Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion. FLSA:2336 linux-fault-handler-gain-privileges(18849) 2005-0001 12244 RHSA-2005:092 RHSA-2005:043 RHSA-2005:017 RHSA-2005:016 DSA-1082 DSA-1070 DSA-1069 DSA-1067 1012862 20338 20202 20163 13822 oval:org.mitre.oval:def:10322 20050114 [USN-60-0] Linux kernel vulnerabilities 20050112 Linux kernel i386 SMP page fault handler privilege escalation 20050112 Linux kernel i386 SMP page fault handler privilege escalation http://isec.pl/vulnerabilities/isec-0022-pagefault.txt CLA-2005:930 MDKSA-2005:022 poppassd_pam 1.0 and earlier, when changing a user password, does not verify that the user entered the old password correctly, which allows remote attackers to change passwords for arbitrary users. GLSA-200501-22 1012840 13865 The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file. 12261 RHSA-2005:043 linux-vma-gain-privileges(18886) 2005-0001 RHSA-2005:017 SUSE-SA:2005:018 DSA-1082 DSA-1070 DSA-1069 DSA-1067 1012885 20338 20202 20163 oval:org.mitre.oval:def:9512 http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmg http://linux.bkbits.net:8080/linux-2.4/cset@41c36fb6q1Z68WUzKQFjJR-40Ev3tw MDKSA-2005:022 The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files. 12277 DSA-647 13867 mysql-mysqlaccess-symlink(18922) http://mysql.osuosl.org/doc/mysql/en/News-4.1.10.html 20050118 [USN-63-1] MySQL client vulnerability http://lists.mysql.com/internals/20600 CLA-2005:947 MDKSA-2005:036 101864 Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and possibly earlier versions allows remote attackers to execute arbitrary code via a .PSD image file with a large number of layers. RHSA-2005:071 DSA-646 20050117 Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability GLSA-200501-37 oval:org.mitre.oval:def:9925 20050118 [USN-62-1] imagemagick vulnerability RHSA-2005:070 The COPS dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (infinite loop). http://www.ethereal.com/appnotes/enpa-sa-00017.html 13946 ethereal-cops-dos(18999) RHSA-2005:037 GLSA-200501-27 P-106 oval:org.mitre.oval:def:10801 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the DLSw dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash from assertion). ethereal-dlsw-dos(19000) 13946 RHSA-2005:037 GLSA-200501-27 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:11381 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the DNP dissector in Ethereal 0.10.5 through 0.10.8 allows remote attackers to cause "memory corruption." http://www.ethereal.com/appnotes/enpa-sa-00017.html ethereal-dnp-memory-corruption(19001) RHSA-2005:037 GLSA-200501-27 P-106 13946 oval:org.mitre.oval:def:10689 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the Gnutella dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash). GLSA-200501-27 13946 ethereal-gnutella-dos(19002) RHSA-2005:037 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:10623 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the MMSE dissector in Ethereal 0.10.4 through 0.10.8 allows remote attackers to cause a denial of service by triggering a free of statically allocated memory. ethereal-mmse-free-memory(19003) 13946 RHSA-2005:037 GLSA-200501-27 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:9521 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Multiple vulnerabilities in fliccd, when installed setuid root as part of the kdeedu Kstars support for Instrument Neutral Distributed Interface (INDI) in KDE 3.3 to 3.3.2, allow local users and remote attackers to execute arbitrary code via stack-based buffer overflows. http://www.kde.org/info/security/advisory-20050215-1.txt 14306 FEDORA-2005-148 GLSA-200502-23 Format string vulnerability in the a_Interface_msg function in Dillo before 0.8.3-r4 allows remote attackers to execute arbitrary code via format string specifiers in a web page. 12203 dillo-capi-format-string(18807) GLSA-200501-11 13760 13764 nwclient.c in ncpfs before 2.2.6 does not drop root privileges before executing utilities using the NetWare client functions, which allows local users to gain privileges. DSA-665 GLSA-200501-44 ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6 12400 FLSA:152904 RHSA-2005:371 13297 MDKSA-2005:028 1013019 Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote malicious NetWare servers to execute arbitrary code on the NetWare client. GLSA-200501-44 ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6 12400 FLSA:152904 13298 MDKSA-2005:028 1013019 diatheke.pl in Sword 1.5.7a allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. DSA-650 sword-diatheke-command-execution(18997) 1012955 13897 12320 13941 Buffer overflow in the exported_display function in xatitv in gatos before 0.0.5 allows local users to execute arbitrary code. DSA-640 13884 gatos-xatitv-bo(18930) The f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files. DSA-661 GLSA-200501-43 12380 1013028 14067 14052 14041 The f2 shell script in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files. 12380 DSA-661 1013028 14052 14041 Unknown vulnerability in hztty 2.0 and earlier allows local users to execute arbitrary commands. 12518 DSA-675 hztty-command-execution(19297) 1013154 14236 Buffer overflow in playmidi before 2.4 allows local users to execute arbitrary code. DSA-641 playmidi-bo(18933) 12274 13049 MDKSA-2005:010 1012957 13898 13890 13828 Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function. VU#132992 RHSA-2005:025 20050114 Exim dns_buld_reverse() Buffer Overflow Vulnerability 20050107 Exim host_aton() Buffer Overflow Vulnerability [exim] 20050104 2 smallish security issues DSA-637 DSA-635 GLSA-200501-23 oval:org.mitre.oval:def:10347 http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44 Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication. RHSA-2005:025 [exim] 20050104 2 smallish security issues 20050107 Exim auth_spa_server() Buffer Overflow Vulnerability GLSA-200501-23 oval:org.mitre.oval:def:11293 20050212 exim auth_spa_server() PoC exploit http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44 12188 gnome-pty-helper in GNOME libzvt2 and libvte4 allows local users to spoof the logon hostname via a modified DISPLAY environment variable. NOTE: the severity of this issue has been disputed. libzvt-gnomeptyhelper-spoof(22496) ADV-2005-1931 15004 17023 20051007 gnome-pty-helper writes arbitrary utmp records http://bugzilla.gnome.org/show_bug.cgi?id=317312 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330907 Buffer overflow in the code for recursion and glue fetching in BIND 8.4.4 and 8.4.5 allows remote attackers to cause a denial of service (crash) via queries that trigger the overflow in the q_usedns array that tracks nameservers and addresses. VU#327633 http://www.uniras.gov.uk/niscc/docs/al-20050125-00059.html http://www.isc.org/index.pl?/sw/bind/bind8.php http://www.isc.org/index.pl?/sw/bind/bind-security.php bind-qusedns-bo(19063) 12364 1012996 18291 14009 SCOSA-2006.1 An "incorrect assumption" in the authvalidated validator function in BIND 9.3.0, when DNSSEC is enabled, allows remote attackers to cause a denial of service (named server exit) via crafted DNS packets that cause an internal consistency test (self-check) to fail. VU#938617 bind-named-dns-dos(19062) http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html http://www.isc.org/index.pl?/sw/bind/bind-security.php 2005-0003 12365 http://www.isc.org/index.pl?/sw/bind/bind9.php 1012995 14008 The Acrobat web control in Adobe Acrobat and Acrobat Reader 7.0 and earlier, when used with Internet Explorer, allows remote attackers to determine the existence of arbitrary files via the LoadFile ActiveX method. ADV-2005-0310 http://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdf http://www.hyperdose.com/advisories/H2005-06.txt http://www.adobe.com/support/techdocs/331465.html 12989 15242 14813 The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. http://www.niscc.gov.uk/niscc/docs/re-20050524-00432.pdf?lang=en http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html 13729 25291 The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. This vulnerability is addressed in the following product release: dnrd, dnrd, 2.10 http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html 13729 25291 http://www.niscc.gov.uk/niscc/docs/re-20050524-00432.pdf?lang=en The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html 13729 25291 http://www.niscc.gov.uk/niscc/docs/re-20050524-00432.pdf?lang=en Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address. VU#302220 ADV-2005-2806 ADV-2005-0507 SSRT5957 http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en 13562 HPSBTU01217 1015320 17938 20050509 NISCC Vulnerability Advisory IPSEC - 004033 Multiple cross-site scripting (XSS) vulnerabilities in DotNetNuke before 3.0.12 allow remote attackers to inject arbitrary web script or HTML via the (1) register a new user page, (2) User-Agent, or (3) Username, which is not properly quoted before sending to the error log. http://www.woany.co.uk/advisories/dotnetnukexss.txt 15397 20050516 DotNetNuke (Multiple XSS) 13647 13646 13644 Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files. VU#377368 20050113 Apple iTunes Playlist Parsing Buffer Overflow Vulnerability APPLE-SA-2005-01-11 itunes-m3u-pls-bo(18851) 12238 12833 1012839 13804 The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability." VU#927889 TA05-039A