xine-lib (libxine) 1-rc7 allows remote attackers to execute arbitrary code via a crafted AIFF file. xine-openaifffile-bo(18611) http://tigger.uic.edu/~jlongs2/holes/xine-lib.txt MDKSA-2005:011 Buffer overflow in the book_format_sql function in format.c for xlreader 0.9.0 allows remote attackers to execute arbitrary code via a crafted Excel (XLS) file. xlreader-bookformatsql-bo(18612) http://tigger.uic.edu/~jlongs2/holes/xlreader.txt The id3tag_sort function in id3tag.c for YAMT 0.5 allows remote attackers to execute arbitrary commands via an MP3 file with double quotes in the Artist tag. yamt-id3tagsort-bo(18614) 11999 http://tigger.uic.edu/~jlongs2/holes/yamt.txt 1012583 13554 http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html Buffer overflow in the get function in get.c for Yanf 0.4 allows remote malicious web servers to execute arbitrary code via crafted HTTP responses. yanf-get-bo(18615) http://tigger.uic.edu/~jlongs2/holes/yanf.txt Stack-based buffer overflow in the ELF header parsing code in file before 4.12 allows attackers to execute arbitrary code via a crafted ELF file. 11771 file-elf-header-bo(18368) 2004-0063 GLSA-200412-07 1012433 The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allow remote attackers to cause a denial of service via (1) the frame number set to zero, which causes an invalid memory address to be used and leads to a kernel crash, or (2) the rate number set to zero, which leads to resource exhaustion and hang. TA05-012A VU#697136 VU#177584 win-ani-ratenumber-dos(18667) MS05-002 http://www.xfocus.net/flashsky/icoExp/ 20041223 Microsoft Windows Kernel ANI File Parsing Crash and DOS Vulnerability oval:org.mitre.oval:def:712 oval:org.mitre.oval:def:3957 oval:org.mitre.oval:def:3216 oval:org.mitre.oval:def:2580 oval:org.mitre.oval:def:1304 Heap-based buffer overflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a crafted .hlp file. win-winhlp32-bo(18678) http://www.xfocus.net/flashsky/icoExp/ 12092 20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerability Integer overflow in the TIFFFetchStripThing function in tif_dirread.c for libtiff 3.6.1 allows remote attackers to execute arbitrary code via a TIFF file with the STRIPOFFSETS flag and a large number of strips, which causes a zero byte buffer to be allocated and leads to a heap-based buffer overflow. VU#539110 TA05-136A 20041221 libtiff STRIPOFFSETS Integer Overflow Vulnerability APPLE-SA-2005-05-03 201072 oval:org.mitre.oval:def:11175 101677 Integer overflow in (1) tif_dirread.c and (2) tif_fax3.c for libtiff 3.5.7 and 3.7.0 allows remote attackers to execute arbitrary code via a TIFF file containing a TIFF_ASCII or TIFF_UNDEFINED directory entry with a -1 entry count, which leads to a heap-based buffer overflow. VU#125598 TA05-136A 20041221 libtiff Directory Entry Count Integer Overflow Vulnerability libtiff-tiff-tdircount-bo(18637) RHSA-2005:035 RHSA-2005:019 SUSE-SA:2005:001 DSA-617 201072 oval:org.mitre.oval:def:9392 APPLE-SA-2005-05-03 MDKSA-2005:052 101677 13776 CLA-2005:920 oval:org.mitre.oval:def:100117 Heap-based buffer overflow in the demux_open_bmp function in demux_bmp.c for Unix MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a bitmap (BMP) file containing a large biClrUsed field. mplayer-bitmap-bo(18527) http://www1.mplayerhq.hu/MPlayer/releases/ChangeLog 20041216 MPlayer Bitmap Parsing Remote Heap Overflow Vulnerability MDKSA-2004:157 Stack-based buffer overflow in the asf_mmst_streaming.c functionality for MPlayer 1.0pre5 allows remote attackers to execute arbitrary code via a large MMST stream packet. mplayer-mmst-bo(18526) http://www1.mplayerhq.hu/MPlayer/releases/ChangeLog http://www1.mplayerhq.hu/MPlayer/patches/mmst_fix_20041215.diff 20041216 MPlayer MMST Streaming Stack Overflow Vulnerability MDKSA-2004:157 Integer overflow in the real_setup_and_get_header function in real.c for Unix MPlayer 1.0pre5 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a Real RTSP streaming media file with a -1 content-length field, which leads to a heap-based buffer overflow. mplayer-rtsp-bo(18525) http://www1.mplayerhq.hu/MPlayer/releases/ChangeLog http://www1.mplayerhq.hu/MPlayer/patches/rtsp_fix_20041215.diff 20041216 MPlayer Remote RTSP Heap Overflow Vulnerability MDKSA-2004:157 A bug in the HTML parser in a certain Microsoft HTML library, as used in various third party products, may allow remote attackers to cause a denial of service via certain strings, as reported in GFI MailEssentials for Exchange 9 and 10, and GFI MailSecurity for Exchange 8, which causes emails to remain in IIS or Exchange mail queues. http://kbase.gfi.com/showarticle.asp?id=KBID002249 12148 http://www.csis.dk/default.asp?m=1&a=194 13708 The Smc.exe process in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before invoking help, which allows local users to gain privileges. my-firewall-plus-gain-privileges(18622) http://secunia.com/secunia_research/2004-16/ Safari 1.x allows remote attackers to spoof arbitrary web sites by injecting content from one window into a target window whose name is known but resides in a different domain, as demonstrated using a pop-up window on a trusted web site, aka the "window injection" vulnerability, a different vulnerability than CVE-2004-1122. web-browser-popup-spoofing(18397) http://secunia.com/secunia_research/2004-13/advisory/ http://secunia.com/multiple_browsers_window_injection_vulnerability_test/ APPLE-SA-2005-01-25 13252 viewtopic.php in phpBB 2.x before 2.0.11 improperly URL decodes the highlight parameter when extracting words and phrases to highlight, which allows remote attackers to execute arbitrary PHP code by double-encoding the highlight value so that special characters are inserted into the result, which is then processed by PHP exec, as exploited by the Santy.A worm. TA04-356A VU#497400 phpbb-view-sql-injection(18052) 13239 GLSA-200411-32 10701 20041222 Re: phpBB Worm http://www.phpbb.com/phpBB/viewtopic.php?t=240513 20041118 EXEC exploit in phpBB - fix 20041220 phpBB Worm 20041112 phpBB Code EXEC (v2.0.10) Heap-based buffer overflow in MSG_UnEscapeSearchUrl in nsNNTPProtocol.cpp for Mozilla 1.7.3 and earlier allows remote attackers to cause a denial of service (application crash) via an NNTP URL (news:) with a trailing '\' (backslash) character, which prevents a string from being NULL terminated. http://www.mozilla.org/security/announce/mfsa2005-06.html mozilla-nntp-bo(18711) RHSA-2005:038 SUSE-SA:2006:004 oval:org.mitre.oval:def:9808 HPSBTU01114 20041229 Heap overflow in Mozilla Browser <= 1.7.3 NNTP code. http://isec.pl/vulnerabilities/isec-0020-mozilla.txt 12131 SUSE-SA:2006:022 19823 oval:org.mitre.oval:def:100052 Stack-based buffer overflow in doexec.c in Netcat for Windows 1.1, when running with the -e option, allows remote attackers to execute arbitrary code via a long DNS command. netcat-doexec-bo(18681) 20041228 Re: [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc included 20041228 Netcat v1.11 For Windows , New fixed version http://www.hat-squad.com/en/000142.html 20041227 [HAT-SQUAD] NetCat Remote Critical Vulnerability, Poc included Cross-site scripting (XSS) vulnerability in namazu.cgi for Namazu 2.0.13 and earlier allows remote attackers to inject arbitrary HTML and web script via a query that starts with a tab ("%09") character, which prevents the rest of the query from being properly sanitized. http://www.namazu.org/security.html.en#xss-tab namazu-tab-query-xss(18623) 12053 HPSBMA01212 12516 FEDORA-2004-557 DSA-627 1012805 1012802 13600 http://jvn.jp/jp/JVN%23904429FE.html SUSE-SR:2005:001 The DHTML Edit Control (dhtmled.ocx) allows remote attackers to inject arbitrary web script into other domains by setting a name for a window, opening a child page whose target is the window with the given name, then injecting the script from the parent into the child using execScript, as demonstrated by "AbusiveParent" in Internet Explorer 6.0.2900.2180. TA05-039A VU#356600 ie-dhtml-xss(18504) 11950 MS05-013 13482 20041215 MSIE DHTML Edit Control Cross Site Scripting Vulnerability oval:org.mitre.oval:def:4758 oval:org.mitre.oval:def:3851 oval:org.mitre.oval:def:3464 oval:org.mitre.oval:def:1701 oval:org.mitre.oval:def:1114 Asante FM2008 running firmware 1.06 is shipped with a default username and password, which could allow remote attackers to gain unauthorized access. asante-fm2008-default-account(18521) 11947 20041215 Asante FM2008 10/100 Ethernet switch backdoor login The configuration backup in Asante FM2008 running firmware 1.06 stores the username and password in cleartext, which could allow remote attackers to gain unauthorized access. 20041215 Asante FM2008 10/100 Ethernet switch backdoor login Cisco Unity 2.x, 3.x, and 4.x, when integrated with Microsoft Exchange, has several hard coded usernames and passwords, which allows remote attackers to gain unauthorized access and change configuration settings or read outgoing or incoming e-mail messages. cisco-unity-exchange-default-accounts(18489) 11954 20041215 Cisco Unity Integrated with Exchange Has Default Passwords P-060 Multiple syscalls in the compat subsystem for NetBSD before 2.0 allow local users to cause a denial of service (kernel crash) via a large signal number to (1) xxx_sys_kill, (2) xxx_sys_sigaction, and possibly other translation functions. netbsd-compat-gain-privileges(18564) 13501 http://gleg.net/advisory_netbsd2.shtml The Microsoft Windows Media Player 9.0 ActiveX control may allow remote attackers to execute arbitrary web script in the Local computer zone via the (1) artist or (2) song fields of a music file, if the file is processed using Internet Explorer. mediaplayer-mp3-code-execution(18576) 12031 20041218 MS Windows Media Player 9 Vulns (2) The getItemInfoByAtom function in the ActiveX control for Microsoft Windows Media Player 9.0 returns a 0 if the file does not exist and the size of the file if the file exists, which allows remote attackers to determine the existence of files on the local system. mediaplayer-activex-information-disclosure(18587) 12032 20041218 MS Windows Media Player 9 Vulns (2) Buffer overflow in dxterm in Ultrix 4.5 allows local users to execute arbitrary code via a long -setup parameter. ultrix-dxterm-bo(18613) 12049 http://www.frsirt.com/exploits/20041220.ultrix_dxterm_4.5_exploit.c.php 20041219 Exploit for Ultrix 4.5 dxterm Buffer overflow in Crystal FTP Client 2.8 allows remote malicious servers to execute arbitrary code via a response to a LIST command that contains a file name with a long extension. crystal-ftp-list-bo(18594) 12038 13583 20041220 Crystal FTP Pro Client Buffer Overflow Unknown vulnerability in newgrp in HP-UX B.11.00, B.11.04, and B.11.11 allows local users to gain elevated privileges. 12029 13565 SSRT4687 hp-newgrp-gain-privileges(18577) oval:org.mitre.oval:def:5622 Untrusted execution path vulnerability in the diag commands (1) lsmcode, (2) diag_exec, (3) invscout, and (4) invscoutd in AIX 5.1 through 5.3 allows local users to execute arbitrary programs by modifying the DIAGNOSTICS environment variable to point to a malicious Dctrl program. aix-diagnostics-gain-privileges(18620) 12041 IY64389 IY64277 20041220 AIX 5.1/5.2/5.3 local root exploits 20070402 Re: AIX 4.3 lsmcode local root command execution 20070330 AIX 4.3 lsmcode local root command execution 701 Buffer overflow in paginit in AIX 5.1 through 5.3 allows local users to execute arbitrary code via a long username. 12043 aix-paginit-username-bo(18618) http://www.frsirt.com/exploits/20041220.paginit.c.php IY64522 IY64358 IY64312 20041220 AIX 5.1/5.2/5.3 local root exploits The execCommand method in Microsoft Internet Explorer 6.0 SP2 allows remote attackers to bypass the "File Download - Security Warning" dialog and save arbitrary files with arbitrary extensions via the SaveAs command. VU#743974 ie-execommand-warning-bypass(18181) 11686 http://www.frsirt.com/exploits/20041119.IESP2Unpatched.php 13203 20041119 Microsoft Internet Explorer 6 SP2 Vulnerabilities / Full disclosure Vs. Security by Obscurity... 3220 Stack-based buffer overflow in the FTP daemon in HP-UX 11.11i, with the -v (debug) option enabled, allows remote attackers to execute arbitrary code via a long command request. VU#647438 12077 13608 SSRT4883 hp-ftpd-bo(18636) 20041221 Hewlett Packard HP-UX ftpd Remote Buffer Overflow Vulnerability 1012650 oval:org.mitre.oval:def:5701 HPSBUX01118 Integer overflow in the vc_resize function in the Linux kernel 2.4 and 2.6 before 2.6.10 allows local users to cause a denial of service (kernel crash) via a short new screen value, which leads to a buffer overflow. FLSA:152532 linux-vcresize-dos(18523) USN-47-1 11956 SUSE-SA:2005:018 http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html MDKSA-2005:219 MDKSA-2005:219 MDKSA-2005:218 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 20162 17826 Integer overflow in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (kernel crash) via a cmsg_len that contains a -1, which leads to a buffer overflow. linux-ipoptionsget-dos(18522) 20041215 fun with linux kernel 11956 http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html 20041215 [USN-47-1] Linux kernel vulnerabilities Memory leak in the ip_options_get function in the Linux kernel before 2.6.10 allows local users to cause a denial of service (memory consumption) by repeatedly calling the ip_cmsg_send function. linux-ipoptionsget-memory-leak(18524) 20041215 fun with linux kernel 11956 http://www.guninski.com/where_do_you_want_billg_to_go_today_2.html 20041215 [USN-47-1] Linux kernel vulnerabilities oval:org.mitre.oval:def:11085 RHSA-2005:017 RHSA-2005:016 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 The xdvizilla script in tetex-bin 2.0.2 creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack. xdvizilla-symlink(18708) 12100 20041223 [USN-51-1] teTeX auxiliary script vulnerability http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286370 The POSIX Capability Linux Security Module (LSM) for Linux kernel 2.6 does not properly handle the credentials of a process that is launched before the module is loaded, which allows local users to gain privileges. linux-security-module-gain-privileges(18673) 12093 20041223 Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation CLA-2005:930 The triggers in Oracle 9i and 10g allow local users to gain privileges by using a sequence of partially privileged actions: using CCBKAPPLROWTRIG or EXEC_CBK_FN_DML to add arbitrary functions to the SDO_CMT_DBK_FN_TABLE and SDO_CMT_CBK_DML_TABLE, then performing a DELETE on the SDO_TXN_IDX_INSERTS table, which causes the SDO_CMT_CBK_TRIG trigger to execute the user-supplied functions. oracle-triggers-gain-privileges(18655) http://www.ngssoftware.com/advisories/oracle23122004I.txt 20041223 Oracle Trigger Abuse (#NISR2122004I) SQL injection vulnerability in the (1) MDSYS.SDO_GEOM_TRIG_INS1 and (2) MDSYS.SDO_LRS_TRIG_INS default triggers in Oracle 9i and 10g allows remote attackers to execute arbitrary SQL commands via the new.table_name or new.column_name parameters. oracle-triggers-gain-privileges(18655) http://www.ngssoftware.com/advisories/oracle23122004I.txt 20041223 Oracle Trigger Abuse (#NISR2122004I) Debian GNU/Linux 3.0 installs the libpam-radius-auth package with the pam_radius_auth.conf set to be world-readable, which allows local users to obtain sensitive information. libpamradiusauth-insecure-permission(19087) DSA-659 1013030 14046 Cross-site scripting (XSS) vulnerability in info2www before 1.2.2.9 allows remote attackers to inject arbitrary web script or HTML via the arguments to info2www. info2www-url-xss(20179) DSA-711 CVS 1.12 and earlier on Debian GNU/Linux, when using the repouid patch, allows remote attackers to bypass authentication via the pserver access method. DSA-715 CVS 1.12 and earlier on Debian GNU/Linux does not properly handle when a mapping for the current repository does not exist in the cvs-repouids file, which allows remote attackers to cause a denial of service (server crash). DSA-715 Unknown vulnerability in Sun StorEdge Enterprise Storage Manager (ESM) 2.1 for Solaris 8 and Solaris 9 allows local users with the "ESMUser" role to gain root access. VU#976470 esm-esmuser-gain-privileges(16463) 10580 O-166 57581 11935 oval:org.mitre.oval:def:1707 The Sun Solaris Volume Manager (SVM) on Solaris 9 allows local users to cause a denial of service (kernel panic) via a malformed probe request to the SVM. VU#390742 solaris-svm-dos(16729) 10747 ESB-2004.0463 57598 12104 oval:org.mitre.oval:def:3465 X Display Manager (XDM) on Solaris 8 allows remote attackers to cause a denial of service (XDM crash) via an invalid X Display Manager Control Protocol (XDMCP) request. VU#139504 xdm-xdmcp-dos(16940) 10911 57619 12257 101549 oval:org.mitre.oval:def:100113 Unknown vulnerability in in.named on Solaris 8 allows remote attackers to cause a denial of service (process crash). solaris-innamed-dynamic-dos(17269) 11118 ESB-2004.0565 57614 12470 oval:org.mitre.oval:def:3960 gzip before 1.3 in Solaris 8, when called with the -f or -force flags, will change the permissions of files that are hard linked to the target files, which allows local users to view or modify these files. VU#635998 solaris-gzip-modify-privileges(17577) 11318 57600 12744 oval:org.mitre.oval:def:1654 Multiple buffer overflows in Sun Java System Web Proxy Server (formerly Sun ONE Proxy Server) 3.6 through 3.6 SP4 allow remote attackers to execute arbitrary code via unknown vectors, possibly CONNECT requests. VU#964401 sun-web-proxy-bo(17920) 11566 11304 1012005 13036 http://www.pentest.co.uk/documents/ptl-2004-06.html P-027 ESB-2004.0691 57606 Unknown vulnerability in the rwho daemon (in.rwhod) for Solaris 7 through 9 allows remote attackers to execute arbitrary code. solaris-inrwhod-command-execution(18385) 11840 P-050 ESB-2004.0759 57659 oval:org.mitre.oval:def:592 Buffer overflow in the ping daemon of Sun Solaris 7 through 9 may allow local users to execute arbitrary code. 11782 12168 1012368 solaris-ping-bo(18310) P-045 ESB-2004.0749 13340 57675 oval:org.mitre.oval:def:3400 Unknown vulnerability in LDAP on Sun Solaris 8 and 9, when using Role Based Access Control (RBAC), allows local users to execute certain commands with additional privileges. solaris-ldap-rbac-gain-priv(17757) 11459 P-017 ESB-2004.0661 57657 1011789 12873 10939 oval:org.mitre.oval:def:4834 The Solaris Management Console (SMC) in Sun Solaris 8 and 9 generates different 404 error messages when a file does not exist versus when a file exists but is otherwise inacessible, which could allow remote attackers to obtain sensitive information in conjunction with a directory traversal (..) attack. smc-dotdot-directory-traversal(16146) 10349 6119 ESB-2004.0347 57559 http://spoofed.org/files/text/solaris-smc-advisory.txt 11616 8873 [focus-sun] 20031022 Information disclosure with SMC webserver on Solaris 9 oval:org.mitre.oval:def:1482 Unknown vulnerability in the TCP/IP stack for Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. solaris-tcp-ip-dos(15955) 10216 5665 ESB-2004.0308 57545 11483 oval:org.mitre.oval:def:2972 Unknown vulnerability in the sendfilev function in Sun Solaris 8 and 9 allows local users to cause a denial of service (system panic) via unknown vectors. solaris-sendfilev-dos(15946) 10202 5619 ESB-2004.0307 57470 11457 oval:org.mitre.oval:def:1684 The Secure Shell (SSH) Daemon (SSHD) in Sun Solaris 9 does not properly log IP addresses when SSHD is configured with the ListenAddress as 0.0.0.0, which makes it easier for remote attackers to hide the source of their activities. VU#737548 solaris-sshd-log-bypass(15784) 10080 ESB-2004.0263 57538 11316 oval:org.mitre.oval:def:3505 The patches (1) 114332-08 and (2) 114929-06 for Sun Solaris 9 disable the auditing functionality of the Basic Security Module (BSM), which allows attackers to avoid having their activity logged. solaris-patches-disable-bsm(14918) 9852 O-099 ESB-2004.0069 57478 oval:org.mitre.oval:def:3567 Multiple buffer overflows in uucp for Sun Solaris 2.6, 7, 8, and 9 allow local users to execute arbitrary code as the uucp user. solaris-uucp-multiple-bo(15425) ESB-2004.0201 57508 9837 oval:org.mitre.oval:def:1127 Unknown vulnerability in conv_fix in Sun Solaris 7 through 9, when invoked by conv_lpd, allows local users to overwrite arbitrary files. VU#412566 solaris-covfix-gain-privileges(15331) O-089 ESB-2004.0169 57509 10991 4071 9759 oval:org.mitre.oval:def:1732 Integer underflow in winhlp32.exe in Windows NT, Windows 2000 through SP4, Windows XP through SP2, and Windows 2003 allows remote attackers to execute arbitrary code via a malformed .hlp file, which leads to a heap-based buffer overflow. win-winhlp32-bo(18678) http://www.xfocus.net/flashsky/icoExp/ 12091 20041223 Microsoft Windows winhlp32.exe Heap Overflow Vulnerability The PL/SQL module for the Oracle HTTP Server in Oracle Application Server 10g, when using the WE8ISO8859P1 character set, does not perform character conversions properly, which allows remote attackers to bypass access restrictions for certain procedures via an encoded URL with "%FF" encoded sequences that are improperly converted to "Y" characters. TA04-245A VU#435974 oracle-character-conversion-gain-privileges(18657) 10871 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004G.txt 20041223 Oracle Character Conversion Bugs (#NISR2122004G) 101782 Buffer overflow in extproc in Oracle 10g allows remote attackers to execute arbitrary code via environment variables in the library name, which are expanded after the length check is performed. TA04-245A VU#316206 oracle-extproc-library-bo(18659) 10871 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004.txt 20041223 Oracle extproc buffer overflow (#NISR23122004A) 101782 Directory traversal vulnerability in extproc in Oracle 9i and 10g allows remote attackers to access arbitrary libraries outside of the $ORACLE_HOME\bin directory. TA04-245A VU#316206 oracle-extproc-directory-traversal(18658) 10871 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004B.txt 20041223 Oracle extproc directory traversal (#NISR23122004B) 20061219 Oracle <= 9i / 10g (extproc) Local/Remote Command Execution Exploit http://www.0xdeadbeef.info/exploits/raptor_oraextproc.sql 101782 Extproc in Oracle 9i and 10g does not require authentication to load a library or execute a function, which allows local users to execute arbitrary commands as the Oracle user. TA04-245A VU#316206 oracle-extproc-command-execution(18662) 10871 http://www.ngssoftware.com/advisories/oracle23122004C.txt 20041223 Oracle extproc local command execution (#NISR23122004C) 101782 Oracle 10g Database Server stores the password for the SYSMAN account in cleartext in the world-readable emoms.properties file, which could allow local users to gain DBA privileges. TA04-245A VU#316206 oracle-sysman-password-plaintext(18661) 10871 20041223 Oracle clear text passwords (#NISR2122004D) http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004D.txt 101782 Oracle 10g Database Server, when installed with a password that contains an exclamation point ("!") for the (1) DBSNMP or (2) SYSMAN user, generates an error that logs the password in the world-readable postDBCreation.log file, which could allow local users to obtain that password and use it against SYS or SYSTEM accounts, which may have been installed with the same password. TA04-245A VU#316206 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004D.txt 20041223 Oracle clear text passwords (#NISR2122004D) 101782 ISQL*Plus in Oracle 10g Application Server allows remote attackers to execute arbitrary files via an absolute pathname in the file parameter to the load.uix script. TA04-245A VU#435974 oracle-isqlplus-file-access(18656) 10871 http://www.ngssoftware.com/advisories/oracle23122004E.txt 20041223 Oracle ISQLPlus file access vulnerability (#NISR2122004E) 101782 The TNS Listener in Oracle 10g allows remote attackers to cause a denial of service (listener crash) via a malformed service_register_NSGR request containing a value that is used as an invalid offset for a pointer that references incorrect memory. TA04-245A VU#316206 oracle-tnslsnr-nsgr-dos(18664) 10871 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004F.txt 20041223 Oracle TNS Listener DoS (#NISR2122004F) 101782 Multiple SQL injection vulnerabilities in PL/SQL procedures that run with definer rights in Oracle 9i and 10g allow remote attackers to execute arbitrary SQL commands and gain privileges via (1) DBMS_EXPORT_EXTENSION, (2) WK_ACL.GET_ACL, (3) WK_ACL.STORE_ACL, (4) WK_ADM.COMPLETE_ACL_SNAPSHOT, (5) WK_ACL.DELETE_ACLS_WITH_STATEMENT, or (6) DRILOAD.VALIDATE_STMT. TA04-245A VU#316206 oracle-procedure-sql-injection(18665) 10871 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004H.txt 20041223 Oracle multiple PL/SQL injection vulnerabilities (#NISR2122004H) 101782 Stack-based buffer overflow in Oracle 9i and 10g allows remote attackers to execute arbitrary code via a long token in the text of a wrapped procedure. TA04-245A VU#316206 oracle-wrapped-procedure-bo(18666) 10871 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.ngssoftware.com/advisories/oracle23122004J.txt 20041223 Oracle wrapped procedure overflow (#NISR2122004J) 101782 Multiple stack-based buffer overflows in IBM DB2 7.x and 8.1 allow local users to execute arbitrary code via (1) a long third argument to the rec2xml function or (2) a long filename argument to the generate_distfile procedure. db2-rec2xml-bo(18682) db2-generatedistfile-bo(18663) 11089 http://www.ngssoftware.com/advisories/db223122004L.txt http://www.ngssoftware.com/advisories/db223122004K.txt 20041223 IBM DB2 rec2xml buffer overflow vulnerability (#NISR2122004J) 20041223 IBM DB2 generate_distfile buffer overflow vulnerability (#NISR2122004L) Format string vulnerability in SHOUTcast 1.9.4 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via format string specifiers in a content URL, as demonstrated in the filename portion of a .mp3 file. shoutcast-format-string(18669) 12096 GLSA-200501-04 1012675 20050219 exwormshoucast part of PTjob project: SHOUTcast v1.9.4 remote 20041223 SHOUTcast remote format string vulnerability Multiple buffer overflows in NetBSD kernel may allow local users to execute arbitrary code and gain privileges. http://gleg.net/advisory_netbsd2.shtml Unknown vulnerability in System Administration Manager (SAM) in HP-UX B.11.00, B.11.11, B.11.22, and B.11.23 allows local users to gain privileges. hp-sam-gain-privileges(18674) 12098 P-085 SSRT4699 oval:org.mitre.oval:def:5435 Directory traversal vulnerability in Microsoft Internet Explorer 5.01, 5.5, and 6.0 allows remote malicious FTP servers to overwrite arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. 13704 http://www.7a69ezine.org/node/view/176 20041230 7a69Adv#17 - Internet Explorer FTP download path disclosure The (1) fixps (aka fixps.in) and (2) psmandup (aka psmandup.in) scripts in a2ps before 4.13 allow local users to overwrite arbitrary files via a symlink attack on temporary files. 12109 12108 GLSA-200501-02 gnu-a2ps-psmanupin-symlink(18672) gnu-a2ps-fixpsin-symlink(18671) http://www.vuxml.org/freebsd/9168253c-5a6d-11d9-a9e7-0001020eed82.html 13641 The expat XML parser code, as used in the open source Jabber (jabberd) 1.4.3 and earlier, jadc2s 0.9.0 and earlier, and possibly other packages, allows remote attackers to cause a denial of service (application crash) via a malformed packet to a socket that accepts XML connections. jabberd-xml-dos(17466) 11231 GLSA-200409-31 20040920 Possible DoS attack against jabberd 1.4.3 and jadc2s 0.9.0 http://devel.amessage.info/jabberd14/ http://www.vuxml.org/freebsd/2e25d38b-54d1-11d9-b612-000c6e8f12ef.html [jabberd] 20040919 Jabberd 1.4 critical bug jadc2s-xml-dos(17467) 10257 1011384 1011383 12636 Heap-based buffer overflow in the DVD subpicture decoder in xine xine-lib 1-rc5 and earlier allows remote attackers to execute arbitrary code via a (1) DVD or (2) MPEG subpicture header where the second field reuses RLE data from the end of the first field. http://xinehq.de/index.php/security/XSA-2004-5 xine-dvd-subpicture-bo(17423) 11205 GLSA-200409-30 DSA-657 SSA:2004-266 http://www.vuxml.org/freebsd/131bd7c4-64a3-11d9-829a-000a95bc6fae.html 20040906 XSA-2004-5: heap overflow in DVD subpicture decoder Firefox before 1.0 and Mozilla before 1.7.5 allows inactive (background) tabs to launch dialog boxes, which can allow remote attackers to spoof the dialog boxes from web sites in other windows and facilitate phishing attacks, aka the "Dialog Box Spoofing Vulnerability." web-browser-modal-spoofing(18864) RHSA-2005:335 RHSA-2005:323 http://www.mozilla.org/security/announce/mfsa2005-05.html 12712 http://secunia.com/multiple_browsers_form_field_focus_test/ http://secunia.com/multiple_browsers_dialog_box_spoofing_test/ oval:org.mitre.oval:def:10211 oval:org.mitre.oval:def:100050 Firefox before 1.0 and Mozilla before 1.7.5 allow inactive (background) tabs to focus on input being entered in the active tab, as originally reported using form fields, which allows remote attackers to steal sensitive data that is intended for other sites, which could facilitate phishing attacks. http://www.mozilla.org/security/announce/mfsa2005-05.html 12712 web-browser-inactive-info-disclosure(17789) http://secunia.com/multiple_browsers_form_field_focus_test/ http://secunia.com/multiple_browsers_dialog_box_spoofing_test/ oval:org.mitre.oval:def:100053 The glibcbug script in glibc 2.3.4 and earlier allows local users to overwrite arbitrary files via a symlink attack on temporary files, a different vulnerability than CVE-2004-0968. DSA-636 20041028 [USN-4-1] Standard C library script vulnerabilities RHSA-2005:261 MDKSA-2004:159 Multiple SQL injection vulnerabilities in phpGroupWare 0.9.16.003 and earlier allow remote attackers to execute arbitrary SQL statements via the (1) order, (2) project_id, (3) pro_main, or (4) hours_id parameters to index.php or (5) ticket_id to viewticket_details.php. 11952 GLSA-200501-08 phpgroupware-projectid-sql-injection(18498) http://www.gulftech.org/?node=research&article_id=00054-12142004 20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ] Multiple cross-site scripting (XSS) vulnerabilities in phpGroupWare 0.9.16.003 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) kp3, (2) type, (3) msg, (4) forum_id, (5) pos, (6) cats_app, (7) cat_id, (8) msgball[msgnum], (9) fldball[acctnum] parameters to index.php or (10) ticket_id to viewticket_details.php. 11952 GLSA-200501-08 phpgroupware-index-preferences-xss(18496) http://www.gulftech.org/?node=research&article_id=00054-12142004 20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ] phpGroupWare 0.9.16.003 and earlier allows remote attackers to gain sensitive information via (1) unexpected characters in the session ID such as shell metacharacters, (2) an invalid appname parameter to preferences.php or (3) an invalid menuaction parameter to index.php, which reveals the web server path in an error message. GLSA-200501-08 phpgroupware-path-disclosure(18497) http://www.gulftech.org/?node=research&article_id=00054-12142004 20041215 Multiple phpGroupWare Vulnerabilities [ phpGroupWare 0.9.16.003 && Earlier ] TikiWiki before 1.8.4.1 does not properly verify uploaded images, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2005-0200. 12110 GLSA-200501-12 http://tikiwiki.org/tiki-read_article.php?articleId=97 tikiwiki-image-command-execution(18691) P-084 12628 1012700 The check_forensic script in apache-utils package 1.3.31 allows local users to overwrite or create arbitrary files via a symlink attack on temporary files. apache-checkforensic-symlink(18993) 13925 USN-65-1 [debian-apache] 20050119 Bug#290974: marked as done (apache: Temporary usage bugs that can be used in symlink attacks) Format string vulnerability in the gpsd_report function for BerliOS GPD daemon (gpsd, formerly pygps) 1.9.0 through 2.7 allows remote attackers to execute arbitrary code via certain GPS requests containing format string specifiers that are not properly handled in syslog calls. [Gpsd-announce] 20050127 Announcing release 2.8 of gpsd gpsd-format-string(19079) http://www.mail-archive.com/debian-bugs-closed@lists.debian.org/msg02103.html http://www.digitalmunition.com/DMA%5B2005-0125a%5D.txt 20050126 DMA[2005-0125a] - 'berlios gpsd format string vulnerability' Unknown vulnerability in the Veritas NetBackup Administrative Assistant interface for NetBackup BusinesServer 3.4, 3.4.1, and 4.5, DataCenter 3.4, 3.4.1, and 4.5, Enterprise Server 5.1, and NetBackup Server 5.0 and 5.1, allows attackers to execute arbitrary commands via the bpjava-susvc process, possibly related to the call-back feature. VU#685456 nebackup-bpjavasusvc-gain-privileges(17811) P-020 http://seer.support.veritas.com/docs/271727.htm 11494 12901 Multiple buffer overflows in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allow remote attackers to execute arbitrary code via a long argument to the (1) -F, (2) name, (3) en, (4) upscript, (5) downscript, (6) retries, (7) timeout, (8) scriptdetach, (9) noscript, (10) nodetach, (11) remote_mac, or (12) local_mac flags. VU#961686 Qnx-rtp-pppoed-flags-bo(17280) 11104 20040903 [RLSA_01-2004] QNX PPPoEd local root vulnerabilities Untrusted execution path vulnerability in the PPPoE daemon (PPPoEd) in QNX RTP 6.1 allows local users to execute arbitrary programs by modifying the PATH environment variable to point to a malicious mount program. VU#577566 qnx-rtp-mount-command-execute(17284) 11105 9661 20040903 [RLSA_01-2004] QNX PPPoEd local root vulnerabilities PHP 4.0 with cURL functions allows remote attackers to bypass the open_basedir setting and read arbitrary files via a file: URL argument to the curl_init function. FLSA:2344 11557 20050120 [USN-66-1] PHP vulnerabilities php-openbasedir-restriction-bypass(17900) RHSA-2005:406 RHSA-2005:405 1011984 oval:org.mitre.oval:def:9279 20041027 PHP4 cURL functions bypass open_basedir Unknown vulnerability in the tcsetattr function for Sun Solaris for SPARC 2.6, 7, and 8 allows local users to cause a denial of service (system hang). VU#379390 57474 10730 solaris-tcsetattr-dos(14998) 3786 ESB-2004.0085 9548 The pfexec function for Sun Solaris 8 and 9 does not properly handle when a custom profile contains an invalid entry in the exec_attr database, which may allow local users with custom rights profiles to execute profile commands with additional privileges. 57453 10755 solaris-pfexec-gain-privileges(14988) 3764 ESB-2004.0079 1008893 9534 The Lithtech engine, as used in (1) Contract Jack 1.1 and earlier, (2) No one lives forever 2 1.3 and earlier, (3) Tron 2.0 1.042 and earlier, (4) F.E.A.R. (First Encounter Assault and Recon), and possibly other games, allows remote attackers to cause a denial of service (connection refused) via a UDP packet that causes recvfrom to generate a return code that causes the listening loop to exit, as demonstrated using zero byte packets or packets between 8193 and 12280 bytes, which result in conditions that are not "Operation would block." 20041213 Socket unreacheable in the Lithtech engine (new protocol) http://aluigi.altervista.org/adv/lithsock-adv.txt lithtech-engine-communication-dos(18456) 11902 17317 13446 20041213 Socket unreacheable in the Lithtech engine (new protocol) 20051021 F.E.A.R. 1.01 likes lithsock Winamp 5.07 and possibly other versions, allows remote attackers to cause a denial of service (application crash or CPU consumption) via (1) an mp4 or m4a playlist file that contains invalid tag data or (2) an invalid .nsv or .nsa file. VU#372968 winamp-mp4-m4a-dos(18466) 11909 20041213 Winamp 5.07 (latest version) Remote Crash + other stupid shizle http://forums.winamp.com/showthread.php?s=&threadid=202007 winamp-nsa-nsv-dos(18467) 1012525 20041213 Winamp 5.07 (latest version) Remote Crash + other Cross-site scripting (XSS) vulnerability in UseModWiki 1.0 allows remote attackers to inject arbitrary web script or HTML via an argument to wiki.pl. usemodwiki-wiki-xss(18458) 11924 13441 20041214 STG Security Advisory: [SSA-20041209-13] UseModWiki XSS vulnerability Format string vulnerability in prelink.c in kextload in Apple OS X, as used by TDIXSupport in Roxio Toast Titanium and possibly other products, allows local users to execute arbitrary code via format string specifiers in the extension argument. roxio-toast-tdixsupport-format-string(18472) 20031 11926 http://www.netragard.com/pdfs/research/apple-kext-tools-20060822.txt 20041214 Possible local root vulnerability in Roxio Toast on Mac OS X 20060913 [NETRAGARD-20060822 SECURITY ADVISORY] [ APPLE COMPUTER CORPORATION KEXTLOAD VULNERABILITY + ROXIO TOAST TITANUM 7 HELPER APP - LOCAL ROOT COMROMISE] Directory traversal vulnerability in the Attachment module 2.3.10 and earlier for phpBB allows remote attackers to read arbitrary files via a .. (dot dot) in the filename. 