MS05-012 win-ole-code-execution(19109) oval:org.mitre.oval:def:4499 oval:org.mitre.oval:def:3568 oval:org.mitre.oval:def:2917 oval:org.mitre.oval:def:1180 The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields. TA05-039A VU#652537 win-smb-code-execution(19089) MS05-011 20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability 20050309 Update: MS05-011 EEYE: Windows SMB Client Transaction Response Handling Vulnerability 20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability 12484 oval:org.mitre.oval:def:4043 oval:org.mitre.oval:def:1889 oval:org.mitre.oval:def:1847 oval:org.mitre.oval:def:1606 Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." TA05-039A VU#597889 MS05-012 win-com-gain-privileges(19105) http://www.argeniss.com/research/SSExploit.c 20050530 [Argeniss] MS05-012 Exploit oval:org.mitre.oval:def:901 oval:org.mitre.oval:def:2892 oval:org.mitre.oval:def:2351 oval:org.mitre.oval:def:1159 Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability." TA05-102A VU#233754 MS05-019 20050412 Windows IP Options Remote Compromise oval:org.mitre.oval:def:4549 oval:org.mitre.oval:def:3824 oval:org.mitre.oval:def:1744 Windows SharePoint Services and SharePoint Team Services for Windows Server 2003 does not properly validate an HTTP redirection query, which allows remote attackers to inject arbitrary HTML and web script via a cross-site scripting (XSS) attack, or to spoof the web cache. TA05-039A VU#340409 MS05-006 win-sharepoint-services-xss(19091) The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability." TA05-039A VU#130433 MS05-010 win-license-code-execution(19101) oval:org.mitre.oval:def:644 oval:org.mitre.oval:def:4786 oval:org.mitre.oval:def:3582 oval:org.mitre.oval:def:2568 The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability." TA05-039A VU#939074 MS05-007 win-named-pipe-information-disclosure(19093) 12486 1013112 14189 oval:org.mitre.oval:def:3055 oval:org.mitre.oval:def:2292 Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." TA05-039A VU#698835 ie-dragdrop-gain-privileges(19117) 11466 MS05-014 MS05-008 oval:org.mitre.oval:def:4864 oval:org.mitre.oval:def:4726 oval:org.mitre.oval:def:3006 oval:org.mitre.oval:def:2953 oval:org.mitre.oval:def:2046 oval:org.mitre.oval:def:1334 oval:org.mitre.oval:def:1015 Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." TA05-039A VU#580299 MS05-014 20050209 Internet Explorer zone spoofing with encoded URLs ie-file-url-encode(19214) oval:org.mitre.oval:def:3586 oval:org.mitre.oval:def:3196 oval:org.mitre.oval:def:3060 oval:org.mitre.oval:def:1736 oval:org.mitre.oval:def:1308 Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." TA05-039A VU#843771 MS05-014 ie-cdf-execute-code(19137) 1013125 oval:org.mitre.oval:def:710 oval:org.mitre.oval:def:3910 oval:org.mitre.oval:def:3137 oval:org.mitre.oval:def:2692 oval:org.mitre.oval:def:1005 Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability." TA05-039A VU#823971 12427 MS05-014 ie-cdf-execute-code(19137) 1013126 oval:org.mitre.oval:def:4947 oval:org.mitre.oval:def:4085 oval:org.mitre.oval:def:3318 oval:org.mitre.oval:def:2817 oval:org.mitre.oval:def:2385 The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow. TA05-039A VU#820427 MS05-015 win-hyperlink-code-execution(19110) 12479 1013119 14195 oval:org.mitre.oval:def:713 oval:org.mitre.oval:def:3203 oval:org.mitre.oval:def:2570 Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. MS05-040 16354 14518 1014639 oval:org.mitre.oval:def:1297 oval:org.mitre.oval:def:1213 oval:org.mitre.oval:def:1075 oval:org.mitre.oval:def:100088 oval:org.mitre.oval:def:100086 oval:org.mitre.oval:def:100085 oval:org.mitre.oval:def:100084 Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message. MS05-017 oval:org.mitre.oval:def:4988 oval:org.mitre.oval:def:4384 Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application. MS05-018 http://www.ngssoftware.com/advisories/ms-01.txt 20050413 Windows kernel overflow fixed oval:org.mitre.oval:def:4797 oval:org.mitre.oval:def:3941 oval:org.mitre.oval:def:2731 oval:org.mitre.oval:def:2562 The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests. MS05-018 oval:org.mitre.oval:def:4593 oval:org.mitre.oval:def:3994 oval:org.mitre.oval:def:1761 oval:org.mitre.oval:def:1656 The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. MS05-016 20050412 Microsoft MSHTA Script Execution Vulnerability ADV-2005-0335 http://www.securiteam.com/exploits/5YP0T0AFFW.html 13132 20050529 Spam exploiting MS05-016 oval:org.mitre.oval:def:587 oval:org.mitre.oval:def:573 oval:org.mitre.oval:def:4710 oval:org.mitre.oval:def:407 oval:org.mitre.oval:def:3456 oval:org.mitre.oval:def:2184 Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value. FLSA:2353 FLSA:2352 2005-0003 RHSA-2005:066 RHSA-2005:059 RHSA-2005:057 RHSA-2005:053 RHSA-2005:034 20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow GLSA-200502-10 DSA-648 DSA-645 20050119 [USN-64-1] xpdf, CUPS vulnerabilities CLA-2005:921 ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch RHSA-2005:026 17277 oval:org.mitre.oval:def:11781 SCOSA-2005.42 MDKSA-2005:021 MDKSA-2005:020 MDKSA-2005:019 MDKSA-2005:018 MDKSA-2005:017 MDKSA-2005:016 The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka "TCP sequence number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local users to overwrite or create arbitrary files via a symlink attack on temporary files. vim-symlink(18870) RHSA-2005:122 RHSA-2005:036 13841 20050118 [USN-61-1] vim vulnerabilities FLSA:2343 oval:org.mitre.oval:def:9402 1012938 Synaesthesia 2.1 and earlier, and possibly other versions, when installed setuid root, does not drop privileges before processing configuration and mixer files, which allows local users to read arbitrary files. DSA-681 12546 1013206 14300 vdr before 1.2.6 does not securely create files, which allows attackers to overwrite arbitrary files. vdr-dvdapi-file-overwrite(19066) GLSA-200501-42 DSA-656 12356 14066 13995 13930 zhcon before 0.2 does not drop privileges before reading a user configuration file, which allows local users to read arbitrary files. DSA-655 zhcon-information-disclosure(19045) 12343 MDKSA-2005:012 1012977 13987 13982 13977 Buffer overflow in queue.c in a support script for sympa 3.3.3, when running setuid, allows local users to execute arbitrary code. DSA-677 1013163 14224 14217 Buffer overflow in pcdsvgaview in xpcd 2.08 allows local users to execute arbitrary code. DSA-676 12523 1013162 14250 14248 prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers. http://www.squirrelmail.org/security/issue/2005-01-14 RHSA-2005:135 RHSA-2005:099 13962 APPLE-SA-2005-03-21 oval:org.mitre.oval:def:9587 20050129 SquirrelMail Security Advisory GLSA-200501-39 Multiple buffer overflows in the XView library 3.2 may allow local users to execute arbitrary code via setuid applications that use the library. xview-xvparseone-bo(19271) DSA-672 The DBI library (libdbi-perl) for Perl allows local users to overwrite arbitrary files via a symlink attack on a temporary PID file. dbi-library-file-overwrite(19068) RHSA-2005:072 GLSA-200501-38 DSA-658 20050125 [USN-70-1] Perl DBI module vulnerability oval:org.mitre.oval:def:10552 12360 FLSA-2006:178989 MDKSA-2005:030 1013007 14050 14015 The KDE screen saver in KDE before 3.0.5 does not properly check the return value from a certain function call, which allows attackers with physical access to cause a crash and access the desktop session. kdebase-screensaver-security-bypass(19084) RHSA-2005:009 DSA-660 oval:org.mitre.oval:def:9260 Buffer overflow in xtrlock 2.0 allows local users to cause a denial of service (application crash) and hijack the desktop session. DSA-649 xtrlock-screen-lock-bypass(18991) 12316 13938 The 55_options_traceback.dpatch patch for mailman 2.1.5 in Ubuntu 4.10 displays a different error message depending on whether the e-mail address is subscribed to a private list, which allows remote attackers to determine the list membership for a given e-mail address. 20050110 [USN-59-1] mailman vulnerabilities http://qa.debian.org/bts-security.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285839 MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via an HTTP request with invalid headers. 20050119 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities The sapdbwa_GetUserData function in MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via invalid parameters to the WebDAV handler code, which triggers a null dereference that causes the SAP DB Web Agent to crash. 20050119 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities MySQL MaxDB 7.5.00 for Windows, and possibly earlier versions and other platforms, allows remote attackers to cause a denial of service (application crash) via invalid parameters to the (1) DBMCli_String::ReallocString, (2) DBMCli_String::operator, (3) DBMCli_Buffer::ForceResize, (4) DBMCli_Wizard::InstallDatabase, (5) DBMCli_Devspaces::Complete, (6) DBMWeb_TemplateWizard::askForWriteCountStep5, or (7) DBMWeb_DBMWeb::wizardDB functions, which triggers a null dereference. maxdb-null-pointer-dos(19687) 20050314 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities Buffer overflow in the X11 dissector in Ethereal 0.8.10 through 0.10.8 allows remote attackers to execute arbitrary code via a crafted packet. GLSA-200501-27 DSA-653 13946 ethereal-x11-bo(19004) RHSA-2005:037 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:9140 12326 FLSA-2006:152922 MDKSA-2005:013 Cross-site scripting (XSS) vulnerability in ht://dig (htdig) before 3.1.6-r7 allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message. 12442 DSA-680 htdig-config-xss(19223) RHSA-2005:073 GLSA-200502-16 1013078 oval:org.mitre.oval:def:10878 RHSA-2005:090 FLSA-2006:152907 MDKSA-2005:063 17415 17414 15007 14795 14303 14276 14255 SCOSA-2005.46 Heap-based buffer overflow in less in Red Hat Enterprise Linux 3 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted file, as demonstrated using the UTF-8 locale. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527 FLSA:2404 less-file-bo(19131) RHSA-2005:068 oval:org.mitre.oval:def:11027 The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library. RHSA-2005:033 oval:org.mitre.oval:def:10355 The publisher handler for mod_python 2.7.8 and earlier allows remote attackers to obtain access to restricted objects via a crafted URL. VU#356409 DSA-689 GLSA-200502-14 2005-0003 12519 FLSA:152896 RHSA-2005:104 RHSA-2005:100 1013156 oval:org.mitre.oval:def:10617 20050211 [USN-80-1] mod_python vulnerability CLA-2005:926 The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes. http://www.python.org/security/PSF-2005-001/ DSA-666 http://python.org/security/PSF-2005-001/patch-2.2.txt 20050203 Python Security Advisory PSF-2005-001 - SimpleXMLRPCServer.py python-simplexmlrpcserver-bypass(19217) 2005-0003 RHSA-2005:108 oval:org.mitre.oval:def:9811 12437 MDKSA-2005:035 1013083 14128 A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch omits an "access check," which allows local users to cause a denial of service (crash). red-hat-regression-dos(20618) 12599 RHSA-2005:092 oval:org.mitre.oval:def:10425 Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when using the hugemem kernel, allows local users to read and write to arbitrary kernel memory and gain privileges via certain syscalls. red-hat-patch-gain-privileges(20619) 12599 RHSA-2005:092 oval:org.mitre.oval:def:11249 Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when running on x86 with the hugemem kernel, allows local users to cause a denial of service (crash). 12599 RHSA-2005:092 red-hat-patch-dos(20620) oval:org.mitre.oval:def:11647 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. Buffer overflow in the gopherToHTML function in the Gopher reply parser for Squid 2.5.STABLE7 and earlier allows remote malicious Gopher servers to cause a denial of service (crash) via crafted responses. RHSA-2005:061 RHSA-2005:060 DSA-651 GLSA-200501-25 13825 2005-0003 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch http://www.squid-cache.org/Advisories/SQUID-2005_1.txt SUSE-SA:2005:006 oval:org.mitre.oval:def:11146 CLA-2005:923 12276 MDKSA-2005:014 FLSA-2006:152809 The WCCP message parsing code in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via malformed WCCP messages with source addresses that are spoofed to reference Squid's home router and invalid WCCP_I_SEE_YOU cache numbers. 2005-0003 http://www.squid-cache.org/Advisories/SQUID-2005_2.txt RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-651 GLSA-200501-25 13825 CLA-2005:923 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch oval:org.mitre.oval:def:10269 12275 12886 MDKSA-2005:014 1012882 FLSA-2006:152809 Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (memory consumption). http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth RHSA-2005:061 RHSA-2005:060 GLSA-200501-25 CLA-2005:923 2005-0003 SUSE-SA:2005:006 oval:org.mitre.oval:def:10233 12324 1012818 FLSA-2006:152809 The NTLM component in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via a malformed NTLM type 3 message that triggers a NULL dereference. 2005-0003 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 GLSA-200501-25 13789 oval:org.mitre.oval:def:11646 12220 1012818 FLSA-2006:152809 Multiple buffer overflows in the SDL port of abuse (abuse-SDL) before 2.00 allow local users to execute arbitrary code via the command line. DSA-691 14495 The SDL port of abuse (abuse-SDL) before 2.00 does not properly drop privileges before creating certain files, which allows local users to create or overwrite arbitrary files. DSA-691 14495 14610 Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote malicious POP3 servers to execute arbitrary code via crafted packets. xemacs-movemail-format-string(19246) RHSA-2005:133 RHSA-2005:112 RHSA-2005:110 DSA-685 DSA-671 DSA-670 oval:org.mitre.oval:def:9408 20050207 [USN-76-1] Emacs vulnerability 12462 FLSA-2006:152898 MDKSA-2005:038 Buffer overflow in the socket_getline function in Newspost 2.1.1 and earlier allows remote malicious NNTP servers to execute arbitrary code via a long string without a newline character. GLSA-200502-05 newspost-socketgetline-bo(19178) http://www.vuxml.org/freebsd/7f13607b-6948-11d9-8937-00065be4b5b6.html 14092 http://people.freebsd.org/~niels/issues/newspost-20050114.txt 20050202 RE: SECURITEY.NNOV.RU NewsPost buffer overflow [EXPLOIT] 12418 1013056 14098 Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow. evolution-camellockhelper-bo(19031) 12354 RHSA-2005:397 DSA-673 GLSA-200501-35 CLA-2005:925 RHSA-2005:238 oval:org.mitre.oval:def:9616 USN-69-1 MDKSA-2005:024 1012981 13830 PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code. http://www.squirrelmail.org/security/issue/2005-01-19?PHPSESSID=8af117822fb1ca3aa966a64248b5d223 RHSA-2005:135 RHSA-2005:099 13962 APPLE-SA-2005-03-21 squirrelmail-frame-file-include(19037) GLSA-200501-39 oval:org.mitre.oval:def:10670 20050129 SquirrelMail Security Advisory Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables. http://www.squirrelmail.org/security/issue/2005-01-20 RHSA-2005:135 RHSA-2005:099 DSA-662 14096 13962 20050129 SquirrelMail Security Advisory APPLE-SA-2005-03-21 oval:org.mitre.oval:def:10568 squirrelmail-webmailphp-xss(19036) GLSA-200501-39 Unknown vulnerability in typespeed 0.4.1 and earlier allows local users to gain privileges. DSA-684 SSLeay.pm in libnet-ssleay-perl before 1.25 uses the /tmp/entropy file for entropy if a source is not set in the EGD_PATH variable, which allows local users to reduce the cryptographic strength of certain operations by modifying the file. USN-113-1 13471 MDKSA-2006:023 18639 bsmtpd 2.3 and earlier does not properly sanitize e-mail addresses, which allows remote attackers to execute arbitrary commands. DSA-690 Apache mod_auth_radius 1.5.4 and libpam-radius-auth allow remote malicious RADIUS servers to cause a denial of service (crash) via a RADIUS_REPLY_MESSAGE with a RADIUS attribute length of 1, which leads to a memcpy operation with a -1 length argument. modauthradius-dos(18841) DSA-659 http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02 20050111 Apache mod_auth_radius remote integer overflow 12217 1012829 14046 13773 Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. VU#911878 12724 1013967 ADV-2005-3002 ADV-2005-0540 RHSA-2005:800 RHSA-2005:476 http://www.daemonology.net/papers/htt.pdf http://www.daemonology.net/hyperthreading-considered-harmful/ http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754 101739 18165 15348 oval:org.mitre.oval:def:9747 [openbsd-misc] 20050304 Re: FreeBSD hiding security stuff [freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff] [freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuff SCOSA-2005.24 Internet Explorer 6 on Windows XP SP2 allows remote attackers to bypass the file download warning dialog and possibly trick an unknowledgeable user into executing arbitrary code via a web page with a body element containing an onclick tag, as demonstrated using the createElement function. 20050114 Internet Explorer (SP2) - Remote File Download Stack-based buffer overflow in the websql CGI program in MySQL MaxDB 7.5.00 allows remote attackers to execute arbitrary code via a long password parameter. 20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability 12265 1012893 The web-based administrative interface for 3Com OfficeConnect Wireless 11g Access Point (AP) 1.00.08, and possibly earlier versions before 1.03.07A, allows remote attackers to bypass authentication and obtain sensitive information by directly accessing the (1) config.bin (2) profile.wlp?PN=ggg or (3) event.logs URLs. 3com-officeconnect-information-disclosure(18994) 12322 20050120 3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability 1012958 13942 inpview in SGI IRIX allows local users to execute arbitrary commands via the SUN_TTSESSION_CMD environment variable, which is executed by inpview without dropping privileges. irix-inpview-gain-privileges(18894) 20050113 SGI IRIX inpview Design Error Vulnerability 13858 12259 12915 1012894 vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer. 20050211 ZoneAlarm 5.1 Invalid Pointer Dereference Vulnerability http://download.zonelabs.com/bin/free/securityAlert/19.html 12531 14256 Stack-based buffer overflow in DataRescue Interactive Disassembler (IDA) Pro 4.7 allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name. database-ida-portable-executable-bo(19042) http://www.datarescue.com/ubb/ultimatebb.php?