11893 13421 attachment-mod-directory-traversal(18437) 20041214 phpBB Attachment Mod Directory Traversal HTTP POST Injection The control panel in ASP Calendar does not require authentication to access, which allows remote attackers to gain unauthorized access via a direct request to main.asp. asp-calendar-gain-access(18474) 11931 20041214 ASP Calendar Vulnerability <www.ashiyane.com> SQL injection vulnerability in verify.asp in Asp-rider allows remote attackers to execute arbitrary SQL statements and bypass authentication via the username parameter. asp-rider-verify-sql-injection(18479) 13470 11933 20041214 ASP-rider is vulnerable to sql injection attack SQL injection vulnerability in iWebNegar allows remote attackers to execute arbitrary SQL commands via (1) the string parameter for index.php, (2) comments.php, or (3) the administrator login page. iwebnegar-sql-injection(18505) 11946 20041215 iwebnegar is vulnerable to all kind of sql injections PHP remote file inclusion vulnerability in index.php in GNUBoard 3.39 and earlier allows remote attackers to execute arbitrary PHP code by modifying the doc parameter to reference a URL on a remote web server that contains the code. 13479 20041215 STG Security Advisory: [SSA-20041214-14] GNUBoard PHP injection vulnerability gnuboard-doc-index-file-include(18494) 11948 http://sir.co.kr/?doc=bbs/gnuboard.php&bo_table=pds&page=1&wr_id=1871 Attachment Mod 2.3.10 module for phpBB, when used with Apache mod_mime, does not properly handle files with multiple file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code. 11893 http://www.opentools.de/board/viewtopic.php?t=3590 13421 20041216 STG Security Advisory: [SSA-20041215-18] Vulnerability of uploading files with multiple extensions in phpBB Attachment Mod attachment-mod-file-upload(18438) MediaWiki 1.3.8 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.rar, which allows remote attackers to upload and execute arbitrary code. 11985 http://wikipedia.sourceforge.net/ 20041216 STG Security Advisory: [SSA-20041215-19] Vulnerability of uploading files with multiple extensions in MediaWiki 13478 SQL injection vulnerability in ikonboard.cgi in Ikonboard 3.1.0 through 3.1.3 allows remote attackers to inject arbitrary SQL commands via the (1) st or (2) keywords parameter. 11982 ikonboard-ikonboard-sql-injection(18533) 13513 20041216 [MaxPatrol] SQL-injection in Ikonboard 3.1.x Multiple directory traversal vulnerabilities in singapore Image Gallery Web Application 0.9.10 allow remote attackers to (1) read arbitrary files via the showThumb method for thumb.php, or (2) delete arbitrary files via admin.class.php. 11990 singapore-adminclass-directory-traversal(18532) singapore-thumb-directory-traversal(18528) http://www.security.org.sg/vuln/singapore0910.html 20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities The addImage method for admin.class.php in Image Gallery Web Application 0.9.10 does not properly check filenames, which allows remote attackers to upload and execute arbitrary files. 11990 singapore-adminclass-file-upload(18531) 20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities Multiple cross-site scripting vulnerabilities in Image Gallery Web Application 0.9.10 allow remote attackers to inject arbitrary web script or HTML. 11990 20041216 [SIG^2 G-TEC] singapore Image Gallery Web Application v0.9.10 Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in Gadu-Gadu build 155 and earlier allows remote attackers to inject arbitrary web script via a URL, which is echoed in a popup window that displays a parsing error message, a different vulnerability than CVE-2004-1229. 20041217 Gadu-Gadu, another two bugs 11998 12524 13450 Gadu-Gadu build 155 and earlier allows remote attackers to cause a denial of service (infinite loop) via a message that contains an image whose filename does not start with restricted characters. gadu-gadu-image-dos(18580) 11998 20041217 Gadu-Gadu, another two bugs Cross-site scripting (XSS) vulnerability in index.php in Kayako eSupport 2.x allows remote attackers to inject arbitrary web script or HTML via the searchm parameter. kayako-index-xss(18571) 12037 http://www.gulftech.org/?node=research&article_id=00056-12182004 20041218 Multiple Vulnerabilities In Kayako eSupport v2.x Multiple SQL injection vulnerabilities in Kayako eSupport 2.x allow remote attackers to execute arbitrary SQL commands via the (1) subcat, (2) rate, (3) questiondetails, (4) ticketkey22, (5) email22 parameters to index.php, or (6) the e-mail field of the Forgot Key feature. kayako-sql-injection(18572) 12037 http://www.gulftech.org/?node=research&article_id=00056-12182004 20041218 Multiple Vulnerabilities In Kayako eSupport v2.x Gadu-Gadu 6.1 build 156 allows remote attackers to cause a denial of service (application hang) via a message that contains many special strings that are converted to images. http://www.soltysiak.com/gg-dos.txt 20041220 Gadu-Gadu Remote DoS (all versions) SQL injection vulnerability in (1) disp_album.php and possibly (2) disp_img.php in 2Bgal 2.4 and 2.5.1 allows remote attackers to execute arbitrary SQL commands via the id_album parameter. 12083 2bgal-dispalbum-sql-injection(18645) 13620 20041222 2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability pnxr3260.dll in the RealOne 2.0 build 6.0.11.868 browser plugin, as used in Internet Explorer, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted embed tag. 12660 20041222 Realone2.0 "pnxr3260.dll" Lets Remote Users IE Browser Crash Cross-site scripting (XSS) vulnerability in login.php in PsychoStats 2.2.4 Beta and earlier allows remote attackers to inject arbitrary web script or HTML via the login parameter. 12089 http://www.psychostats.com/forums/viewtopic.php?t=11022 http://www.gulftech.org/?node=research&article_id=00057-12222004 13619 20041223 Cross Site Scripting In PsychoStats 2.2.4 Beta && Earlier psychostats-login-xss(18651) Cross-site scripting (XSS) vulnerability in WPKontakt 3.0.1 and earlier allows remote attackers to inject arbitrary web script or HTML via an e-mail address, which is not quoted when a parsing error is generated. 12097 20041223 WPkontakt message parsing error wpkontakt-email-command-execution(18685) PHP remote file inclusion vulnerability in ZeroBoard 4.1pl4 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) _zb_path parameter to outlogin.php or (2) dir parameter to write.php to reference a URL on a remote web server that contains the code. requires that register_globals be enabled 20041224 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard 20041223 STG Security Advisory: [SSA-20041220-16] PHP source injection and cross-site scripting vulnerabilities in ZeroBoard zeroboard-write-file-include(18679) zeroboard-outlogin-file-include(18677) 12103 12581 12580 1012677 13649 Multiple cross-site scripting (XSS) vulnerabilities in header.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) site_title or (2) http_images parameter. http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html 13673 whm-autopilot-header-xss(18700) 12119 http://www.gulftech.org/?node=research&article_id=00059-12272004 20041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ] 20041228 Multiple WHM Autopilot Vulnerabilities Multiple PHP remote file inclusion vulnerabilities (1) step_one.php, (2) step_one_tables.php, (3) step_two_tables.php in WHM AutoPilot 2.4.6.5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the server_inc parameter to reference a URL on a remote web server that contains the code. http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html http://www.gulftech.org/?node=research&article_id=00059-12272004 13673 20041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ] whm-autopilot-php-file-include(18699) 12119 20041228 Multiple WHM Autopilot Vulnerabilities 12695 1012707 WHM AutoPilot 2.4.6.5 and earlier allows remote attackers to gain sensitive information via phpinfo, which reveals php settings. http://www.whmautopilot.com/forum/lofiversion/index.php/t6785.html 13673 whm-autopilot-information-disclosure(18701) 12119 http://www.gulftech.org/?node=research&article_id=00059-12272004 20041231 WHM AutoPilot Security Release [ Plus Upgrade Instructions ] 20041228 Multiple WHM Autopilot Vulnerabilities Multiple PHP remote file inclusion vulnerabilities in Sean Proctor PHP-Calendar before 0.10.1, as used in Commonwealth of Massachusetts Virtual Law Office (VLO) and other products, allow remote attackers to execute arbitrary PHP code via a URL in the phpc_root_path parameter to (1) includes/calendar.php or (2) includes/setup.php. http://www.gulftech.org/?node=research&article_id=00060-12292004 20041229 php-Calendar File Include Vulnerability [ Command Exec ] vlo-phpcrootpath-file-include(29710) php-calendar-file-include(18710) ADV-2006-4145 20657 12127 20061021 Virtual Law Office (phpc_root_path) Remote File Include Vulnerability 2608 http://sourceforge.net/project/shownotes.php?release_id=296020&group_id=46800 1017107 22516 Cross-site scripting (XSS) vulnerability in view.php in Moodle 1.4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter. 12120 moodle-view-search-xss(18702) 13694 20041230 Re: Multiple Vulnerabilities in Moodle 20041227 Multiple Vulnerabilities in Moodle Directory traversal vulnerability in file.php in Moodle 1.4.2 and earlier allows remote attackers to read arbitrary session files for known session IDs via a .. (dot dot) in the file parameter. 12120 moodle-directory-traversal(18550) 20041230 Re: Multiple Vulnerabilities in Moodle 20041227 Multiple Vulnerabilities in Moodle Directory traversal vulnerability in index.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to read arbitrary files and execute arbitrary PHP files via .. (dot dot) sequences in the lng parameter. 20041230 KorWeblog php injection Vulnerability 12132 PHP remote file inclusion vulnerability in main.inc in KorWeblog 1.6.2-cvs and earlier allows remote attackers to execute arbitrary PHP code by modifying the G_PATH parameter to reference a URL on a remote web server that contains the code, as demonstrated in index.php when using .. (dot dot) sequences in the lng parameter to cause main.inc to be loaded. 20041230 KorWeblog php injection Vulnerability korweblog-install-file-include(18717) 12132 13700 ArGoSoft FTP before 1.4.2.1 generates an error message if the user name does not exist instead of prompting for a password, which allows remote attackers to determine valid usernames. argosoft-information-disclosure(18721) 12139 http://www.lovebug.org/argosoft_advisory.txt 20041231 ArGoSoft FTP Server reveals valid usernames and allows for brute force attacks 11335 http://www.argosoft.com/ftpserver/changelist.aspx 1012744 13063 ArGoSoft FTP 1.4.2.4 and earlier does not limit the number of times that a bad password can be entered, which makes it easier for remote attackers to guess passwords via a brute force attack. argosoft-bruteforce(18722) 20041231 ArGoSoft FTP Server reveals valid usernames and allows for brute SQL injection vulnerability in the show_stats module in Arcade.php in IbProArcade allows remote attackers to execute arbitrary SQL code via the gameid parameter. 20041231 SQL Injection Vulnerability In IBProArcade ibproarcade-gameid-sql-injection(18720) 12138 13260 FormMail.php 5.0, and possibly other versions, allows remote attackers to read arbitrary files via a full pathname in the ar_file (auto-reply) parameter. 20041231 Jacks FormMail.php remote file access vulnerability jack-formmail-arfile-view-files(18724) 12145 10815 Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via malformed (1) IP or (2) ICMP packets. VU#969344 VU#918920 cisco-ons-icmp-dos(16761) cisco-ons-ip-dos(16760) 10768 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities 12117 Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, and ONS 15600 1.x(x), allows remote attackers to cause a denial of service (control card reset) via malformed (1) TCP and (2) UDP packets. VU#800384 VU#486224 cisco-ons-udp-dos(16764) cisco-ons-tcp-dos(16762) 10768 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities 12117 Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.1(0) to 4.1(2), 4.5(x), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via malformed SNMP packets. VU#548968 cisco-ons-snmp-dos(16765) 10768 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities 12117 Multiple versions of Cisco ONS 15327, ONS 15454, and ONS 15454 SDH, including 4.6(0) and 4.6(1), 4.5(x), 4.1(0) to 4.1(3), 4.0(0) to 4.0(2), and earlier versions, allows remote attackers to cause a denial of service (control card reset) via a large number of TCP connections with an invalid response instead of the final ACK (TCP-ACK). VU#277048 cisco-ons-tcp-ack-dos(16763) 10768 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities 12117 The Transaction Language 1 (TL1) login interface in Cisco ONS 15327 4.6(0) and 4.6(1) and 15454 and 15454 SDH 4.6(0) and 4.6(1), when a user account is configured with a blank password, allows remote attackers to gain unauthorized access by logging in with a password larger than 10 characters. VU#760432 cisco-ons-tl1-auth-bypass(16766) 10768 20040721 Cisco ONS 15327, ONS 15454, ONS 15454 SDH, and ONS 15600 Malformed Packet Vulnerabilities 12117 Multiple buffer overflows in the digest authentication functionality in Pavuk 0.9.28-r2 and earlier allow remote attackers to execute arbitrary code. 10797 GLSA-200407-19 pavuk-digest-auth-bo(16807) The mod_authz_svn Apache module for Subversion 1.0.4-r1 and earlier allows remote authenticated users, with write access to the repository, to read unauthorized parts of the repository via the svn copy command. 10800 GLSA-200407-20 subversion-modauthzsvn-restriction-bypass(16803) http://svn.collab.net/repos/svn/tags/1.0.6/CHANGES 1010779 60 Buffer overflow in BlackJumboDog 3.x allows remote attackers to execute arbitrary code via long FTP commands such as (1) USER, (2) PASS, (3) RETR,(4) CWD, (5) XMKD, and (6) XRMD. VU#714584 10834 blackjumbodog-long-string-bo(16842) http://www.security.org.sg/vuln/bjd361.html 20040910 BlackJumboDog FTP Server version 3.6.1 Buffer Overflow [Exploit included] 12203 Multiple heap-based buffer overflows in the modpow function in PuTTY before 0.55 allow (1) remote attackers to execute arbitrary code via an SSH2 packet with a base argument that is larger than the mod argument, which causes the modpow function to write memory before the beginning of its buffer, and (2) remote malicious servers to cause a denial of service (client crash) and possibly execute arbitrary code via a large bignum during authentication. 10850 GLSA-200408-04 12212 20040804 CORE-2004-0705: Vulnerabilities in PuTTY and PSCP putty-code-execution(16885) http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-modpow.html http://www.chiark.greenend.org.uk/~sgtatham/putty/changes.html Cross-site scripting (XSS) vulnerability in icq.cgi in Board Power 2.04PF allows remote attackers to inject arbitrary web script or HTML via the action parameter. VU#744590 boardpower-icq-xss(16698) 10734 20040715 XSS in Board Power forum Cross-site scripting (XSS) vulnerability in db2www CGI interpreter in IBM Net.Data 7 and 7.2 allows remote attackers to inject arbitrary web script or HTML via a macro filename, which is not properly handled by error emssages such as "DTWP001E." http://www.kb.cert.org/vuls/id/DMOA-5VNPEL VU#197318 ibm-netdata-db2wwwcomponent-xss(14925) 9488 10709 1008845 3712 http://secunia.com/secunia_research/2004-1/advisory/ 20040126 Secunia Research: IBM Net.Data Macro Name Cross-Site Scripting Vulnerability Cross-site scripting (XSS) vulnerability in the inline MIME viewer in Horde-IMP (Internet Messaging Program) 3.2.4 and earlier, when used with Internet Explorer, allows remote attackers to inject arbitrary web script or HTML via an e-mail message. 10845 GLSA-200408-07 12202 imp-html-viewer-xss(16866) http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.389.2.106&r2=1.389.2.109&ty=h Directory traversal vulnerability in Roundup 0.6.4 and earlier allows remote attackers to view arbitrary files via .. (dot dot) sequences in an @@ command in an HTTP GET request. 10495 GLSA-200408-09 11801 roundup-get-view-file(16350) 1010415 http://packetstormsecurity.nl/0406-exploits/roundUP.txt http://sourceforge.net/tracker/index.php?func=detail&aid=961511&group_id=31577&atid=402788 A race condition in nessus-adduser in Nessus 2.0.11 and possibly earlier versions, if the TMPDIR environment variable is not set, allows local users to gain privileges. 10784 GLSA-200408-11 12127 nessus-adduser-race-condition(16768) Unknown vulnerability in ScreenOS in Juniper Networks NetScreen firewall 3.x through 5.x allows remote attackers to cause a denial of service (device reboot or hang) via a crafted SSH v1 packet. VU#749870 10854 http://www.juniper.net/support/security/alerts/screenos-sshv1-2.txt 12208 netscreen-screenos-sshv1-dos(16876) Jetbox One 2.0.8 and possibly other versions stores passwords in the database in plaintext, which could allow attackers to gain sensitive information. VU#586720 jetbox-one-plaintext-password(16898) 10858 20040804 vulnerabilities in JetboxOne CMS 12230 http://echo.or.id/adv/adv03-y3dips-2004.txt 8325 Jetbox One 2.0.8 and possibly other versions allow remote attackers with Author privileges in the IMAGES module to upload PHP files and execute arbitrary code. VU#417408 jetbox-one-file-upload(16900) 10859 20040804 vulnerabilities in JetboxOne CMS 12230 http://echo.or.id/adv/adv03-y3dips-2004.txt Mozilla before 1.7, Firefox before 0.9, and Thunderbird before 0.7 allows remote attackers to determine the location of files on a user's hard drive by obscuring a file upload control and tricking the user into dragging text into that control. http://bugzilla.mozilla.org/show_bug.cgi?id=206859#c0 Unknown vulnerability in LiveConnect in Mozilla 1.7 beta allows remote attackers to read arbitrary files in known locations. http://bugzilla.mozilla.org/show_bug.cgi?id=239122 http://www.mozilla.org/projects/security/known-vulnerabilities.html Mozilla before 1.6 does not display the entire URL in the status bar when a link contains %00, which could allow remote attackers to trick users into clicking on unknown or untrusted sites and facilitate phishing attacks. http://bugzilla.mozilla.org/show_bug.cgi?id=228176 http://www.mozilla.org/projects/security/known-vulnerabilities.html 10419 Tomcat before 5.0.27-r3 in Gentoo Linux sets the default permissions on the init scripts as tomcat:tomcat, but executes the scripts with root privileges, which could allow local users in the tomcat group to execute arbitrary commands as root by modifying the scripts. 10951 GLSA-200408-15 12296 gentoo-tomcat-gain-privileges(16993) GNU glibc 2.3.4 before 2.3.4.20040619, 2.3.3 before 2.3.3.20040420, and 2.3.2 before 2.3.2-r10 does not restrict the use of LD_DEBUG for a setuid program, which allows local users to gain sensitive information, such as the list of symbols used by the program. 10963 12306 glibc-suid-info-disclosure(17006) RHSA-2005:261 RHSA-2005:256 GLSA-200408-16 oval:org.mitre.oval:def:10762 http://bugs.gentoo.org/show_bug.cgi?id=59526 Cisco IOS 12.0S, 12.2, and 12.3, with Open Shortest Path First (OSPF) enabled, allows remote attackers to cause a denial of service (device reload) via a malformed OSPF packet. VU#989406 cisco-ios-ospf-dos(17033) 10971 20040818 Cisco IOS Malformed OSPF Packet Causes Reload O-199 12322 Stack-based buffer overflow in Xine-lib-rc5 in xine-lib 1_rc5-r2 and earlier allows remote attackers to execute arbitrary code via crafted playlists that result in a long vcd:// URL. 10890 GLSA-200408-18 xine-vcd-identifier-bo(16930) 12194 20040817 Open Security Group Advisory #6 filediff in CVStrac allows remote attackers to execute arbitrary commands via shell metacharacters in rcsinfo. VU#770816 http://www.cvstrac.org/cvstrac/chngview?cn=316 12090 cvstrac-command-execute(16929) 10878 8373 http://www.cvstrac.org/cvstrac/tktview?tn=339 20040805 CVStrac Remote Arbitrary Code Execution exploit The Virtual Private Network (VPN) capability in Novell Bordermanager 3.8 allows remote attackers to cause a denial of service (ABEND in IKE.NLM) via a malformed IKE packet, as sent by the Striker ISAKMP Protocol Test Suite. VU#432097 10727 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10093576.htm 12067 novell-bordermanger-ikenlm-dos(16697) The CSAdmin web administration interface for Cisco Secure Access Control Server (ACS) 3.2(2) build 15 allows remote attackers to cause a denial of service (hang) via a flood of TCP connections to port 2002. 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server 11047 ciscosecure-csadmin-tcp-dos(17114) O-203 12386 9182 Cisco Secure Access Control Server (ACS) 3.2, when configured as a Light Extensible Authentication Protocol (LEAP) RADIUS proxy, allows remote attackers to cause a denial of service (device crash) via certain LEAP authentication requests. 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server ciscosecure-leap-radius-dos(17116) 11047 Cisco Secure Access Control Server (ACS) 3.2(3) and earlier, when configured with an anonymous bind in Novell Directory Services (NDS) and authenticating NDS users with NDS, allows remote attackers to gain unauthorized access to AAA clients via a blank password. 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server ciscosecure-nds-blank-authentication(17117) 11047 Cisco Secure Access Control Server (ACS) 3.2(3) and earlier spawns a separate unauthenticated TCP connection on a random port when a user authenticates to the ACS GUI, which allows remote attackers to bypass authentication by connecting to that port from the same IP address. 20040825 Multiple Vulnerabilities in Cisco Secure Access Control Server ciscosecure-csadmin-auth-bypass(17118) 11047 Unknown vulnerability in MoinMoin 1.2.2 and earlier allows remote attackers to gain unauthorized access to administrator functions such as (1) revert and (2) delete. https://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801 10805 GLSA-200408-25 moinmoin-acl-gain-privileges(16833) 8194 Unknown vulnerability in the PageEditor in MoinMoin 1.2.2 and earlier, related to Access Control Lists (ACL), has unknown impact. 10801 GLSA-200408-25 http://sourceforge.net/project/shownotes.php?group_id=8482&release_id=254801 moinmoin-pageeditor-gain-privilege(16832) 8195 Cisco IOS 12.2(15) and earlier allows remote attackers to cause a denial of service (refused VTY (virtual terminal) connections), via a crafted TCP connection to the Telnet or reverse Telnet port. VU#384230 cisco-ios-telnet-dos(17131) 11060 20040827 Cisco Telnet Denial of Service Vulnerability 1011079 12395 Multiple buffer overflows in WinZip 9.0 and earlier may allow attackers to execute arbitrary code via multiple vectors, including the command line. http://www.winzip.com/wz90sr1.htm 11092 1011132 winzip-command-line-bo(17197) winzip-code-execution(17192) O-211 20040901 WinZip Unspecified Buffer Overflows May Let Remote or Local Users Execute Arbitrary Code The set_time_limit function in Gallery before 1.4.4_p2 deletes non-image files in a temporary directory every 30 seconds after they have been uploaded using save_photos.php, which allows remote attackers to upload and execute execute arbitrary scripts before they are deleted, if the temporary directory is under the web root. 10968 GLSA-200409-05 http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=134&mode=thread&order=0&thold=0 gallery-savephotos-file-upload(17021) 20040817 Gallery 1.4.4 save_photos.php PHP Insertion Proof of Concept Multiple cross-site scripting (XSS) vulnerabilities in eGroupWare 1.0.00.003 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) date or search text field in the calendar module, (2) Field parameter, Filter parameter, QField parameter, Start parameter or Search field in the address module, (3) Subject field in the message module or (4) Subject field in the Ticket module. 11013 GLSA-200409-06 egroupware-mult-modules-xss(17078) 20040822 Multiple Cross Site Scripting Vulnerabilities in eGroupWare http://sourceforge.net/forum/forum.php?forum_id=401807 The web mail functionality in Usermin 1.x and Webmin 1.x allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail message. 1122 GLSA-200409-15 12488 usermin-web-mail-command-execution(17293) http://www.lac.co.jp/security/csl/intelligence/SNSadvisory_e/77_e.html Format string vulnerability in the log function in SUS 2.0.2, and other versions before 2.0.6, allows local users to execute arbitrary code via format string specifiers in a command line argument that is passed directly to syslog. 11176 GLSA-200409-17 http://security.lss.hr/index.php?page=details&ID=LSS-2004-09-01 20040914 SUS 2.0.2 local root vulnerability sus-log-format-string(17361) http://pdg.uow.edu.au/sus/CHANGES CRLF injection vulnerability in SnipSnap 0.5.2a, and other versions before 1.0b1, allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server. 11180 GLSA-200409-23 snipsnap-response-splitting(17364) http://www.snipsnap.org/space/start 20040914 ADVISORY: http response splitting in snipsnap Format string vulnerability in wrapper.c in CVS 1.12.x through 1.12.8, and 1.11.x through 1.11.16 allows remote attackers with CVSROOT commit access to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a wrapper line. Failed exploit attempts will likely cause a denial of service condition. 10499 cvs-wrapper-format-string(16365) 20040609 Advisory 09/2004: More CVS remote vulnerabilities FreeBSD-SA-04:14 Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 allow remote attackers to cause a denial of service (device freeze) via a fast UDP port scan on the WAN interface. VU#441078 symantec-firewallvpn-udp-dos(17469) 11237 http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.html 10204 12635 20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 allow remote attackers to bypass filtering and determine whether the device is running services such as tftpd, snmpd, or isakmp via a UDP port scan with a source port of UDP 53. VU#329230 symantec-udp-obtain-info(17470) http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.html 11237 20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products 10205 12635 Symantec Enterprise Firewall/VPN Appliances 100, 200, and 200R running firmware before 1.63 and Gateway Security 320, 360, and 360R running firmware before 622 uses a default read/write SNMP community string, which allows remote attackers to alter the firewall's configuration file. VU#173910 11237 http://securityresponse.symantec.com/avcenter/security/Content/2004.09.22.html 20040922 Multiple Vulnerabilities in Symantec Enterprise Firewall/Gateway Security Products symantec-default-snmp(17471) 10206 12635 Multiple stack-based buffer overflows in xine-lib 1-rc2 through 1-rc5 allow attackers to execute arbitrary code via (1) long VideoCD vcd:// MRLs or (2) long subtitle lines. 11206 GLSA-200409-30 GLSA-200408-18 http://xinehq.de/index.php/security/XSA-2004-4 xine-subtitle-bo(17432) xine-videocd-mrl-bo(17430) 20040907 XSA-2004-4: multiple string overflows Stack-based buffer overflow in the VideoCD (VCD) code in xine-lib 1-rc2 through 1-rc5, as derived from libcdio, allows attackers to execute arbitrary code via a VideoCD with an unterminated disk label. http://xinehq.de/index.php/security/XSA-2004-4 11206 20040907 XSA-2004-4: multiple string overflows GLSA-200409-30 Cross-site scripting (XSS) vulnerability in the Management Console in JRun 4.0 allows remote attackers to execute arbitrary web script or HTML and possibly hijack a user's session. VU#668206 11245 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html jrun-management-console-xss(17483) 12638 20040923 New Macromedia Security Zone Bulletins Posted JRun 4.0 does not properly generate and handle the JSESSIONID, which allows remote attackers to perform a session fixation attack and hijack a user's HTTP session. VU#584958 jrun-jsessionid-hijack(17481) 11245 http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html 12638 20040923 New Macromedia Security Zone Bulletins Posted ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-0928. Reason: This candidate is a duplicate of CVE-2004-0928. Notes: All CVE users should reference CVE-2004-0928 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unknown vulnerability in the management station in HP StorageWorks Command View XP 1.8B and earlier allows remote attackers to bypass access restrictions. 1011407 hp-storageworks-restriction-bypass(17490) 11249 SSRT4794 Integer overflow in pnen3260.dll in RealPlayer 8 through 10.5 (6.0.12.1040) and earlier, and RealOne Player 1 or 2 on Windows or Mac OS, allows remote attackers to execute arbitrary code via a SMIL file and a .rm movie file with a large length field for the data chunk, which leads to a heap-based buffer overflow. http://www.service.real.com/help/faq/security/040928_player/EN/ 11309 realplayer-rm-code-execution(17549) 12672 20041001 EEYE: RealPlayer pnen3260.dll Heap Overflow The sbuf_getmsg function in BNC incorrectly handles backspace characters, which could allow remote attackers to bypass authentication and gain access to arbitrary scripts. 11355 GLSA-200410-13 12770 bnc-backspace-command-execution(17672) 10596 Multiple unknown vulnerabilities in the ActiveX and HTML file browsers in Symantec Clientless VPN Gateway 4400 Series 5.0 have unknown attack vectors and unknown impact. VU#760256 12254 symantec-clientless-file-browsers(16933) 10903 8508 ftp://ftp.symantec.com/public/english_us_canada/products/sym_clientless_vpn/sym_clientless_vpn_5/updates/hf3-readme.txt Format string vulnerability in the _msg function in error.c in socat 1.4.0.3 and earlier, when used as an HTTP proxy client and run with the -ly option, allows remote attackers or local users to execute arbitrary code via format string specifiers in a syslog message. socat-format-string(17822) 11505 http://www.nosystem.com.ar/advisories/advisory-07.txt GLSA-200410-26 12936 http://www.dest-unreach.org/socat/advisory/socat-adv-1.html Buffer overflow in the TFTP client in InetUtils 1.4.2 allows remote malicious DNS servers to execute arbitrary code via a large DNS response that is handled by the gethostbyname function. inetutils-tftp-dns-bo(17878) 11527 20041026 inetutils tftp client, DNS resolving bofs Unknown vulnerability in Serviceguard A.11.13 through A.11.16.00 and Cluster Object Manager A.01.03 and B.01.04 through B.03.00.01 on HP-UX, Serviceguard A.11.14.04 and A.11.15.04 and Cluster Object Manager B.02.01.02 and B.02.02.02 on HP Linux, allow remote attackers to gain privileges via unknown attack vectors. hp-cluster-serviceguard-gain-privileges(17867) 11507 12946 SSRT3526 wget 1.8.x and 1.9.x allows a remote malicious web server to overwrite certain files via a redirection URL containing a ".." that resolves to the IP address of the malicious server, which bypasses wget's filtering for ".." sequences. wget-file-overwrite(18420) USN-145-1 11871 1012472 oval:org.mitre.oval:def:11682 20041209 wget: Arbitrary file overwriting/appending/creating and other vulnerabilities http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261755 RHSA-2005:771 wget 1.8.x and 1.9.x does not filter or quote control characters when displaying HTTP responses to the terminal, which may allow remote malicious web servers to inject terminal escape sequences and execute arbitrary code. wget-terminal-overwrite(18421) USN-145-1 11871 1012472 oval:org.mitre.oval:def:9750 20041209 wget: Arbitrary file overwriting/appending/creating and other vulnerabilities http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=261755 RHSA-2005:771 SUSE-SR:2006:016 20960 Opera 7.54 and earlier does not properly limit an applet's access to internal Java packages from Sun, which allows remote attackers to gain sensitive information, such as user names and the installation directory. GLSA-200502-17 http://www.opera.com/linux/changelogs/754u1/ 20041119 Java Vulnerabilities in Opera 7.54 Opera 7.54 and earlier allows remote attackers to spoof file types in the download dialog via dots and non-breaking spaces (ASCII character code 160) in the (1) Content-Disposition or (2) Content-Type headers. 11883 GLSA-200502-17 http://secunia.com/secunia_research/2004-19/advisory/ 12981 opera-file-type-spoofing(18423) http://www.opera.com/linux/changelogs/754u1/ Opera 7.54 and earlier uses kfmclient exec to handle unknown MIME types, which allows remote attackers to execute arbitrary code via a shortcut or launcher that contains an Exec entry. 11901 GLSA-200502-17 13447 pera-kfmclient-command-execution(18457) http://www.zone-h.org/advisories/read/id=6503 http://www.opera.com/linux/changelogs/754u2/ SUSE-SR:2005:008 Master of Orion III 1.2.5 and earlier allows remote attackers to cause a denial of service (game exit) via a data packet that contains a large size specifier, which causes a large memory allocation to fail. master-of-orion-size-dos(17908) 11550 13008 20041027 Crashs in Master of Orion III 1.2.5 Master of Orion III 1.2.5 and earlier allows remote attackers to cause a denial of service (server crash) via multiple connections with long nicknames, possibly triggering a buffer overflow. master-of-orion-nickname-dos(17884) 11550 13008 http://packetstormsecurity.nl/0410-advisories/masterOrionIII.txt 20041027 Crashs in Master of Orion III 1.2.5 Buffer overflow in the Screen Fetch option in XDICT 2002 through 2005 allows remote attackers to cause a denial of service ( CPU consumption or application exit) and possibly execute arbitrary code via a long string. xdict-screen-fetch-bo(17929) http://secway.org/Advisory/Ad20041026EN.txt 20041101 XDICT Buffer OverRun Vulnerability,funny :-) 20041101 XDICT Buffer OverRun Vulnerability,funny :-) The Repair Archive command in WinRAR 3.40 allows remote attackers to cause a denial of service (application crash) via a corrupt ZIP archive. 11581 13070 winrar-repair-archive(17937) http://www.rarlabs.com/rarnew.htm 20041102 Medium Risk Vulnerability in WinRAR Directory traversal vulnerability in Web Forums Server 1.6 and 2.0 Power Pack allows remote attackers to read arbitrary files via a URL containing (1) "..\" (dot dot backslash), (2) "../" (dot dot slash), (3) "/%2E%2E%5C" (encoded dot dot backslash), or (4) "%2E%2E%2F" (encoded dot dot slash). 20041102 Multiple Vulnerabilities in Web Forums Server Web Forums Server 1.6 and 2.0 Power Pack stores passwords in plaintext in the Username.ini file, which allows local users to gain privileges. 20041102 Multiple Vulnerabilities in Web Forums Server SQL injection vulnerability in the compose message form in HELM 3.1.19 and earlier allows remote attackers to execute arbitrary SQL commands via the messageToUserAccNum parameter. 13079 11586 http://www.hat-squad.com/en/000077.html 20041102 [Hat-Squad] SQL injection and XSS Vulnerabilities in HELM Cross-site scripting (XSS) vulnerability in the compose message form in HELM 3.1.19 and earlier allows remote attackers to execute arbitrary web script or HTML via the Subject field. 13079 helm-subject-xss(17943) 11586 http://www.hat-squad.com/en/000077.html 20041102 [Hat-Squad] SQL injection and XSS Vulnerabilities in HELM Format string vulnerability in the Lithtech engine, as used in multiple games, allows remote authenticated users to cause a denial of service (application crash) via format string specifiers in (1) a nickname or (2) a message. lithtech-format-string(17972) 11610 17317 13116 20041105 In-game format string bug in the Lithtech engine http://aluigi.altervista.org/adv/lithfs-adv.txt The webmail service in 602 Lan Suite 2004.0.04.0909 and earlier allows remote attackers to cause a denial of service (CPU and memory consumption) by sending a POST request with a large Content-Length value, then disconnecting without sending that amount of data. 602pro-mail-post-dos(17977) 20041106 Resources consumption in 602 Lan Suite 2004.0.04.0909 The Telnet proxy in 602 Lan Suite 2004.0.04.0909 and earlier allows remote attackers to cause a denial of service (socket exhaustion) via a Telnet request to an IP address of the proxy's network interface, which causes a loop. 602pro-telnet-loopback-dos(17979) 20041106 Resources consumption in 602 Lan Suite 2004.0.04.0909 Integer overflow in the InitialDirContext in Java Runtime Environment (JRE) 1.4.2, 1.5.0 and possibly other versions allows remote attackers to cause a denial of service (Java exception and failed DNS requests) via a large number of DNS requests, which causes the xid variable to wrap around and become negative. sun-jre-dns-dos(17990) 11619 13142 20041108 DOS against Java JNDI/DNS The displaycontent function in config.php for Just Another Flat file (JAF) CMS 3.0RC allows remote attackers to gain sensitive information via a blank show parameter, which reveals the installation path in an error message, as demonstrated using index.php. jaf-cms-path-disclosure(18006) 20041109 Vulnerabilities in JAF CMS http://echo.or.id/adv/adv08-y3dips-2004.txt Directory traversal vulnerability in index.php in Just Another Flat file (JAF) CMS 3.0RC allows remote attackers to read arbitrary files and possibly execute PHP code via a .. (dot dot) in the show parameter. jaf-cms-file-inlcude(17983) 11627 13104 20041109 Vulnerabilities in JAF CMS http://echo.or.id/adv/adv08-y3dips-2004.txt Multiple cross-site scripting (XSS) vulnerabilities in WebCalendar allow remote attackers to inject arbitrary web script via (1) view_entry.php, (2) view_d.php, (3) usersel.php, (4) datesel.php, (5) trailer.php, or (6) styles.php, as demonstrated using img srg tags. webcalendar-img-src-xss(18026) 11651 13164 20041109 Multiple Vulnerabilities in WebCalendar CRLF injection vulnerability in login.php in WebCalendar allows remote attackers to inject CRLF sequences via the return_path parameter and perform HTTP Response Splitting attacks to modify expected HTML content from the server. webcalendar-response-splitting(18027) 11651 13164 20041109 Multiple Vulnerabilities in WebCalendar init.php in WebCalendar allows remote attackers to execute arbitrary local PHP scripts via the user_inc parameter. webcalendar-init-file-include(18028) 11651 13164 20041109 Multiple Vulnerabilities in WebCalendar validate.php in WebCalendar allows remote attackers to gain sensitive information via an invalid encoded_login parameter, which reveals the full path in an error message. webcalendar-encodedlogin-path-disclosure(18029) 11651 13164 20041109 Multiple Vulnerabilities in WebCalendar WebCalendar allows remote attackers to gain privileges by modifying critical parameters to (1) view_entry.php or (2) upcoming.php. webcalendar-scripts-gain-access(18030) 11651 13164 20041109 Multiple Vulnerabilities in WebCalendar Hotfoon 4.0 does not notify users before opening links in web browsers, which could allow remote attackers to execute arbitrary code via a certian link sent in a chat window. hotfoon-url-command-execution(18038) 13173 20041110 Hotfoon Ver 4.0 Highv Risk Cross-site scripting (XSS) vulnerability in Response_default.html in 04WebServer 1.42 allows remote attackers to execute arbitrary web script or HTML via script code in the URL, which is not quoted in the resulting default error page. 04webserver-error-xss(18033) 11652 http://www.security.org.sg/vuln/04webserver142.html 13159 20041115 Re: 04WebServer Three Vulnerabilities 20041110 04WebServer Three Vulnerabilities http://www.soft3304.net/04WebServer/Security.html 04WebServer 1.42 does not adequately filter data that is written to log files, which could allow remote attackers to inject carriage return characters into the log file and spoof log entries. 