/topic/2/146.html 20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability 12353 1012975 13980 AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl. VU#272296 20050117 AWStats Remote Command Execution Vulnerability 13893 http://awstats.sourceforge.net/docs/awstats_changelog.txt 12298 13002 http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf Buffer overflow in XShisen before 1.36 allows local users to execute arbitrary code via a long GECOS field. http://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784 helvis 1.8h2_1 and earlier stores recovery files in world readable directories with world readable permissions, which allows local users to read the recovered files of other users. http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.html helvis 1.8h2_1 and earlier allows local users to recover and read the files of other users via the elvrec setuid program. http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.html helvis 1.8h2_1 and earlier allows local users to delete arbitrary files via the elvprsv setuid program. http://people.freebsd.org/~niels/ports/korean/helvis/issues.txt Multiple buffer overflows in golddig 2.0 and earlier allow local users to execute arbitrary code via (1) a long map name command line argument or (2) a long username as recorded in the USER environment variable. http://www.vuxml.org/freebsd/949c470e-528f-11d9-ac20-00065be4b5b6.html golddig-long-username-bo(19040) golddig-long-mapname-bo(19039) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0975. Reason: This candidate is a duplicate of CVE-2005-0975. Notes: All CVE users should reference CVE-2005-0975 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow. ADV-2005-1878 [linux-kernel] 20050107 [PATCH 2.6.10-mm2] fs/coda Re: [Coverity] Untrusted user data in kernel [linux-kernel] 20050107 [PATCH 2.4.29-pre3-bk4] fs/coda Re: [Coverity] Untrusted user data in kernel [linux-kernel] 20050105 Re: [Coverity] Untrusted user data in kernel [linux-kernel] 20041216 [Coverity] Untrusted user data in kernel oval:org.mitre.oval:def:11690 14967 FLSA:157459-1 RHSA-2006:0191 RHSA-2005:663 DSA-1082 DSA-1070 DSA-1069 DSA-1067 DSA-1017 1013018 20338 20202 20163 19374 18684 17002 The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop privileges, which allows local users to (1) delete arbitrary files via atrm, (2) execute arbitrary programs via the -f argument to batch, or (3) read arbitrary files via the -f argument to batch, which generates a job file that is readable by the local user. VU#678150 APPLE-SA-2005-01-25 macos-at-gain-privileges(18981) http://www.digitalmunition.com/DMA[2005-0127a].txt 20050127 DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid' ColorSync on Mac OS X 10.3.7 and 10.3.8 allows attackers to execute arbitrary code via malformed ICC color profiles that modify the heap. VU#980078 macos-icc-profile-bo(19083) APPLE-SA-2005-01-25 12367 1013000 Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine. VU#464662 macos-ethernet-address-disclosure(19085) 14005 APPLE-SA-2005-01-25 1013001 The Quick Buttons feature in Konversation 0.15 allows remote attackers to execute certain IRC commands via a channel name containing "%" variables, which are recursively expanded by the Server::parseWildcards function when the Part Button is selected. 20050119 Multiple vulnerabilities in Konversation konversation-expansion-execute-code(19025) 20050119 Multiple vulnerabilities in Konversation 12312 http://www.kde.org/info/security/advisory-20050121-1.txt GLSA-200501-34 1012972 13989 13919 Certain Perl scripts in Konversation 0.15 allow remote attackers to execute arbitrary commands via shell metacharacters in (1) channel names or (2) song names that are not properly quoted when the user runs IRC sripts. 20050119 Multiple vulnerabilities in Konversation konversation-perlscript-execute-code(19008) 20050119 Multiple vulnerabilities in Konversation 12312 http://www.kde.org/info/security/advisory-20050121-1.txt GLSA-200501-34 1012972 13989 13919 The Quick Connection dialog in Konversation 0.15 inadvertently uses the user-provided password as the nickname instead of the user-provided nickname when connecting to the IRC server, which could leak the password to other users. 20050119 Multiple vulnerabilities in Konversation konversation-nick-password-information-disclosure(19038) 20050119 Multiple vulnerabilities in Konversation 12312 http://www.kde.org/info/security/advisory-20050121-1.txt GLSA-200501-34 1012972 13989 13919 ClamAV 0.80 and earlier allows remote attackers to cause a denial of service (clamd daemon crash) via a ZIP file with malformed headers. 2005-0003 GLSA-200501-46 http://sourceforge.net/project/shownotes.php?release_id=300116 CLA-2005:928 MDKSA-2005:025 The X server in SCO UnixWare 7.1.1, 7.1.3, and 7.1.4 does not properly create socket directories in /tmp, which could allow attackers to hijack local sockets. SCOSA-2005.8 ADV-2005-0077 The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash). https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148868 RHSA-2005:366 RHSA-2005:284 15019 oval:org.mitre.oval:def:9040 http://linux.bkbits.net:8080/linux-2.6/cset@41f2beablXVnAs_6fznhhITh1j5hZg 13266 RHSA-2005:293 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain "ptrace corner cases" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155283 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148862 RHSA-2005:663 RHSA-2005:420 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11 [linux-ia64] 20040916 Re: [Patch] Per CPU MCA/INIT data save areas 17002 http://openvz.org/news/updates/kernel-022stab045.1-released ADV-2005-1878 oval:org.mitre.oval:def:11628 [kernel-svn-changes] 20050816 r3920 - in branches/dist/sarge-security: . kernel kernel/i386 kernel/source kernel/source/kernel-source-2.6.8-2.6.8/debian Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a "missing Itanium syscall table entry." RHSA-2005:293 RHSA-2005:284 oval:org.mitre.oval:def:11039 rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not correctly allow access to anonymous clients that connect from a system whose hostname can not be determined. NOTE: while this issue occurs in a security mechanism, there is no apparent attacker role and probably does not satisfy the CVE definition of a vulnerability. P-214 ADV-2005-0702 15619 Unknown vulnerability in rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not sufficiently restrict access rights for read-mostly exports, which allows attackers to conduct unauthorized activities. P-214 ADV-2005-0702 15619 Buffer overflow in PeID allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name. database-ida-portable-executable-bo(19042) 20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability 12355 13984 Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab. mozilla-firefox-file-upload(19168) RHSA-2005:335 RHSA-2005:323 https://bugzilla.mozilla.org/show_bug.cgi?id=249332 http://www.mozilla.org/security/announce/mfsa2005-01.html oval:org.mitre.oval:def:10756 12407 oval:org.mitre.oval:def:100057 Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF. mozilla-world-readable(17832) RHSA-2005:335 https://bugzilla.mozilla.org/show_bug.cgi?id=251297 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-02.html oval:org.mitre.oval:def:9543 RHSA-2005:384 SUSE-SA:2006:022 19823 oval:org.mitre.oval:def:100056 Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks. https://bugzilla.mozilla.org/show_bug.cgi?id=257308 mozilla-ssl-spoofing(19166) RHSA-2005:335 http://www.mozilla.org/security/announce/mfsa2005-03.html oval:org.mitre.oval:def:11297 12407 RHSA-2005:384 oval:org.mitre.oval:def:100055 Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks. mozilla-ssl-view-source-spoofing(19169) RHSA-2005:335 RHSA-2005:323 https://bugzilla.mozilla.org/show_bug.cgi?id=262689 http://www.mozilla.org/security/announce/mfsa2005-04.html oval:org.mitre.oval:def:11016 12407 oval:org.mitre.oval:def:100054 Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature. https://bugzilla.mozilla.org/show_bug.cgi?id=265176 mozilla-script-click-event-bypass(19170) http://www.mozilla.org/security/announce/mfsa2005-07.html 12407 oval:org.mitre.oval:def:100051 Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to obtain sensitive data from the clipboard via Javascript that generates a middle-click event on systems for which a middle-click performs a paste operation. RHSA-2005:335 https://bugzilla.mozilla.org/show_bug.cgi?id=265728 mozilla-middle-click-information-disclosure(19171) http://www.mozilla.org/security/announce/mfsa2005-08.html oval:org.mitre.oval:def:10362 12407 RHSA-2005:384 Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials. mozilla-407-proxy-obtain-information(19174) RHSA-2005:323 https://bugzilla.mozilla.org/show_bug.cgi?id=267263 http://www.mozilla.org/security/announce/mfsa2005-09.html oval:org.mitre.oval:def:9578 12407 oval:org.mitre.oval:def:100049 Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future. thunderbird-javascript-handler-launch(19173) https://bugzilla.mozilla.org/show_bug.cgi?id=263546 http://www.mozilla.org/security/announce/mfsa2005-10.html 12407 oval:org.mitre.oval:def:100048 Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages. https://bugzilla.mozilla.org/show_bug.cgi?id=268107 mozilla-cookie-policy-bypass(19172) RHSA-2005:335 RHSA-2005:323 RHSA-2005:094 http://www.mozilla.org/security/announce/mfsa2005-11.html SUSE-SA:2006:004 oval:org.mitre.oval:def:11407 12407 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100047 Firefox before 1.0 allows the user to store a (1) javascript: or (2) data: URLs as a Livefeed bookmark, then executes it in the security context of the currently loaded page when the user later accesses the bookmark, which could allow remote attackers to execute arbitrary code. https://bugzilla.mozilla.org/show_bug.cgi?id=265668 mozilla-firefox-livefeed-xss(19187) http://www.mozilla.org/security/announce/mfsa2005-12.html 12407 oval:org.mitre.oval:def:100046 Unknown vulnerability in the installation of Adobe License Management Service, as used in Adobe Photoshop CS, Adobe Creative Suite 1.0, and Adobe Premiere Pro 1.5, allows attackers to gain administrator privileges. http://www.adobe.com/support/techdocs/331688.html 1014170 1014169 1014168 PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation." VU#203214 DSA-662 14096 The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable. perl-perliodebug-file-overwrite(19207) 2005-0003 12426 RHSA-2005:105 RHSA-2005:103 GLSA-200502-13 20050207 DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation' 20050202 [USN-72-1] Perl vulnerabilities http://www.digitalmunition.com/DMA[2005-0131a].txt oval:org.mitre.oval:def:10404 MDKSA-2005:031 http://support.avaya.com/elmodocs2/security/ASA-2006-163.htm 21646 14120 FLSA-2006:152845 CLSA-2006:1056 Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree. perl-perliodebug-bo(19208) 2005-0003 12426 RHSA-2005:105 RHSA-2005:103 GLSA-200502-13 http://www.digitalmunition.com/DMA[2005-0131b].txt oval:org.mitre.oval:def:10803 20050207 DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG 20050202 [USN-72-1] Perl vulnerabilities MDKSA-2005:031 14120 FLSA-2006:152845 CLSA-2006:1056 The confirm add-on in SmartList 3.15 and earlier allows attackers to subscribe arbitrary e-mail addresses by using a valid cookie that specifies an address other than the address for which the cookie was assigned. DSA-720 Format string vulnerability in bidwatcher before 1.3.17 allows remote malicious web servers from eBay, or a spoofed eBay server, to cause a denial of service and possibly execute arbitrary code via certain responses. GLSA-200503-06 DSA-687 The tpkg-* scripts in the toolchain-source 3.0.4 package on Debian GNU/Linux 3.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files. 12540 DSA-679 toolchain-source-symlink(19317) 14277 Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) 2 overflows in ACE archives, (2) a long command line argument, or (3) certain "Ready for next volume" messages. VU#215006 SUSE-SR:2005:016 14359 20050222 unace-1.2b multiple buffer overflows and directory traversal bugs 12630 Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames. SUSE-SR:2005:016 14359 20050222 unace-1.2b multiple buffer overflows and directory traversal bugs 12628 Stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code. openswan-xauth-pam-bo(19078) http://www.openswan.org/support/vuln/IDEF0785/ 20050126 Openswan XAUTH/PAM Buffer Overflow Vulnerability 12377 FEDORA-2005-082 13195 1013014 14062 14038 squid_ldap_auth in Squid 2.5 and earlier allows remote authenticated users to bypass username-based Access Control Lists (ACLs) via a username with a space at the beginning or end, which is ignored by the LDAP server. VU#924198 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-667 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:923 http://www.squid-cache.org/bugs/show_bug.cgi?id=1187 oval:org.mitre.oval:def:10251 12431 MDKSA-2005:034 FLSA-2006:152809 Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3) header names containing whitespace characters. VU#768702 RHSA-2005:061 RHSA-2005:060 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing FEDORA-2005-373 SUSE-SA:2005:006 oval:org.mitre.oval:def:10656 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:931 12412 MDKSA-2005:034 FLSA-2006:152809 Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack. VU#625878 RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-667 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:931 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting http://www.squid-cache.org/Advisories/SQUID-2005_5.txt FEDORA-2005-373 oval:org.mitre.oval:def:11605 12433 MDKSA-2005:034 FLSA-2006:152809 The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released. RHSA-2005:092 oval:org.mitre.oval:def:8778 20050215 [USN-82-1] Linux kernel vulnerabilities CLA-2005:930 12598 RHSA-2005:472 19607 20060402-01-U oval:org.mitre.oval:def:1225 nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow. RHSA-2005:092 http://linux.bkbits.net:8080/linux-2.6/cset@41e2bfbeOiXFga62XrBhzm7Kv9QDmQ CLA-2005:930 12598 oval:org.mitre.oval:def:10298 20050215 [USN-82-1] Linux kernel vulnerabilities Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores. RHSA-2005:092 http://linux.bkbits.net:8080/linux-2.6/cset@41ddda70CWJb5nNL71T4MOlG2sMG8A 12598 oval:org.mitre.oval:def:10647 20050215 [USN-82-1] Linux kernel vulnerabilities CLA-2005:930 Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call. RHSA-2005:092 ADV-2005-1878 oval:org.mitre.oval:def:9890 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories CLA-2005:930 RHSA-2005:663 17002 Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions. RHSA-2005:092 MDKSA-2005:219 oval:org.mitre.oval:def:10667 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories CLA-2005:930 12198 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories MDKSA-2005:219 MDKSA-2005:218 17826 The mod_dosevasive module 1.9 and earlier for Apache creates temporary files with predictable filenames, which could allow remote attackers to overwrite arbitrary files via a symlink attack. moddosevasive-symlink(18765) 12181 http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01 20050111 Mod_dosevasive symlink and race vulnerability 13725 ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to execute arbitrary commands via shell metacharacters in a command line argument. vacation-ftpfile-command-execution(18855) http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03 20050111 Squirrelmail vacation v0.15 local root exploit http://www.squirrelmail.org/plugin_view.php?id=51 12222 1012866 13791 Directory traversal vulnerability in ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to read arbitrary files via a .. (dot dot) in a get request. vacation-ftpfile-directory-traversal(18856) http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03 20050111 Squirrelmail vacation v0.15 local root exploit http://www.squirrelmail.org/plugin_view.php?id=51 12222 1012866 13791 Stack-based buffer overflow in NodeManager Professional 2.00 allows remote attackers to execute arbitrary commands via a LinkDown-Trap packet that contains a long OCTET-STRING in the Trap variable-bindings field. nodemanager-linkdown-bo(18937) http://www.security.org.sg/vuln/nodemanager200.html 13881 20050117 [SIG^2 G-TEC] NodeManager Professional V2.00 Buffer Overflow Vulnerability 12283 1012915 Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port. cisco-ios-sccp-dos(18956) 20050119 Vulnerability in Cisco IOS Embedded Call Processing Solutions oval:org.mitre.oval:def:4849 1012945 13913 Stack-based buffer overflow in the SetSkin function in AtHoc toolbar allows remote attackers to execute arbitrary code via a long skin name. athoc-toolbar-bo(17627) 11341 http://www.ngssoftware.com/advisories/athoc-01full.txt 20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c) 20041006 Patch available for high risk flaws in the AtHoc Toolbar Format string vulnerability in the SetBaseURL function in AtHoc toolbar allows remote attackers to execute arbitrary code via format string specifiers in an invalid URL that is recorded in the debug log. athoc-toolbar-format-string(17628) 11341 http://www.ngssoftware.com/advisories/athoc-01full.txt 20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c) 20041006 Patch available for high risk flaws in the AtHoc Toolbar Stack-based buffer overflow in the HandleAction function in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to execute arbitrary code via a long ShowPreferences argument. VU#698390 12311 http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e) 20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing .. (dot dot) sequences in a filename that ends with a ? (question mark) and an allowed file extension (e.g. .mp3), which bypasses the check for the file extension. realplayer-media-file-deletion(17551) 11308 http://www.ngssoftware.com/advisories/real-02full.txt http://service.real.com/help/faq/security/040928_player/EN/ 12672 20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Off-by-one buffer overflow in the processing of tags in Real Metadata Package (RMP) files in RealPlayer 10.5 (6.0.12.1040) and earlier could allow remote attackers to execute arbitrary code via a long tag. realplayer-long-filename-offbyone-bo(18982) http://www.ngssoftware.com/advisories/real-03full.txt http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Directory traversal vulnerability in the parsing of Skin file names in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in an RJS filename. realplayer-rjs-filenane-directory-traversal(18984) http://www.ngssoftware.com/advisories/real-03full.txt http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync 1.5 in Mac OS X 10.3.7 and earlier allows local users to execute arbitrary code. isync-mrouter-bo(19011) 20050122 Mac OS X 10.3 iSync Privilege Escalation APPLE-SA-2005-04-19 12334 1012974 13965 Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings. VU#260421 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls DSA-667 20050221 [USN-84-1] Squid vulnerabilities CLA-2005:923 http://www.squid-cache.org/bugs/show_bug.cgi?id=1166 FLSA-2006:152809 Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet. TA05-026A VU#472582 cisco-ios-ipv6-dos(19072) 20050126 Multiple Crafted IPv6 Packets Cause Reload oval:org.mitre.oval:def:5813 Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet. TA05-026A VU#689326 cisco-ios-bgp-packetdos(19074) 20050126 Cisco IOS Misformed BGP Packet Causes Reload oval:org.mitre.oval:def:5652 1013013 14034 Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multi Protocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface. TA05-026A VU#583638 cisco-ios-mpls-dos(19071) 20050126 Crafted Packet Causes Reload on Cisco Routers 12369 1013015 14031 oval:org.mitre.oval:def:5662 A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users. http://www.kb.cert.org/vuls/id/CRDY-68QSL5 VU#702777 RHSA-2005:128 GLSA-200502-02 oval:org.mitre.oval:def:11306 12391 MDKSA-2005:026 1013037 14097 14057 Integer underflow in the Lists_MakeMask() function in lists.c in ngIRCd before 0.8.