04webserver-web-log-spoofing(18034) 11652 http://www.security.org.sg/vuln/04webserver142.html 13159 20041115 Re: 04WebServer Three Vulnerabilities 20041110 04WebServer Three Vulnerabilities http://www.soft3304.net/04WebServer/Security.html 04WebServer 1.42 allows remote attackers to cause a denial of service (fail to restart properly) via an HTTP request for an MS-DOS device name such as COM2. 04webserver-dos-devices-dos(18036) 11652 20041115 Re: 04WebServer Three Vulnerabilities http://www.security.org.sg/vuln/04webserver142.html 13159 20041110 04WebServer Three Vulnerabilities http://www.soft3304.net/04WebServer/Security.html SQL injection vulnerability in (1) ttlast.php and (2) last10.php in vBulletin 3.0.x allows remote attackers to execute arbitrary SQL statements via the fsel parameter, as demonstrated using last.php. 20041111 SQL injection in vBulletin forums (last10.php) CRLF injection vulnerability in index.php in phpWebSite 0.9.3-4 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the block_username parameter in the user module. phpwebsite-response-splitting(18046) 11673 GLSA-200411-35 13172 http://phpwebsite.appstate.edu/index.php?module=announce&ANN_id=863&ANN_user_op=view 20041111 security hole (http response splitting) in phpwebsite Zone Labs IMsecure and IMsecure Pro before 1.5 allow remote attackers to bypass Active Link Filtering via an instant message containing a URL with hex encoded file extenstions. imsecure-active-link-bypass(18042) 11662 http://download.zonelabs.com/bin/free/securityAlert/16.html 13169 20041111 Zone Labs IMsecure Active Link Filter Bypass SQL injection vulnerability in follow.php in Phorum 5.0.12 and earlier allows remote authenticated users to execute arbitrary SQL command via the forum_id parameter. phorum-followphp-sql-injection(18045) 11660 13174 20041111 [waraxe-2004-SA#037 - Sql injection bug in Phorum 5.0.12 and older versions] 20041111 [waraxe-2004-SA#037 - Sql injection bug in Phorum 5.0.12 and older versions] SQL injection vulnerability in bug.php in phpBugTracker 0.9.1 allows remote attackers to execute arbitrary SQL commands via (1) the bug_id parameter in a viewvotes operation or (2) the project parameter in an add operation. phpbugtracker-bug-sql-injection(18053) phpbugtracker-project-sql-injection(18079) 11718 20041112 SQL Injection in phpBT (bug.php) add project 20041112 SQL Injection in phpBT (bug.php - Add) 20041112 SQL Injection in phpBT (bug.php) Stack-based buffer overflow in IPSwitch IMail 8.13 allows remote authenticated users to execute arbitrary code via a long IMAP DELETE command. 11675 13200 ipswitch-delete-bo(18058) 20041112 IPSwitch-IMail-8.13 Stack Overflow in the DELETE Command Eudora 6.2.0.14 does not issue a warning when a user forwards an e-mail message that contains base64 or quoted-printable encoded attachments, which makes it easier for remote attackers to read arbitrary files via spoofed "Converted" headers. eudora-base64-attach-spoof-variant(18064) http://packetstormsecurity.nl/0411-exploits/eudora62014.txt 20041113 Eudora 6.2 attachment spoof 20041113 Eudora 6.2 attachment spoof Format string vulnerability in Army Men RTS 1.0 allows remote attackers to cause a denial of service (application crash) via a nickname that contains format strings. army-men-rts-format-string(18065) 11679 13186 20041114 Format string bug in Army Men RTS 20041114 Format string bug in Army Men RTS Format string vulnerability in the game console in Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (application crash) via format string specifiers in a message. hired-team-format-string(18083) 11683 13207 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (game interruption) via a malformed UDP packet sent to a game port, such as port 29200. hired-team-udp-dos(18085) 11683 13207 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) Hired Team: Trial 2.0 and earlier and 2.200 allows remote attackers to cause a denial of service (application crash) via the status command. hired-team-status-dos(18086) 11683 13207 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) Hired Team: Trial 2.0 and earlier and 2.200 does not limit how game players can kick other players off the server, including the administrator. 13207 20041115 Multiple vulnerabilities in Hired Team: Trial (Shine engine) Microsoft Internet Explorer 6.0 SP1 does not properly handle certain character strings in the Path attribute, which can cause it to modify cookies in other domains when the attacker's domain name is within the target's domain name or when wildcard DNS is being used, which allows remote attackers to hijack web sessions. http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/79_e.html 13208 ie-path-cookie-overwrite(18073) 11680 20041115 [SNS Advisory No.79] A Possibility of Cookie Overwrite in Microsoft Internet Explorer The Event Calendar module 2.13 for PHP-Nuke allows remote attackers to gain sensitive information via an HTTP request to (1) config.php, (2) index.php, or (3) submit.php, which reveal the full path in an error message. event-calendar-path-disclosure(18105) http://www.waraxe.us/index.php?modname=sa&id=38 11693 13213 20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke] Cross-site scripting (XSS) vulnerability in the Event Calendar module 2.13 for PHP-Nuke allows remote attackers to execute arbitrary web script via the (1) type, (2) day, (3) month, or (4) year parameters in a Preview operation, or (5) event comments. event-calendar-comment-xss(18107) event-calendar-xss(18106) http://www.waraxe.us/index.php?modname=sa&id=38 11693 13213 20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke] SQL injection vulnerability in the Event Calendar module 2.13 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the (1) eid or (2) cid parameters. event-calendar-sql-injection(18104) http://www.waraxe.us/index.php?modname=sa&id=38 11693 13213 20041116 [waraxe-2004-SA#038 - Multiple vulnerabilities in Event Calendar module for PhpNuke] SQL injection vulnerability in post.php in Invision Power Board (IPB) 2.0.0 through 2.0.2 allows remote attackers to execute arbitrary SQL commands via the qpid parameter. 13245 http://forums.invisionpower.com/index.php?showtopic=154916 invisionpowerboard-sql-injection(18164) 11703 20050427 Re: SQL-injections in Invision Power Board v2.0.1 20050425 SQL-injections in Invision Power Board v2.0.1 20041118 [MaxPatrol] SQL-injection in Invision Power Board 2.x AppServ 2.5.x and earlier installs a default username and password, which allows remote attackers to gain access. appserv-default-account(18163) 11704 20041118 AppServ 2.5.x and Prior Exploit Buffer overflow in pop3svr.exe for DMS POP3 1.5.3.27 and earlier allows remote attackers to cause a denial of service (service crash) via a long (1) username or (2) password. dms-pop3-username-bo(18161) 11705 http://www.digitalmapping.sk.ca/pop3srv/Update.asp 13248 20041118 Buffer overlow in DMS POP3 Server for Windows 2000/XP 1.5.3 build ZoneAlarm and ZoneAlarm Pro before 5.5.062, with ad-blocking enabled, allows remote web sites to cause a denial of service (application instability or system hang) via certain JavaScript. zonealarm-adblock-dos(18159) 11706 13244 http://download.zonelabs.com/bin/free/securityAlert/18.html 20041118 Zone Labs Ad-Blocking Instability PHP remote file inclusion vulnerability in admin_cash.php for the Cash Mod module for phpBB allows remote attackers to execute arbitrary PHP code by modifying the phpbb_root_path parameter to reference a URL on a remote web server that contains the code. phpbb-admincashphp-file-include(18151) 20041118 Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) 20041118 Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.) SQL injection vulnerability in index.php in the ibProArcade module for Invision Power Board (IPB) 1.x and 2.x allows remote attackers to execute arbitrary SQL commands via the cat parameter. ibproarcade-category-sql-injection(18180) 11719 1012292 13260 20041120 IpbProArace 2.5.x SQL injection. Cross-site scripting (XSS) vulnerability in popup.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary web script via the img parameter. phpkit-popup-xss(18204) 11725 13262 20041122 PHPKIT SQL Injection, XSS SQL injection vulnerability in include.php in PHPKIT 1.6.03 through 1.6.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. phpkit-include-sql-injection(18205) 11725 13262 20041122 PHPKIT SQL Injection, XSS Halo: Combat Evolved 1.05 and earlier allows remote game servers to cause a denial of service (client crash) via a long value in a game server reply, which triggers a NULL dereference. halo-long-reply-dos(18196) 13273 11724 20041122 Broadcast client crash in Halo 1.05 ZyXEL Prestige 623, 650, and 652 HW Routers, and possibly other versions, with HTTP Remote Administration enabled, does not require a password to access rpFWUpload.html, which allows remote attackers to reset the router configuration file. zyxel-configuration-reset(18202) 11723 1012298 13278 12108 20041124 Re: Router ZyXEL Prestige 650 HW http remote admin. 20041121 Router ZyXEL Prestige 650 HW http remote admin. SecureCRT 4.0, 4.1, and possibly other versions, allows remote attackers to execute arbitrary commands via a telnet:// URL that uses the /F option to specify a configuration file on a samba share. securecrt-folder-command-execution(18201) 11731 13275 20041123 SecureCRT - Remote Command Execution Buffer overflow in Soldier of Fortune II 1.03 Gold and earlier allows remote attackers to cause a denial of service (server or client crash) via a long (1) query or (2) reply. soldier-fortune-bo(18211) 11735 13289 20041123 Broadcast memory corruption in Soldier of Fortune II 1.03 Directory traversal vulnerability in viewimg.php in KorWeblog 1.6.2-cvs and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the path parameter. korweblog-viewimg-directory-traversal(18234) 11744 13286 20041124 STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability 20041124 STG Security Advisory: [SSA-20041122-10] KorWeblog directory traversal vulnerability Cross-site scripting (XSS) vulnerability in Search.jsp in JSPWiki 2.1.120-cvs and earlier allows remote attackers to execute arbitrary web script as other users via the query parameter. jspwiki-query-xss(18236) 11746 13285 20041124 STG Security Advisory: [SSA-20041122-11] JSPWiki XSS vulnerability UploadFile.php in MoniWiki 1.0.9.2 and earlier, when used with Apache mod_mime, does not properly handle files with two file extensions, such as .php.hwp, which allows remote attackers to upload and execute arbitrary code. moniwiki-file-upload(18493) 11951 20041215 STG Security Advisory: [SSA-20041215-15] Vulnerability of uploading files with multiple extensions in MoniWiki 13478 20041215 STG Security Advisory: [SSA-20041215-15] Vulnerability of uploading files with multiple extensions in MoniWiki http://kldp.net/scm/cvsweb.php/moniwiki/plugin/UploadFile.php.diff?cvsroot=moniwiki&only_with_tag=HEAD&r1=text&tr1=1.17&r2=text&tr2=1.16&f=h Multiple buffer overflows in MDaemon 6.5.1 allow remote attackers to cause a denial of service (application crash) via a long (1) SAML, SOML, SEND, or MAIL command to the SMTP server or (2) LIST command to the IMAP server. mdaemon-smtp-bo(17477) 11238 20040922 Remote buffer overflow in MDaemon IMAP and SMTP server mdaemon-imap-list-bo(17476) http://www.securitylab.ru/48146.html 10224 10223 20040922 Remote buffer overflow in MDaemon IMAP and SMTP server The file server in ActivePost Standard 3.1 and earlier allows remote authenticated users to cause a denial of service (application crash) via a long filename, possibly triggering a buffer overflow. activepost-long-filename-dos(17482) 11244 1011406 12642 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 http://aluigi.altervista.org/adv/actp-adv.txt Directory traversal vulnerability in the file server in ActivePost Standard 3.1 allows remote authenticated users to upload arbitrary files via a .. (dot dot) in the filename. activepost-dotdot-directory-traversal(17488) 11244 1011406 12642 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 http://aluigi.altervista.org/adv/actp-adv.txt The conference menu in ActivePost Standard 3.1 sends passwords of password-protected rooms in cleartext, which could allow remote attackers to gain sensitive information by sniffing the network connection. activepost-plaintext-password(17486) 11244 1011406 12642 20040923 Multiple vulnerabilities in ActivePost Standard 3.1 http://aluigi.altervista.org/adv/actp-adv.txt Motorola Wireless Router WR850G running firmware 4.03 allows remote attackers to bypass authentication, log on as an administrator, and obtain sensitive information by repeatedly making an HTTP request for ver.asp until an administrator logs on. 11241 motorola-wr850g-gain-access(17474) 20040924 Motorola Wireless Router WR850G Authentication Circumvention 20040923 Motorola Wireless Router WR850G Authentication Circumvention Cross-site scripting (XSS) vulnerability in the (1) email or (2) file modules in paFileDB 3.1 Final allows remote attackers to execute arbitrary web script or HTML via the id parameter. pafiledb-pafiledb-xss(17504) 20040925 New XSS vulnerabilities in paFileDB 3.1 final SQL injection vulnerability in aspWebCalendar allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the eventid parameter to calendar.asp. aspwebcalendar-sql-injection(17506) ADV-2007-1093 11246 12651 20040923 aspWebCalendar /aspWebAlbum: SQL injection aspwebcalendar-calendar-sql-injection(33157) 23098 3546 24622 SQL injection vulnerability in aspWebAlbum allows remote attackers to execute arbitrary SQL statements via (1) the username field on the login page or (2) the cat parameter to album.asp. NOTE: it was later reported that vector 1 affects aspWebAlbum 3.2, and the vector involves the txtUserName parameter in a processlogin action to album.asp, as reachable from the login action. aspwebalbum-album-sql-injection(44877) aspwebalbum-image-file-upload(44876) aspwebalbum-sql-injection(17507) 30996 11246 6420 6357 31649 47914 47913 20040923 aspWebCalendar /aspWebAlbum: SQL injection PHP remote file inclusion vulnerability in livre_include.php in @lex Guestbook allows remote attackers to execute arbitrary PHP code by modifying the chem_absolu parameter to reference a URL on a remote web server that contains the code. 11260 @lex-guestbook-file-include(17516) 1011432 http://packetstormsecurity.nl/0410-exploits/alexPHP.txt 20040926 @lex Guestbook (PHP) Include file Multiple SQL injection vulnerabilities in BroadBoard Instant ASP Message Board allow remote attackers to run arbitrary SQL commands via the (1) keywords parameter to search.asp, (2) handle parameter to profile.asp, (3) txtUserHandle parameter to reg2.asp or (4) txtUserEmail parameter to forgot.asp. broadboard-forgotasp-sql-injection(17502) broadboard-reg2asp-sql-injection(17501) broadboard-profileasp-sql-injection(17500) broadboard-searchasp-sql-injection(17498) 11250 12658 20040926 SQL injection in BroadBoard Instant ASP Message Board 1011419 MyWebServer 1.0.3 allows remote attackers to cause a denial of service (application crash) via a large number of connections within a short time. mywebserver-mult-connections-dos(17519) 11254 12689 20040927 MyWebServer 1.0.3 1011461 MyWebServer 1.0.3 allows remote attackers to bypass authentication, modify configuration, and read arbitrary files via a direct HTTP request to (1) /admin or (2) ServerProperties.html. mywebserver-admin-access(17520) 11254 20040927 MyWebServer 1.0.3 1011461 Multiple stack-based buffer overflows in YPOPs! (aka YahooPOPS) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request. ypops-smtp-bo(17518) ypops-pop3-bo(17515) 11256 http://www.hat-squad.com/en/000075.html 20061020 vendor ACK for old YPOPs! issue 1011426 20040927 [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPS http://dbeusee.home.comcast.net/history.html 10367 10366 12660 Multiple cross-site scripting (XSS) vulnerabilities in Wordpress 1.2 allow remote attackers to inject arbitrary web script or HTML via the (1) redirect_to, text, popupurl, or popuptitle parameters to wp-login.php, (2) redirect_url parameter to admin-header.php, (3) popuptitle, popupurl, content, or post_title parameters to bookmarklet.php, (4) cat_ID parameter to categories.php, (5) s parameter to edit.php, or (6) s or mode parameter to edit-comments.php. wordpress-multiple-scripts-xss(17532) 11268 12683 20040927 Multiple XSS Vulnerabilities in Wordpress 1.2 1011440 Microsoft SQL Server 7.0 allows remote attackers to cause a denial of service (mssqlserver service halt) via a long request to TCP port 1433, possibly triggering a buffer overflow. mssql-data-buffer-dos(17542) 11265 1011434 12680 http://packetstormsecurity.nl/0410-exploits/mssql.7.0.dos.c 20040928 MSSQL 7.0 DoS Buffer overflow in Icecast 2.0.1 and earlier allows remote attackers to execute arbitrary code via an HTTP request with a large number of headers. icecast-http-bo(17538) 11271 12666 http://www.securiteam.com/exploits/6X00315BFM.html 20041002 Re:2. Code execution in Icecast 2.0.1(exploit with shellcode) http://aluigi.altervista.org/adv/iceexec-adv.txt 10446 1011439 20040928 Code execution in Icecast 2.0.1 SQL injection vulnerability in redir_url.php in w-Agora 4.1.6a allows remote attackers to execute arbitrary SQL commands via the key parameter. wagora-redirurl-sql-injection(17557) 12695 11283 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 Multiple cross-site scripting (XSS) vulnerabilities in w-Agora 4.1.6a allow remote attackers to execute arbitrary web script or HTML via the (1) thread parameter to download_thread.php, (2) loginuser parameter to login.php, or (3) userid parameter to forgot_password.php. wagora-get-post-xss(17553) 12695 11283 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 CRLF injection vulnerability in subscribe_thread.php in w-Agora 4.1.6a allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the thread parameter. 12695 wagora-response-splitting(17558) 11283 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 list.php in w-Agora 4.1.6a allows remote attackers to reveal the full path via a crafted HTTP request, possibly involving a malformed id parameter. 12695 11283 20040930 Multiple vulnerabilities in w-agora forum 20040930 Multiple vulnerabilities in w-agora forum 1011463 Cross-site scripting (XSS) vulnerability in index.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers to execute arbitrary web script or HTML via the module parameter. silent-storm-xss(17554) 11284 12704 20040930 Multiple Vulnerabilities in Silent Storm Portal 1011470 profile.php in Silent Storm Portal 2.1 and 2.2 allows remote attackers to gain privileges by setting the mail parameter to 1, which is the value for an administrator. silent-storm-gain-admin(17555) 11284 12704 20040930 Multiple Vulnerabilities in Silent Storm Portal 1011470 Directory traversal vulnerability in ParaChat Server 5.5 allows remote attackers to read arbitrary files via a ..%5C (hex-encoded dot dot) in the URL. parachat-directory-traversal(17541) 11272 12678 20040930 Re: directory traversal in ParaChat Server 5.5 20040929 directory traversal in ParaChat Server 5.5 10436 1011438 20040929 Re: directory traversal in ParaChat Server 5.5 20040928 directory traversal in ParaChat Server 5.5 Buffer overflow in (1) MusicConverter.exe, (2) playlist.exe, and (3) amp.exe in dBpowerAMP Audio Player 2.0 and dbPowerAmp Music Converter 10.0 allows remote attackers to cause a denial of service or execute arbitrary code via a .pls or .m3u playlist that contains long File1 (filename) fields. dbpoweramp-converter-filename-bo(17539) dbpoweramp-player-filename-bo(17535) 11266 http://www.gulftech.org/?node=research&article_id=00052-09272004 12684 20040930 dbPowerAmp Buffer Overflow And Dos Vulnerabilities SQL injection vulnerability in bBlog 0.7.2 and 0.7.3 allows remote attackers to execute arbitrary SQL commands via the p parameter. 20041001 SQL Injection vulnerability in bBlog 0.7.3 bblog-array-sql-injection(17552) http://www.servers.co.nz/security/SCN200409-1.php 11303 12691 AJ-Fork 167 allows remote attackers to gain sensitive information via a direct request to (1) auto-acronyms.php, (2) auto-archive.php, (3) ount-article-views.php, (4) kses.php, (5) custom-quick-tags.php, (6) disable-all-comments.php, (7) easy-date-format.php, (8) enable-disable-comments.php, (9) filter-by-author.php, (10) format-switcher.php, (11) long-to-short.php, (12) prospective-posting.php, or (13) sort-by-xfield.php, which displays the full path in an error message. aj-fork-path-disclosure(17568) 20041001 Multiple Vulnerabilities in AJ-Fork http://echo.or.id/adv/adv07-y3dips-2004.txt AJ-Fork 167 does not restrict access to directories such as (1) data, (2) inc, (3) plugins, (4) skins, or (5) tools, which allows remote attackers to list files in those directories via a direct HTTP request. af-fork-directory-disclosure(17569) 11301 1011484 20041001 Multiple Vulnerabilities in AJ-Fork http://echo.or.id/adv/adv07-y3dips-2004.txt The documentation for AJ-Fork 167 implies that users should set permissions for users.db.php to 777, which allows local users to execute arbitrary PHP code and gain privileges as the administrator. aj-fork-usersdbphp-write-access(17571) 11301 20041001 Multiple Vulnerabilities in AJ-Fork http://echo.or.id/adv/adv07-y3dips-2004.txt 1011484 Buffer overflow in Vypress Messenger 3.5.1 and earlier allows remote attackers to execute arbitrary code via a message with a long first field. 11310 12605 http://aluigi.altervista.org/adv/vymesbof-adv.txt vypress-visual-bo(17572) 10451 1011489 20041001 Broadcast buffer-overflow in Vypress Messenger 3.5.1 The XML parser in Xerces-C++ 2.5.0 allows remote attackers to cause a denial of service (CPU consumption) via XML attributes in a crafted XML document. 11312 12715 xercescplusplus-xml-parser-dos(17575) 20041002 Security advisory - Xerces-C++ 2.5.0: Attribute blowup Format string vulnerability in Judge Dredd: Dredd vs. Death 1.01 and earlier allows remote attackers to cause a denial of service (application crash) via format string specifiers in a chat message. judge-dredd-death-format-string(17579) 12710 20041002 In-game format string in Judge Dredd vs. Death 1.01 index.php in PHP Links allows remote attackers to gain sensitive information via an invalid show parameter, which reveals the full path in an error message. phplinks-path-disclosure(17588) 20041003 Full path disclosure in PHP Links Cross-site scripting (XSS) vulnerability in index.php in Invision Power Board 2.0.0 allows remote attackers to execute arbitrary web script or HTML via the Referer field in the HTTP header. invision-referer-header-xss(17604) 11332 12740 20041005 [MAXPATROL Security Advisories] Cross site scripting in Invision Power Board index.php in CubeCart 2.0.1 allows remote attackers to gain sensitive information via an HTTP request with an invalid cat_id parameter, which reveals the full path in a PHP error message. cubecart-catid-path-disclosure(17630) 20041006 Full path disclosure and sql injection on CubeCart 2.0.1 SQL injection vulnerability in index.php in CubeCart 2.0.1 allows remote attackers to execute arbitrary SQL commands via the cat_id parameter. 12764 cubecart-catid-sql-injection(17632) 11337 15278 20041006 Full path disclosure and sql injection on CubeCart 2.0.1 BlackBoard 1.5.1 allows remote attackers to gains sensitive information via a direct request to (1) checkdb.inc.php, (2) admin.inc.php or (3) cp.inc.php, which reveals the path in a PHP error message. blackboard-directory-traversal(17636) 20041006 Multiple vulnerabilities in BlackBoard PHP remote file inclusion vulnerability in BlackBoard 1.5.1 allows remote attackers to execute arbitrary PHP code by modifying the libpath parameter (incorrectly called "libpach") to reference a URL on a remote web server that contains _more.php, as demonstrated using checkdb.inc.php. blackboard-lang-file-include(17637) 11336 12757 http://blackboard.unclassified.de/70,1#1031 20041006 Multiple vulnerabilities in BlackBoard Directory traversal vulnerability in the FTP server in TriDComm 1.3 and earlier allows remote attackers read or write arbitrary files via a .. (dot dot) in FTP commands such as (1) DIR, (2) GET, or (3) PUT. 12755 tridcomm-dotdot-directory-traversal(17631) 11343 20041006 Directory traversal in Tridcomm 1.3 CRLF injection vulnerability in wp-login.php in WordPress 1.2 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the text parameter. 11348 GLSA-200410-12 http://wordpress.org/development/2004/10/wp-121/ 12773 20041006 HTTP Response Splitting Vulnerability in Wordpress 1.2 wordpress-response-splitting(17649) Flash Messaging 5.2.0g (rev 1.1.2) and earlier allows remote attackers to cause a denial of service (application crash) via certain wide characters. flash-messaging-dos(17647) 11351 1011569 12759 20041007 Server crash in Flash Messaging 5.2.0g Flash Messaging clients can ignore disconnecting commands such as "shutdown" from the Flash Messaging Server 5.2.0g (rev 1.1.2), which could allow remote attackers to stay connected. 1011569 12759 20041007 Server crash in Flash Messaging 5.2.0g Buffer overflow in Monolith games including (1) Alien versus Predator 2 1.0.9.6 and earlier, (2) Blood 2 2.1 and earlier, (3) No one lives forever 1.004 and earlier and (4) Shogo 2.2 and earlier allows remote attackers to cause a denial of service (application crash) via a long secure Gamespy query. 11354 20041008 Limited \secure\ buffer-overflow in some old Monolith games shogo-long-query-bo(17670) blood2-long-query-bo(17668) 12776 nolf-long-query-bo(17669) avp2-long-query-bo(17665) 10635 1011603 20041008 Limited \secure\ buffer-overflow in some old Monolith games SQL injection vulnerability in GoSmart Message Board allows remote attackers to execute arbitrary SQL code via the (1) QuestionNumber and Category parameters to Forum.asp or (2) Username and Password parameter to Login_Exec.asp. gosmart-forum-loginexec-sql-injection(17678) 11361 12790 20041011 [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board Cross-site scripting (XSS) vulnerability in GoSmart Message Board allows remote attackers to execute inject web script or HTML via the (1) Category parameter to Forum.asp or (2) MainMessageID parameter to ReplyToQuestion.asp. gosmart-forum-mainmessageid-xss(17679) 11361 12790 20041011 [MAxpatrol Security Advisory] Multiple vulnerabilities in GoSmart Message Board Clientexec allows remote attackers to gain sensitive information via an HTTP request to phpinfo.php, which calls the phpinfo function. clientexec-phpinfo-info-disclosure(17741) 12862 20041012 Clientexec Billing Software The web interface for Micronet Wireless Broadband Router SP916BM running firmware before 1.9 08/04/2004 resets the password to the default password when the router is shut off, which could allow remote attackers to gain access. micronet-router-password-reset(17697) 20041012 Micronet wireless broadband router SP916BM admin password reset when power off PHP remote file inclusion vulnerability in index.php in ocPortal 1.0.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the req_path parameter to reference a URL on a remote web server that contains a malicious funcs.php script. 11368 12811 ocportal-reqpath-file-include(17699) http://www.hackgen.org/advisories/hackgen-2004-002.txt 20041012 [hackgen-2004-#002] - Remote file inclusion bug in ocPortal 1.0.3. Cross-site scripting (XSS) vulnerability in render.UserLayoutRootNode.uP in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via the utf parameter. sct-campus-userlayoutrootnode-xss(17704) 11392 12826 20041013 XXS in SCT email client Cross-site scripting (XSS) vulnerability in FuseTalk 4.0 allows remote attackers to execute arbitrary web script via an img src tag. 12823 20041013 XXS in fusetalk forum fusetalk-imgsrc-xss(17701) 12823 Buffer overflow in ShixxNote 6.net build 117 allows remote attackers to execute arbitrary code via a long font field. shixxnote-font-bo(17705) 11409 12822 20041013 Buffer-overflow in ShixxNOTE 6.net The 3COM Wireless router 3CRADSL72 running Boot Code 1.3d allows remote attackers to gain sensitive information such as passwords and router settings via a direct HTTP request to app_sta.stm. 3com-officeconnect-obtain-info(17723) 11408 20041015 More details on BID 11408 (3com 3cradsl72 wireless router) 20041015 Re: 3COM Wireless router (3CRADSL72) information disclosure 20041013 3COM Wireless router (3CRADSL72) information disclosure RIM Blackberry 7230 running RIM Blackberry OS 3.7 SP1 allows remote attackers to cause a denial of service (device reboot and possibly data corruption) via a calendar message with a long Location field, which triggers a watchdog while the message is being stored. blackberry-calendar-bo(17700) 11389 http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/7925/8142/Known_%20Issues_-_HexView_advisory_on_BlackBerry_buffer_overflow,_DoS,_and_data_loss.html?nodeid=737173&vernum=0 12814 http://www.hexview.com/docs/20041012-1.txt 20041014 [HV-MED] UPDATE: RIM Blackberry DoS, data loss 20041013 [HV-HIGH] RIM Blackberry buffer overflow, DoS, data loss 20041012 [HV-HIGH] RIM Blackberry buffer overflow, DoS, data loss Adobe Acrobat and Acrobat Reader 6.0 allow remote attackers to read arbitrary files via a PDF file that contains an embedded Shockwave (swf) file that references files outside of the temporary directory. adobe-acrobat-swf-read-files(17694) 11386 20041015 Re: Adobe acrobat / Adobe Reader 6 can read local files 20041014 Re: Adobe acrobat / Adobe Reader 6 can read local files 20041012 Adobe acrobat / Adobe Reader 6 can read local files Cross-site scripting (XSS) vulnerability in index.php in CoolPHP 1.0-stable allows remote attackers to execute arbitrary web script or HTML via the (1) query or (2) nick parameters. coolphp-multiple-xss(17742) 11437 1011748 12850 20041016 Multiple Vulnerabilities in CoolPHP index.php in CoolPHP 1.0-stable allows remote attackers to gain sensitive information via an invalid op parameter, which reveals the path in an error message. coolphp-path-disclosure(17744) 1011748 12850 20041016 Multiple Vulnerabilities in CoolPHP Directory traversal vulnerability in index.php in CoolPHP 1.0-stable allows remote attackers to access arbitrary files and execute local PHP scripts via a .. (dot dot) in the op parameter. coolphp-dotdot-directory-traversal(17745) 11437 1011748 12850 20041016 Multiple Vulnerabilities in CoolPHP ProFTPD 1.2.x, including 1.2.8 and 1.2.10, responds in a different amount of time when a given username exists, which allows remote attackers to identify valid usernames by timing the server response. 1011687 http://security.lss.hr/index.php?page=details&ID=LSS-2004-10-02 20041015 ProFTPD 1.2.x remote users enumeration bug proftpd-info-disclosure(17724) 11430 cPanel 9.4.1-RELEASE-64 follows hard links, which allows local users to (1) read arbitrary files via the backup feature or (2) chown arbitrary files via the .htaccess file when Front Page extensions are enabled or disabled. 11455 11449 12865 cpanel-htaccess-modify-ownership(17780) cpanel-backup-view-file(17779) 20041018 cPanel hardlink chown issue 20041018 cPanel hardlink backup issue cPanel 9.9.1-RELEASE-3 allows remote authenticated users to chmod arbitrary files via a symlink attack on the _private directory, which is created when Front Page extensions are enabled. 20041018 cPanel symlink chmod issue SalesLogix 6.1 allows remote attackers to bypass authentication by modifying the slxweb cookie to set user=Admin, teams=ADMIN!, and usertype=Administrator. saleslogix-cookie-admin-access(17749) 11450 12883 20041018 Multiple vulnerabilities in Sage Saleslogix 10942 1011769 20041018 Multiple vulnerabilities in Sage Saleslogix slxweb.dll in SalesLogix 6.1 allows remote attackers to cause a denial service (application crash) via an invalid HTTP request, which might also leak sensitive information in the ErrorLogMsg cookie. saleslogix-info-disclosure(17750) 11450 12883 20041018 Multiple vulnerabilities in Sage Saleslogix 10943 1011769 20041018 Multiple vulnerabilities in Sage Saleslogix slxweb.dll in SalesLogix 6.1 allows remote attackers to obtain sensitive information via a (1) Library or (2) Attachment request with an invalid file parameter, which reveals the path in an error message. saleslogix-filename-path-disclosure(17751) 11450 12883 20041018 Multiple vulnerabilities in Sage Saleslogix 10944 1011769 20041018 Multiple vulnerabilities in Sage Saleslogix SQL injection vulnerability in SalesLogix 6.1 allows remote attackers to execute arbitrary SQL statements via the id parameter in a view operation. saleslogix-sql-injection(17752) 11450 12883 20041018 Multiple vulnerabilities in Sage Saleslogix 10945 1011769 20041018 Multiple vulnerabilities in Sage Saleslogix SalesLogix 6.1 includes usernames, passwords, and other sensitive information in the headers of an HTTP response, which could allow remote attackers to gain access. saleslogix-obtain-passwords(17753) 11450 12883 20041018 Multiple vulnerabilities in Sage Saleslogix 10946 1011769 20041018 Multiple vulnerabilities in Sage Saleslogix SalesLogix 6.1 uses client-specified pathnames for writing certain files, which might allow remote authenticated users to create arbitrary files and execute code via the (1) vMME.AttachmentPath or (2) vMME.LibraryPath variables. 20041018 Multiple vulnerabilities in Sage Saleslogix SalesLogix 6.1 does not verify if a user is authenticated before performing sensitive operations, which could allow remote attackers to (1) execute arbitrary SLX commands on the server or spoof the server via a man-in-the-middle (MITM) attack, or (2) obtain the database password via a GetConnection request to TCP port 1707. saleslogix-getconnection-account-disclosure(17754) 11450 12883 20041018 Multiple vulnerabilities in Sage Saleslogix 10948 10947 1011769 20041018 Multiple vulnerabilities in Sage Saleslogix Directory traversal vulnerability in SalesLogix 6.1 allows remote attackers to upload arbitrary files via a .. (dot dot) in a ProcessQueueFile request. saleslogix-processqueuefile-file-upload(17765) 11450 12883 20041018 Multiple vulnerabilities in Sage Saleslogix 10949 1011769 20041018 Multiple vulnerabilities in Sage Saleslogix Mozilla allows remote attackers to cause a denial of service (application crash from null dereference or infinite loop) via a web page that contains a (1) TEXTAREA, (2) INPUT, (3) FRAMESET or (4) IMG tag followed by a null character and some trailing characters, as demonstrated by mangleme. 11439 RHSA-2005:323 mozilla-html-tags-dos(17805) 1011810 oval:org.mitre.oval:def:10227 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce http://lcamtuf.coredump.cx/mangleme/gallery/ Mozilla allows remote attackers to cause a denial of service (application crash from invalid memory access) via an "unusual combination of visual elements," including several large MARQUEE tags with large height parameters, as demonstrated by mangleme. 11440 1011810 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce http://lcamtuf.coredump.cx/mangleme/gallery/ Opera allows remote attackers to cause a denial of service (invalid memory reference and application crash) via a web page or HTML email that contains a TBODY tag with a large COL SPAN value, as demonstrated by mangleme. This was fixed in version 7.60. 11441 opera-colspan-tbody-dos(17806) 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce http://lcamtuf.coredump.cx/mangleme/gallery/ Links allows remote attackers to cause a denial of service (memory consumption) via a web page or HTML email that contains a table with a td element and a large rowspan value,as demonstrated by mangleme. links-large-table-dos(17803) 11442 1011808 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce http://lcamtuf.coredump.cx/mangleme/gallery/ Lynx, lynx-ssl, and lynx-cur before 2.8.6dev.8 allow remote attackers to cause a denial of service (infinite loop) via a web page or HTML email that contains invalid HTML including (1) a TEXTAREA tag with a large COLS value and (2) a large tag name in an element that is not terminated, as demonstrated by mangleme. NOTE: a followup suggests that the relevant trigger for this issue is the large COLS value. lynx-dos(17804) 11443 20060602 Re: [SECURITY] [DSA 1085-1] New lynx-cur packages fix several vulnerabilities DSA-1085 DSA-1077 DSA-1076 1011809 20383 20041018 Web browsers - a mini-farce 20041018 Web browsers - a mini-farce http://lcamtuf.coredump.cx/mangleme/gallery/ Vypress Tonecast 1.3 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed mp2 stream. vypress-tonecast-dos(17775) 11462 12890 http://aluigi.altervista.org/adv/toneboom-adv.txt 20041019 Broadcast crash in Vypress Tonecast 1.3 Buffer overflow in Privateer's Bounty: Age of Sail II allows remote attackers to execute arbitrary code via a long nickname. age-of-sail-bo(17791) 11479 12905 20041020 Buffer-overflow in Age of Sail II 1.04.151 CRLF injection vulnerability in Serendipity before 0.7rc1 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the url parameter in (1) index.php and (2) exit.php, or (3) the HTTP Referer field in comment.php. serendipity-response-splitting(17798) 11497 http://www.s9y.org/5.html 12909 20041021 HTTP Response Splitting in Serendipity 0.7-beta4 11039 11038 11013 http://sourceforge.net/project/shownotes.php?release_id=276694 1011864 http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/index.php?rev=1.52&view=markup http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/exit.php?rev=1.10&view=markup http://cvs.sourceforge.net/viewcvs.py/php-blog/serendipity/comment.php?rev=1.49&view=markup ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in IBM Lotus Notes R6 and Domino R6, and possibly earlier versions, allows remote attackers to execute arbitrary web script or HTML via square brackets at the beginning and end of (1) computed for display, (2) computed when composed, or (3) computed text element fields. NOTE: the vendor has disputed this issue, saying that it is not a problem with Notes/Domino itself, but with the applications that do not properly handle this feature. lotus-notes-xss(17758) 11458 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21187833 1011779 12891 20041021 Re: IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) 20041018 IBM Lotus Notes/Domino fails to encode Square Brackets ( [ ] ) SQL injection vulnerability in dosearch.php in UBB.threads 3.4.x allows remote attackers to execute arbitrary SQL statements via the Name parameter. ubbthreads-sql-injection(17821) 11502 20041021 SQL Injection in UBB.threads 3.4.x The WAV file property handler in Windows XP SP1 allows remote attackers to cause a denial of service (infinite loop in Explorer) via a WAV file with an invalid file header whose fmt chunk length is set to 0xFFFFFFFF. 11503 http://www.hexview.com/docs/20041021-1.txt 20041021 [HV-LOW] Unsafe WAV header handling can cause DoS on Windows windowsxp-explorer-wav-dos(17864) 11053 1011880 Carbon Copy 6.0.5257 does not drop system privileges when opening external programs through the help topic interface, which allows local users to gain privileges via (1) the help topic interface in CCW32.exe, which launches Notepad, or (2) the help button in the Carbon Copy Scheduler (CCSched.exe). carboncopy-help-gain-privileges(17838) 11500 12962 20041022 [Fwd: Altiris Carbon Copy Remote Control local SYSTEM exploitation.] pGina 1.7.6 and possibly older versions, when the Restart or Shutdown options are enabled on the login screen, allows remote attackers to cause a denial of service by connecting via Remote Desktop and clicking restart or shutdown. pgina-dos(17836) http://www.lovebug.org/pgina_dos.txt 20041022 Windows DoS in certain pGina configurations Buffer overflow in Ability Server 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long STOR command. VU#857846 abilityftpserver-stor-dos(17823) 11508 11030 12941 20041022 Ability FTP Server 2.34 Buffer Overflow Exploit Buffer overflow in Ability Server 2.25, 2.32, 2.34, and possibly other versions, allows remote attackers to execute arbitrary code via a long APPE command. 11508 1012464 12941 [0day] 20041208 Ability Server 2.25 - 2.34 FTP => 'APPE' Buffer Overflow - PnK:: DCN3T ability-appe-bo(18405) 12347 Format string vulnerability in log.c in rssh before 2.2.2 allows remote authenticated users to execute arbitrary code. rssh-format-string(17831) http://www.pizzashack.org/rssh/ GLSA-200410-28 12954 20041023 rssh: pizzacode security alert Multiple SQL injection vulnerabilities in Dwc_articles 1.6 and earlier allow remote attackers to execute arbitrary SQL statements. dwc-articles-sql-injection(17830) 11509 20041023 dwc_articles possible sql injection Cross-site scripting (XSS) vulnerability in the login form in Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to execute arbitrary web script or HTML via the url parameter. 11514 12970 openwfe-login-form-xss(17853) 20041024 Two Vulnerabilities in OpenWFE Web Client Open WorkFlow Engine (OpenWFE) 1.4.x allows remote attackers to conduct port scans of remote hosts by specifying the target in an rmi:// Worklist URL, then using the response times to infer the results. openwfe-rmi-obtain-information(17852) 11514 20041024 Two Vulnerabilities in OpenWFE Web Client 12970 Cross-site scripting (XSS) vulnerability in wiki.php in MoniWiki 1.0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the arguments to wiki.php. moniwiki-wiki-xss(17835) 11516 12975 20041025 STG Security Advisory: [SSA-20041022-08] MoniWiki XSS vulnerability process_bug.cgi in Bugzilla 2.9 through 2.18rc2 and 2.19 from CVS does not check edit permissions on the keywords field, which allows remote authenticated users to modify the keywords in a bug via the keywordaction parameter. bugzilla-bug-change(17840) 20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2 https://bugzilla.mozilla.org/show_bug.cgi?id=252638 show_bug.cgi in Bugzilla 2.17.1 through 2.18rc2 and 2.19 from CVS, when using the insidergroup feature and exporting a bug to XML, shows comments and attachment summaries which are marked as private, which allows remote attackers to gain sensitive information. bugzilla-xml-information-disclosure(17841) 11511 https://bugzilla.mozilla.org/show_bug.cgi?id=263780 20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2 Bugzilla 2.17.1 through 2.18rc2 and 2.19 from cvs, when using the insidergroup feature, does not sufficiently protect private attachments when there are changes to the metadata, such as filename, description, MIME type, or review flags, which allows remote authenticated users to obtain sensitive information when (1) viewing the bug activity log or (2) receiving bug change notification mails. bugzila-metadata-information-disclosure(17842) 11511 20041025 [BUGZILLA] Vulnerabilities in Bugzilla 2.16.6 and 2.18rc2 https://bugzilla.mozilla.org/show_bug.cgi?id=253544 https://bugzilla.mozilla.org/show_bug.cgi?id=250605 Heap-based buffer overflow in the WvTFTPServer::new_connection function in wvtftpserver.cc for WvTftp 0.9 allows remote attackers to execute arbitrary code via a long option string in a TFTP packet. 12986 wvtfpd-wvtftpservercc-bo(17869) 11525 20041026 wvtfpd remote root heap overflow The Hawking Technologies HAR11A modem/router allows remote attackers to obtain sensitive information by connecting to port 254, which displays a management interface and information on established connections. har11a-gain-unauth-access(17877) 11543 20041026 Hawking Technologies HAR11A router considered insecure Buffer overflow in MailCarrier 2.51 allows remote attackers to execute arbitrary code via a long (1) EHLO and possibly (2) HELO command. mailcarrier-ehlo-helo-bo(17861) 11535 12999 20041026 MailCarrier 2.51 SMTP server Buffer Overflow [PoC included] Mozilla Firefox before 0.10, Mozilla 5.0, and Gecko 20040913 allows remote attackers to cause a denial of service (application crash or memory consumption) via a large binary file with a .html extension. mozilla-html-dos(17839) 20041026 Rendering large binary file as HTML makes Mozilla Firefox stop responding 20041026 Rendering large binary file as HTML makes Mozilla Firefox stop responding or crash Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 0.94 and 1.0 allow remote attackers to execute arbitrary web script and HTML via the (1) terme parameter to search.php or (2) letter parameter to letter.php. xoops-dictionary-letter-xss(17154) 11064 12424 20040828 Cross Site Scripting in XOOPS Version 2.x Dictionary module xoops-dictionary-search-xss(17152) 9394 9393 http://cyruxnet.org/modulo_dic_xoops.htm Heap-based buffer overflow in Titan FTP 3.21 and earlier allows remote attackers to cause a denial of service (crash) via a long FTP command such as (1) CWD, (2) STAT, or (3) LIST. 11069 12419 titan-long-command-bo(17172) 20040829 [vulnwatch] Titan FTP Server Long Command Heap Overflow Vulnerability WFTPD Pro Server 3.21 allows remote authenticated users to cause a denial of service (crash) via a series of long MLIST commands. wftpd-mlst-command-dos(17169) 11067 12420 20040829 [vulnwatch] WFTPD Pro Server 3.21 MLST Command Denial of Service Vulnerability WS_FTP 5.0.2 allows remote authenticated users to cause a denial of service (CPU consumption) via a CD command that contains an invalid path with a "../" sequence. 12406 wsftp-file-parsing-dos(17155) 11065 20040829 [vulnwatch] WS_FTP Server Denial of Service Vulnerability Xedus 1.0 allows remote attackers to cause a denial of service (refuse connections) by connecting multiple times from the same IP address. xedus-mult-connection-dos(17165) 11071 http://www.gulftech.org/?node=research&article_id=00047-08302004 12418 20040830 Multiple Vulnerabilities In Xedus Webserver Cross-site scripting (XSS) vulnerability in Xedus 1.0 allows remote attackers to execute arbitrary web script or HTML via the (1) username parameter to test.x, (2) username parameter to TestServer.x, or (3) param parameter to testgetrequest.x. xedus-test-xss(17166) 11071 http://www.gulftech.org/?node=research&article_id=00047-08302004 12418 20040830 Multiple Vulnerabilities In Xedus Webserver Directory traversal vulnerability in Xedus 1.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. xedus-dotdot-directory-traversal(17167) 11071 http://www.gulftech.org/?node=research&article_id=00047-08302004 12418 20040830 Multiple Vulnerabilities In Xedus Webserver SQL injection vulnerability in Password Protect allows remote attackers to execute arbitrary SQL statements and bypass authentication via (1) admin or Pass parameter to index_next.asp, (2) LoginId, OPass, or NPass to CPassChangePassword.asp, (3) users_edit.asp, or (4) users_add.asp. password-protect-sql-injection(17188) 11073 http://www.criolabs.net/advisories/passprotect.txt 12407 20040830 Password Protect XSS and SQL-Injection vulnerabilities. Cross-site scripting (XSS) vulnerability in (1) index.asp, (2) ChangePassword.asp, (3) users_list.asp, (4) and users_add.asp in Password Protect allows remote attackers to inject arbitrary web script or HTML via the ShowMsg parameter. password-protect-showmsg-xss(17187) 11073 http://www.criolabs.net/advisories/passprotect.txt 12407 20040830 Password Protect XSS and SQL-Injection vulnerabilities. Buffer overflow in Microsoft Msinfo32.exe might allow local users to execute arbitrary code via a long filename in the msinfo_file command line parameter. NOTE: this issue might not cross security boundaries, so it may be REJECTED in the future. msinfo-msinfofile-bo(17153) 20040830 MSInfo Buffer Overflow 20040831 MSInfo Buffer Overflow 20040830 MSInfo Buffer Overflow D-Link DCS-900 Internet Camera listens on UDP port 62976 for an IP address, which allows remote attackers to change the IP address of the camera via a UDP broadcast packet. 12425 dlink-dcs900-ip-modification(17171) 11072 1011100 20040831 D-Link DCS-900 IP camera remote exploit that change the IP Multiple cross-site scripting (XSS) vulnerabilities in the registration page in phpScheduleIt 1.0.0 RC1 allow remote attackers to inject arbitrary web script or HTML via the (1) Name or (2) Lastname fields during new user registration, or (3) the Schedule Name field. 11080 20040831 Multiple Vulnerabilities in phpScheduleIt phpscheduleit-xss(17193) phpscheduleit-script-injection(17194) 9451 20040917 Re: Multiple Vulnerabilities in phpScheduleIt phpScheduleIt 1.0.0 RC1 does not clear administrative privileges if the administrator logs in as a normal user, which allows users with physical access to gain administrative privileges. phpscheduleit-gain-privileges(17195) 20040831 Multiple Vulnerabilities in phpScheduleIt The default configuration for OpenSSH enables AllowTcpForwarding, which could allow remote authenticated users to perform a port bounce, when configured with an anonymous access program such as AnonCVS. openssh-port-bounce(17213) 1011143 20040831 SSHD / AnonCVS Nastyness 9562 SQL injection vulnerability in the calendar module in phpWebsite 0.9.3-4 and earlier allows remote attackers to execute arbitrary SQL commands via cal_template. phpwebsite-calendar-module-sql-injection(17199) 11088 http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822 http://www.gulftech.org/?node=research&article_id=00048-08312004 12438 20040901 Multiple Vulnerabilities In phpWebsite Cross-site scripting (XSS) vulnerability in phpWebsite 0.9.3-4 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) CM_pid parameter in the comments module or (2) the subject or message fields in the notes module. phpwebsite-comments-module-xss(17202) 11088 http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822 http://www.gulftech.org/?node=research&article_id=00048-08312004 12438 20040901 Multiple Vulnerabilities In phpWebsite 1011120 phpwebsite-notes-script-injection(17203) CRLF injection vulnerability in Comersus Shopping Cart 5.0991 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the redirecturl parameter. comersus-cart-response-splitting(17201) 11083 20040901 ADVISORY: http response splitting hole in Comersus shopping cart Cross-site scripting (XSS) vulnerability in the Activity and Events Viewer for Newtelligence DasBlog allows remote attackers to inject arbitrary web script or HTML via the (1) User Agent or (2) Referrer HTTP headers. dasblog-useragent-referer-xss(17174) 11086 12416 20040901 Cross-Site Scripting Vulnerability in Newtelligence DasBlog http://staff.newtelligence.net/clemensv/PermaLink.aspx?guid=69bce168-cb09-4f09-8d53-f0b97f11b198 Kerio Personal Firewall 4.0 (KPF4) allows local users with administrative privileges to bypass the Application Security feature and execute arbitrary processes by directly writing to \device\physicalmemory to restore the running kernel's SDT ServiceTable. kerio-pf-protection-dos(17270) 11096 http://www.security.org.sg/vuln/kerio4016.html 12468 20040902 Kerio Personal Firewall's Application Launch Protection Can Be Disabled by Direct Service Table Restoration Cross-site scripting (XSS) vulnerability in index.php in CuteNews 1.3.6 and earlier allows remote attackers with Administrator, Editor, Journalist or Commenter privileges to inject arbitrary web script or HTML via the mod parameter. cutenews-mod-xss(17214) 11097 12432 20040902 [hackgen-2004-#001] - Non-critacal Cross-Site Scripting bug in CuteNews PHP remote file inclusion vulnerability in CuteNews 1.3.6 and earlier allows remote attackers to execute arbitrary PHP code via the cutepath parameter to (1) show_archives.php or (2) show_news.php. cutenews-file-include(17288) http://www.7a69ezine.org/node/view/130 12432 20040830 RE: CuteNews News.txt writable to world MailWorks Professional allows remote attackers to bypass authentication and gain privileges via a cookie that contains "auth=1" and "uId=1." mailworks-cookie-admin-access(17217) 11095 12458 20040902 MailWorks Professional - Authentication bypass YaBB SE 1.5.1 allows remote attackers to obtain sensitive information via a direct HTTP request to Admin.php, which reveals the full path in a PHP error message. yabb-admin-path-disclosure(17267) 20040904 FUll Path Disclosure in YABBSE http://echo.or.id/adv/adv05-y3dips-2004.txt Engenio/LSI Logic storage controllers, as used in products such as Storagetek D280, and IBM DS4100 (formerly FastT 100) and Brocade SilkWorm Switches, allow remote attackers to cause a denial of service (freeze and possible data corruption) via crafted TCP packets. engenio-controller-tcp-dos(17290) 11108 12464 20040904 Engenio/LSI Logic controllers denial of service/data corruption Call of Duty 1.4 and earlier allows remote attackers to cause a denial of service (game end) via a large (1) query or (2) reply packet, which is not properly handled by the buffer overflow protection mechanism. NOTE: this issue might overlap CVE-2005-0430. callofduty-dos(17286) 11119 20040905 Broadcast shutdown in Call of Duty 1.4 Cross-site scripting (XSS) vulnerability in index.php in PsNews 1.1 allows remote attackers to inject arbitrary web script or HTML via the no parameter. psnews-xss(17302) 11124 1011191 20040905 Bug XSS in PsNews 1.1 Buffer overflow in the MSN module in Trillian 0.74i allows remote MSN servers to execute arbitrary code via a long string that ends in a newline character. trillian-msn-bo(17292) 11142 http://unsecure.altervista.org/security/trillian.htm 12487 20040908 Cerulean Studios Trillian 0.74i Buffer Overflow in MSN module exploit Off-by-one error in Halo Combat Evolved 1.04 and earlier allows remote attackers to cause a denial of service (server crash) via a long client response. halo-response-offbyone-bo(17310) 11147 http://www.bungie.net/News/Story.aspx?link=hpc105 12504 http://aluigi.altervista.org/adv/haloboom-adv.txt 20040909 Off-by-one bug in Halo 1.04 Multiple SQL injection vulnerabilities in index.php in Subjects 2.0 Postnuke module allow remote attackers to execute arbitrary SQL commands via the (1) pageid, (2) subid, or (3) catid parameters. 12497 subjects-indexphp-sql-injection(17311) 11148 20040910 SQL-Injection in Subjects 2.0 for Postnuke Cross-site scripting (XSS) vulnerability in MERAK Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to execute arbitrary web script or HTML via the (1) User name parameter to accountsettings.html or (2) Search string parameter to search.html. merak-icewarp-xss(17313) 11371 12789 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 Multiple directory traversal vulnerabilities Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7, and possibly other versions, allow remote attackers to (1) create arbitrary directories via a .. (dot dot) in the user parameter to viewaction.html or (2) rename arbitrary files via a ....// (doubled dot dot) in the folderold or folder parameters to folders.html. merak-icewarp-create-directory(17314) 11371 12789 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to gain sensitive information via a direct request to (1) accountsettings_add.html or (2) topmenu.html. 11371 12789 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 merak-icewarp-path-disclosure(17315) attachment.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to view other users' attachments by specifying the username and message ID in an HTTP request. merak-icewarp-view-attachment(17316) 11371 12789 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 accountsettings_add.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allow remote attackers to create text files with arbitrary content via the accountid parameter. 11371 12789 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 merak-icewarp-create-file(17317) viewaction.html in Merak Mail Server 7.4.5 with Icewarp Web Mail 5.2.7 and possibly other versions allows remote attackers to (1) delete arbitrary files via the originalfolder parameter or (2) move arbitrary files via the messageid parameter. 11371 12789 20040910 Multiple vulnerabilities in Icewarp Web Mail 5.2.7 merak-icewarp-file-deletion(17976) Serv-U FTP server 4.x and 5.x allows remote attackers to cause a denial of service (application crash) via a STORE UNIQUE (STOU) command with an MS-DOS device name argument such as (1) COM1, (2) LPT1, (3) PRN, or (4) AUX. 11155 12507 servu-stou-dos(17329) 20040911 Serv-U up to 5.2 Denial of Service Heap-based buffer overflow in the image sending feature in Gadu-Gadu 6.0 build 149 allows remote attackers to execute arbitrary code via a crafted GG_MSG_IMAGE_REPLY message. gadu-gadu-image-bo(17324) 11158 12510 20040912 Gadu-Gadu (all versions with image-send feature) Heap Overflow pdesk.cgi in PerlDesk allows remote attackers to gain sensitive information via an invalid lang parameter, which includes pathname information in an error message. 12512 perldesk-lang-file-include(17343) 20040912 Posible Inclusion File in Perl Desk Directory traversal vulnerability in pdesk.cgi in PerlDesk allows remote attackers to read portions of arbitrary files and possibly execute arbitrary Perl modules via ".." sequences terminated by a %00 (null) character in the lang parameter, which can leak portions of the requested files if a compilation error message occurs. perldesk-directory-traversal(19712) 12512 11160 20040912 Posible Inclusion File in Perl Desk Directory traversal vulnerability in TwinFTP 1.0.3 R2 allows remote attackers create arbitrary files via a .../ (triple dot) in the (1) CWD, (2) STOR, or (3) RETR commands. twinftp-argument-directory-traversal(17323) 11159 http://www.security.org.sg/vuln/twinftp103r2.html 12511 20040913 Directory Traversal Vulnerability in TwinFTP Server allows overwriting of files outside FTP directory application.cgi in the Pingtel Xpressa handset running firmware 2.1.11.24 allows remote authenticated users to cause a denial of service (VxWorks OS crash) via a long HTTP GET request, possibly triggering a buffer overflow. xpressa-applicationcgi-dos(17346) 11161 A091304-2 12523 Multiple buffer overflows in (1) phrelay-cfg, (2) phlocale, (3) pkg-installer, or (4) input-cfg in QNX Photon microGUI for QNX RTP 6.1 allow local users to gain privileges via a long -s (server) command line parameter. qnx-rtp-photon-bo(17339) 11164 http://www.rfdslabs.com.br/qnx-advs-03-2004.txt 20040913 [RLSA_02-2004] QNX Photon multiple buffer overflows Format string vulnerability in QNX 6.1 FTP client allows remote authenticated users to gain group bin privileges via format string specifiers in the QUOTE command. qnx-ftp-quote-format-string(17347) http://www.rfdslabs.com.br/qnx-advs-04-2004.txt 12533 20040913 [RLSA_03-2004] QNX ftp client format string bug A race condition in crrtrap for QNX RTP 6.1 allows local users to gain privileges by modifying the PATH environment variable to reference a malicious io-graphics program before is executed by crrtrap. qnx-rtp-crttrap-race-condition(17345) 11165 20040913 [RLSA_04-2004] QNX crrtrap possible race condition vulnerability Zyxel P681 running ZyNOS Vt020225a contains portions of memory in an ARP request, which allows remote attackers to obtain sensitive information by sniffing the network. prestige-information-disclosure(17372) 11167 20040913 Zyxel Prestige 681 SDSL router information leak 9962 SMC routers SMC7004VWBR running firmware 1.00.014 and SMC7008ABR EU running firmware 1.42.003 allow remote attackers to bypass authentication by connecting to it from the same IP address as the administrator who is logged in, then accessing the setup_status.htm or status.HTM pages. 12601 20040915 SMC7004VWBR / SMC7008ABR "spoofing" vulnerability. smc-router-security-bypass(17443) 11197 10088 Internet Explorer 6.0 in Windows XP SP2 allows remote attackers to bypass the Information Bar prompt for ActiveX and Javascript via an XHTML page that contains an Internet Explorer formatted comment between the DOCTYPE tag and the HTML tag, as demonstrated using the DesignScience MathPlayer ActiveX plugin. ie-information-bar-bypass(20617) 11200 20040915 IE6 + XP SP2 Vulnerability CRLF injection vulnerability in down.asp for Snitz Forums 2000 3.4.04 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via the location parameter. snitz-response-splitting(17421) 11201 12590 20040916 ADVISORY: security hole (http response splitting) in snitz forums http://forum.snitz.com/forum/topic.asp?ARCHIVE=true&TOPIC_ID=54791 Pigeon Server 3.02.0143 and earlier allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a long login name sent to port 3103. pigeon-server-dos(17427) 11203 12585 20040916 Freeze in Pigeon Server 3.02.0143 20040916 Freeze in Pigeon Server 3.02.0143 sudoedit (aka sudo -e) in sudo 1.6.8 opens a temporary file with root privileges, which allows local users to read arbitrary files via a symlink attack on the temporary file before quitting sudoedit. VU#424358 sudo-sudoedit-view-files(17424) http://www.sudo.ws/sudo/alerts/sudoedit.html 11204 10023 O-219 12596 http://packetstormsecurity.nl/0409-exploits/sudoedit.txt 20040916 [sudo-announce] Sudo version 1.6.8p1 now available (fwd) Cross-site scripting (XSS) vulnerability in the Web Server in DNS4Me 3.0.0.4 allows remote attackers to execute arbitrary web script or HTML via the URL. dns4me-xss(17425) 11213 http://www.gulftech.org/?node=research&article_id=00049-09162004 1011334 12595 20040918 RhinoSoft DNS4ME HTTP Server Vulnerabilities The Web Server in DNS4Me 3.0.0.4 allows remote attackers to cause a denial of service (CPU consumption and crash) via a large amount of data. dns4me-dos(17426) 11213 http://www.gulftech.org/?node=research&article_id=00049-09162004 1011334 12595 20040918 RhinoSoft DNS4ME HTTP Server Vulnerabilities Cross-site scripting (XSS) vulnerability in index.php in Mambo 4.5 (1.0.9) allows remote attackers to inject arbitrary web script or HTML via the (1) Itemid, (2) mosmsg, or (3) limit parameters. 11220 10179 http://mamboforge.net/frs/shownotes.php?release_id=1672 mambo-multiple-xss(20616) 20040918 Vulnerabilities in TUTOS PHP remote file inclusion vulnerability in Function.php in Mambo 4.5 (1.0.9) allows remote attackers to execute arbitrary PHP code by modifying the mosConfig_absolute_path parameter to reference a URL on a remote web server that contains the code. mambo-cachelibrary-execute-code(17449) 10180 11220 1011365 20040918 Vulnerabilities in TUTOS Symantec ON Command CCM 5.4.x and iCommand 3.0.x has four default usernames and passwords, one of which is hardcoded, which allows remote attackers to gain unauthorized access. oncommand-multiple-default-accounts(17447) 11225 12604 http://www.sarc.com/avcenter/security/Content/2004.09.29.html 20040920 Default username/password pairs in ON Command CCM 5.x database EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to bypass authentication for the remote administration feature via a URL that contains an extra leading / (slash). emuliveserver4-url-gain-access(17450) 11226 http://www.gulftech.org/?node=research&article_id=00051-09202004 12616 20040921 Multiple Vulnerabilities In EmuLive Server4 EmuLive Server4 Commerce Edition Build 7560 allows remote attackers to cause a denial of service (application crash) via a sequence of carriage returns sent to TCP port 66. 12616 emulive-tcp-port-dos(17451) 11226 http://www.gulftech.org/?node=research&article_id=00051-09202004 20040921 Multiple Vulnerabilities In EmuLive Server4 The "Forgot your Password" link in Computer Associates (CA) Unicenter Management Portal 2.0 and 3.1 displays different error messages for users that exist and users that do not exist, which could allow remote attackers to guess valid usernames. unicenter-management-username-bruteforce(17464) 11229 12620 20040921 CA UniCenter Management Portal Username Enumeration Vulnerability The Base64 function in PopMessenger 1.60 (before 20 Sep 2004) and earlier allows remote attackers to cause a denial of service (application crash) via invalid characters in a message, which causes several alert dialogs to be displayed and leads to a crash. 12612 popmessenger-base64-dos(17465) 11230 20040921 Broadcast crash in Popmessenger 1.60 (before 20 Sep 2004) SettingsBase.php in Pinnacle ShowCenter 1.51 allows remote attackers to cause a denial of service (web interface errors) via an invalid Skin parameter. pinnacle-showcenter-dos(17463) 11232 20040922 Pinnacle ShowCenter 1.51 possible DoS 20040921 Pinnacle ShowCenter Skin Denial of Service Cross-site scripting (XSS) vulnerability in SettingsBase.php in Pinnacle ShowCenter 1.51 build 121 allows remote attackers to inject arbitrary HTML or web script via the Skin parameter, which is echoed in an error message. 12613 pinnacle-showcenter-xss(17708) 11415 Heap-based buffer overflow in the AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 allows remote attackers to execute arbitrary code via a long SAUTH command during RSA authentication. cfengine-cfservd-command-execution(16935) 10899 http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10 GLSA-200408-08 12251 20050219 cfengine rsa heap remote exploit: part of PTjob project 20040809 CORE-2004-0714: Cfengine RSA Authentication Heap Corruption The AuthenticationDialogue function in cfservd for Cfengine 2.0.0 to 2.1.7p1 does not properly check the return value of the ReceiveTransaction function, which leads to a failed malloc call and triggers to a null dereference, which allows remote attackers to cause a denial of service (crash). cfengine-cfservd-dos(16937) 10900 http://www.coresecurity.com/common/showdoc.php?idx=387&idxseccion=10 GLSA-200408-08 12251 20040809 CORE-2004-0714: Cfengine RSA Authentication Heap Corruption Fusion News 3.6.1 allows remote attackers to add user accounts, if the administrator is logged in, via a comment that contains an img bbcode tag that calls index.php with the signup action, which is executed when the administrator's browser loads the page with the img tag. fusion-news-add-account(16853) 10836 1010829 20040729 Fusion News Yet Another Unauthorized Account Addition Vulnerability WpQuiz 2.60b1 through 2.60b8 allows remote attackers to gain privileges via a direct request to adminrestore.php in the extras directory. wpquiz-extra-gain-access(16848) 8321 20040730 WpQuiz Gain Admin Rightd Exploit found Buffer overflow in Citadel/UX 6.23 and earlier allows remote attackers to cause a denial of service via a long username. citadel-user-dos(16840) 10833 http://www.nosystem.com.ar/advisories/advisory-04.txt 1010809 12197 20040731 Re: Citadel/UX Remote DoS Vulnerability 20040731 Citadel/UX Remote DoS Vulnerability The U.S. Robotics USR808054 wireless access point allows remote attackers to cause a denial of service (device crash) and possibly execute arbitrary code via an HTTP GET request with a long version string. 12207 usrobotics-wireless-get-bo(16860) 10840 20040802 7a69Adv#13 - USRobotics AP Wireless Denial of Service The (1) dbsnmp and (2) nmo programs in Oracle 8i, Oracle 9i, and Oracle IAS 9.0.2.0.1, on Unix systems, use a default path to find and execute library files while operating at raised privileges, which allows certain Oracle user accounts to gain root privileges via a modified libclntsh.so.9.0. 12205 20040802 OPEN3S - Local Privilege Elevation through Oracle products (Unix Platform) oracle-libraries-gain-privileges(16839) 10829 Webbsyte Chat 0.9.0 allows remote attackers to cause a denial of service (crash) via a large number of connections. webbsyte-chat-dos(16852) 10842 20040803 DoS in Webbsyte Chat 0.9.0 Datakey Rainbow iKey2032 USB token, when using the CIP client package, does not encrypt communications between the token and the driver, which could allow local users to obtain the PINs of other users. datakey-plaintext-pin(16887) 20040804 Clear text password exposure in Datakey's tokens and smartcards page.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the url parameter. pagecgi-url-command-execution(19713) 8936 20040806 Remote Command Execution Cross-site scripting (XSS) vulnerability in post.php in Moodle before 1.3 allows remote attackers to inject arbitrary web script or HTML via the reply parameter. moodle-post-xss(16924) 10884 12262 20040806 xss in moodle (post.php) Cross-site scripting (XSS) vulnerability in TypePad allows remote attackers inject arbitrary Javascript via the name parameter. typepad-name-xss(19664) 20040806 Type xxs Unknown vulnerability in HP Process Resource Manager (PRM) C.02.01[.01] and earlier, as used by HP-UX Workload Manager (WLM), allows local users to corrupt data files. 10907 SSRT4785 hp-prm-wlm-file-corruption(16928) 12245 BlackICE PC Protection and Server Protection installs (1) firewall.ini, (2) blackice.ini, (3) sigs.ini and (4) protect.ini with Everyone Full Control permissions, which allows local users to cause a denial of service (crash) or modify configuration, as demonstrated by modifying firewall.ini to contain a large firewall rule. 20040811 BlackICE unprivileged local user attack 20040811 ISS BlackIce Server Protect Unprivileged User Attack blackice-firewall-dos(16959) 10915 Directory traversal vulnerability in MIMEsweeper for Web before 5.0.4 allows remote attackers or local users to read arbitrary files via "..\\", "..\", and similar dot dot sequences in the URL. This was fixed in MIMEsweeper for Web v5.0.4. mimesweeper-directory-traversal(16960) 10918 20040811 Re: Clearswift Mimesweeper Path Traversal Vulnerability 12273 http://packetstormsecurity.nl/0408-exploits/clearswift.txt 20040811 Clearswift Mimesweeper Path Traversal Vulnerability Cross-site scripting (XSS) vulnerability in PForum before 1.26 allows remote attackers to inject arbitrary web script or HTML via the (1) IRC Server or (2) AIM ID fields in the user profile. VU#674542 pforum-irc-aim-xss(17003) 10954 12317 20040814 pscript.de PFORUM XSS Vulnerability 8985 Multiple buffer overflows in the psscan function in ps.c for gv (ghostview) allow remote attackers to execute arbitrary code via a Postscript file with a long (1) BoundingBox, (2) comment, (3) Orientation, (4) PageOrder, or (5) Pages value. gv-psscan-header-bo(17019) 10944 20040816 gv buffer overflows: here, there, and everywhere The ZwOpenSection function in Integrity Protection Driver (IPD) 1.4 and earlier allows local users to cause a denial of service (crash) via an invalid pointer in the "oa" argument. ipd-oa-pointer-dos(17010) 10965 http://www.ngsec.com/docs/advisories/NGSEC-2004-6.txt 12169 20040817 [NGSEC-2004-6] IPD, local system denial of service. Multiple cross-site scripting (XSS) vulnerabilities in Merak Webmail Server 5.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) category, (2) cserver, (3) ext, (4) global, (5) showgroups, (6) or showlite parameters to address.html, or the (7) spage or (8) autoresponder parameters to settings.html, the (9) folder parameter to readmail.html, or the (10) attachmentpage_text_error parameter to attachment.html, (11) folder, (12) ct, or (13) cv parameters to calendar.html, (14) an <img> tag, or (15) the subject of an e-mail message. merak-xss(17024) 10966 9042 9041 9040 9039 9038 9037 12269 http://packetstormsecurity.nl/0408-exploits/merak527.txt 20040817 Vulnerabilities in Merak Webmail Server 1010969 The (1) address.html and possibly (2) calendar.html pages in Merak Mail Server 5.2.7 allow remote attackers to gain sensitive information via an invalid HTTP request, which reveals the installation path. NOTE: it is unclear whether the calendar.html is an exposure, since the path is leaked in web logs that may only be available to the administrators, who would have access to the path through legitimate means. merak-address-calendar-path-disclosure(17027) 10966 9043 12269 http://packetstormsecurity.nl/0408-exploits/merak527.txt 20040817 Vulnerabilities in Merak Webmail Server 1010969 The (1) function.php or (2) function.view.php scripts in Merak Mail Server 5.2.7 allow remote attackers to read arbitrary PHP files via a direct HTTP request to port 32000. merak-view-php-files(17029) 10966 9045 12269 http://packetstormsecurity.nl/0408-exploits/merak527.txt 20040817 Vulnerabilities in Merak Webmail Server 1010969 SQL injection vulnerability in calendar.html in Merak Mail Server 5.2.7 allows remote attackers to execute arbitrary SQL statements via the schedule parameter. merak-calendarhtml-sql-injection(17022) 10966 9044 12269 http://packetstormsecurity.nl/0408-exploits/merak527.txt 20040817 Vulnerabilities in Merak Webmail Server 1010969 The (1) updateuser.php and (2) forums_prune.php scripts in PHP-Fusion 4.00 allow remote attackers to obtain sensitive information via a direct HTTP request, which reveals the installation path in an error message. phpfusion-path-disclosure(17036) 20040818 Multiple vulnerabilities in PHP-FUSION The ReadMe First.txt file in PHP-Fusion 4.0 instructs users to set the permissions on the fusion_admin/db_backups directory to world read/write/execute (777), which allows remote attackers to download or view database backups, which have easily guessable filenames and contain the administrator username and password. phpfusion-database-file-access(17037) 10974 12336 20040818 Multiple vulnerabilities in PHP-FUSION Stack-based buffer overflow in xvbmp.c in XV allows remote attackers to execute arbitrary code via a crafted image file. 10985 xv-image-bo(17053) 20040820 XV multiple buffer overflows, exploit included Multiple integer overflows in (1) xviris.c, (2) xvpcx.c, and (3) xvpm.c in XV allow remote attackers to execute arbitrary code via a crafted image file that triggers a heap-based buffer overflow. 