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MODE line that causes an incorrect length calculation, which leads to a buffer overflow. ngircd-listmakemask-bo(19143) 12397 GLSA-200501-40 [ngIRCd-ML] 20050126 ngIRCd 0.8.2 http://bugs.gentoo.org/show_bug.cgi?id=79705 1013047 14059 14056 TikiWiki before 1.8.5 does not properly validate files that have been uploaded to the temp directory, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2004-1386. GLSA-200501-41 http://tikiwiki.org/art102 13948 D-BUS (dbus) before 0.22 does not properly restrict access to a socket, if the socket address is known, which allows local users to listen or send arbitrary messages on another user's per-user session bus via that socket. RHSA-2005:102 MDKSA-2005:105 USN-144-1 ESB-2005.0435 oval:org.mitre.oval:def:10973 12435 1013075 15844 15833 15638 14119 Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences. RHSA-2005:137 RHSA-2005:136 GLSA-200502-11 20050209 [USN-78-1] Mailman vulnerability APPLE-SA-2005-03-21 DSA-674 oval:org.mitre.oval:def:10657 20050209 Administrivia: List Compromised due to Mailman Vulnerability SUSE-SA:2005:007 MDKSA-2005:037 1013145 14211 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none. Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction. RHSA-2005:092 2006-0006 12598 RHSA-2005:293 18784 oval:org.mitre.oval:def:10320 KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain wrappers, does not properly close a privileged file descriptor for a domain socket, which allows local users to read and write to /etc/hosts and /etc/resolv.conf and gain control over DNS name resolution by opening a number of file descriptors before executing kppp. RHSA-2005:175 http://www.kde.org/info/security/advisory-20050228-1.txt 20050228 KPPP Privileged File Descriptor Leak Vulnerability DSA-692 CLA-2005:934 oval:org.mitre.oval:def:9596 The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities. 11501 RHSA-2005:213 xpdf-pdf-bo(17818) RHSA-2005:132 RHSA-2005:057 RHSA-2005:053 RHSA-2005:034 oval:org.mitre.oval:def:11107 MDKSA-2005:056 MDKSA-2005:052 MDKSA-2005:044 MDKSA-2005:043 MDKSA-2005:042 MDKSA-2005:041 Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT. 12330 SUSE-SA:2005:003 CLA-2005:930 oval:org.mitre.oval:def:11001 RHSA-2005:366 The HTML parsing functions in Gaim before 1.1.4 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0473. VU#795812 RHSA-2005:215 GLSA-200503-03 14386 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 oval:org.mitre.oval:def:10477 http://gaim.sourceforge.net/security/?id=12 12660 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments. SUSE-SA:2005:018 20050315 [USN-95-1] Linux kernel vulnerabilities CLA-2005:945 12598 RHSA-2005:420 RHSA-2005:366 oval:org.mitre.oval:def:11855 Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice. SUSE-SA:2005:018 20050315 [USN-95-1] Linux kernel vulnerabilities CLA-2005:945 ADV-2005-1878 12816 14966 MDKSA-2005:219 MDKSA-2005:219 MDKSA-2005:218 17826 17002 14295 RHSA-2005:663 RHSA-2005:366 oval:org.mitre.oval:def:10275 Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter. VU#886006 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-667 20050207 [USN-77-1] Squid vulnerabilities oval:org.mitre.oval:def:9573 12432 13319 MDKSA-2005:034 1013045 14076 FLSA-2006:152809 The Amp II engine as used by Gore: Ultimate Soldier 1.50 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero byte UDP packet. amp-3d-socket-dos(18789) 12192 http://aluigi.altervista.org/adv/amp2zero-adv.txt 13754 20050106 Socket unreacheable in Amp II engine Directory traversal vulnerability in WinHKI 1.4d allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a zip file. winhki-zip-directory-traversal(18798) 12176 20050106 WinAc AND WinHKI ZIP File Directory Transversal 1012798 13738 Directory traversal vulnerability in Simple PHP Blog (SPHPBlog) 0.3.7c allows remote attackers to read or create arbitrary files via a .. (dot dot) in the entry parameter. 12193 sphp-dotdot-directory-traversal(18802) 20050107 Simple PHP Blog directory traversal vulnerability 20050107 Simple PHP Blog directory traversal vulnerability Mozilla 1.6 and possibly other versions allows remote attackers to cause a denial of service (application crash) via a XBM (X BitMap) file with a large (1) height or (2) width value. 20050107 Mozilla XBM Image Vulnerability mozilla-xbm-dos(18803) Cross-site scripting (XSS) vulnerability in formmail.php in Woltlab Burning Board Lite 1.0.0, 1.0.1e, and possibly other versions, allows remote attackers to inject arbitrary web sript and HTML via the userid parameter. wbb-formmail-userid-xss(18814) 12199 20050108 Security Advisory: Woltlab Burning Board Lite formmail.php XSS 13782 SQL injection vulnerability in index.php in Invision Community Blog allows remote attackers to execute arbitrary SQL commands via the eid parameter. icb-sql-injection(18815) 12205 20050109 SQL Injection Vulnerability in Invision Community Blog 12817 1012831 13783 ClamAV 0.80 and earlier allows remote attackers to bypass virus scanning via a base64 encoded image in a data: (RFC 2397) URL. GLSA-200501-46 http://sourceforge.net/project/shownotes.php?release_id=300116 13900 MDKSA-2005:025 Multiple cross-site scripting (XSS) vulnerabilities in Gallery 1.3.4-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the index field in add_comment.php, (2) set_albumName, (3) slide_index, (4) slide_full, (5) slide_loop, (6) slide_pause, (7) slide_dir fields in slideshow_low.php, or (8) username field in search.php. http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 gallery-multiple-xss(18938) 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability gallery-multiple-scripts-xss(43473) Cross-site scripting vulnerability in login.php in Gallery 1.4.4-pl2 allows remote attackers to inject arbitrary web script or HTML via the username field. 13887 http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 gallery-multiple-xss(18938) GLSA-200501-45 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability Cross-site scripting (XSS) vulnerability in login.php in Gallery 2.0 Alpha allows remote attackers to inject arbitrary web script or HTML via the g2_form[subject] field. gallery-multiple-xss(18938) http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 http://theinsider.deep-ice.com/texts/advisory69.txt 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability 20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability gallery-g2formsubject-xss(43472) main.php in Gallery 2.0 Alpha allows remote attackers to gain sensitive information by changing the value of g2_subView parameter, which reveals the path in an error message. gallery-mainphp-obtain-information(18940) http://theinsider.deep-ice.com/texts/advisory69.txt 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability The Software Development Kit (SDK) and Run Time Environment (RTE) 1.4.1 and 1.4.2 for Tru64 UNIX allows remote attackers to cause a denial of service (Java Virtual Machine hang) via object deserialization. SSRT4875 Unknown vulnerability in HP-UX B.11.04 running Virtualvault 4.5 through 4.7, when running the TGA daemon, allows remote attackers to cause a denial of service via certain network traffic. 14082 SSRT5900 firehol.sh in FireHOL before 1.224 creates temporary files with predictable file names, which could allow local users to overwrite arbitrary files via a symlink attack. GLSA-200502-01 http://cvs.sourceforge.net/viewcvs.py/firehol/firehol/firehol.sh firehol-symlink(19032) 12336 13137 1012969 14102 13970 Format string vulnerability in the Log_Resolver function in log.c for ngIRCd 0.8.2 and earlier, when compiled with IDENT, logging to SYSLOG, and with DEBUG enabled, allows remote attackers to execute arbitrary code. http://www.nosystem.com.ar/advisories/advisory-11.txt 14114 20050203 ngIRCd <= v0.8.2 Format String Vulnerability 12434 PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension. 