10985 xv-image-bo(17053) 20040820 XV multiple buffer overflows, exploit included BadBlue 2.5 allows remote attackers to cause a denial of service (refuse HTTP connections) via a large number of connections from the same IP address. badblue-mult-connection-dos(17064) 10983 http://www.gulftech.org/?node=research&article_id=00043-08202004 12346 20040820 BadBlue Webserver v2.5 Denial Of Service Vulnerability Buffer overflow in British National Corpus SARA (sarad) allows remote attackers to execute arbitrary code by calling the client with a long string. sara-server-bo(17060) 10984 12348 20040820 Buffer overflow in sarad Cross-site scripting (XSS) vulnerability in Nihuo Web Log Analyzer 1.6 allows remote attackers to inject arbitrary web script or HTML via the User-Agent HTTP header. nihuo-http-get-xss(17055) 10988 12347 20040820 Cross-Site Scripting (XSS) in Nihuo Web Log Analyzer Cross-site scripting (XSS) vulnerability in Mantis bugtracker allows remote attackers to inject arbitrary web script or HTML via (1) the return parameter to login_page.php, (2) e-mail field in signup.php, (3) action parameter to login_select_proj_page.php, or (4) hide_status parameter to view_all_set.php. 12338 mantis-viewallset-xss(17072) mantis-loginselectprojpage-xss(17070) mantis-signup-xss(17069) mantis-loginpage-xss(17066) 10994 20040820 Multiple Vulnerabilities in Mantis Bugtracker signup_page.php in Mantis bugtracker allows remote attackers to send e-mail bombs by creating multiple users and providing the same e-mail address. mantis-improper-account-validation(17093) 10995 20040820 Multiple Vulnerabilities in Mantis Bugtracker SQL injection vulnerability in out.ViewFolder.php in MyDMS before 1.4.2 allows remote attackers to execute arbitrary SQL commands via the folderid parameter. This was fixed in version 1.4.2. mydms-folderld-sql-injection(17054) 10996 12340 20040820 Multiple vulnerabilities in MyDMS Directory traversal vulnerability in MyDMS 1.4.2 and other versions allows remote registered users to read arbitrary files via .. (dot dot) sequences in the URL. mydms-dotdot-file-download(17058) 10996 12340 20040820 Multiple vulnerabilities in MyDMS PHP remote file inclusion vulnerability in Mantis 0.19.0a allows remote attackers to execute arbitrary PHP code by modifying the (1) t_core_path parameter to bug_api.php or (2) t_core_dir parameter to relationship_api.php to reference a URL on a remote web server that contains the code. 10993 20040820 Mantis Bugtracker Remote PHP Code Execution Vulnerability mantis-php-file-include(17065) Cross-site scripting (XSS) vulnerability in the create list option in Sympa 4.1.x and earlier allows remote authenticated users to inject arbitrary web script or HTML via the description field. sympa-description-xss(17057) 10992 12339 20040820 Cross Site Scripting Vulnerability in Sympa Cacti 0.8.5a allows remote attackers to gain sensitive information via an HTTP request to (1) auth.php, (2) auth_login.php, (3) auth_changepassword.php, and possibly other php files, which reveal the installation path in a PHP error message. cacti-error-path-disclosure(17014) 12308 20040816 SQL Injection in CACTI 20040816 SQL Injection in CACTI SQL injection vulnerability in auth_login.php in Cacti 0.8.5a allows remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username or (2) password parameters. cacti-authlogin-sql-injection(17011) 10960 GLSA-200408-21 12308 20040816 SQL Injection in CACTI 20040816 SQL Injection in CACTI Cross-site scripting (XSS) vulnerability in page.php in JShop allows remote attackers to inject arbitrary web script or HTML via the xPage parameter. jshop-page-xpage-xss(17075) 1011020 12345 20040823 JShop Input Validation Hole in 'page.php' Permits Cross-Site http://indohack.sourceforge.net/drponidi/jshop-vuln.txt Bird Chat 1.61 allows remote attackers to cause a denial of service (crash) via invalid users. This has been fixed in version 1.61 Security Release. 12365 bird-chat-dos(17080) 11010 http://www.autistici.org/fdonato/advisory/BirdChat1.61-adv.txt 20040823 DoS in Bird Chat 1.61 Music daemon (musicd) 0.0.3 and earlier allows remote attackers to read arbitrary files by calling LOAD with a full pathname, then calling SHOWLIST. http://musicdaemon.sourceforge.net/ musicd-commands-view-files(17067) 11006 20040823 MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploit Music daemon (musicd) 0.0.3 and earlier allows remote attackers to cause a denial of service (crash) by calling LOAD with a binary file as an argument, then calling SHOWLIST. http://musicdaemon.sourceforge.net/ musicd-load-showlist-dos(17068) 11006 1011025 20040823 MusicDaemon <= 0.0.3 /etc/shadow Stealer / DoS Exploit Directory traversal vulnerability in WebAPP 0.9.9 allows remote attackers to view arbitrary files via a .. (dot dot) in the viewcat parameter. 12373 webapp-dotdot-directory-traversal(17100) 11028 20040824 WebAPP directory traversal and ability to retrieve the DES encrypted password hash http://cornerstone.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=updates&id=1 Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to view arbitrary files via an HTTP request for the disk_c virtual folder. easyfilesharing-obtain-info(17109) 11034 http://www.gulftech.org/?node=research&article_id=00045-08242004 1011045 12372 20040824 Easy File Sharing Webserver v1.25 Vulnerabilities Easy File Sharing (EFS) Webserver 1.25 allows remote attackers to cause a denial of service (CPU consumption or crash) via many large HTTP requests. easyfilesharing-http-request-dos(17110) 11036 9175 http://www.gulftech.org/?node=research&article_id=00045-08242004 1011045 12372 20040824 Easy File Sharing Webserver v1.25 Vulnerabilities Buffer overflow in Painkiller 1.3.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long password. painkiller-long-password-bo(17101) 11029 12367 20040824 Limited buffer overflow in Painkiller 1.31 Cross-site scripting (XSS) vulnerability in index.php in PHP Code Snippet Library allows remote attackers to inject arbitrary web script or HTML via the (1) cat_select or (2) show parameters. snippet-index-xss(17108) 11038 12370 20040824 PHP Code Snippet Library Multiple Cross-Site Scripting (XSS) Cross-site scripting (XSS) vulnerability in NetworkEverywhere NR041 running firmware 1.2 Release 03 allows remote attackers to inject arbitrary web script or HTML via the DHCP HOSTNAME option. network-everywhere-dhcp-gain-access(17120) 11046 20040825 bug found NtRegmon before 6.12 allows local users to cause a denial of service (crash), while NtRegmon is running, via invalid pointers to hook functions such as ZwSetQueryValue. ntregmon-registry-dos(17106) 11042 http://www.ngsec.com/docs/advisories/NGSEC-2004-7.txt 20040825 [NGSEC-2004-7] NtRegmon, local system denial of service. Attack Mitigator IPS 5500 3.11.008, and possibly other versions, when configured in a one-armed routing configuration, allows remote attackers to cause a denial of service (CPU consumption) via a large number of HTTP requests. am-ips5500-http-dos(17125) 11049 12390 20040825 IRM 010: Top Layer Attack Mitigator IPS 5500 Denial of Service RealVNC 4.0 and earlier allows remote attackers to cause a denial of service (crash) via a large number of connections to port 5900. realvnc-multiple-connections-dos(17123) 11048 13143 20040825 RealVNC 4.0 DoS Ground Control II: Operation Exodus 1.0.0.7 and earlier allows remote servers to cause a denial of service (client or server crash) via a large packet, which generates a "Message too long" socket error that is treated as a critical error. ground-control-dos(17130) 11058 1011075 http://aluigi.altervista.org/adv/gc2boom-adv.txt 20040826 Broadcast forced exit in Ground Control II 1.0.0.7 Stack-based buffer overflow in Gaucho 1.4 Build 145 allows remote attackers to execute arbitrary code via a POP3 email with a long Content-Type header. gaucho-pop3-bo(17090) 11023 http://www.security.org.sg/vuln/gaucho140.html 1011032 12387 20040826 Gaucho v1.4 Build 145 Buffer Overflow The Apple Java plugin, as used in Netscape 7.1 and 7.2, Mozilla 1.7.2, and Firefox 0.9.3 on MacOS X 10.3.5, when tabbed browsing is enabled, does not properly handle SetWindow(NULL) calls, which allows Java applets from one tab to draw to other tabs and facilitates phishing attacks that spoof tabs. netscape-java-tab-spoofing(17137) 11059 20040827 Re: Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State) 20040827 Re: Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State) 20040826 Netscape Navigator 7.2 failure to isolate browser tabs (was Re: Computer Network Defence Vulnerability Alert State) 12392 http://bugzilla.mozilla.org/show_bug.cgi?id=162134 The DNS proxy (DNSd) for multiple Symantec Gateway Security products allows remote attackers to poison the DNS cache via a malicious DNS server query response that contains authoritative or additional records. 10557 http://securityresponse.symantec.com/avcenter/security/Content/2004.06.21.html 11888 20040615 Symantec Enterprise Firewall DNSD cache poisoning Vulnerability The Web Services fat client for BEA WebLogic Server and Express 7.0 SP4 and earlier, when using 2-way SSL and multiple certificates to connect to the same URL, may use the incorrect identity after the first connection, which could allow users to gain privileges. VU#858990 weblogic-multiple-connection-gain-access(15826) 9502 10725 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_47.00.jsp BEA WebLogic Server and WebLogic Express 8.1 SP2 and earlier, and 7.0 SP4 and earlier, when using 2-way SSL with a custom trust manager, may accept a certificate chain even if the trust manager rejects it, which allows remote attackers to spoof other users or servers. VU#566390 weblogic-trust-certificate-spoofing(15862) 10132 1009765 11358 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_54.00.jsp BEA WebLogic Server and Express 8.1, SP1 and earlier, stores the administrator password in cleartext in config.xml, which allows local users to gain privileges. VU#350350 weblogic-boot-password-disclosure(14957) 9501 10728 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_50.00.jsp BEA WebLogic Server and WebLogic Express version 8.1 up to SP2, 7.0 up to SP4, and 6.1 up to SP6 may store the database username and password for an untargeted JDBC connection pool in plaintext in config.xml, which allows local users to gain privileges. VU#920238 bea-configxml-plaintext-password(15860) 10131 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA04_53.00.jsp 5297 1009764 11357 Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, allows remote attackers to cause a denial of service (CPU consumption) via arbitrary packets to TCP port 14247, as demonstrated using port scanning. VU#721092 9469 20040121 Voice Product Vulnerabilities on IBM Servers 10696 ciscovoice-ibmservers-dos(14901) 1008814 3691 O-066 The default installation of Cisco voice products, when running the IBM Director Agent on IBM servers before OS 2000.2.6, does not require authentication, which allows remote attackers to gain administrator privileges by connecting to TCP port 14247. VU#602734 ciscovoice-ibmservers-admin-access(14900) 9468 20040121 Voice Product Vulnerabilities on IBM Servers 10696 1008814 3692 O-066 Unknown vulnerability in Ethereal 0.8.13 to 0.10.2 allows attackers to cause a denial of service (segmentation fault) via a malformed color filter file. VU#695486 11185 ethereal-colour-filter-dos(15572) http://www.ethereal.com/appnotes/enpa-sa-00013.html oval:org.mitre.oval:def:10013 RHSA-2004:136 Unknown vulnerability in F-Secure Anti-Virus (FSAV) 4.52 for Linux before Hotfix 3 allows the Sober.D worm to bypass FASV. VU#415734 http://support.f-secure.com/enu/corporate/downloads/hotfixes/av-linux-hotfixes.shtml fsecure-antivirus-protection-bypass(15432) 11089 Buffer overflow in hsrun.exe for HAHTsite Scenario Server 5.1 Patch 06 (build 91) allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long project name. VU#705958 10033 11288 20040402 Buffer Overflow in HAHTsite Scenario Server 5.1 hahtsite-long-request-bo(15717) Buffer overflow in CDE libDtSvc on HP-UX B.11.00, B.11.04, B.11.11, and B.11.22 allows local users to gain root privileges via unknown vectors. VU#406406 hp-libdtsvc-bo(14828) HPSBUX0401-308 O-057 oval:org.mitre.oval:def:5789 Off-by-one buffer overflow in ModSecurity (mod_security) 1.7.4 for Apache 2.x, when SecFilterScanPost is enabled, allows remote attackers to execute arbitrary code via crafted POST requests. VU#779438 9885 11138 mod-security-offbyone-bo(15489) http://www.s-quadra.com/advisories/Adv-20040315.txt http://www.modsecurity.org/ 20040316 ModSecurity 1.7.4 for Apache 2.x remote off-by-one overflow The default installation of NetScreen-Security Manager before Feature Pack 1 does not enable encryption for communication with devices running ScreenOS 5.0, which allows remote attackers to obtain sensitive information via sniffing. http://www.kb.cert.org/vuls/id/CRDY-5VEU8N VU#927630 netscreen-information-disclosure(14886) 9455 10675 3613 http://www.juniper.net/support/security/alerts/58290.txt The kernel in Solaris 2.6, 7, 8, and 9 allows local users to gain privileges by loading arbitrary loadable kernel modules (LKM), possibly involving the modload function. VU#702526 9477 57479 solaris-kernel-module-gain-privilege(14917) oval:org.mitre.oval:def:4532 The character converters in the Spamhunter and Language ID modules for Symantec Brightmail AntiSpam 6.0.1 before patch 132 allow remote attackers to cause a denial of service (crash) via messages with the ISO-8859-10 character set, which is not recognized by the converters. VU#697598 symantec-brightmail-spamhunter-dos(18530) 12459 13489 ftp://ftp.symantec.com/public/english_us_canada/products/sba/sba_60x/updates/p132_notes.htm The "Allow cPanel users to reset their password via email" feature in cPanel 9.1.0 build 34 and earlier, including 8.x, allows remote attackers to execute arbitrary code via the user parameter to resetpass. VU#831534 cpanel-resetpass-execute-commands(15443) 9848 20040311 Cpanel 8.*.* have a problem ? 11111 20040311 cPanel Secuirty Advisory CPANEL-2004:01-01 The login page for cPanel 9.1.0, and possibly other versions, allows remote attackers to execute arbitrary code via shell metacharacters in the user parameter. VU#831534 cpanel-login-execute-commands(15486) 9855 11124 20040312 Cpanel 9.1.0 have a problem ? Scalable OGo (SOGo) 1.0 allows remote authenticated users to bypass intended permissions and view private appointments of other users. ogo-permission-information-disclosure(19820) 14675 1013553 http://bugzilla.opengroupware.org/bugzilla/show_bug.cgi?id=1060 Stack-based buffer overflow in shar in GNU sharutils 4.2.1 allows local users to execute arbitrary code via a long -o command line argument. FLSA:2155 10066 20040406 GNU Sharutils buffer overflow vulnerability. OpenPKG-SA-2004.011 sharutils-shar-bo(15759) RHSA-2005:377 oval:org.mitre.oval:def:11722 Multiple buffer overflows in sharutils 4.2.1 and earlier may allow attackers to execute arbitrary code via (1) long output from wc to shar, or (2) unknown vectors in unshar. FLSA:2155 11298 GLSA-200410-01 RHSA-2005:377 oval:org.mitre.oval:def:11093 Buffer overflow in the SDO_CODE_SIZE procedure of the MD2 package (MDSYS.MD2.SDO_CODE_SIZE) in Oracle 10g before 10.1.0.2 Patch 2 allows local users to execute arbitrary code via a long LAYER parameter. http://www.securiteam.com/securitynews/5CP010KE0W.html oracle-mdsysmd2sdocodesize-bo(20078) 13145 http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf http://www.frsirt.com/exploits/20050413.OracleExploit.sql.php http://www.appsecinc.com/resources/alerts/oracle/2004-0001/ 20040902 [SHATTER Team Security Alert] Multiple vulnerabilities in Oracle Database Server Cisco VACM (View-based Access Control MIB) for Catalyst Operating Software (CatOS) 5.5 and 6.1 and IOS 12.0 and 12.1 allows remote attackers to read and modify device configuration via the read-write community string. VU#645400 5030 20041008 Cisco IOS Software Multiple SNMP Community String Vulnerabilities cisco-snmp-vacm(6179) Cisco IOS 12.1(3) and 12.1(3)T allows remote attackers to read and modify device configuration data via the cable-docsis read-write community string used by the Data Over Cable Service Interface Specification (DOCSIS) standard. VU#840665 cisco-ios-cable-docsis(6180) 20041008 Cisco IOS Software Multiple SNMP Community String Vulnerabilities A "range check error" in Skype for Windows before 0.98.0.28 allows local and remote attackers to cause a denial of service (application crash) via long command line arguments or a long callto:// URL, a different vulnerability than CVE-2004-1114. http://www.skype.com/security/ssa-2004-01.html 11860 1010490 20040615 Skype URI callto username overflow Skype 0.92.0.12 and 1.0.0.1 for Linux, and possibly other versions, creates the /usr/share/skype/lang directory with world-writable permissions, which allows local users to modify language files and possibly conduct social engineering or other attacks. skype-lang-insecure-permissions(18644) 20041222 Permission problem in Skype BETA for linux 12081 20050216 Re: Permission problem in Skype BETA for linux Cross-site scripting (XSS) vulnerability in board.php for ThWboard before beta 2.84 allows remote attackers to inject arbitrary web script or HTML via the lastvisited parameter. 9367 1008617 10546 http://cvs.sourceforge.net/viewcvs.py/thwb/thwb/board.php?r1=1.11&r2=1.12 thwboard-board-xss(14143) 3330 http://sourceforge.net/project/shownotes.php?release_id=207893 Info Touch Surfnet kiosk allows local users to deposit extra time into Internet kiosk accounts via repeated authentication attempts. 9347 Info Touch Surfnet kiosk allows local users to crash Surfnet and access the underlying operating system via the CMD_CREDITCARD_CHARGE command. 9348 athenareg.php in Athena Web Registration allows remote attackers to execute arbitrary commands via shell metacharacters in the pass parameter. 9349 16861 Directory traversal vulnerability in Net2Soft Flash FTP Server 1.0 allows remote attackers to read and create arbitrary files via a /.. (slash dot dot). 10522 9350 http://www.securiteam.com/windowsntfocus/5FP051FBPQ.html 1008588 Buffer overflow in the web server of Webcam Watchdog 3.63 allows remote attackers to execute arbitrary code via a long HTTP GET request. 10527 webcam-watchdog-get-bo(14131) http://www.webcamsoft.com/en/watchdog_h.html 9351 20040103 Webcam Watchdog Stack Overflow Vulnerability 3312 http://www.elitehaven.net/webcamwatchdog.txt SQL injection vulnerability in calendar.php for Invision Power Board 1.3 allows remote attackers to execute arbitrary SQL commands via the m parameter, which sets the $this->chosen_month variable. 9353 3319 10530 20040103 [SCSA-025] Invision Power Board SQL Injection Vulnerability 1008589 PortalApp places user credentials under the web root with insufficient access control, which allows remote attackers to gain access to sensitive information via a direct request to 8275.mdb. portalapp-url-access-database(14169) 9354 1008627 SQL injection vulnerability in PostCalendar 4.0.0 allows remote attackers to execute arbitrary SQL commands via search queries. 9372 1008621 10554 http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2537 postcalendar-search-sql-injection(14111) 3336 ASP-Nuke 1.3 and earlier places user credentials under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to main.mdb. 9355 Cross-site scripting (XSS) vulnerability in the web management interface in ZyWALL 10 4.07 allows remote attackers to inject arbitrary web script or HTML via the rpAuth_1 page. zywall-xss(14163) 9373 20040106 ZyXEL10 OF ZyWALL Series Router Cross Site Scripting Vulnerabillity 3443 1008644 12793 10574 Cross-site scripting (XSS) vulnerability in the web management interface in Edimax AR-6004 ADSL Routers allows remote attackers to inject arbitrary web script or HTML via the URL. edimax-ar6004-xss(14165) 9374 20040106 EDIMAX AR-6004 Full Rate ADSL Router Cross Site Scripting Vulnerabillity 3435 1008643 10576 The web management interface in Edimax AR-6004 ADSL Routers uses a default administrator name and password, which also appear as the default login text for the management interface, which allows remote attackers to gain access. 20040106 EDIMAX AR-6004 Full Rate ADSL Router Cross Site Scripting Vulnerabillity 3511 1008643 swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a long packet with two CRLF sequences to the service management port (TCP 8000). switch-off-swnet-dos(14123) 9339 20040102 Switch Off Multiple Vulnerabilities http://www.elitehaven.net/switchoff.txt 1008581 10521 Stack-based buffer overflow in swnet.dll in YaSoft Switch Off 2.3 and earlier allows remote authenticated users to execute arbitrary code via a long message parameter in a SendMsg action to action.htm. switch-off-swnet-bo(14124) 9340 20040102 Switch Off Multiple Vulnerabilities 3309 http://www.elitehaven.net/switchoff.txt 1008581 10521 Cross-site scripting (XSS) vulnerability in the VCard4J Toolkit allows remote attackers to inject arbitrary web script or HTML via the NICKNAME tag in a vCard. 1008582 vcard4j-nickname-xss(14120) 9343 20040101 Possible XSS vuln in VCard4J Info Touch Surfnet kiosk allows local users to access the underlying filesystem via a 'file://' URI. 9346 PHP remote file inclusion vulnerability in HotNews 0.7.2 and earlier allows remote attackers to execute arbitrary PHP code via the (1) config[header] parameter to hotnews-engine.inc.php3 or (2) config[incdir] parameter to hnmain.inc.php3. hotnews-php-file-include(14140) 9357 20040104 HotNews arbitary file inclusion http://sourceforge.net/forum/forum.php?forum_id=342594 1008608 10551 3405 3332 Cross-site scripting (XSS) vulnerability in search.php for FreznoShop 1.3.0 RC1 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter. 1008606 10547 freznoshop-searchphp-xss(14147) 9359 3335 RealOne player 6.0.11.868 allows remote attackers to execute arbitrary script in the "My Computer" zone via a Synchronized Multimedia Integration Language (SMIL) presentation with a "file:javascript:" URL, which is executed in the security context of the previously loaded URL, a different vulnerability than CVE-2003-0726. 9378 3826 9584 realoneplayer-smil-xss(14168) 20040107 RealNetworks fails to address Cross-Site Scripting in RealOne Player 1008647 PF in certain OpenBSD versions, when stateful filtering is enabled, does not limit packets for a session to the original interface, which allows remote attackers to bypass intended packet filters via spoofed packets to other interfaces. 9362 20040105 firewall security bug? 19105 Unknown vulnerability in Sysbotz SimpleData 4.0.1 and possibly earlier versions allows remote attackers to gain access via a crafted URL and a certain cookie. simpledata-gain-unauth-access(14206) 9380 1008695 10595 Directory traversal vulnerability in PWebServer 0.3.3 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. 9817 http://www.autistici.org/fdonato/advisory/PWebServer0.3.3-adv.txt 11057 20040308 directory traversal in PWebServer 0.3.3 pwebserver-dotdot-directory-traversal(15404) Chat Anywhere 2.72 and earlier allows remote attackers to hide their IP address by using %00 before the nickname, which causes the IP address to be displayed as $IP$ on the administration web page. http://www.lionmax.com/chatanywhere.htm chat-anywhere-admin-bypass(15416) 9823 http://aluigi.altervista.org/adv/chatany-ghost-adv.txt 20040309 Ghost users in Chat Anywhere 2.72 wMCam server 2.1.348 allows remote attackers to cause a denial of service (no new connections) via multiple malformed HTTP requests without the GET command. wmcam-multiple-connections-dos(15431) 9839 20040310 DoS in wMCam server 2.1.348 Format string vulnerability in games using the Epic Games Unreal Engine 436 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in class names. 9840 ut-class-format-string(15430) 11108 http://aluigi.altervista.org/adv/unrfs-adv.txt 20040311 Re: Format string bug in EpicGames Unreal engine 20040310 Format string bug in EpicGames Unreal engine SQL injection vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to execute SQL commands via the (1) category_id, (2) product_id, or (3) feature_id parameters. 11112 cfwebstore-index-sql-injection(15447) 9854 http://www.s-quadra.com/advisories/Adv-20040312.txt 4229 1009403 20040312 Dogpatch Software CFWebstore 5.0 shopping cart software multiple security vulnerabilities Cross-site scripting (XSS) vulnerability in index.cfm in CFWebstore 5.0 allows remote attackers to inject arbitrary web script or HTML via the URL. 11112 cfwebstore-url-xss(15454) 9856 http://www.s-quadra.com/advisories/Adv-20040312.txt 4230 1009403 20040312 Dogpatch Software CFWebstore 5.0 shopping cart software multiple security vulnerabilities Extcompose in metamail does not verify the output file before writing to it, which allows local users to overwrite arbitrary files via a symlink attack. metamail-extcompose-symlink(15460) 9850 20040312 Metamail 'extcompose' script Symlink Vulnerability Cross-site scripting (XSS) vulnerability in phpBB 2.0.6d and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) postdays parameter to viewtopic.php or (2) topicdays parameter to viewforum.php. 9866 9865 11121 20040313 phpBB 2.0.6d && Earlier Security Issues phpbb-viewforum-viewtopic-xss(15464) http://www.phpbb.com/support/documents.php?mode=changelog#206 4259 4257 The Javascript engine in Opera 7.23 allows remote attackers to cause a denial of service (crash) by creating a new Array object with a large size value, then writing into that array. safari-array-dos(15413) 9869 20040314 Opera Array Allocation Managment Exploit The SSL HTTP Server in HP Web-enabled Management Software 5.0 through 5.92, with anonymous access enabled, allows remote attackers to compromise the trusted certificates by uploading their own certificates. HPSBMA01003 9859 O-100 http://www.immunitysec.com/downloads/hp_http.sxw.pdf 20040314 Multiple Immunity Advisories hp-http-certificate-upload(15466) SSRT4679 11126 20040315 Immunity Advisory: Compaq Web Management vulnerability Multiple stack-based buffer overflows in Agent Common Services (1) cam.exe and (2) awservices.exe in Unicenter TNG 2.4 allow remote attackers to execute arbitrary code. unicentertng-awservices-cam-bo(15472) 9863 http://www.immunitysec.com/downloads/awservices.sxw.pdf 20040315 Immunity Advisory: Computer Associates Unicenter TNG 11131 20040314 Multiple Immunity Advisories ftp://ftp.ca.com/CAproducts/unicenter/CCS31/nt/qi52764/QI52764.DB0 VocalTec VGW4/8 Gateway 8.0 allows remote attackers to bypass authentication via an HTTP request to home.asp with a trailing slash (/). vgw48-gateway-directory-traversal(15476) 20040315 VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass 9876 Directory traversal vulnerability in VocalTec VGW4/8 Gateway 8.0 allows remote attackers to read protected files via .. (dot dot) sequences in an HTTP request, as demonstrated using home.asp. vgw48-gateway-directory-traversal(15476) 9876 20040315 VocalTec Gateway 8 Reverse Directory Transversal + Authorization Bypass Unknown vulnerability in ColdFusion MX 6.0 and 6.1, and JRun 4.0, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption). soap-array-dos(15473) 9877 http://www.macromedia.com/devnet/security/security_zone/mpsb04-04.html 11132 20040315 Multiple Vendor SOAP server array DoS Unknown vulnerability in Sun Java System Application Server 7.0 Update 2 and earlier, when a SOAP web service expects an array of objects as an argument, allows remote attackers to cause a denial of service (memory consumption). soap-array-dos(15473) 9877 57517 11130 20040315 Multiple Vendor SOAP server array DoS 201713 Cross-site scripting (XSS) vulnerability in modules.php in Php-Nuke 7.1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) Your Name field, (2) e-mail field, (3) nicname field, (4) fname parameter, (5) ratenum parameter, or (6) search field. phpnuke-multiple-parameters-xss(15491) 9879 11135 20040315 [waraxe-2004-SA#005 - XSS in Php-Nuke 7.1.0 - part 2] Cross-site scripting (XSS) vulnerability in nmimage.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary script as other users by injecting arbitrary script into the z parameter. 4nalbum-nmimagephp-xss(15497) 9881 4293 11134 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to obtain sensitive information via a direct request to displaycategory.php, which reveals the path in an error message. 4nalbum-error path-disclosure(15493) 9881 4291 11134 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] PHP remote file inclusion vulnerability in displaycategory.php in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to execute arbitrary PHP code by modifying the basepath parameter to reference a URL on a remote web server that contains fileFunctions.php. 11134 4nalbum-displaycategory-file-include(15496) 9881 4292 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] SQL injection vulnerability in 4nalbum 0.92 for PHP-Nuke 6.5 through 7.0 allows remote attackers to gain privileges or perform unauthorized database operations via the gid parameter. 11134 4nalbum-modulesphp-SQL-injection(15498) 9881 4294 20040315 [waraxe-2004-SA#006 - Multiple vulnerabilities in 4nalbum module for PhpNuke] Multiple cross-site scripting (XSS) vulnerabilities in Phorum 3.1 through 5.0.3 beta allow remote attackers to inject arbitrary web script or HTML via the (1) HTTP_REFERER parameter to login.php, (2) HTTP_REFERER parameter to register.php, or (3) target parameter to profile.php. 9882 11157 phorum-register-xss(15494) http://phorum.org/changelog.txt 20040315 Phorum 5.0.3 Beta && Earlier XSS Issues 4335 4334 4333 1009433 Multiple cross-site scripting (XSS) vulnerabilities in Jelsoft vBulletin 2.0 beta 3 through 3.0 can4 allows remote attackers to inject arbitrary web script or HTML via the (1) page parameter to showthread.php or (2) order parameter to forumdisplay.php. 11142 vbulletin-showthread-xss(15495) 9889 9888 20040316 JelSoft vBulletin Multiple XSS Vulnerabilities 4311 4310 1009440 Cross-site scripting (XSS) vulnerability in Jelsoft vBulletin before 3.0 allows remote attackers to inject arbitrary web script or HTML via the what parameter to memberlist.php. 11142 vbulletin-showthread-xss(15495) 9887 20040316 JelSoft vBulletin Multiple XSS Vulnerabilities 6226 4312 vbulletin-memberlist-xss(10679) 1009440 20021121 XSS bug in vBulletin Cross-site scripting (XSS) vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) return or (2) mos_change_template parameters. 4665 11140 20040316 Mambo Open Source Multiple Vulnerabilities mambo-return-moschangetemplate-xss(15499) 9890 4308 SQL injection vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 4307 11140 20040316 Mambo Open Source Multiple Vulnerabilities mambo-id-sql-injection(15500) 9891 Cross-site scripting (XSS) vulnerability in YaBB 1 Gold(SP1.3) and YaBB SE 1.5.1 Final allows remote attackers to inject arbitrary web script via the background:url property in (1) glow or (2) shadow tags. 9873 11128 yabb-glow-shadow-xss(15488) http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 1009427 20040316 RE: YaBB/YaBBse Cross Site Scripting Vulnerability 20040314 YaBB/YaBBse Cross Site Scripting Vulnerability Vcard 2.9 and possibly other versions does not require authorization to run uninstall.php, which could allow remote attackers to uninstall Vcard and delete database tables via a direct request to uninstall.php. 9910 20040317 Vcard 2.8 uninstall script problem vcard-uninstall-delete-table(15522) Multiple cross-site scripting (XSS) vulnerabilities in error.php in Gijza.net Error Manager 2.1 for PHP-Nuke 6.0 allow remote attackers to inject arbitrary web script or HTML via the (1) pagetitle or (2) error parameters, or (3) certain parameters in the error log. errormanager-error-command-execution(15530) errormanager-error-xss(15529) 9911 20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager 4384 11164 error.php in Error Manager 2.1 for PHP-Nuke 6.0 allows remote attackers to obtain sensitive information via an invalid (1) language, (2) newlang, or (3) lang parameter, which leaks the pathname in a PHP error message. errormanager-error-path-disclosure(15524) 9911 4386 11164 20040318 [waraxe-2004-SA#010 - Multiple vulnerabilities in Error Manager Buffer overflow in Chrome 1.2.0.0 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large length value, which leads to a null dereference or out-of-bounds read. chrome-malloc-memcpy-dos(15535) 9898 http://aluigi.altervista.org/adv/chrome-boom-adv.txt 20040318 Chrome 1.2.0.0 server crash Buffer overflow in the GUI admin service in Mac OS X Server 10.3 allows remote attackers to cause a denial of service (crash and restart) via a large amount of data to TCP port 660. macos-admin-servicebo(15533) 20040319 Re: mac osx- admin service buffer overflow 20040318 mac osx- admin service buffer overflow 9914 The admin.ib file in Borland Interbase 7.1 for Linux has default world writable permissions, which allows local users to gain database administrative privileges. 9929 1009500 11172 interbase-admin-gain-privileges(15546) 4381 20040319 Borland Interbase admin.ib Administrative Access Vulnerability mod_disk_cache in Apache 2.0 through 2.0.49 stores client headers, including authentication information, on the hard disk, which could allow local users to gain sensitive information. apache-moddiskcache-obtain-info(15547) 9933 ADV-2006-0789 4446 1009509 11176 oval:org.mitre.oval:def:11133 20040319 Apache mod_disk_cache stores client authentication credentials on disk RHSA-2004:562 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 102198 19072 Multiple SQL injection vulnerabilities in index.php in Invision Gallery 1.0.1 allow remote attackers to execute arbitrary SQL via the (1) img, (2) cat, (3) sort_key, (4) order_key, (5) user, or (6) album parameters. invision-gallery-sql-injection(15566) 9944 4472 1009512 11194 20040322 Invision Gallery SQL Injection Vulnerabilities SQL injection vulnerability in index.php in Invision Power Top Site List 1.1 RC 2 and earlier allows remote attackers to execute arbitrary SQL via the id parameter of the comments action. invision-id-sql-injection(15568) 9945 1009511 11187 20040322 Invision Power Top Site List SQL Injection Vulnerability Cross-site scripting (XSS) vulnerability in Mod_survey 3.0.x before 3.0.16-pre2 and 3.2.x before 3.2.0-pre4 allows remote attackers to inject arbitrary web script or HTML via the certain survey fields or error messages for malformed query strings. 9941 1009516 modsurvey-xss(15582) 20040322 Mod_Survey security advisory: Script injection bug Directory traversal vulnerability in xweb 1.0 allows remote attackers to download arbitrary files via a .. (dot dot) in the URL. 9937 http://www.autistici.org/fdonato/advisory/xweb1.0-adv.txt 1009514 11186 20040322 directory traversal in xweb 1.0 xweb-dotdot-directory-traversal(15567) 4460 MS Analysis module 2.0 for PHP-Nuke allows remote attackers to obtain sensitive information via a direct request to (1) browsers.php, (2) mstrack.php, or (3) title.php, which reveal the full path in a PHP error message. 9946 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] Multiple cross-site scripting (XSS) vulnerabilities in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to inject arbitrary web script or HTML via the (1) screen parameter to modules.php, (2) module_name parameter to title.php, (3) sortby parameter to modules.php, or (4) overview parameter to modules.php. msanalysis-modules-title-xss(15575) 9947 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] SQL injection vulnerability in MS Analysis module 2.0 for PHP-Nuke allows remote attackers to execute arbitrary SQL via the referer field in an HTTP request. msanalysis-referer-sql-injection(15576) 9948 20040322 [waraxe-2004-SA#011 Multiple vulnerabilities in MS Analysis v2.0 module for PhpNuke] Cross-site request forgery (CSRF) vulnerability in Php-Nuke 6.x through 7.1.0 allows remote attackers to gain administrative privileges via an img tag with a URL to admin.php. phpnuke-img-gain-privileges(15596) 9895 11195 20040322 [waraxe-2004-SA#008 - easy way to get superadmin rights in PhpNuke 6.x-7.1.0] SQL injection vulnerability in Member Management System 2.1 allows remote attackers to execute arbitrary SQL via the ID parameter to (1) resend.asp or (2) news_view.asp. 9931 1009508 11179 20040322 Vulnerabilities in Member Management System 2.1 mms-id-sql-injection(15551) Cross-site scripting (XSS) vulnerability in Member Management System 2.1 allows remote attackers to inject arbitrary web script or HTML via (1) the err parameter to error.asp or (2) register.asp. mms-xss(15552) 9932 1009508 11179 20040322 Vulnerabilities in Member Management System 2.1 Multiple cross-site scripting (XSS) vulnerabilities in News Manager Lite 2.5 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to comment_add.asp, (2) search parameter to search.asp, or (3) n parameter to category_news_headline.asp. news-manager-xss(15548) 9935 4494 4493 4492 1009507 11180 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration Multiple SQL injection vulnerabilities in News Manager Lite 2.5 allow remote attackers to execute arbitrary SQL code via the (1) ID parameter to more.asp, (2) ID parameter to category_news.asp, or (3) filter parameter to news_sort.asp. 9935 1009507 news-manager-sql-injection(15549) 4497 4496 4495 11180 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration News Manager Lite 2.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the ADMIN parameter in the NEWS_LOGIN cookie. 9935 news-manager-admin-access(15550) 1009507 11180 20040322 Vulnerabilities in News Manager Lite 2.5 & News Manager Lite administration Ipswitch WS_FTP Server 4.0.2 allows remote attackers to cause a denial of service (disk consumption) and bypass file size restrictions via a REST command with a large size argument, followed by a STOR of a smaller file. 11206 wsftp-rest-stor-dos(41831) wsftp-rest-dos(15560) 9953 4542 1009529 20040323 How to crash a harddisk - the Ipswitch WS_FTP Server way Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to dodelautores.html or (2) handle parameter to addhandle.html. cpanel-dodelautores-addhandle-xss(15517) 9965 4530 4529 1009541 20040323 More Cpanel Vuls (cross site scripting) The Rage 1.01 and earlier allows remote attackers to cause a denial of service (infinite loop) via a TCP packet with the port and IP address set to zero. therage-packet-dos(15584) 9961 1009540 http://aluigi.altervista.org/adv/ragefreeze-adv.txt 20040323 Server freeze in The Rage 1.01 Dameware Mini Remote Control 4.1.0.0 uses insufficiently random data to create the encryption key, which makes it easier for remote attackers to obtain sensitive information via brute force guessing. 11205 dameware-random-generator-weak(15587) 9957 4547 1009557 20030323 Dameware Passes Weak File Encryption Key in the Clear DameWare Mini Remote Control 3.x before 3.74 and 4.x before 4.2 transmits the Blowfish encryption key in plaintext, which allows remote attackers to gain sensitive information. dameware-encryption-key-plaintext(15586) 9959 http://www.dameware.com/support/security/bulletin.asp?ID=SB3 11205 4547 1009557 20040323 Dameware Passes Weak File Encryption Key in the Clear Buffer overflow in Terminator 3: War of the Machines 1.0 allows remote attackers to cause a denial of service via a long ServerInfo variable. 1009498 11182 http://aluigi.altervista.org/adv/t3cbof-adv.txt terminator3-bo(15542) 9918 4447 20040323 Broadcast client buffer-overflow in Terminator 3 1.0 Buffer overflow in the logging function in Picophone 1.63 and earlier allows remote attackers to execute arbitrary code via a large packet. picophone-logging-function-bo(15595) 9969 1009551 11209 http://aluigi.altervista.org/adv/picobof-adv.txt 4550 20040324 Buffer overflow in PicoPhone 1.63 Dark Age of Camelot before 1.68 live patch does not sign the RSA public key, which could allow remote malicious servers to gain sensitive information via a man-in-the-middle attack. daoc-login-mitm(15597) 9960 20040324 Dark Age of Camelot login client vulnerability to man in the middle 20040323 Dark Age of Camelot login client vulnerability to man in the middle attack http://capnbry.net/daoc/advisory20040323/ devices_update_printer_fw_upload.hts in HP Web JetAdmin 7.5.2546, when no password is set, allows remote attackers to upload arbitrary files to the printer directory. hp-jetadmin-file-upload(15605) 9971 SSRT4700 http://sh0dan.org/files/hpjadmadv.txt 20040324 HP Web JetAdmin vulnerabilities. Directory traversal vulnerability in setinfo.hts in HP Web Jetadmin 7.5.2546 allows remote authenticated attackers to read arbitrary files via a .. (dot dot) in the setinclude parameter. hp-jetadmin-setinfo-directory-traversal(15606) 9972 SSRT4700 20040324 HP Web JetAdmin vulnerabilities. HP Web Jetadmin 7.5.2546 allows remote attackers to cause a denial of service (crash) via a malformed request, possibly due to a stricmp() error from an invalid use of the "$" character. SSRT4700 20040324 HP Web JetAdmin vulnerabilities. Directory traversal vulnerability in Trend Micro Interscan Web Viruswall in InterScan VirusWall 3.5x allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. interscan-dotdot-directory-traversal(15590) 11215 http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=19257 9966 4549 1009550 20040324 TrendMacro Interscan Viruswall Directory Traversal Buffer overflow in Check Point SmartDashboard in Check Point NG AI R54 and R55 allows remote authenticated users to cause a denial of service (server disconnect) and possibly execute arbitrary code via a large filter on a column when using SmartView Tracker. fw1-smartdashboard-bo(15539) 1009490 20040325 Check Point SmartDashboard Buffer Overflow 9870 4412 Invision NetSupport School Pro uses a weak encryption algorithm to encrypt passwords, which allows local users to obtain passwords. netsupportschoolpro-weak-encryption(15621) 9981 20040326 NetSupport School Pro: Password Encryption Weaknesses Multiple cross-site scripting (XSS) vulnerabilities in Extreme Messageboard (XMB) 1.8 SP3 and 1.9 beta allow remote attackers to inject arbitrary web script or HTML via the (1) xmbuser parameter to xmb.php, (2) folder parameter to u2u.php, (3) viewmost, replymost, or latest parameter to stats.php, (4) message or icons parameter to post.php, (5) threadlist, pagelinks, forumlist, navigation, or (6) forumdisplay parameter to forumdisplay.php. xmb-forum-multiple-xss(15654) 9983 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta] 11230 14988 14987 14986 14985 14983 Multiple cross-site scripting (XSS) vulnerabilities in XMB (aka extreme message board) 1.9 beta (aka Nexus beta) allow remote attackers to inject arbitrary web script or HTML via (1) the u2uheader parameter in editprofile.php, the restrict parameter in (2) member.php, (3) misc.php, and (4) today.php, and (5) an arbitrary parameter in phpinfo.php. xmb-forum-multiple-xss(15654) 9983 16884 14991 14989 14982 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 Partagium SP3 and 1.9 Nexus Beta] SQL injection vulnerability in Extreme Messageboard (XMB) 1.9 beta allows remote attackers to execute arbitrary SQL commands via the restrict parameter to (1) member.php, (2) misc.php, or (3) today.php. xmb-forum-sql-injection(15655) 9983 16886 1009561 20040326 [waraxe-2004-SA#012 - Multiple vulnerabilities in XMB Forum 1.8 SP3 and 1.9 beta] Cross-site scripting (XSS) vulnerability in the administration panel in bBlog 0.7.2 allows remote authenticated users with superuser privileges to inject arbitrary web script or HTML via a blog name ($blogname). NOTE: if administrators are normally allowed to add HTML by other means, e.g. through Smarty templates, then this issue would not give any additional privileges, and thus would not be considered a vulnerability. bblog-name-xss(15635) 1009564 20040326 bblog 0.7.2 cross site scripting 13397 10510 nstxd in Nstx 1.1 beta3 and earlier allows remote attackers to cause a denial of service (crash) via a large packet, which triggers a null dereference. nstx-null-dos(15638) 9989 1009567 http://nstx.dereference.de/nstx/nstx-1.1-beta4.tgz 20040326 Nstxd vulnerability Cross-site scripting (XSS) vulnerability in guest.cgi in Fresh Guest Book allows remote attackers to inject arbitrary web script or HTML via the Name field. freshguestbook-guest-xss(15649) 9995 20040328 vuln Stack-based buffer overflow in WinSig.exe in eSignal 7.5 and 7.6 allows remote attackers to execute arbitrary code via a long STREAMQUOTE tag. esignal-specs-bo(15624) 9978 11222 20040406 Re: eSignal v7 remote buffer overflow http://viziblesoft.com/insect/advisories/vz012004-esignal7.txt 20040325 eSignal v7 remote buffer overflow (exploit) Etherlords I 1.07 and earlier and Etherlords II 1.03 and earlier allows remote attackers to cause a denial of service (crash) by sending a packet that specifies the size for the next packet, then sending a larger packet than specified, which causes Etherlords to read unallocated memory. etherlords2-packet-dos(15619) etherlords1-packet-dos(15618) 9979 http://aluigi.altervista.org/adv/ethboom-adv.txt 20040325 Remote crash in Etherlords I 1.07 and II 1.03 Multiple SQL injection vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to gain users' passwords via the (1) photo parameter to addfav.php, (2) photo parameter to comments.php, (3) credit parameter to comments.php, (4) cat parameter to index.php, (5) ppuser parameter to showgallery.php, (6) cat parameter to showgallery.php, (7) cat parameter to uploadphoto.php, (8) albumid parameter to useralbums.php, or (9) albumid parameter to useralbums.php. photopost-php-sql-injection(15642) 9994 1009571 11241 20040328 PhotoPost PHP Pro Multiple Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 4.6.x and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ppuser, (2) password, (3) stype, (4) perpage, (5) sort, (6) page, (7) si, or (8) cat parameters to showmembers.php, or the (9) photo name, (10) photo description, (11) album name, or (12) album description fields. 9994 11241 20040328 PhotoPost PHP Pro Multiple Vulnerabilities photopost-php-xss(15643) 1009571 Cross-site scripting (XSS) vulnerability in WebCT Campus Edition 4.1.1.5 allows remote attackers to inject arbitrary web script or HTML via the @import URL function in a CSS style tag. webct-import-xss(15652) 9999 20040329 WebCT Campus Edition 4.1 - Cross site scripting using CSS @import 11242 SQL injection vulnerability in category.asp in A-CART Pro and A-CART 2.0 allows remote attackers to gain privileges via the catcode parameter. acart-categoryasp-sql-injection(15661) 9997 11236 20040329 A-CART Pro & A-CART 2.0 Input Validation Holes 20061118 Re: A-Cart PRO SQL Injection 20061118 A-Cart PRO SQL Injection 20061118 A-Cart 2.0 SQL Injection 20061114 A-Cart pro[ injection sql (post&get)] http://www.aria-security.com/forum/showthread.php?t=32 http://www.aria-security.com/forum/showthread.php?t=31 http://s-a-p.ca/index.php?page=OurAdvisories&id=27 Multiple cross-site scripting (XSS) vulnerabilities in (1) deliver.asp and (2) billing.asp in A-CART Pro and A-CART 2.0 allow remote attackers to inject arbitrary web script or HTML via the user information forms. acart-deliverasp-billingasp-xss(15660) 9997 11236 20040329 A-CART Pro & A-CART 2.0 Input Validation Holes Multiple cross-site scripting (XSS) vulnerabilities in cPanel 9.1.0-R85 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to testfile.html, (2) file parameter to erredit.html, (3) dns parameter to dnslook.html, (4) account parameter to ignorelist.html, (5) account parameter to showlog.html, (6) db parameter to repairdb.html, (7) login parameter to doaddftp.html (8) account parameter to editmsg.htm, or (9) ip parameter to del.html. NOTE: the dnslook.html vector was later reported to exist in cPanel 10. cpanel-multiple-scripts-xss(15671) http://www.cirt.net/advisories/cpanel_xss.shtml 11244 20040330 Exensive cPanel Cross Site Scripting ADV-2006-4658 21142 10002 4243 4215 4214 4213 4212 4211 4210 4209 4208 http://www.aria-security.com/forum/showthread.php?t=30 22984 The "%f" feature in the VirusEvent directive in Clam AntiVirus daemon (clamd) before 0.70 allows local users to execute arbitrary commands via shell metacharacters in a file name. clamantivirus-virusevent-gain-privileges(15692) 10007 GLSA-200405-03 11253 20040330 clamd - NEVER use "%f" in your "VirusEvent" The p_submit_url value in the sample login form in the Oracle 9i Application Server (9iAS) Single Sign-on Administrators Guide, Release 2(9.0.2) for Oracle SSO allows remote attackers to spoof the login page, which could allow users to inadvertently reveal their username and password. oracle-sso-login-spoofing(15676) 10009 20040330 Problem with customized login pages for Oracle SSO LINBOX LIN:BOX allows remote attackers to bypass authentication, obtain sensitive information, or gain access via a direct request to admin/user.pl preceded by // (double leading slash). linbox-slashslash-security-bypass(15677) 10010 11264 http://www.websec.org/adv/linbit.txt.html 20040330 Linbit linbox Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in PHPKIT 1.6.03 allows allows remote attackers to inject arbitrary web script or HTML via forum messages. phpkit-forum-message-xss(15681) 10013 20040330 phpkit suffers (reale stupid) XSS vuln. Memory leak in the back-bdb backend for OpenLDAP 2.1.12 and earlier allows remote attackers to cause a denial of service (memory consumption). 9203 CLSA-2003:685 17000 SQL injection vulnerability in (1) mailorder.asp or (2) payonline.asp in CactuShop 5.x allows remote attackers to execute arbitrary SQL commands via the strItems parameter. 11272 cactushop-multiple-sql-injection(15686) 10019 http://www.s-quadra.com/advisories/Adv-20040331.txt 4786 4785 1009601 20040331 CactuSoft CactuShop v5.x shopping cart software multiple security Cross-site scripting (XSS) vulnerability in popuplargeimage.asp in CactuShop 5.x allows remote attackers to inject arbitrary web script or HTML via the strImageTag parameter. 11272 cactushop-popularlargeimageasp-xss(15687) 10020 4787 20040331 CactuSoft CactuShop v5.x shopping cart software multiple security 2004031 CactuSoft CactuShop v5.x shopping cart software multiple security vulnerabilities 1009601 Multiple buffer overflows in Ipswitch WS_FTP Server 4.0.2 (1) allow remote authenticated users to execute arbitrary code by causing a large error string to be generated by the ALLO handler, or (2) may allow remote FTP administrators to execute arbitrary code by causing a long hostname or username to be inserted into a reply to a STAT command while a file is being transferred. 11206 wsftp-allo-bo(15561) 9953 20040323 Think of the buffers! Won't somebody think of the buffers?! 20040323 ALLO ALLO WS_FTP Server Ipswitch WS_FTP Server 4.0.2 has a backdoor XXSESS_MGRYY username with a default password, which allows remote attackers to gain access. 11206 wftp-site-gain-priviliege(15558) 9953 20040323 Open the WS_FTP Server backdoor to SYSTEM Ipswitch WS_FTP Server 4.0.2 allows remote authenticated users to execute arbitrary programs as SYSTEM by using the SITE command to modify certain iFtpSvc options that are handled by iftpmgr.exe. 11206 wftp-site-gain-priviliege(15558) 9953 20040323 Open the WS_FTP Server backdoor to SYSTEM ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1848. Reason: This candidate is a duplicate of CVE-2004-1848. Notes: All CVE users should reference CVE-2004-1848 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Ada Image Server (ImgSvr) 0.4 allows remote attackers to view directories or download files via an HTTP request with a trailing %00 (null). 11277 imgsvr-obtain-information(15706) 10027 10026 http://www.autistici.org/fdonato/advisory/imgSvr0.4-adv.txt http://sourceforge.net/project/shownotes.php?release_id=230023 20040401 Index viewing in imgSvr 0.4 display.cgi in Aborior Encore WebForum allows remote to execute arbitrary commands via shell metacharacters in the file variable. encore-display-command-execution(15725) 10040 20040403 Remote Exploit for Aborior's Encore Web Forum 1009652 20060621 Re: display.cgi 20060620 display.cgi 16831 Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via a link failure with Microsoft Windows. irix-ftpd-link-dos(15722) 10037 20040401-01-P Unknown vulnerability in ftpd in SGI IRIX 6.5.20 through 6.5.23 allows remote attackers to cause a denial of service (hang) via the PORT mode. irix-ftpd-port-dos(15723) 10037 20040401-01-P The ftp_syslog function in ftpd in SGI IRIX 6.5.20 "doesn't work with anonymous FTP," which has an unknown impact, possibly preventing the actions of anonymous users from being logged. 20040401-01-P Stack-based buffer overflow in DecodeBase16 function, as used in the (1) IRC module and (2) web server in eMule 0.42d, allows remote attackers to execute arbitrary code via a long string. 10039 http://www.emule-project.net/home/perl/news.cgi?l=1&cat_id=22 11289 emule-decodebase16-bo(15730) 20040403 eMule v0.42d Buffer Overflow Dreamweaver MX, when "Using Driver On Testing Server" or "Using DSN on Testing Server" is selected, uploads the mmhttpdb.asp script to the web site but does not require authentication, which allows remote attackers to obtain sensitive information and possibly execute arbitrary SQL commands via a direct request to mmhttpdb.asp. 11284 dreamweaver-test-script-sql-injection(15721) 10036 http://www.nextgenss.com/advisories/dreamweaver.txt http://www.macromedia.com/devnet/security/security_zone/mpsb04-05.html 20040403 [securityzone@macromedia.com: New Macromedia Security Zone Bulletin Posted] TEXutil in ConTEXt, when executed with the --silent option, allows local users to overwrite arbitrary files via a symlink attack on texutil.log. 10042 20040404 Texutil symlink vulnerability. 20040404 Texutil symlink vulnerability. texutil-symlink-attack(15728) 1009661 YaST Online Update (YOU) in SuSE 8.2 and 9.0 allows local users to overwrite arbitrary files via a symlink attack on you-$USER/cookies. suse-you-symlink(15731) 10047 4985 1009668 11300 20040405 SuSEs YaST Online Update - possible symlink attack 20040406 Re: SuSEs YaST Online Update - possible symlink attack Heap-based buffer overflow in in_mod.dll in Nullsoft Winamp 2.91 through 5.02 allows remote attackers to execute arbitrary code via a Fasttracker 2 (.xm) mod media file. 10045 http://www.nextgenss.com/advisories/winampheap.txt 11285 20040405 NGSSoftware Insight Security Research Advisory winamp-inmod-bo(15727) 4944 1009660 Administration interface in Monit 1.4 through 4.2 allows remote attackers to cause a denial of service (segmentation fault) by sending a Basic Authentication request without a password, which causes Monit to decrement a null pointer and perform an out-of-bounds read. 10051 11304 20040405 Advisory: Multiple Vulnerabilities in Monit monit-basic-auth-dos(15734) Stack-based buffer overflow in the administration interface in Monit 1.4 through 4.2 allows remote attackers to execute arbitrary code via a long username. 10051 11304 20040405 Advisory: Multiple Vulnerabilities in Monit monit-offbyone-bo(15735) 4981 The administration interface in Monit 1.4 through 4.2 allows remote attackers to cause an off-by-one overflow via a POST that contains 1024 bytes. 10051 20040405 Advisory: Multiple Vulnerabilities in Monit monit-post-offbyone-bo(15736) 11304 4979 Format string vulnerability in the logging function in IGI 2 Covert Strike server 1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in RCON commands. igi2covertstrike-rcon-format-string(15742) 10053 11299 20040405 Format string bug in IGI 2: Covert Strike 1.3 4966 1009667 http://aluigi.altervista.org/adv/igi2fs-adv.txt Portage before 2.0.50-r3 allows local users to overwrite arbitrary files via a hard link attack on the lockfiles. 10060 GLSA-200404-01 11305 portage-lockfile-hardlink(15754) The Citrix MetaFrame Password Manager 2.0, when a central credential store is not configured, does not encrypt passwords entered immediately after executing the First Time User Wizards, which allows local users to gain sensitive information. 10049 http://support.citrix.com/kb/entry.jspa?entryID=4062&categoryID=256 11293 metaframe-wizard-info-disclosure(15737) 20040406 Foundstone Labs Advisory: Citrix MetaFrame Password Manager 2.0 4942 1009659 Buffer overflow in blaxxun 3D 7.0 allows remote attackers to execute arbitrary code via a long URL property inside an object tag. blaxxun-applicationxcc3d-bo(15625) 10064 20040406 blaxxun3D(blaxxun Platform) 7 - Remote Buffer Overflow Buffer overflow in ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to execute arbitrary code via the Internacional property followed by a long string. panda-activescan-ascontrol-bo(15764) 10065 http://theinsider.deep-ice.com/texts/advisory53.txt 11312 20040406 Panda ActiveScan 5.0 - Remote Buffer Overflow and A Crash(D.O.S) ascontrol.dll in Panda ActiveScan 5.0 allows remote attackers to cause a denial of service (crash) by calling the SetSitesFile function. panda-activescan-ascontrol-dos(15831) 10067 http://theinsider.deep-ice.com/texts/advisory53.txt 20040406 Panda ActiveScan 5.0 - Remote Buffer Overflow and A Crash(D.O.S) Mcafee FreeScan allows remote attackers to cause a denial of service and possibly arbitrary code via a long string in the ScanParam property of a COM object, which may trigger a buffer overflow. freescan-mcfscan-bo(15772) 10071 http://theinsider.deep-ice.com/texts/advisory54.txt 11313 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure 20040407 Symantec, McAfee and Panda ActiveX controls 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure The Web Filtering functionality in Kerio Personal Firewall (KPF) 4.0.13 allows remote attackers to cause a denial of service (crash) by sending hex-encoded URLs containing "%13%12%13". kerio-pf-webfilter-dos(15821) 10075 http://www.cipher.org.uk/index.php?p=advisories/HEX-Kerio_Personal_Firewall_Remote_DOS_7-04-2004.advisory 11331 20040407 Kerio Personal Firewall 4.0.13 - Remote DoS (Crash) 20040406 Kerio Personal Firewall 4 and IE 6 "Bug" McFreeScan.CoMcFreeScan.1 ActiveX object in Mcafee FreeScan allows remote attackers to obtain sensitive information via the GetSpecialFolderLocation function with certain parameters. freescan-mcfscan-info-disclosure(15782) 10077 11313 20040407 McAfee Freescan ActiveX Information Disclosure [Additional Details & PoC] 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure 20040407 Symantec, McAfee and Panda ActiveX controls 20040407 Mcafee FreeScan - Remote Buffer Overflow and Private Information Disclosure Claim Anti-Virus (ClamAV) 0.68 and earlier allows remote attackers to cause a denial of service (crash) via certain RAR archives, such as those generated by the Beagle/Bagle worm. 9897 GLSA-200404-07 11177 clam-antivirus-rar-dos(15553) http://freshmeat.net/projects/clamav/?branch_id=29355&release_id=154462 rufsi.dll in Symantec Virus Detection allows remote attackers to cause a denial of service (crash) via a long string to the GetPrivateProfileString function. NOTE: this issue was originally reported as a buffer overflow, but that specific claim is disputed by the vendor, although a crash is acknowledged. symantec-sc-rufsi-bo(15778) 10069 20040408 Re: Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow, Apr 7 20040407 Symantec Virus Detection(Free ActiveX) - Remote Buffer Overflow 20040407 Symantec, McAfee and Panda ActiveX controls Cross-site scripting (XSS) vulnerability in AzDGDatingLite 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the (1) l parameter (aka language variable) to index.php or (2) id parameter to view.php. azdgdating-index-view-xss(15796) 10084 5019 5018 11326 20040408 [waraxe-2004-SA#014 - Cross-Site Scripting aka XSS in AzDGDatingLite] The (1) modules.php, (2) block-Calendar.php, (3) block-Calendar1.php, (4) block-Calendar_center.php scripts in NukeCalendar 1.1.a, as used in PHP-Nuke, allow remote attackers to obtain sensitive information via a URL with an invalid argument, which reveals the full path in an error message. nuke-calendar-path-disclosure(15795) 10082 20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a] Cross-site scripting (XSS) vulnerability in modules.php in NukeCalendar 1.1.a, as used in PHP-Nuke, allows remote attackers to inject arbitrary web script or HTML via the eid parameter. nuke-calendar-modulesphp-xss(15798) 10082 20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a] SQL injection vulnerability in modules.php in NukeCalendar 1.1.a, as used in PHP-Nuke, allows remote attackers to execute arbitrary SQL commands via the eid parameter. nukecalendar-modulesphp-sql-injection(15799) 10082 20040408 [waraxe-2004-SA#015 - Multiple vulnerabilities in NukeCalendar v1.1.a] Buffer overflow in the parse_all_client_messages function in LCDproc 0.4.x up to 0.4.4 allows remote attackers to execute arbitrary code via a large number of arguments. lcdproc-parseallclientmessages-bo(15803) 10085 GLSA-200404-19 11333 20040408 PSR - #2004-001 Remote - LCDProc http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html Multiple buffer overflows in LCDProc 0.4.1, and possibly other 0.4.x versions up to 0.4.4, allows remote attackers to execute arbitrary code via (1) a long invalid command to parse_all_client_messages function, or (2) long argv command to test_func_func function. 10085 11333 lcdproc-testfuncfunc-bo(15814) GLSA-200404-19 20040408 PSR - #2004-002 Remote - LCDProc http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html Format string vulnerability in test_func_func in LCDProc 0.4.1 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the str variable. 10085 GLSA-200404-19 11333 lcdproc-testfuncfunc-format-string(15817) 20040408 PSR - #2004-002 Remote - LCDProc http://lists.omnipotent.net/pipermail/lcdproc/2004-April/008884.html RSniff 1.0 allows remote attackers to cause a denial of service (connection exhaustion) via a large number of connections with a command other than AUTHENTICATE, or without any data, which prevents the socket from being closed properly. 10093 rsniff-connection-dos(15823) 11339 http://aluigi.altervista.org/adv/rsniff-adv.txt 20040409 DoS in Rsniff 1.0 The hash_strcmp function in hasch.c in Crackalaka 1.0.8 allows remote attackers to cause a denial of service (crash) via large malformed strings. crackalaka-hashstrcmp-dos(15824) 10092 11340 20040409 DoS in Crackalaka 1.0.8 X-Micro WLAN 11b Broadband Router 1.2.2, 1.2.2.3, 1.2.2.4, and 1.6.0.0 has a hardcoded "super" username and password, which could allow remote attackers to gain access. 10095 20040410 Backdoor in X-Micro WLAN 11b Broadband Router xmicro-router-default-account(15829) 11342 X-Micro WLAN 11b Broadband Router 1.6.0.1 has a hardcoded "1502" username and password, which could allow remote attackers to gain access. xmicro-router-default-login(15890) 10095 20040416 NEW backdoor in X-Micro WLAN 11b Broadband Router 11342 20040416 Re: Backdoor in X-Micro WLAN 11b Broadband Router Microsoft Internet Explorer 5.5 and 6.0 allocates memory based on the memory size written in the BMP file instead of the actual BMP file size, which allows remote attackers to cause a denial of service (memory consumption) via a small BMP file with has a large memory size. 20040411 Microsoft Internet Explorer BMP file memory DoS vulnerability Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to gain sensitive information via a direct request to (1) banner_click.php, (2) categorize.php, (3) tiki-admin_include_directory.php, (4) tiki-directory_search.php, which reveal the web server path in an error message. tikiwiki-path-disclosure(15847) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] 11344 Multiple cross-site scripting (XSS) vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to inject arbitrary web script or HTML via via the (1) theme parameter to tiki-switch_theme.php, (2) find and priority parameters to messu-mailbox.php, (3) flag, priority, flagval, sort_mode, or find parameters to messu-read.php, (4) articleId parameter to tiki-read_article.php, (5) parentId parameter to tiki-browse_categories.php, (6) comments_threshold parameter to tiki-index.php (7) articleId parameter to tiki-print_article.php, (8) galleryId parameter to tiki-list_file_gallery.php, (9) galleryId parameter to tiki-upload_file.php, (10) faqId parameter to tiki-view_faq.php, (11) chartId parameter to tiki-view_chart.php, or (12) surveyId parameter to tiki-survey_stats_survey.php. tikiwiki-xss(15846) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] Multiple SQL injection vulnerabilities in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allow remote attackers to execute arbitrary SQL commands via the sort_mode parameter in (1) tiki-usermenu.php, (2) tiki-list_file_gallery.php, (3) tiki-directory_ranking.php, (4) tiki-browse_categories.php, (5) tiki-index.php, (6) tiki-user_tasks.php, (7) tiki-directory_ranking.php, (8) tiki-directory_search.php, (9) tiki-file_galleries.php, (10) tiki-list_faqs.php, (11) tiki-list_trackers.php, (12) tiki-list_blogs.php, or via the offset parameter in (13) tiki-usermenu.php, (14) tiki-browse_categories.php, (15) tiki-index.php, (16) tiki-user_tasks.php, (17) tiki-list_faqs.php, (18) tiki-list_trackers.php, or (19) tiki-list_blogs.php. tikiwiki-sql-injection(15845) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040411 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to inject arbitrary code via the (1) Theme, (2) Country, (3) Real Name, or (4) Displayed time zone fields in a User Profile, or the (5) Name, (6) Description, (7) URL, or (8) Country fields in a Directory/Add Site operation. 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] Directory traversal vulnerability in the map feature (tiki-map.phtml) in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to determine the existence of arbitrary files via .. (dot dot) sequences in the mapfile parameter. tikiwiki-tikimap-file-disclosure(15848) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] The image upload feature in Tiki CMS/Groupware (TikiWiki) 1.8.1 and earlier allows remote attackers to upload and possibly execute arbitrary files via the img/wiki_up URL. tikiwiki-file-upload(15849) 10100 http://tikiwiki.org/tiki-read_article.php?articleId=66 11344 20040412 Multiple Vulnerabilities In Tiki CMS/Groupware [ TikiWiki ] SQL injection vulnerability in the bblogin function in functions.php in PHP-Nuke 6.x through 7.2 allows remote attackers to bypass authentication and gain access by injecting base64-encoded SQL code into the user parameter. phpnuke-bypass-authentication(15839) http://www.waraxe.us/index.php?modname=sa&id=17 10135 11347 20040412 [waraxe-2004-SA#017 - User-level authentication bypass in phpnuke 6.x-7.2] Cross-site scripting (XSS) vulnerability in the cookiedecode function in mainfile.php for PHP-Nuke 6.x through 7.2, when themes are used, allows remote attackers to inject arbitrary web script or HTML via a base64-encoded user parameter or cookie. phpnuke-cookiedecode-xss(15842) http://www.waraxe.us/index.php?modname=sa&id=16 10128 11347 20040412 [waraxe-2004-SA#016 - Cross-Site Scripting aka XSS in phpnuke 6.x-7.2 part 3] SQL injection vulnerability in (1) auth.php and (2) admin.php in PHP-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL code and create an administrator account via base64-encoded SQL in the admin parameter. phpnuke-admin-bypass-authentication(15835) http://www.waraxe.us/index.php?modname=sa&id=18 20040412 [waraxe-2004-SA#018 - Admin-level authentication bypass in phpnuke 6.x-7.2] Citadel/UX 5.00 through 6.14 installs the database directory and files with world-read permissions, which could allow local users to bypass access controls and read unauthorized messages. citadel-database-insecure-permissions(15850) 10102 20040412 Citadel/UX 6.20 fixes local permissions vulnerability PHP remote file inclusion vulnerability in affich.php in Gemitel 3.50 allows remote attackers to execute arbitrary PHP code via the base parameter. 10156 20040415 Include vulnerability in GEMITEL v 3.50 gemitel-spturnphpfile-include(15887) 5396 1009824 11393 Cross-site scripting (XSS) vulnerability in SCT Campus Pipeline allows remote attackers to inject arbitrary web script or HTML via onload, onmouseover, and other Javascript events in an e-mail attachment. 10154 11396 sct-campus-attachment-xss(15878) 20040415 SCT javascript execution vulnerability ZoneAlarm Pro 4.5.538.001 and possibly other versions allows remote attackers to bypass e-mail protection via attachments whose names contain certain non-English characters. zonealarm-email-bypass-security(15884) 10148 20040420 Re: ZA Security Hole 20040414 ZA Security Hole Multiple directory traversal vulnerabilities in Nuked-KlaN 1.4b and 1.5b allow remote attackers to read or include arbitrary files via .. sequences in (1) the user_langue parameter to index.php or (2) the langue parameter to update.php, or modify arbitrary GLOBAL variables by causing globals.php to be loaded before conf.inc.php via (3) .. sequences in the file parameter with the page parameter set to globals, or (4) ../globals.php in the user_langue parameter, as demonstrated by modifying $nuked[prefix] in the Suggest module. 10104 http://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt nuked-klan-configurtion-corruption(15844) nuked-klan-file-include(15843) 11341 20040417 [SCSA-028] Nuked-Klan Multiple Vulnerabilities SQL injection vulnerability in userlogin.php in Phorum 3.4.7 allows remote attackers to execute arbitrary SQL commands via doubly hex-encoded characters such as "%2527", which is translated to "'", as demonstrated using the phorum_uriauth parameter to list.php. 10173 11407 phorum-userlogin-sql-injection(15894) http://www.waraxe.us/index.php?modname=sa&id=19 20040419 [waraxe-2004-SA#019 - Critical sql injection bug in Phorum 3.4.7] Cross-site scripting (XSS) vulnerability in Zaep AntiSpam 2.0 allows remote attackers to inject arbitrary web script or HTML via double encoded slashes (%252F) in the key parameter. zaep-antispam-xss(15858) 10139 http://www.securiteam.com/windowsntfocus/5EP0I15CKK.html 11388 20040419 Zaep AntiSpam Cross Site Scripting sipclient.cpp in KPhone 4.0.1 and earlier allows remote attackers to cause a denial of service (crash) via a STUN response packet with a large attrLen value that causes an out-of-bounds read. http://www.wirlab.net/kphone/changes-4.0.2.html 10159 kphone-stun-dos(15874) http://www.securiteam.com/unixfocus/5PP0B1FCLY.html 20040419 KPhone STUN DoS (Malformed STUN Packets) Fastream NETFile FTP/Web Server 6.5.1.980 allows remote attackers to cause a denial of service via a username that does not exist. fastream-user-pass-dos(15899) 10169 11428 http://www.autistici.org/fdonato/advisory/FastreamNETFileFWServer6.5.1.980-adv.txt 20040419 DoS in NETFile FTP/Web Server 5548 1009868 The Solaris 9 patches 113579-02 through 113579-05, and 114342-02 through 114342-05, prevent ypserv and ypxfrd from properly restricting access to secure NIS maps, which allows local users to use ypcat or ypmatch to extract the contents of a secure map such as passwd.adjunct.byname. 10261 O-144 57554 solaris-nis-unauth-privileges(15908) 20040419 Solaris 9 patch 113579-03 introduces a NIS security bug PHP remote file inclusion vulnerability in album_portal.php in phpBB modified by Przemo 1.8 allows remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter. 10177 phpbb-albumportal-file-include(15916) 20040419 phpBB modified by Przemo arbitary code execution Eudora 6.1 and 6.0.3 for Windows allows remote attackers to cause a denial of service (crash) via a deeply nested multipart MIME message. eudora-mime-message-dos(15857) 10137 11360 20040419 Eudora 6.1 is evil 20040414 Eudora 6.0.3 nested MIME DoS Buffer overflow in Kinesphere eXchange POP3 allows remote attackers to execute arbitrary code via a long MAIL FROM field. 10180 11449 exchange-pop3-smtp-bo(15922) 1009882 20040527 Re: Exchange pop3 remote exploit 20040419 Exchange pop3 remote exploit 5593 Format string vulnerability in the PRINT_ERROR function in common.c for Cherokee Web Server 0.4.16 and earlier allows local users to execute arbitrary code via format string specifiers in the -C command line argument. NOTE: it is not clear whether this issue could be exploited remotely, or if Cherokee is running at escalated privileges. Therefore it might not be a vulnerability. cherokee-printerror-format-string(15924) http://www.nosystem.com.ar/advisories/advisory-03.txt 20040420 Format String in Cherokee The AVXSCANONLINE.AvxScanOnlineCtrl.1 ActiveX control in BitDefender Scan Online allows remote attackers to (1) obtain sensitive information such as system drives and contents or (2) use the RequestFile method to download and execute arbitrary code via an object codebase that uses bitdefender.cab. bitdefender-avxscanonline-code-execution(15911) 10175 11427 20040420 Re: BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure 20040419 BitDefender Scan Online(ActiveX) - Remote File Download & Execute & Private Information Disclosure 10174 5549 1009862 NcFTP client 3.1.6 and 3.1.7, when the username and password are included in an FTP URL that is provided on the command line, allows local users to obtain sensitive information via "ps aux," which displays the URL in the process list. ncftp-info-disclosure(15919) 10182 11438 20040419 NcFTP - password leaking 5595 SQL injection vulnerability in PostNuke 7.2.6 and earlier allows remote attackers to execute arbitrary SQL via (1) the sif parameter to index.php in the Comments module or (2) timezoneoffset parameter to changeinfo.php in the Your_Account module. 10146 postnuke-changeinfo-sql-injection(15875) postnuke-indexphp-sql-injection(15869) 5369 5368 1009801 11386 http://news.postnuke.com/Article2580.html 20040420 [PNSA 2004-2] PostNuke Security Advisory PNSA 2004-2 20040414 [SCAN Associates Sdn Bhd Security Advisory] Postnuke v 0.726 and below SQL injection phpBB 2.0.8a and earlier trusts the IP address that is in the X-Forwarded-For in the HTTP header, which allows remote attackers to spoof IP addresses. phbb-common-ip-spoofing(15909) 10170 11434 20040419 Re: phpBB 2.0.8a and lower - IP spoofing vulnerability 20040419 phpBB 2.0.8a and lower - IP spoofing vulnerability xine 1.x alpha, 1.x beta, and 1.0rc through 1.0rc3a, and xine-ui 0.9.21 to 0.9.23 allows remote attackers to overwrite arbitrary files via the (1) audio.sun_audio_device or (2) dxr3.devicename options in an MRL link. 10193 GLSA-200404-20 xine-mrl-file-overwrite(15939) http://www.xinehq.de/index.php/security/XSA-2004-2 http://www.xinehq.de/index.php/security/XSA-2004-1 SSA:2004-111 11433 5739 5594 SQL injection vulnerability in Advanced Guestbook 2.2 allows remote attackers to execute arbitrary SQL commands and gain privileges via the password. advancedguestbook-sql-injection(15892) 10209 20040421 Advanced Guestbook 2.2 -- SQL Injection Exploit 20050212 Re: Advanced Guestbook 2.2 -- SQL Injection Exploit phProfession 2.5 allows remote attackers to gain sensitive information via a direct HTTP request to upload.php, which reveals the path in a PHP error message. phprofession-upload-path-disclosure(15930) http://www.waraxe.us/index.php?modname=sa&id=21 10190 5623 11465 20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke] Cross-site scripting (XSS) vulnerability in modules.php in phProfession 2.5 allows remote attackers to inject arbitrary web script or HTML via the jcode parameter. phprofession-jcode-xss(15931) http://www.waraxe.us/index.php?modname=sa&id=21 10190 5624 11465 20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke] SQL injection vulnerability in modules.php in phProfession 2.5 allows remote attackers to execute arbitrary SQL code via the offset parameter. phprofession-offset-sql-injection(15932) http://www.waraxe.us/index.php?modname=sa&id=21 10190 5625 11465 20040421 [waraxe-2004-SA#021 - Multiple vulnerabilities in phprofession 2.5 module for PostNuke] PostNuke 0.7.2.6 allows remote attackers to gain information via a direct HTTP request to files in the (1) includes/blocks directory, (2) pnadodb directory, (3) NS-NewUser module, (4) NS-Your_Account, (5) NS-LostPassword module, or (6) NS-User module which reveals the path to the web server in a PHP error message. postnuke-scripts-modules-path-disclosure(15933) http://www.waraxe.us/index.php?modname=sa&id=22 10191 20040421 [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2] Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.726 allows remote attackers to inject arbitrary web script or HTML via the (1) lid and query parameters to the Downloads module, (2) query parameter to the Web_links module, or (3) hlpfile parameter to openwindow.php. postnuke-openwindow-xss(15934) http://www.waraxe.us/index.php?modname=sa&id=22 10191 20040421 [waraxe-2004-SA#022 - Multiple vulnerabilities in PostNuke 0.726 Phoenix - part 2] Directory traversal vulnerability in manifest.ini in Unreal engine allows remote attackers to overwrite arbitrary files via .. (dot dot) sequences in a UMOD (Unreal MOD) file. unreal-umod-dotdot-file-overwrite(15942) 10196 http://aluigi.altervista.org/adv/umod-adv.txt 20040422 Arbitrary file overwriting in Unreal engine through UMOD blocker_query.php in Protector System 1.15b1 for PHP-Nuke allows remote attackers to gain sensitive information via a string in the portNum parameter, which reveals the full path in an error message. 10206 protector-blockerquery-path-disclosure(15963) http://www.waraxe.us/index.php?modname=sa&id=25 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] Cross-site scripting (XSS) vulnerability in blocker_query.php in Protector System 1.15b1 allows remote attackers to inject arbitrary web script or HTML via the (1) target or (2) portNum parameters. 10206 protector-blockerquery-xss(15965) http://www.waraxe.us/index.php?modname=sa&id=25 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] blocker.php in Protector System 1.15b1 allows remote attackers to bypass SQL injection protection and execute limited SQL commands via URL-encoded "'" characters ("%27"). http://www.waraxe.us/index.php?modname=sa&id=25 10206 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] SQL injection vulnerability in index.php in Protector System 1.15b1 allows remote attackers to bypass SQL injection filters by using "/**/" sequences in the targeted fields. 10206 protector-sql-filter-bypass(15969) http://www.waraxe.us/index.php?modname=sa&id=25 20040423 [waraxe-2004-SA#025 - Multiple vulnerabilities in Protector for PhpNuke] nqt.php in Network Query Tool (NQT) 1.6 allows remote attackers to obtain sensitive information via a string in the portNum parameter, which reveals the full path in an error message. nqt-nqtphp-path-disclosure(15957) http://www.waraxe.us/index.php?modname=sa&id=24 11479 20040423 [waraxe-2004-SA#024 - XSS and full path disclosure in Network Query Tool 1.6] Cross-site scripting (XSS) vulnerability in nqt.php in Network Query Tool (NQT) 1.6 allows remote attackers to inject arbitrary web script or HTML via the portNum parameter. nqt-nqtphp-xss(15929) http://www.waraxe.us/index.php?modname=sa&id=24 10205 11479 20040423 [waraxe-2004-SA#024 - XSS and full path disclosure in Network Query Tool 1.6] Multiple cross-site scripting (XSS) vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) redirect parameter to member.php, (2) to parameter to myhome.php (3) TID parameter to post.php, or (4) redirect parameter to index.php. openbb-multiple-scripts-xss(15966) 10214 1009935 11481 20040425 Multiple Vulnerabilities In OpenBB Multiple SQL injection vulnerabilities in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) FID parameter in board.php, (2) sortorder, perpage, or id parameters in member.php, (3) forums parameter in search.php, or (4) PID or FID parameters in post.php. openbb-multiplescripts-sql-injection(15964) 10214 1009935 11481 20040425 Multiple Vulnerabilities In OpenBB Cross-site request forgery (CSRF) vulnerabilities in (1) cp_forums.php, (2) cp_usergroup.php, (3) cp_ipbans.php, (4) myhome.php, (5) post.php, or (6) moderator.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allow remote attackers to execute arbitrary code by including the code in an image tag or a link. openbb-tags-execute-code(15967) 1009935 11481 20040425 Multiple Vulnerabilities In OpenBB The readmsg action in myhome.php in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to read arbitrary messages by modifying the id parameter. openbb-myhomephp-obtain-information(15970) 10217 1009935 11481 20040425 Multiple Vulnerabilities In OpenBB The avatar upload capability in Open Bulletin Board (OpenBB) 1.0.6 and earlier allows remote attackers to execute arbitrary script by uploading files that include scripting code such as Javascript. openbb-file-upload(15971) 10218 1009935 11481 20040425 Multiple Vulnerabilities In OpenBB Samsung SmartEther SS6215S switch, and possibly other Samsung switches, allows remote attackers and local users to gain administrative access by providing the admin username followed by a password that is the maximum allowed length, then pressing the enter key after the resulting error message. samsung-smartether-admin-access(15973) 10219 20040426 Samsung SmartEther SS6215S Switch modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to gain sensitive information via an HTTP request with an invalid (1) catid or (2) clipid parameter, which reveals the full path in an error message. video-gallery-error-path-disclosure(15978) 20040426 Multiple vulnerabilities PHP-Nuke Video Gallery Module for PHP-Nuke SQL injection vulnerability in modules.php in PHP-Nuke Video Gallery Module 0.1 Beta 5 allows remote attackers to execute arbitrary SQL code via the (1) clipid or (2) catid parameters in a viewclip, viewcat, or voteclip action. video-gallery-sql-injection(15979) 10215 20040426 Multiple vulnerabilities PHP-Nuke Video Gallery Module for PHP-Nuke DiGi Web Server allows remote attackers to cause a denial of service (CPU consumption) via an HTTP GET request that contains a large number of / (slash) characters, which consumes resources when DiGi converts the slashes to \ (backslash) characters. digi-www-slash-dos(15987) 10228 5702 http://sourceforge.net/project/shownotes.php?release_id=234261 11490 http://www.autistici.org/fdonato/advisory/DiGiWwwServerC1-adv.txt 20040427 resources consumption in DiGi WWW Server 1009957 paFileDB 3.1 allows remote attackers to gain sensitive information via a direct request to (1) login.php, (2) category.php, (3) search.php, (4) main.php, (5) viewall.php, (6) download.php, (7) email.php, (8) file.php, (9) rate.php, or (10) stats.php, which reveals the path in an error message. pafiledb-loginphp-path-disclosure(15990) 20040427 Multiple vulnerabilities paFileDB Cross-site scripting (XSS) vulnerability in the category module in pafiledb.php for paFileDB 3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter, a vulnerability that is closely related to CVE-2004-1551. pafiledb-pafiledbphp-xss(15992) 10229 20040925 New XSS vulnerabilities in paFileDB 3.1 final 20040427 Multiple vulnerabilities paFileDB SMC Barricade broadband router 7008ABR and 7004VBR enable remote administration by default, which allows remote attackers to gain access by connecting to port 1900. barricade-router-gain-access(15993) 10232 20040605 SMC 7008ABRv2 and 7004VBRv1 updated firmware corrects port 1900 issue. 20040428 SMC Routers have remote administration enabled by default 20040427 SMC Routers have remote administration enabled by default 3com NBX IP VOIP NetSet Configuration Manager allows remote attackers to cause a denial of service (crash) via a Nessus scan in safeChecks mode. 3com-nbx-scan-dos(16015) 10240 11504 20040429 3com NBX VOIP NetSet Denial of Service Attack Cross-site scripting (XSS) vulnerability in help.php in Moodle before 1.3 allows remote attackers to inject arbitrary HTML and web script via the text parameter. moodle-help-xss(16023) 10251 11535 20040430 Cross Site Scripting in Moodle < 1.3 5747 1010008 Cross-site scripting (XSS) vulnerability in do_search.php in PROPS 0.6.1 allows remote attackers to inject arbitrary HTML or web script via the search_string parameter. props-dosearch-xss(16035) 10258 http://sourceforge.net/project/shownotes.php?group_id=29581&release_id=234433 20040501 Props 0.6.1 XSS and Remote File Viewing Vulnerability Directory traversal vulnerability in glossary.php in PROPS 0.6.1 allows remote attackers to view arbitrary files via a .. (dot dot) in (1) module or (2) format variables. props-glossary-obtain-information(16036) http://sourceforge.net/project/shownotes.php?group_id=29581&release_id=234433 20040501 Props 0.6.1 XSS and Remote File Viewing Vulnerability The web interface for Crystal Reports allows remote attackers to cause a denial of service (disk exhaustion) by repeatedly requesting reports without retrieving the associated image files, which are not cleared from the image file folder. 20040608 Vulnerability: Arbitrary File Access & DoS in Crystal Reports 20040502 Crystal Reports Vulnerabilities Post.pl in YaBB 1 Gold SP 1.2 allows remote attackers to modify records in the board's .txt file via carriage return characters in the subject field. yabb-subject-modify-file(16050) 10263 12609 20040502 Vulnerability in YaBB forum (Perl version without SQL) http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 The arch_get_unmapped_area function in mmap.c in the PaX patches for Linux kernel 2.6, when Address Space Layout Randomization (ASLR) is enabled, allows local users to cause a denial of service (infinite loop) via unknown attack vectors. pax-aslr-enabled-dos(16037) 10264 http://pax.grsecurity.net/ 20040502 PaX Linux Kernel 2.6 Patches DoS Advisory GLSA-200407-02 20040509 PaX DoS proof-of-concept Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) phpinfo.php, (2) addpic.php, (3) config.php, (4) db_input.php, (5) displayecard.php, (6) ecard.php, (7) crop.inc.php, which reveal the full path in a PHP error message. coppermine-multiple-path-disclosure(16039) http://www.waraxe.us/index.php?modname=sa&id=26 11524 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 6500 6499 6498 6497 6496 6495 5756 1010001 Cross-site scripting (XSS) vulnerability in menu.inc.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to inject arbitrary HTML or web script via the CPG_URL parameter. coppermine-menuincpho-xss(16040) http://www.waraxe.us/index.php?modname=sa&id=26 10253 11524 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 5757 Directory traversal vulnerability in modules.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to read arbitrary files via a .. (dot dot) in the startdir parameter. coppermine-modulesphp-directory-traversal(16042) http://www.waraxe.us/index.php?modname=sa&id=26 10253 11524 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 5758 1010001 picmgmtbatch.inc.php in Coppermine Photo Gallery 1.2.2b and 1.2.0 RC4 allows remote attackers with administrative privileges to execute arbitrary commands via shell metacharacters in the (1) $CONFIG['impath'] or (2) $CONFIG['jpeg_qual'] parameters. coppermine-parameters-execute-commands(16043) http://www.waraxe.us/index.php?modname=sa&id=26 10253 11524 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] 5759 1010001 PHP remote file inclusion vulnerability in init.inc.php in Coppermine Photo Gallery 1.2.0 RC4 allows remote attackers to execute arbitrary PHP code by modifying the CPG_M_DIR to reference a URL on a remote web server that contains functions.inc.php. coppermine-multiple-file-include(16041) http://www.waraxe.us/index.php?modname=sa&id=26 10253 5761 1010001 11524 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] PHP remote file inclusion vulnerability in theme.php in Coppermine Photo Gallery 1.2.2b allows remote attackers to execute arbitrary PHP code by modifying the THEME_DIR parameter to reference a URL on a remote web server that contains user_list_info_box.inc. coppermine-multiple-file-include(16041) http://www.waraxe.us/index.php?modname=sa&id=26 10253 5912 1010001 11524 20040502 [waraxe-2004-SA#026 - Multiple vulnerabilities in Coppermine Photo Gallery for PhpNuke] Aldo's Web Server (aweb) 1.5 allows remote attackers to gain sensitive information via an arbitrary character, which reveals the full path and the user running the aweb process, possibly due to a malformed request. aweb-path-disclosure(16047) 10262 http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt 11542 20040503 Multible_Vulnerabilites_in_Aldos_Webserver 5880 Directory traversal vulnerability in Aldo's Web Server (aweb) 1.5 allows remote attackers to view arbitrary files via a .. (dot dot) in an HTTP GET request. aweb-dotdot-directory-traversal(16048) 10262 http://www.oliverkarow.de/research/AldosWebserverMultipleVulns.txt 11542 20040503 Multible_Vulnerabilites_in_Aldos_Webserver 5881 Buffer overflow in Serv-U FTP server before 5.0.0.6 allows remote attackers to cause a denial of service (crash) via a long -l parameter, which triggers an out-of-bounds read. servu-list-command-bo(15913) 11430 10181 http://www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html 5546 1009869 20040503 Serv-U LIST -l Parameter Buffer Overflow 20040503 Serv-U LIST -l Parameter Buffer Overflow The patch to the checklogin function in omail.pl for omail webmail 0.98.5 is incomplete, which allows remote attackers to execute arbitrary commands via shell metacharacters such as "`" (backticks) in the password. omailwebmail-checklogin-code-execution(12948) 10274 9585 20040504 remote root exec vulnerability in omail FuseTalk 4.0 allows remote attackers to ban other users via a direct request to banning.cfm. fusetalk-banning-unauth-access(16081) 10278 11555 20040505 Fuse Talk Vunerabilities 5894 Cross-Site Request Forgery (CSRF) vulnerability in FuseTalk 2.0 allows remote attackers to create arbitrary accounts via a link to adduser.cfm. fusetalk-get-add-users(16080) 10276 11555 20040505 Fuse Talk Vunerabilities 5895 1010080 Cross-site scripting (XSS) vulnerability in Simple Machines Forum (SMF) 1.0 allows remote attackers to inject arbitrary web script via the size tag. smf-size-html-injection(16067) 10281 20040505 SMF SIZE Tag Script Injection Vulnerability Kolab stores OpenLDAP passwords in plaintext in the slapd.conf file, which may be installed world-readable, which allows local users to gain privileges. kolab-root-password-plaintext(16068) 10277 11560 OpenPKG-SA-2004.019 [kolab-users] 20040420 Possible Kolab LDAP configuration information disclosure 5898 MDKSA-2004:052 http://www.erfrakon.de/projects/kolab/download/kolab-server-1.0/src/Changelog The Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to gain sensitive information via an invalid show parameter to modules.php, which reveals the full path in a PHP error message. http://www.waraxe.us/index.php?modname=sa&id=27 20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2] Cross-site scripting (XSS) vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to inject arbitrary HTML and web script via the (1) ttitle or (2) sid parameters to modules.php. phpnuke-ttitle-sid-xss(16073) http://www.waraxe.us/index.php?modname=sa&id=27 11553 20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2] SQL injection vulnerability in the Downloads module in Php-Nuke 6.x through 7.2 allows remote attackers to execute arbitrary SQL via the (1) orderby or (2) sid parameters to modules.php. phpnuke-orderby-sid-sql-injection(16074) http://www.waraxe.us/index.php?modname=sa&id=27 10282 11553 52223 20040505 [waraxe-2004-SA#027 - Once again - critical vulnerabilities in PhpNuke 6.x - 7.2] 27932 20080221 PHP-Nuke Module Downloads SQL Injection(sid) ifconfig "-arp" in SGI IRIX 6.5 through 6.5.22m does not properly disable ARP requests from being sent or received. 10289 20040502-01-P Unknown vulnerability in SGI IRIX 6.5 through 6.5.22m allows remote attackers to cause a denial of service via a certain UDP packet. 20040502-01-P 10287 irix-udp-dos(16158) Buffer overflow in the ssl_prcert function in the SSLway filter (sslway.c) for DeleGate 8.9.2 and earlier allows remote attackers to execute arbitrary code via a certificate with a long (1) subject or (2) issuer name field. 10295 11569 20040506 [0xbadc0ded #03] DeleGate (SSL-filter) <= 8.9.2 delegate-sslway-bo(16078) 5945 The Live CD in SUSE LINUX 9.1 Personal edition is configured without a password for root, which allows remote attackers to gain privileges via SSH. 10297 livecd-ssh-gain-access(16084) Buffer overflow in Eudora for Windows 5.2.1, 6.0.3, and 6.1 allows remote attackers to execute arbitrary code via an e-mail with (1) a link to a long URL to the C drive or (2) a long attachment name. 10298 11568 eudora-long-url-bo(16086) http://www.eudora.com/download/eudora/windows/6.1.1/RelNotes.txt 20040507 Eudora file URL buffer overflow Trend Micro OfficeScan 3.0 - 6.0 has default permissions of "Everyone Full Control" on the installation directory and registry keys, which allows local users to disable virus protection. officescan-configuration-modify(16092) 11576 10300 5990 20040507 Security issue with Trend OfficeScan Corporate Edition Cross-site scripting (XSS) vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to inject arbitrary HTML or web script via the (1) cat parameter in a CatView function or (2) jokeid parameter in a JokeView function. nukejokes-modules-xss(16096) 10306 20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke] SQL injection vulnerability in modules.php in NukeJokes 1.7 and 2 Beta allows remote attackers to execute arbitrary SQL via the jokeid parameter. nukejokes-sql-injection(16099) http://www.waraxe.us/index.php?modname=sa&id=28 10306 11579 20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke] NukeJokes 1.7 and 2 Beta allows remote attackers to obtain the full path of the server via (1) a direct call to mainfunctions.php, (2) an invalid jokeid parameter in a JokeView function or (3) an invalid cat parameter in a CatView function, which reveals the path in a PHP error message. nukejokes-multiple-path-disclosure(16094) 20040508 [waraxe-2004-SA#028 - Multiple vulnerabilities in NukeJokes module for PhpNuke] PHP remote file inclusion vulnerability in index.php in phpShop 0.7.1 and earlier allows remote attackers to execute arbitrary PHP code by modifying the base_dir parameter to reference a URL on a remote web server that contains phpshop.cfg. 11587 phpshop-basedir-file-include(16107) 10313 http://www.fribble.net/advisories/phpshop_29-04-04.txt 20040509 Arbitrary code inclusion in phpShop msxml3.dll in Internet Explorer 6.0.2600.0 allows remote attackers to cause a denial of service (crash) via a single & (ampersand) in a <Ref href> link, which triggers a parsing error, possibly due to missing portions of the URI. msxml3-ampersand-dos(16112) 20040510 msxml3.dll Parsing Error Crashes Internet Explorer Remotely Upon Refresh The systrace_exit function in the systrace utility for NetBSD-current and 2.0 before April 16, 2004, and certain FreeBSD ports, does not verify the owner of the /dec/systrace connection before setting euid to 0, which allows local users to gain root privileges. systrace-gain-privileges(16110) 10320 11585 20040510 Advisory 04/2004: Net(Free)BSD Systrace local root vulnerabilitiy Integer overflow in the SCTP_SOCKOPT_DEBUG_NAME SCTP socket option in socket.c in the Linux kernel 2.4.25 and earlier allows local users to execute arbitrary code via an optlen value of -1, which causes kmalloc to allocate 0 bytes of memory. 2004-0029 20040511 Linux Kernel sctp_setsockopt() Integer Overflow linux-sctpsetsockopt-integer-bo(16117) 10326 Wget 1.9 and 1.9.1 allows local users to overwrite arbitrary files via a symlink attack on the name of the file being downloaded. wget-lock-race-condition(16167) 10361 oval:org.mitre.oval:def:9830 [wget] 20040517 Re: Wget race condition vulnerability (fwd) [wget] 20040517 Wget race condition vulnerability (fwd) 20040516 Wget race condition vulnerability USN-145-1 RHSA-2005:771 MDKSA-2005:204 17399 Cross-site scripting (XSS) vulnerability in WebCT Campus Edition allows remote attackers to inject arbitrary HTML or web script via (1) iframe, (2) img, or (3) object tags. webct-iframe-img-tags-xss(16156) 10357 20040517 WebCT: Cross Site Scripting Vulnerability 20040516 WebCT: Cross Site Scripting Vulnerability Stack-based buffer overflow in the HTTP server in NetChat 7.3 and earlier allows remote attackers to execute arbitrary code via a long GET request. 10353 11637 netchat-sprintf-bo(16165) 20040517 NetChat HTTP Server Stack Overflow Multiple cross-site scripting (XSS) vulnerabilities in Turbo Traffic Trader C (TTT-C) 1.0 allow remote attackers to inject arbitrary HTML or web script, as demonstrated via (1) the link parameter to ttt-out, (2) the X-Forwarded-For header in a GET request to ttt-in, (3) the Referer header in a GET request to ttt-in, or the (4) site name or (5) site URL fields in the main control panel. turbotraffictraderc-multiple-xss(16164) 10359 11623 20040517 Multiple TTT-C XSS vulnerabilities 6344 6343 6342 6341 6340 6339 PHP remote file inclusion vulnerability in index.php in Php-Nuke 6.x through 7.3 allows remote attackers to execute arbitrary PHP code by modifying the modpath parameter to reference a URL on a remote web server that contains the code. phpnuke-modpath-file-include(16218) http://www.waraxe.us/index.php?modname=sa&id=29 10365 6222 11625 20040517 [waraxe-2004-SA#029 - Possible remote file inclusion in PhpNuke 6.x - 7.3] 20040517 [waraxe-2004-SA#029 - Possible remote file inclusion in PhpNuke 6.x - 7.3] The WebLinks module in Php-Nuke 6.x through 7.3 allows remote attackers to obtain sensitive information via an invalid show parameter, which displays the full path in a PHP error message. phpnuke-show-weblink-path-disclosure(16170) http://www.waraxe.us/index.php?modname=sa&id=29 10367 11625 20040517 [waraxe-2004-SA#030 - Multiple vulnerabilities in PhpNuke 6.x - 7.3] Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 6.x through 7.3 allow remote attackers inject arbitrary HTML or web script into the (1) optionbox parameter in the News module, (2) date parameter in the Statistics module, (3) year, month, and month_1 parameters in the Stories_Archive module, (4) mode, order, and thold parameters in the Surveys module, or (5) a SQL statement to index.php, as processed by mainfile.php. phpnuke-multi-xss(16172) http://www.waraxe.us/index.php?modname=sa&id=29 10367 11625 20040517 [waraxe-2004-SA#030 - Multiple vulnerabilities in PhpNuke 6.x - 7.3] 6226 6225 Directory traversal vulnerability in file_manager.php in osCommerce 2.2 allows remote attackers to view arbitrary files via a .. (dot dot) in the filename argument. oscommerce-dotdot-directory-traversal(16174) 10364 11624 20040517 oscommerce 2.2 file_manager.php file browsing 6308 http://www.excluded.org/advisories/advisory13.txt 1010176 20050322 osCommerce File Manager Directory Traversal Vulnerability ActivePerl 5.8.x and others, and Larry Wall's Perl 5.6.1 and others, when running on Windows systems, allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the system command, which leads to a stack-based buffer overflow. NOTE: it is unclear whether this bug is in Perl or the OS API that is used by Perl. perl-system-bo(16169) 10375 http://www.perlmonks.org/index.pl?node_id=354145 http://www.oliverkarow.de/research/ActivePerlSystemBOF.txt 20040518 Re: Buffer Overflow in ActivePerl ? 20040517 RE: Buffer Overflow in ActivePerl ? 20040517 Buffer Overflow in ActivePerl ? 20040518 RE: [Full-Disclosure] Re: Buffer Overflow in ActivePerl ? 20040518 Re[2]: [Full-Disclosure] Buffer Overflow in ActivePerl ? SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 before patch 1, and possibly other versions allows remote attackers to execute arbitrary SQL via the (1) admin_name or (2) admin_pass parameters. zencart-login-sql-injection(16176) http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD 11649 http://www.zen-cart.com/modules/ipb/index.php?showtopic=4835 10378 1010172 20040518 Zen Cart login.php SQL Injection Vulnerability 20060517 Re: Zen Cart login.php SQL Injection Vulnerability http://www.packetstormsecurity.org/0405-advisories/zencart112d.txt 6298 The distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, which allows attackers to gain administrative privileges via password_forgotten.php. http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD http://www.zen-cart.com/modules/ipb/index.php?showtopic=4873 SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter. http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731 Format string vulnerability in the logmsg function in svc.c for Pound 1.5 and earlier allows remote attackers to execute arbitrary code via format string specifiers in syslog messages. 10267 GLSA-200405-08 11528 pound-logmsg-format-string(16033) 5746 http://www.apsis.ch/pound/pound_list/archive/2003/2003-12/1070234315000#1070234315000 1010034 20040507 Pound <=1.5 Remote Exploit (Format string bug) Buffer overflow in Icecast 2.0.0 and earlier allows remote attackers to cause a denial of service (crash) via a long Basic Authorization header that triggers an out-of-bounds read. 10311 11578 icecast-auth-request-bo(16103) 6075 GLSA-200405-10 20040509 Icecast 2.0.0 preauth overflow Cross-site scripting (XSS) vulnerability in stats.php in e107 allows remote attackers to inject arbitrary web script or HTML via the referer parameter to log.php. e107-log-xss(16231) 10395 11693 20040521 e107 web portal Referers HTTP Injection 6345 The Util_DecodeHTTPAuth function in BNBT BitTorrent Tracker Beta 7.5 Release 2 and earlier allows remote attackers to cause a denial of service (crash) via a Basic Authorization HTTP request with a "A==" value. bittorrent-http-get-dos(16228) 10399 11684 20040522 BNBT BitTorrent Tracker Denial Of Service http://fux0r.phathookups.com/advisory/sp-x12-advisory.txt 6336 1010254 Multiple cross-site scripting (XSS) vulnerabilities in index.jsp for Liferay before 2.2.0 release 10/1/2004 allow remote attackers to inject arbitrary web script or HTML, as demonstrated using the message subject. liferay-message-xss(16232) 10402 6346 20041125 Re: Liferay Cross Site Scripting Flaw http://sourceforge.net/project/shownotes.php?release_id=252060 1010259 11692 20040522 Liferay Cross Site Scripting Flaw Cross-site scripting (XSS) vulnerability in user.php in e107 allows remote attackers to inject arbitrary web script or HTML via the (1) URL, (2) MSN, or (3) AIM fields. 20040522 e107 web portal user.php XSS (Cross Site Scripting) e107-user-xss(16241) 10405 6410 11696 Netgear RP114 allows remote attackers to bypass the keyword based URL filtering by requesting a long URL, as demonstrated using a large number of %20 (hex-encoded space) sequences. netgearrp114-long-url-filter-bypass(16238) 10404 6411 11698 20040524 Netgear RP114 URL filter fails if URL is too long Orenosv 0.5.9f allows remote attackers to cause a denial of service (crash) via a long HTTP GET request. orenosv-http-get-dos(16250) 10420 6419 11706 20040526 Orenosv HTTP/FTP Server Denial Of Service http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html Buffer overflow in the (1) WTHoster and (2) WebDriver modules in WildTangent Web Driver 4.0 allows remote attackers to execute arbitrary code via a long filename. wildtangent-wthoster-webdriver-bo(16266) 10421 6445 http://www.ngssoftware.com/advisories/wildtangent.txt 11727 20040527 WildTangent Web Driver Long FileName Stack Overflow MiniShare 1.3.2 allows remote attackers to cause a denial of service (crash) via a malformed HTTP GET or HEAD request without the proper number of trailing CRLF sequences. 10417 6432 http://sourceforge.net/project/shownotes.php?release_id=241158 11715 minishare-get-head-dos(16260) http://www.autistici.org/fdonato/advisory/MiniShare1.3.2-adv.txt 20040527 DoS in MiniShare 1.3.2 SQL injection vulnerability in the art_print function in print.inc.php in unknown versions of jPortal before 2.3.1 allows remote attackers to inject arbitrary SQL commands via the id parameter. jportal-printincphp-sql-injection(16272) 10430 http://www.securiteam.com/unixfocus/5HP020KD5K.html 6503 1010327 11737 20040528 JPortal SQL Injects Buffer overflow in Mollensoft Lightweight FTP Server 3.6 allows remote authenticated users to cause a denial of service (crash) and possibly execute arbitrary code via a long CWD command, as demonstrated in one example by using the "cd" command in an interactive FTP client. mollensoft-cwd-command-bo(16237) 6412 mollensoft-cd-bo(16303) 10429 10409 20040601 Mollensoft Lightweight FTP Server CWD Buffer Overflow 20040528 Mollensoft ftp Server ver 3.6 Buffer overflow 1010328 Cross-site scripting (XSS) vulnerability in Land Down Under (LDU) before LDU 700 allows remote attackers to inject arbitrary web script or HTML via a BBcode img tag in (1) functions.php, (2) header.php or (3) auth.inc.php. 6511 6510 6508 11739 ldu-bbcode-xss(16284) 10435 1010335 20040529 LDU (land down under) xss vulnerability e107 0.615 allows remote attackers to obtain sensitive information via a direct request to (1) alt_news.php, (2) backend_menu.php, (3) clock_menu.php, (4) counter_menu.php, (5) login_menu.php, and other files, which reveal the full path in a PHP error message. e107-multiplescripts-path-disclosure(16277) 6525 11740 http://www.waraxe.us/index.php?modname=sa&id=31 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 10436 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] Multiple cross-site scripting (XSS) vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary web script or HTML via the (1) LAN_407 parameter to clock_menu.php, (2) "email article to a friend" field, (3) "submit news" field, or (4) avmsg parameter to usersettings.php. e107-user-setting-xss(16281) e107-email-friend-xss(16280) e107-clock-menu-xss(16279) 11740 http://www.waraxe.us/index.php?modname=sa&id=31 10436 6529 6528 6527 6526 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] PHP remote file inclusion vulnerability in secure_img_render.php in e107 0.615 allows remote attackers to execute arbitrary PHP code by modifying the p parameter to reference a URL on a remote web server that contains the code. e107-secure-img-render-file-include(16282) http://www.waraxe.us/index.php?modname=sa&id=31 10436 6530 11740 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] Multiple SQL injection vulnerabilities in e107 0.615 allow remote attackers to inject arbitrary SQL code and gain sensitive information via (1) content parameter to content.php, (2) content_id parameter to content.php, or (3) list parameter to news.php. e107-content-news-sql-injection(16283) http://www.waraxe.us/index.php?modname=sa&id=31 10436 6533 6531 11740 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 20040529 [waraxe-2004-SA#031 - Multiple vulnerabilities in e107 version 0.615] 6532 Buffer overflow in ibserver for Firebird Database 1.0 and other versions before 1.5, and possibly other products that use the InterBase codebase, allows remote attackers to cause a denial of service (crash) via a long database name, as demonstrated using the gsec command. 11756 interbase-database-name-bo(16316) firebird-database-name-bo(16229) 10446 http://www.securiteam.com/unixfocus/5AP0P0UCUO.html 6624 6408 DSA-1014 1010381 19350 20040601 Firebird Database Remote Database Name Overflow 20040602 Firebird [ AND Interbase 7 ] Database Remote Database Name Overflow PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access, as demonstrated using an HTTP request that contains the "admin.php" string. nukecops-ergei-path-disclosure(16298) oscnukelite-eregi-path-disclosure(16297) osc2nuke-eregi-path-disclosure(16296) phpnuke-eregi-path-disclosure(16294) 10447 6593 11766 20040606 Re: [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke 20040601 [Squid 2004-Nuke-001] Inadequate Security Checking in PHPNuke 20040601 [Squid 2004-betaNC-001] Inadequate Security Checking in NukeCops 20040601 [Squid 2004-OSC2Nuke-001] Inadequate Security Checking in OSC2Nuke 20040601 [Squid 2004-betaNC-001] Inadequate Security Checking in NukeCops betaNC Bundle The HTTP administration interface on Conceptronic CADSLR1 ADSL router running firmware 3.04n allows remote attackers to cause a denial of service (device reboot) via an HTTP request with a long username. conceptronic-long-username-dos(16746) http://www.shellsec.net/leer_advisory.php?id=5 10769 12110 20040721 Denial of Service in Conceptronic CADSLR1 Router Unknown vulnerability in APC PowerChute Business Edition 6.0 through 7.0.1 allows remote attackers to cause a denial of service via unknown attack vectors. 10777 12124 powerchute-console-dos(16767) 8187 1010745 20040721 APC Security Advisory Denial of Service Vulnerability with PowerChute Business Edition Directory traversal vulnerability in EasyWeb FileManager 1.0 RC-1 for PostNuke allows remote attackers to retrieve arbitrary files via a .. (dot dot) in the pathext parameter. filemanager-pathext-view-directory-traversal(16806) 10792 8193 http://www.cirt.net/advisories/ew_file_manager.shtml 12151 20040724 EasyWeb FileManager Directory Traversal radmin in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier starts a process port 25072 that can be accessed with a default "jstwo" password, which allows remote attackers to gain access. thintune-password-gain-access(16790) 10794 12154 20040724 eSeSIX Thintune thin client multiple vulnerabilities 8246 1010770 eSeSIX Thintune thin clients running firmware 2.4.38 and earlier store sensitive usernames and passwords in cleartext in configuration files for the keeper library, which allows attackers to gain access. thintune-plaintext-passwords(16795) 10794 12154 20040724 eSeSIX Thintune thin client multiple vulnerabilities 8247 1010770 eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allow local users to gain privileges by pressing CTRL-SHIFT-ALT-DEL and entering the "maertsJ" password, which is hard-coded into lshell. thintune-password-gain-privileges(16808) 10794 12154 20040724 eSeSIX Thintune thin client multiple vulnerabilities 8248 1010770 The Phoenix browser in eSeSIX Thintune thin clients running firmware 2.4.38 and earlier allows local users to read arbitrary files via a file:/// URL. thintune-url-obtain-information(16798) 10794 12154 20040724 eSeSIX Thintune thin client multiple vulnerabilities 8249 1010770 eSeSIX Thintune thin clients running firmware 2.4.38 and earlier accept any password that begins with the actual password, which makes it easier for users to conduct brute force password guessing. 20040724 eSeSIX Thintune thin client multiple vulnerabilities PHP remote file inclusion vulnerability in index.php in EasyIns Stadtportal 4 allows remote attackers to execute arbitrary PHP code via the site parameter. easyins-php-file-include(16797) 10795 1010769 20040724 Easyins Stadtportal 8233 CRLF injection vulnerability in PhpBB 2.0.4 and 2.0.9 allows remote attackers to perform HTTP Response Splitting attacks to modify expected HTML content from the server via (1) the mode parameter to privmsg.php or (2) the redirect parameter to login.php. phpbb-search-response-splitting(16759) 10753 12114 20040720 PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities Cross-site scripting (XSS) vulnerability in search.php for PhpBB 2.0.4 and 2.0.9 allows remote attackers to inject arbitrary HTMl or web script via the search_author parameter. phpbb-search-searchauthor-xss(16758) 10753 12114 20040720 PhpBB HTTP Response Splitting & Cross Site Scripting vulnerabilities SQL injection vulnerability in action.php in Nucleus CMS 3.01 allows remote attackers execute arbitrary SQL statements via the itemid parameter. 13136 20040725 NucleusCMS 3.01 SQL Injection Vulnerability nucleus-sql-injection(18002) SQL injection vulnerability in ASPRunner 2.4 allows remote attackers to execute arbitrary SQL statements. asprunner-sql-injection(16799) 10799 12164 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities 8251 1010777 ASPRunner 2.4 allows remote attackers to gain sensitive information via (1) hidden form fields or (2) error messages. asprunner-information-disclosure(16800) 10799 12164 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities 8252 1010777 Multiple cross-site scripting vulnerabilities in ASPRunner 2.4 allow remote attackers inject arbitrary web script or HTML via the (1) SearchFor parameter in [TABLE-NAME]_search.asp, (2) SQL parameter in [TABLE-NAME]_edit.asp, (3) SearchFor parameter in [TABLE]_list.asp, or (4) SQL parameter in export.asp. asprunner-xss(16801) 10799 12164 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities 8257 8256 8255 8254 1010777 ASPRunner 2.4 stores the database under the web root in the db directory, which may allow remote attackers to obtain the database via a direct request to the database filename, which is predictable based on table and field names. 10799 12164 20040726 ASPRunner Multiple Vulnerabilities http://ferruh.mavituna.com/article/?574 20040726 ASPRunner Multiple Vulnerabilities asprunner-database-file-access(16802) 8253 1010777 RiSearch 1.0.01 and RiSearch Pro 3.2.06 allows remote attackers to use the show.pl script as an open proxy, or read arbitrary local files, by setting the url parameter to a (1) http://, (2) ftp://, or (3) file:// URL. risearch-show-open-proxy(16817) 10812 12173 20040727 IRM 009: RiSearch and RiSearch ProPro are vulnerable to open FTP/HTTP proxy, directory listings and file disclosure vulnerabilities 8266 8265 1010788 SQL injection vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to execute arbitrary SQL via the (1) thread_id, (2) parent_id, or (3) mode parameters. antiboard-get-sql-injection(16828) 10821 12137 20040728 AntiBoard <= 0.7.2 XSS/SQL Injection Cross-site scripting (XSS) vulnerability in antiboard.php in AntiBoard 0.7.2 and earlier allows remote attackers to inject arbitrary HTML or web script via the feedback parameter. antiboard-feedback-xss(16830) 10821 12137 20040728 AntiBoard <= 0.7.2 XSS/SQL Injection 8269 Cross-site scripting (XSS) vulnerability in lostBook 1.1 and earlier allows remote attackers to inject arbitrary web script via the (1) Email or (2) Website fields. lostbook-email-website-xss(16835) 10825 8271 1010812 12190 20040729 lostBook v1.1 Javascript Execution DansGuardian 2.8 and earlier allows remote attackers to bypass the extension filtering rule via a hex encoded extension or . in the filename. 10823 12191 dansguardian-filename-bypass-filtering(16836) 20040729 DansGuardian Hex Encoding URL Banned Extension Filter Bypass http://dansguardian.org/?page=history 8270 1010817 SQL injection vulnerability in session.php in LinPHA 0.9.4 allows remote attackers to execute arbitrary SQL code and bypass authentication via the (1) linpha_userid or (2) linpha_password cookies. linpha-cookie-gain-access(16834) 10827 12189 20040729 Linpha 0.9.4: authentication bypass 8272 SQL injection vulnerability in controlpanel.php in Jaws Framework and Content Management System 0.4 allows remote attackers to execute arbitrary SQL and bypass authentication via the (1) user, (2) password, or (3) crypted_password parameters. jaws-controlpanel-sql-injection(16847) 10826 8320 1010815 20040729 Jaws 0.4: authentication bypass fetchnews in leafnode 1.9.47 and earlier allows remote attackers to cause a denial of service (process hang) via an emptry NNTP news article with missing mandatory headers. 10590 http://leafnode.sourceforge.net/leafnode-SA-2004-01.txt leafnode-fetchnews-nntp-dos(14189) 3441 20040109 leafnode -1.9.47 security announcement SA-2004-01 sshd.c in OpenSSH 3.6.1p2 and 3.7.1p2 and possibly other versions, when using privilege separation, does not properly signal the non-privileged process when a session has been terminated after exceeding the LoginGraceTime setting, which leaves the connection open and allows remote attackers to cause a denial of service (connection consumption). [openssh-unix-dev] 20040128 Re: OpenSSH - Connection problem when LoginGraceTime exceeds time openssh-sshdc-logingracetime-dos(20930) ADV-2006-4502 14963 FLSA-2006:168935 16567 http://support.avaya.com/elmodocs2/security/ASA-2005-223.pdf http://support.avaya.com/elmodocs2/security/ASA-2005-216.pdf 17252 17135 RHSA-2005:550 oval:org.mitre.oval:def:11541 [openssh-unix-dev] 20040127 OpenSSH - Connection problem when LoginGraceTime exceeds time http://www.vmware.com/support/vi3/doc/esx-9986131-patch.html http://www.vmware.com/support/vi3/doc/esx-3069097-patch.html http://www.vmware.com/download/esx/esx-213-200610-patch.html http://www.vmware.com/download/esx/esx-202-200610-patch.html 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2 20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4 23680 22875 17000 The Altiris Client Service for Windows 5.6 SP1 Hotfix E (5.6.181) allows local users to execute arbitrary commands by opening the AClient tray icon and using the View Log File option, a different vulnerability than CVE-2005-1590. 20041119 Privilege escalation flaw in AClient Service for Windows (Version 5.6.181). Macallan Mail Solution 2.8.4.6 (Build 260), and possibly earlier versions, allows remote attackers to bypass authentication in the web interface via an HTTP GET request with two slashes ("//") after the server name. macallan-gain-unauthorized-access(15194) 9646 3926 1009030 10861 Cross-site scripting (XSS) vulnerability in index.php for Mambo Open Source 4.6, and possibly earlier versions, allows remote attackers to execute script on other clients via the Itemid parameter. mambo-itemid-xss(15062) http://www.systemsecure.org/advisories/ssadvisory06022004.php 9588 Linux-VServer 1.24 allows local users with root privileges on a virtual server to gain access to the filesystem outside the virtual server via a modified chroot-again exploit using the chmod command. http://www.linux-vserver.org/index.php?page=ChangeLog linux-vserver-gain-privileges(15073) 9596 20040206 Linux 2.4.24 with vserver 1.24 exploit 3875 10816 Format string vulnerability in Dream FTP 1.02 allows local users to cause a denial of service (crash) via format string specifiers in the (1) PASS or (2) RETR commands. dreamftp-command-format-string(15380) 9800 1009295 Sophos Anti-Virus 3.78 allows remote attackers to cause a denial of service (infinite loop) via a MIME header that is not properly terminated. 9648 sophos-mime-header-dos(15191) http://www.sophos.com/support/news/#mime-378 3925 1009042 10855 Cross-site scripting (XSS) vulnerability in search.php for Jelsoft vBulletin 3.0.0 RC4 allows remote attackers to inject arbitrary web script or HTML via the query parameter. vbulletin-search-xss(15208) 9656 20040213 vBulletin PHP Forum Version Nadeo Game Engine for Nadeo TrackMania and Nadeo Virtual Skipper 3 allows remote attackers to cause a denial of service (server crash) via malformed data to TCP port 2350, possibly due to long values or incorrect size fields. trackmania-dos(15081) 9604 20040209 Re: TrackMania Demo Denial of Service 20040208 TrackMania Demo Denial of Service http://www.securiteinfo.com/attaques/hacking/trackmaniados.shtml Red-M Red-Alert 2.7.5 with software 3.1 build 24 allows remote attackers to cause a denial of service (reboot and loss of logged events) via a long request to TCP port 80, possibly triggering a buffer overflow. 1009001 redalert-long-request-dos(15086) 9618 20040209 Red-M Red-Alert Multiple Vulnerabilities http://www.securiteam.com/securitynews/5SP0C0KC0A.html 3891 10832 http://genhex.org/releases/031003.txt 20040209 Red-M Red-Alert Multiple Vulnerabilities Red-M Red-Alert 2.7.5 with software 3.1 build 24 binds authentication to IP addresses, which allows remote attackers to bypass authentication by connecting from the same IP address as an active authenticated user. 1009001 redalert-gain-access(15088) 9618 20040209 Red-M Red-Alert Multiple Vulnerabilities http://www.securiteam.com/securitynews/5SP0C0KC0A.html http://genhex.org/releases/031003.txt 3952 20040209 Red-M Red-Alert Multiple Vulnerabilities Red-M Red-Alert 2.7.5 with software 3.1 build 24 converts multiple spaces in a Service Set Identifier (SSID) to a single space, which prevents Red-Alert from correctly identifying the SSID. 1009001 redalert-bypass-security(15089) 9618 20040209 Red-M Red-Alert Multiple Vulnerabilities http://www.securiteam.com/securitynews/5SP0C0KC0A.html http://genhex.org/releases/031003.txt 3953 20040209 Red-M Red-Alert Multiple Vulnerabilities The samiftp.dll library in Sami FTP Server 1.1.3 allows local users to cause a denial of service (pmsystem.exe crash) by issuing (1) a CD command with a tilde (~) character or dot dot (/../) or (2) a GET command for an unavailable file. http://www.karja.com/samiftp/news.html sami-cd-get-dos(15204) 9657 20040213 Sami FTP Server 1.1.3 multiple vulnerabilities The samiftp.dll library in Sami FTP Server 1.1.3 allows remote authenticated users to cause a denial of service (pmsystem.exe crash) via a GET request wit a large number of leading "/" (slash) characters. http://www.karja.com/samiftp/news.html sami-cd-get-dos(15204) 9657 20040213 Sami FTP Server 1.1.3 multiple vulnerabilities Opera Web Browser 7.0 through 7.23 allows remote attackers to trick users into executing a malicious file by embedding a CLSID in the file name, which causes the malicious file to appear as a trusted file type, aka "File Download Extension Spoofing." 9640 http://secunia.com/Internet_Explorer_File_Download_Extension_Spoofing_Test/ 10760 opera-cslid-extension-spoof(21698) 3917 http://www.opera.com/docs/changelogs/windows/750b1/ Cross-site scripting (XSS) vulnerability in search.php in JShop E-Commerce Server allows remote attackers to inject arbitrary web script or HTML via the xSearch parameter. jshop-searchphp-xss(15100) 3889 http://www.systemsecure.org/advisories/ssadvisory09022004.php 9609 1008988 10825 Multiple cross-site scripting (XSS) vulnerabilities in Brad Fears phpCodeCabinet 0.4 and earlier allow remote attackers to inject arbitrary web script or HTML via multiple parameters, including (1) the sid parameter to comments.php, (2) the cid, cf, or rfd parameters to category.php, or the cid parameter to (3) input.php, (4) browse.php, (5) themes/facade/header.php, or (6) themes/phpcc/header.php. phpcodecabinet-multiple-xss(15190) 9645 9601 3887 3886 3885 http://sourceforge.net/project/shownotes.php?release_id=214860 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/phpcc/header.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/facade/header.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/input.php?r1=1.7&r2=1.8 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/comments.php?r1=1.1&r2=1.2 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/category.php?r1=1.4&r2=1.5 http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/browse.php?r1=1.5&r2=1.6 16711 16710 1009012 10862 Stack-based buffer overflow in results.stm for Sambar Server before the 6.0 production release allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an HTTP POST request with a long query parameter. http://www.sambar.com/security.htm 5786 sambar-http-post-bo(15071) 9607 20040207 Sambar 6.0 stack overflow 1008979 Unknown vulnerability in SandSurfer before 1.7.0 allows remote attackers to gain access as a logged-in user. sandsurfer-gain-access(15193) 9647 http://sourceforge.net/forum/forum.php?forum_id=351705 1009110 10829 3922 Sophos Anti-Virus 3.78 allows remote attackers to bypass virus scanning by using a qmail generated Delivery Status Notification (DSN) where the original email is not included in the bounce message. sophos-email-virus-undetected(15192) http://www.sophos.com/support/news/#mime-378 9650 1009042 10855 Matrix FTP Server allows remote attackers to cause a denial of service (crash) by logging in using four spaces as the username and password and then issuing a LIST command. matrixftp-login-list-dos(15075) 1008970 Microsoft Internet Explorer 5.0.1 through 6.0 allows remote attackers to determine the existence of arbitrary files via the VBScript LoadPicture method, which returns an error code if the file does not exist. ie-error-obtain-information(15078) 9611 10820 20040207 (no subject) Microsoft Baseline Security Analyzer (MBSA) 1.2 does not correctly identify systems that have been patched but remain vulnerable to exploit until the system is rebooted, possibly giving the administrator a false sense of security. 9634 20040210 Another Low Blow From Microsoft: MBSA Failure! eTrust InoculateIT for Linux 6.0 uses insecure permissions for multiple files and directories, including the application's registry and tmp directories, which allows local users to delete, modify, or examine sensitive information. etrust-inoculateit-insecure-permissions(15103) 9616 3896 10833 20040209 [local problems] eTrust Virus Protection 6.0 InoculateIT for linux Buffer overflow in the open_socket_out function in socket.c for rsync 2.5.7 and earlier allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a long RSYNC_PROXY environment variable. NOTE: since rsync is not setuid, this issue does not provide any additional privileges beyond those that are already available to the user. Therefore this issue may be REJECTED in the future. linux-rsync-opensocketout-bo(15108) 20040209 rsync <= 2.5.7 local buffer overflow (no root today:) Cross-site scripting (XSS) vulnerability in WebcamXP 1.06.945 allows remote attackers to inject arbitrary HTML or web script as other users via a URL that contains the script. webcamxp-xss(14904) 9465 20040121 WebcamXP v1.06.945 Cross Site Scripting Vulnerabillity Honeyd before 0.8 replies to TCP packets with the SYN and RST flags set, which allows remote attackers to identify IP addresses that are being simulated by Honeyd. honeyd-nmap-information-disclosure(14905) 9464 20040121 [ GLSA 200401-02 ] Honeyd remote detection vulnerability via a probe packet 20040121 Honeyd Security Advisory 2004-001: Remote Detection Via Simple Probe Packet 1008818 3690 10695 10694 Cross-site scripting (XSS) vulnerability in Mephistoles httpd 0.6.0 final allows remote attackers to execute arbitrary script as other users by injecting arbitrary HTML or script into the URL. 9470 20040121 Mephistoles Httpd 0.6.0final XSS mephistoles-httpd-xss(14899) 3689 10693 Multiple scripts on SuSE Linux 9.0 allow local users to overwrite arbitrary files via a symlink attack on (1) /tmp/fvwm-bug created by fvwm-bug, (2) /tmp/wmmenu created by wm-oldmenu2new, (3) /tmp/rates created by x11perfcomp, (4) /tmp/xf86debug.1.log created by xf86debug, (5) /tmp/.winpopup-new created by winpopup-send.sh, or (6) /tmp/initrd created by lvmcreate_initrd. suse-multiple-symlink-attack(14963) 9457 20040122 Re: [SuSE 9.0] possible symlink attacks in some scripts 20040121 [SuSE 9.0] possible symlink attacks in some scripts 1008781 Cross-site scripting (XSS) vulnerability in the banner engine (TBE) 5.0 allows remote attackers to execute arbitrary script as other users via the HTML banner view/preview capability. tbe-xss(14911) 9472 20040122 TBE - the banner engine server-side script execution vulnerability Buffer overflow in Need for Speed Hot Pursuit 2.0 client (NFSHP2), version 242 and earlier, allows remote attackers (servers) to execute arbitrary code via long (1) gamename, (2) gamever, (3) hostname, (4) gametype, (5) mapname or (6) gamemode commands. hotpursuit2-bo(14909) 9473 http://aluigi.altervista.org/adv/nfshp2cbof-adv.txt 20040122 Need for Speed Hot pursuit 2 <= 242 client's buffer overflow GeoHttpServer, when configured to authenticate users, allows remote attackers to bypass authentication and access unauthorized files via a URL that contains %0a%0a (encoded newlines). 20040122 GeoHttpServer Authentification Bypass Vulnerability & D.O.S (Denial Of Service) The sysinfo script in GeoHttpServer allows remote attackers to cause a denial of service (crash) via a long pwd parameter, possibly triggering a buffer overflow. geohttpserver-long-password-bo(14913) 1008807 20040122 GeoHttpServer Authentification Bypass Vulnerability & D.O.S (Denial Of Service) Cross-site scripting (XSS) vulnerability in FREESCO 2.05, a modified version of thttpd, allows remote attackers to inject arbitrary web script or HTML via the test parameter. freesco-thttpd-xss(14916) 20040122 FREESCO public http server - Cross Site Scripting Vulnerabillity Cross-site scripting (XSS) vulnerability in Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to process arbitrary script or HTML as other users via (1) a malformed request for a Perl program with script in the filename, (2) the User.id parameter to the webacc servlet, (3) the GWAP.version parameter to webacc, or (4) a URL request for a .bas file with script in the filename. netware-enterprise-cgi2perl-xss(14919) http://support.novell.com/cgi-bin/search/searchtid.cgi?/10091529.htm 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities 4949 Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to obtain sensitive server information, including the internal IP address, via a direct request to (1) snoop.jsp, (2) SnoopServlet, (3) env.bas, or (4) lcgitest.nlm. 4952 10711 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities netware-enterprise-path-disclosure(14921) 9479 3722 3721 3720 3715 The webacc servlet in Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to read arbitrary .htt files via a full pathname in the error parameter. 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities Novell NetWare Enterprise Web Server 5.1 and 6.0 allows remote attackers to list directories via a direct request to (1) /com/, (2) /com/novell/, (3) /com/novell/webaccess, or (4) /ns-icons/. 20040123 NetWare-Enterprise-Web-Server/5.1/6.0 Multiple Vulnerabilities netware-enterprise-directory-disclosure(21749) 13404 13403 13402 Finjan SurfinGate 6.0 and 7.0, when running in proxy mode, does not authenticate FHTTP commands on TCP port 3141, which allows remote attackers to use the finjan-parameter-type header to (1) restart the service, (2) use the getlastmsg command to view log information, or (3) use the online command to force a policy update from the database server. 9478 10714 20040126 RE: Finjan SurfinGate Vulnerability 20040123 Finjan SurfinGate Vulnerability 20040123 Finjan SurfinGate Vulnerability finjan-surfingate-execute-commands(14934) Multiple SQL injection vulnerabilities in QuadComm Q-Shop allow remote attackers to execute arbitrary SQL commands via certain parameters to (1) search.asp, (2) browse.asp, (3) details.asp, (4) showcat.asp, (5) users.asp, (6) addtomylist.asp, (7) modline.asp, (8) cart.asp, or (9) newuser.asp. qshop-multiple-sql-injection(14922) 9481 http://www.s-quadra.com/advisories/Adv-20040123.txt 20040123 QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilities 3706 3705 3704 3703 3702 3701 3700 3699 3698 1008837 10704 Multiple cross-site scripting (XSS) vulnerabilities in (1) imagezoom.asp or (2) recommend.asp in Q-Shop allow remote attackers to execute arbitrary script and steal the user session ID via Javascript in a URL. 9480 qshop-url-xss(14923) 20040123 QuadComm Q-Shop ASP Shopping Cart Software multiple security vulnerabilities 3697 3696 10704 SQL injection vulnerability in register.php in Phorum before 3.4.6 allows remote attackers to execute arbitrary SQL commands via the hide_email parameter. http://phorum.org/ 20040123 Multiple Vulnerabilities in Phorum 3.4.5 Stack-based buffer overflow in the site chmod command in Serv-U FTP Server before 4.2 allows remote attackers to execute arbitrary code via a long filename. servu-chmodcommand-execute-code(14931) 9675 9483 1008841 20040126 Serv-U ftp 4.2 site chmod long_file_name exploit 20040124 [SST]ServU MDTM command remote buffero verflow adv Directory traversal vulnerability in BremsServer 1.2.4 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in the URL. bremsserver-dotdot-directory-traversal(14954) 9493 20040126 Directory traversal and XSS in BremsServer 1.2.4 1008853 3755 10731 Cross-site scripting (XSS) vulnerability in BremsServer 1.2.4 allows remote attackers to inject arbitrary web script or HTML via the URL. bremsserver-xss(14953) 9491 20040126 Directory traversal and XSS in BremsServer 1.2.4 1008853 3754 10731 Stack-based and heap-based buffer overflows in ProxyNow! 2.75 and earlier allow remote attackers to execute arbitrary code via a GET request with a long ftp:// URL. proxynow-get-bo(14955) 9500 20040126 ProxyNow! 2.x Multiple Overflow Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in Oracle HTTP Server 1.3.22, based on Apache, allow remote attackers to execute arbitrary script as other users via the (1) action, (2) username, or (3) password parameters in an isqlplus request. oraclehttpserver-isqlplus-xss(14930) 9484 20040124 Oracle HTTP Server Cross Site Scripting Vulnerabillity Directory traversal vulnerability in Tiny Server 1.1 allows remote attackers to read or download arbitrary files via a .. (dot dot) in the URL. tinyserver-dotdot-directory-traversal(14927) 9485 http://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 3708 10707 Tiny Server 1.1 allows remote attackers to cause a denial of service (crash) via malformed HTTP requests such as (1) a GET request without the HTTP version (HTTP/1.1), or (2) a request without GET or the HTTP version. tinyserver-string-dos(14928) 9485 http://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 3709 10707 Tiny Server 1.1 allows remote attackers to cause a denial of service (crash) via a GET request with a long filename, possibly due to a buffer overflow. tinyserver-string-dos(14928) 9485 http://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 10707 Cross-site scripting (XSS) vulnerability in Tiny Server 1.1 allows remote attackers to inject arbitrary web script or HTML via the URL. tinyserver-xss(14929) 9485 http://www.autistici.org/fdonato/advisory/tinyServer1.1[1.0.5]-adv.txt 20040124 Tiny Server 1.1 (1.0.5) Multiple Vulnerabilities 3710 10707 Reptile Web Server allows remote attackers to cause a denial of service (CPU consumption) via multiple incomplete GET requests without the HTTP version. reptilewebserver-get-dos(14932) 9482 http://www.autistici.org/fdonato/advisory/reptilewsDailyVersion-adv.txt 1008842 20040124 Resources consumption in Reptile webserver daily version Multiple directory traversal vulnerabilities in Borland Web Server (BWS) 1.0b3 and earlier allow remote attackers to read and download arbitrary files via (1) multi-dot "......" sequences, or (2) "%5c%2e%2e" (encoded "\..") sequences, in the URL. bws-directory-traversal(14948) 9486 1008840 20040124 BWS v1.0b3 Directory Transversal Vulnerability Cross-site scripting (XSS) vulnerability in intraforum_db.cgi in Intra Forum allows remote attackers to inject arbitrary web script or HTML via the (1) use_last_read or (2) forum parameters. intraforum-intraforumcgi-xss(14933) 1008839 20040124 Inrtra Forum Cross Site Scripting Vulnerabillity Multiple cross-site scripting (XSS) vulnerabilities in Nextplace.com E-Commerce ASP Engine allow remote attackers to inject arbitrary web script or HTML via the (1) level parameter of productdetail.asp, (2) searchKey parameter of searchresults.asp, and possibly (3) level parameter of ListCategories.asp. nextplace-multiple-xss(14952) 20040124 NextPlace.com E-Commerce ASP Engine The register_globals simulation capability in Gallery 1.3.1 through 1.4.1 allows remote attackers to modify the HTTP_POST_VARS variable and conduct a PHP remote file inclusion attack via the GALLERY_BASEDIR parameter, a different vulnerability than CVE-2002-1412. 20040127 Remote exploit in Gallery 1.3.1, 1.3.2, 1.3.3, 1.4 and 1.4.1 http://gallery.menalto.com/modules.php?op=modload&name=News&file=index gallery-gallerybasedir-file-include(14950) 9490 GLSA-200402-04 10712 3737 Buffer overflow in blackd.exe for BlackICE PC Protection 3.6 and other versions before 3.6.ccb, with application protection off, allows local users to gain system privileges by modifying the .INI file to contain a long packetLog.fileprefix value. blackice-blackdexe-bo(14965) 9514 20040128 SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM 3740 10739 [ISSForum] 20040128 Third party BlackICE advisory The upgrade for BlackICE PC Protection 3.6 and earlier sets insecure permissions for .INI files such as (1) blackice.ini, (2) firewall.ini, (3) protect.ini, or (4) sigs.ini, which allows local users to modify BlackICE configuration or possibly execute arbitrary code by exploiting vulnerabilities in the .INI parsers. 9513 20040128 SRT2004-01-17-0227 - BlackICE allows local users to become SYSTEM Directory traversal vulnerability in Web Blog 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the file variable. webblog-dotdot-directory-traversal(14978) http://www.zone-h.org/en/advisories/read/id=3822/ 9517 20040128 ZH2004-01SA (security advisory): Web Blog 1.1 Remote arbitrary 3739 10740 Cross-site scripting (XSS) vulnerability in BRS WebWeaver 1.07 allows remote attackers to execute arbitrary script as other users via the query string to ISAPISkeleton.dll. 10741 webweaver-isapiskeleton-xss(14977) 9516 20040128 BRS WebWeaver Webserver Cross Site Scripting Vulnerability 1008880 3741 http://www.brswebweaver.com/modules.php?op=modload&name=News&file=article&sid=1 SurfNOW 2.2 allows remote attackers to cause a denial of service (crash) via a series of long HTTP GET requests, possibly triggering a buffer overflow. surfnow-get-dos(14976) 9519 20040128 Denial Of Service in SurfNOW 2.2 Multiple cross-site scripting (XSS) vulnerabilities in privmsg.php in phpBB 2.0.6 allow remote attackers to execute arbitrary script or HTML via the (1) folder or (2) mode variables. 9290 http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=161943 20040128 phpBB privmsg.php XSS vulnerability patch. Stack-based buffer overflow in ontape for IBM Informix Dynamic Server (IDS) 9.40.xC3 and earlier allows local users, with DSA privileges, to execute arbitrary code via a long ONCONFIG environment variable. 9512 http://www-1.ibm.com/support/docview.wss?uid=swg21153336 20040129 ----------========== OPEN3S-2003-08-08-eng-informix-ontape informix-ontape-binary-bo(14970) 3759 10737 Directory traversal vulnerability in PJreview_Neo.cgi in PJ CGI Neo review allows remote attackers to read arbitrary files via a .. (dot dot) in the p parameter. pjcgineoreview-dotdot-directory-traversal(14980) http://www.zone-h.org/advisories/read/id=3824 9524 20040129 ZH2004-02SA (security advisory): PJ CGI Neo review (NeoBoard review) Remote arbitrary file retrieving 10734 3746 Certain third-party packages for CVSup 16.1h, such as SuSE Linux, contain untrusted paths in the ELF RPATH fields of certain executables, which could allow local users to execute arbitrary code by causing cvsup to link against malicious libraries that are created in world-writable directories such as /usr/src/packages. cvsup-rpath-gain-privileges(14994) 9523 20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs 20040129 Security Announcement: untrusted ELF library path in some cvsup binary RPMs Oracle toplink mapping workBench uses a weak encryption algorithm for passwords, which allows local users to decrypt the passwords. 9515 20040128 Re: Oracle toplink mapping workbench password algorithm http://www.planet-source-code.com/vb/scripts/ShowCode.asp?txtCodeId=803&lngWId=5 20040128 Oracle toplink mapping workbench password algorithm 20040128 Re: Oracle toplink mapping workbench password algorithm cryptoloop on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption. 13775 http://www.securiteam.com/exploits/5UP0P1PFPM.html http://mareichelt.de/pub/notmine/diskenc.pdf [linux-kernel] 20040219 Re: Oopsing cryptoapi (or loop device?) on 2.6.* dm-crypt on Linux kernel 2.6.x, when used on certain file systems with a block size 1024 or greater, has certain "IV computation" weaknesses that allow watermarked files to be detected without decryption. http://www.securiteam.com/exploits/5UP0P1PFPM.html http://mareichelt.de/pub/notmine/diskenc.pdf [linux-kernel] 20040219 Re: Oopsing cryptoapi (or loop device?) on 2.6.* Outlook Express 6.0, when sending multipart e-mail messages using the "Break apart messages larger than" setting, leaks the BCC recipients of the message to the addresses listed in the To and CC fields, which may allow remote attackers to obtain sensitive information. outlook-email-address-disclosure(17098) http://www.networksecurity.fi/advisories/outlook-bcc.html 843555 1011067 12376 11040 9167 Cross-site scripting (XSS) vulnerability in AWSguest.php in AllWebScripts MySQLGuest allows remote attackers to inject arbitrary HTML and PHP code via the (1) Name, (2) Email, (3) Homepage or (4) Comments field. mysqlguest-awsguestphp-xss(17462) 11234 http://www.computerknights.org/forum_viewtopic.php?2.122 1011376 Unknown vulnerability in Adminedit.pl YaBB 1 Gold before 1.3.2 allows attackers to execute arbitrary code via settings.pl. yabb-admineditpl-xss(17459) http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 12609 11235 10222 CRLF injection vulnerability in YaBB 1 Gold before 1.3.2 allows remote attackers to modify text file contents via the subject variable. http://www.yabbforum.com/community/YaBB.pl?board=general;action=display;num=1093133233 12609 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1827. Reason: This candidate is a duplicate of CVE-2004-1827. Notes: All CVE users should reference CVE-2004-1827 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unknown vulnerability in the remote tape support (remote.c) in the RMT client for Jorg Schilling sdd 1.28 and 1.31 has unknown impact and attack vectors. sdd-rmt(17442) 12584 ftp://ftp.berlios.de/pub/sdd/AN-1.52 SQL injection vulnerability in the ReMOSitory Server add-on module to Mambo Portal 4.5.1 (1.09) and earlier allows remote attackers to execute arbitrary SQL commands via the filecatid parameter in the com_remository option. http://www.mamboportal.com/content/view/1615/ 1011356 12597 remository-filecatid-sql-injection(17441) 11219 10040 20040919 Re: Mambo Portal lasted version 4.5.1 (1.09) and lower vesion : SQL injection Vulnerability. 20040917 Mambo Portal lasted version 4.5.1 (1.09) and lower vesion : SQL injection Vulnerability. Baal Smart Forms before 3.2 allows remote attackers to bypass authentication and obtain system access via a direct request to regadmin.php. baal-admin-password-modify(17499) 1011416 12649 SQL injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows remote attackers to execute arbitrary SQL commands via the (1) sortdir or (2) criteria parameter to ladder-log.asp or the (3) memberid or (4) teamid parameter to view-profile.asp. megabbs-sql-injection(17497) 20040926 Re: HTTP Response Splitting and SQL injection in megabbs forum 20040926 HTTP Response Splitting and SQL injection in megabbs forum CRLF injection vulnerability in PD9 Software MegaBBS 2 and 2.1 allows attackers to conduct HTTP response splitting attacks via the fid parameter in a writenew action to thread-post.asp. megabbs-response-splitting(17495) 20040926 Re: HTTP Response Splitting and SQL injection in megabbs forum 20040926 HTTP Response Splitting and SQL injection in megabbs forum http://www.pd9soft.com/megabbs/forums/thread-view.asp?tid=4924 Unknown versions of Symantec Norton AntiVirus and Microsoft Outlook allow attackers to cause a denial of service (crash) via malformed e-mail messages (1) without a body or (2) without a carriage return ("\n") separating the headers from the body. 11259 20040925 No body emails and Norton antivirus Unknown local vulnerability in the "change user" feature of Slava Astashonok Fprobe 1.0.5 and earlier has unknown impact and attack vectors. fprobe-change-user(17494) http://sourceforge.net/project/shownotes.php?release_id=269807 1011417 12648 11255 Buffer overflow in the prepared statements API in libmysqlclient for MySQL 4.1.3 beta and 4.1.4 allows remote attackers to cause a denial of service via a large number of placeholders. 11261 1011408 mysql-libmysqlclient-insert-bo(17493) 10244 http://dev.mysql.com/doc/mysql/en/news-4-1-5.html http://bugs.mysql.com/bug.php?id=5194 Nettica Corporation INTELLIPEER Email Server 1.01 displays different error messages for valid and invalid account names, which allows remote attackers to determine valid account names. 12661 intellipeer-username-obtain-information(17510) 11257 10349 1011425 Chatman 1.1.1 RC1 and earlier allows remote attackers to cause a denial of service (memory consumption or application crash) via a very large data size. 11263 20040927 Broadcast crash in Chatman 1.5.1 RC1 1011431 12665 chatman-dos(17513) 10365 Cross-site scripting (XSS) vulnerability in 'raw' page output mode for MediaWiki 1.3.4 and earlier allows remote attackers to inject arbitrary web script or HTML. mediawiki-raw-output-xss(17578) 11302 10454 http://sourceforge.net/project/shownotes.php?group_id=34373&release_id=271848 12692 Multiple unknown vulnerabilities in Real Estate Management Software 1.0 have unknown impact and attack vectors. real-estate-management-software(17598) 11304 12721 10480 [fm-news] 20041001 Newsletter for Thursday, September 30th 2004 CUPS before 1.1.21rc1 treats a Location directive in cupsd.conf as case sensitive, which allows attackers to bypass intended ACLs via a printer name containing uppercase or lowercase letters that are different from what is specified in the directive. http://www.cups.org/str.php?L700 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162405 oval:org.mitre.oval:def:9940 FLSA:163274 USN-185-1 RHSA-2005:571 SUSE-SR:2005:018 Online-bookmarks before 0.4.6 allows remote attackers to bypass its authentication mechanism via a direct request to (1) config/*, (2) bookmarks.php, (3) footer.php, (4) main.php, (5) tree.php, or (6) functions.php. online-bookmarks-resrtictions-bypass(17602) 11305 12728 http://freshmeat.net/projects/onlinebookmarks/?branch_id=34962&release_id=174401 Multiple unknown vulnerabilities in Online Recruitment Agency 1.0 have unknown impact and attack vectors. online-recruitment-agency(17586) 11306 12720 http://archives.neohapsis.com/archives/apps/freshmeat/2004-09/0030.html 10479 1011539 Cross-site scripting (XSS) vulnerability in Comment.php in Serendipity 0.7 beta1, and possibly other versions before 0.7-beta3, allows remote attackers to inject arbitrary HTML and PHP code via the (1) email or (2) username field. serendipity-commentphp-xss(17536) 11269 1011448 12673 20040928 Serendipity 0.7-beta1 SQL Injection PoC SQL injection vulnerability in Serendipity 0.7-beta1 allows remote attackers to execute arbitrary SQL commands via the entry_id parameter to (1) exit.php or (2) comment.php. serendipity-sql-injection(17533) 11269 1011448 12673 20040928 Serendipity 0.7-beta1 SQL Injection PoC 10371 10370 Multiple buffer overflows in XMLStarlet Command Line XML Toolkit 0.9.3 have unknown impact and attack vectors via (1) xml_elem.c and (2) xml_select.c. xmlstarlet-bo(17580) 11270 10074 http://sourceforge.net/project/shownotes.php?release_id=268962 1011496 Format string vulnerability in xml_elem.c for XMLStarlet Command Line XML Toolkit 0.9.3 may allow attackers to cause a denial of service or execute arbitrary code. http://sourceforge.net/project/shownotes.php?release_id=268962 http://cvs.sourceforge.net/viewcvs.py/xmlstar/xmlstarlet/src/xml_elem.c?r1=1.17&r2=1.18 SQL injection vulnerability in file_overview.php in TUTOS 1.1 allows remote attackers to execute arbitrary SQL commands via the link_id parameter. tutos-sql-injection(17444) 12606 11221 20040918 Vulnerabilities in TUTOS http://cvs.sourceforge.net/viewcvs.py/tutos/tutos/php/file/file_overview.php?r1=1.11.2.1&r2=1.11.2.2 10164 DSA-980 1011363 18954 Multiple cross-site scripting (XSS) vulnerabilities in TUTOS 1.1 allow remote attackers to inject arbitrary web script or HTML via (1) the search field of the Address Module or (2) the t parameter to app_new.php. tutos-xss(17445) 12606 11221 20040918 Vulnerabilities in TUTOS http://cvs.sourceforge.net/viewcvs.py/tutos/tutos/php/app_new.php?r1=1.58&r2=1.59 DSA-980 18954 login_radius on OpenBSD 3.2, 3.5, and possibly other versions does not verify the shared secret in a response packet from a RADIUS server, which allows remote attackers to bypass authentication by spoofing server replies. 11227 http://www.reseau.nl/advisories/0400-openbsd-radius.txt http://www.openbsd.org/errata35.html#radius 12617 openbsd-radius-auth-bypass(17456) 20040921 OpenBSD radius authentication vulnerability 10203 shoprestoreorder.asp in VP-ASP 5.0 does not close the database connection when a user restores a previous order, which allows remote attackers to cause a denial of service (connection consumption).