2005-0003 RHSA-2005:150 RHSA-2005:138 DSA-668 200502-08 12948 20050201 [USN-71-1] PostgreSQL vulnerability [pgsql-announce] 20050201 PostgreSQL Security Release 12411 SUSE-SA:2005:036 MDKSA-2005:040 oval:org.mitre.oval:def:10234 [pgsql-bugs] 20050121 Privilege escalation via LOAD ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1388. Reason: This candidate is a duplicate of CVE-2004-1388. Notes: All CVE users should reference CVE-2004-1388 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CitrusDB 0.3.5 and earlier stores the newfile.txt temporary data file under the web root, which allows remote attackers to steal credit card information via a direct request to newfile.txt. 12402 20050212 Credit Card data disclosure in CitrusDB citrus-information-disclosure(19145) http://www.redteam-pentesting.de/advisories/rt-sa-2005-001.txt http://www.citrusdb.org/forums/viewtopic.php?t=49 1013040 Firefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging." http://www.mozilla.org/security/announce/mfsa2005-25.html GLSA-200503-30 GLSA-200503-10 https://bugzilla.mozilla.org/show_bug.cgi?id=279945 12468 SUSE-SA:2006:004 http://www.mikx.de/firedragging/ 20050207 Firedragging [Firefox 1.0] SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100033 Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing." https://bugzilla.mozilla.org/show_bug.cgi?id=280056 mozilla-firefox-tab-gain-access(19264) SUSE-SA:2005:016 http://www.mozilla.org/security/announce/mfsa2005-26.html GLSA-200503-30 GLSA-200503-10 http://www.mikx.de/firetabbing/ oval:org.mitre.oval:def:10079 20050207 Firetabbing [Firefox 1.0] RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100032 Firefox 1.0 allows remote attackers to modify Boolean configuration parameters for the about:config site by using a plugin such as Flash, and the -moz-opacity filter, to display the about:config site then cause the user to double-click at a certain screen position, aka "Fireflashing." mozilla-firefox-aboutconfig-modify(19266) RHSA-2005:323 SUSE-SA:2005:016 GLSA-200503-30 GLSA-200503-10 https://bugzilla.mozilla.org/show_bug.cgi?id=280664 http://www.mozilla.org/security/announce/mfsa2005-27.html http://www.mikx.de/fireflashing/ oval:org.mitre.oval:def:10967 20050207 Fireflashing [Firefox 1.0] RHSA-2005:384 RHSA-2005:176 The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) SUSE-SA:2005:016 http://www.mozilla.org/security/announce/mfsa2005-29.html GLSA-200503-30 GLSA-200503-10 http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 12461 RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:11229 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks oval:org.mitre.oval:def:100029 The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks APPLE-SA-2005-03-21 12461 The International Domain Name (IDN) support in Opera 7.54 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks 12461 SUSE-SA:2005:031 The International Domain Name (IDN) support in Omniweb 5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 12461 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks The International Domain Name (IDN) support in Konqueror 3.2.1 on KDE 3.2.1 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.kde.org/info/security/advisory-20050316-2.txt 14162 http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn oval:org.mitre.oval:def:10671 20050206 Re: state of homograph attacks 20050206 state of homograph attacks 12461 FLSA:178606 RHSA-2005:325 MDKSA-2005:058 The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. https://bugzilla.redhat.com/beta/show_bug.cgi?id=147399 multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 12461 20050206 state of homograph attacks viewcert.php in the S/MIME plugin 0.4 and 0.5 for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the cert parameter. VU#502328 squirrelmail-smime-command-execution(19242) http://www.squirrelmail.org/plugin_view.php?id=54 20050207 SquirrelMail S/MIME Plugin Command Injection Vulnerability Format string vulnerability in chdev on IBM AIX 5.2 allows local users to execute arbitrary code via format string specifiers in a command line argument, which is not properly handled when printing an error message. aix-chdev-format-string(19244) 20050207 IBM AIX chdev Local Format String Vulnerability IY67654 IY67455 The httpProcessReplyHeader function in http.c for Squid 2.5-STABLE7 and earlier does not properly set the debug context when it is handling "oversized" HTTP reply headers, which might allow remote attackers to poison the cache or bypass access controls based on header size. VU#823350 squid-http-cache-poisoning(19060) http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-oversize_reply_headers.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-oversize_reply_headers http://www.squid-cache.org/bugs/show_bug.cgi?id=1216 RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 CLA-2005:931 oval:org.mitre.oval:def:10998 12412 14091 FLSA-2006:152809 The Audio Setup Wizard (asw.dll) in Yahoo! Messenger 6.0.0.1750, and possibly other versions, allows attackers to arbitrary code by placing a malicious ping.exe program into the Messenger program directory, which is installed with weak default permissions. http://secunia.com/secunia_research/2004-6/advisory/ 11815 Yahoo! Messenger 6.0.0.1750, and possibly other versions before 6.0.0.1921, does not properly display long filenames in file dialog boxes, which could allow remote attackers to trick users into downloading and executing programs via file names containing a large number of spaces and multiple file extensions. http://secunia.com/secunia_research/2005-2/advisory/ 13712 PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. postgresql-security-bypass(19184) RHSA-2005:138 12948 20050210 [USN-79-1] PostgreSQL vulnerabilities 12417 SUSE-SA:2005:036 MDKSA-2005:040 oval:org.mitre.oval:def:10927 [pgsql-hackers] 20050127 Permissions on aggregate component functions Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247. postgresql-cursor-bo(19188) RHSA-2005:150 RHSA-2005:138 12948 DSA-683 oval:org.mitre.oval:def:10175 20050210 [USN-79-1] PostgreSQL vulnerabilities [pgsql-patches] 20050120 Re: WIP: pl/pgsql cleanup [pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser. [pgsql-committers] 20050121 pgsql: Prevent overrunning a heap-allocated buffer is more than 1024 12417 SUSE-SA:2005:036 MDKSA-2005:040 The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted arrays. postgresql-contribintagg-dos(19185) RHSA-2005:138 12948 20050210 [USN-79-1] PostgreSQL vulnerabilities [pgsql-committers] 20050127 pgsql: Fix security and 64-bit issues in contrib/intagg. oval:org.mitre.oval:def:10148 12417 SUSE-SA:2005:036 MDKSA-2005:040 Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may allow attackers to execute arbitrary code via (1) a large number of variables in a SQL statement being handled by the read_sql_construct function, (2) a large number of INTO variables in a SELECT statement being handled by the make_select_stmt function, (3) a large number of arbitrary variables in a SELECT statement being handled by the make_select_stmt function, and (4) a large number of INTO variables in a FETCH statement being handled by the make_fetch_stmt function, a different set of vulnerabilities than CVE-2005-0245. postgresql-fetch-makefetchstmt-bo(19378) postgresql-makeselectstmt-arbitrary-bo(19377) postgresql-makeselectstmt-input-bo(19376) postgresql-readsqlconstruct-bo(19375) RHSA-2005:150 RHSA-2005:138 SUSE-SA:2005:027 GLSA-200502-19 DSA-683 20050210 [USN-79-1] PostgreSQL vulnerabilities [pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser. 12417 SUSE-SA:2005:036 MDKSA-2005:040 oval:org.mitre.oval:def:9345 The Solaris Management Console (SMC) GUI for Solaris 8 and 9, when creating user accounts that are configured for password aging, creates the accounts with a blank password, which allows remote or local attackers to break into those accounts. solaris-smc-blank-password(18868) 12260 57717 13803 P-096 1012860 Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header. VU#107822 upx-engine-gain-control(18869) 20050208 Symantec AntiVirus Library Heap Overflow http://www.symantec.com/avcenter/security/Content/2005.02.08.html 1013133 Format string vulnerability in auditselect on IBM AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via format string specifiers in a command line argument. VU#896729 12496 20050208 IBM AIX auditselect Local Format String Vulnerability aix-auditselect-format-string(19255) IY67802 IY67519 IY67472 14198 1013103 Cross-site scripting (XSS) vulnerability in bibindex.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the search parameter. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB SQL injection vulnerability in BibORB 1.3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB Directory traversal vulnerability in index.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to delete arbitrary files via a Delete action and .. (dot dot) sequences in the database_name parameter. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB BibORB 1.3.2, and possibly earlier versions, does not properly enforce a restriction for uploading only PDF and PS files, which allows remote attackers to upload arbitrary files that are presented to other users with PDF or PS icons, which may trick some users into downloading and executing those files. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption. RHSA-2005:337 RHSA-2005:277 SUSE-SA:2005:016 20050228 Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error GLSA-200503-30 GLSA-200503-10 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-18.html oval:org.mitre.oval:def:9111 12659 RHSA-2005:176 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100040 The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command. DSA-705 ADV-2006-1271 ADV-2005-0588 14203 20050225 WU-FTPD File Globbing Denial of Service Vulnerability 57795 101699 19561 18210 14411 HPSBUX02110 SSRT061110 SCOSA-2005.63 oval:org.mitre.oval:def:1762 oval:org.mitre.oval:def:1333 oval:org.mitre.oval:def:1265 Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter. 20050222 phpBB Group phpBB2 Arbitrary File Unlink Vulnerability http://www.phpbb.com/support/documents.php?mode=changelog GLSA-200503-02 phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary files by providing both a local and remote location for an avatar, then modifying the "Upload Avatar from a URL:" field to reference the target file. VU#774686 20050222 phpBB Group phpBB Arbitrary File Disclosure Vulnerability http://www.phpbb.com/support/documents.php?mode=changelog GLSA-200503-02 14362 Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call. 20050209 Computer Associates BrightStor ARCserve Backup v11 Discovery Service Remote Buffer Overflow Vulnerability http://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1 brightstor-discovery-bo(19251) 1013138 14183 lspath in AIX 5.2, 5.3, and possibly earlier versions, does not drop privileges before processing the -f option, which allows local users to read one line of arbitrary files. IY67655 IY67457 ibm-aix-ispath-information-disclosure(19281) 20050210 IBM AIX lspath Local File Access Vulnerability 12513 14232 Buffer overflow in ipl_varyon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -d argument. 20050210 IBM AIX ipl_varyon Local Buffer Overflow Vulnerability ibm-aix-iplvaryon-bo(19282) IY67812 IY67750 IY66933 12516 14231 Buffer overflow in netpmon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -O argument. 20050210 IBM AIX netpmon Local Buffer Overflow Vulnerability ibm-aix-netpmon-bo(19278) IY67807 IY67136 IY67124 12517 14237 Multiple cross-site scripting (XSS) vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) expand or (2) order parameter. 20050101 Various Vulnerabilities in OWL Intranet Engine owl-intranet-engine-xss(18705) 12114 13695 Multiple SQL injection vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to execute arbitrary SQL commands via the (1) parent or (2) sortposted parameter. 12114 owl-intranet-engine-sql-injection(18704) 20050101 Various Vulnerabilities in OWL Intranet Engine 13695 Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter. 20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution sugar-sales-index-xss(18719) 12113 index.php in FlatNuke 2.5.1 allows remote attackers to create an administrator account via carriage returns and #10 in the url_avatar field, which is interpreted as a sensitive directive. 12150 flatnuke-indexphp-gain-access(18741) 20050102 Multiple Vulnerabilities in FlatNuke Direct code injection vulnerability in FlatNuke 2.5.1 allows remote attackers to execute arbitrary PHP code by placing the code into the url_avatar field. flatnuke-indexphp-xss(18746) 12150 20050102 Multiple Vulnerabilities in FlatNuke The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. gnuboard-gbupdate-file-upload(18729) 12149 13711 20050103 STG Security Advisory: [SSA-20041224-21] File extensions Multiple cross-site scripting (XSS) vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to inject arbitrary web script or HTML via the (1) si parameter to showcat.php, (2) cat or (3) page parameter to showproduct.php, or (4) report parameter to reportproduct.php. reviewpost-php-xss(18731) http://www.gulftech.org/?node=research&article_id=00062-01022005 13697 20050103 Serious Vulnerabilities In PhotoPost ReviewPost Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php. reviewpost-php-sql-injection(18732) http://www.gulftech.org/?node=research&article_id=00062-01022005 13697 20050103 Serious Vulnerabilities In PhotoPost ReviewPost ReviewPost PHP Pro before 2.84 allows remote attackers to upload and execute arbitrary PHP files by posting a review file with multiple extensions, which bypasses the intended restrictions. 13697 20050103 Serious Vulnerabilities In PhotoPost ReviewPost reviewpost-php-file-upload(18735) Multiple SQL injection vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) ppuser parameter. photopost-php-showgallery-xss(18744) 12156 http://www.gulftech.org/?node=research&article_id=00063-01032005 13680 20050103 Multiple PhotoPost Pro Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters. photopost-php-showgallery-xss(18744) 12156 http://www.gulftech.org/?node=research&article_id=00063-01032005 20050103 Multiple PhotoPost Pro Vulnerabilities 13680 TFTP in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) via a GET request containing an MS-DOS device name. 3cdaemon-reserved-name-dos(18750) 20050104 3Com 3CDaemon Multiple Vulnerabilities Multiple format string vulnerabilities in the FTP service in 3Com 3CDaemon 2.0 revision 10 allow remote attackers to cause a denial of service (application crash) via format string specifiers in (1) the username, (2) cd, (3) delete, (4) rename, (5) rmdir, (6) literal, (7) stat, or (8) CWD commands. 3cdaemon-login-dos(18751) 12155 20050104 3Com 3CDaemon Multiple Vulnerabilities Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via (1) a long username in the USER command or (2) an FTP command that contains a long argument, such as cd, send, or ls. 3cdaemon-long-command-dos(18754) 12155 20050218 3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow 20050104 3Com 3CDaemon Multiple Vulnerabilities The FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to gain sensitive information via a cd command that contains an MS-DOS device name, which reveals the installation path in an error message. 3cdaemon-command-obtain-information(18756) 12155 20050104 3Com 3CDaemon Multiple Vulnerabilities Soldner Secret Wars 30830 and earlier does not properly handle the "message too long" socket error, which allows remote attackers to cause a denial of service (socket termination) via a long UDP packet. soldner-secret-wars-dos(18749) 12162 13716 20050104 Socket termination, format string and XSS in Soldner Secret Wars Format string vulnerability in Soldner Secret Wars 30830 and earlier allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in a message. soldner-secret-wars-format-string(18752) 12162 13716 20050104 Socket termination, format string and XSS in Soldner Secret Wars Cross-site scripting (XSS) vulnerability in the web interface in Soldner Secret Wars 30830 allows remote attackers to inject arbitrary web script or HTML via a user message, which is not filtered or quoted when the administrator views the server logs. soldner-secret-wars-xss(18753) 12162 13716 20050104 Socket termination, format string and XSS in Soldner Secret Wars SQL injection vulnerability in member.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the uid parameter. mybb-member-sql-injection(18755) 12161 20050104 MyBB SQL Injection Directory traversal vulnerability in index.php in QwikiWiki allows remote attackers to read arbitrary files via a .. (dot dot) and a %00 at the end of the filename in the page parameter. qwikiwiki-directory-traversal(18748) 12163 20050104 QWikiwiki directory traversal vulnerability http://www.qwikiwiki.com/index.php?page=QwikiVulnerability 12044 SQL injection vulnerability in addentry.php in Woltlab Burning Book 1.0 Gold, 1.1.1e, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the user-agent parameter. woltlab-book-addentry-sql-injection(18859) 20050110 Woltlab Burning Book addentry.php SQL Injection Webseries Payment Application does not properly restrict privileged operations, which allows remote authenticated users to gain privileges by directly accessing certain URLs. webseries-pa-url-security-bypass(18848) 12216 20050110 Portcullis Security Advisory 05-001 1012854 13821 eMotion MediaPartner Web Server 5.0 and 5.1 allows remote attackers to obtain sensitive information via an HTTP request for a .bhtml file that contains a (1) . (dot) or (2) + (plus sign) at the end, which returns the source code for that file. mediapartner-bhtml-source-disclosure(18861) 12236 20050110 Portcullis Security Advisory 05-004 1012855 13820 Bottomline Webseries Payment Application allows remote attackers to read arbitrary files on the network via a report template with modified ReportPath or ReportName values. webseries-report-execution(18862) 20050110 Portcullis Security Advisory 05-009 1012854 13821 The change password functionality in Bottomline Webseries Payment Application does not require the old password when users enter a new password, which could allow remote authenticated users to change other users' passwords. webseries-pa-password-gain-access(18860) 12231 20050110 Portcullis Security Advisory 05-008 1012854 13821 Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs. 20050115 Apple Airport WDS DoS apple-airport-dos(18865) 12152 13753 NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to bypass the filters using hex encoded URLs, as demonstrated using a hex encoded file extension. netgear-fvs318-filter-bypass(18920) 12278 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 1012913 13787 Cross-site scripting (XSS) vulnerability in the log viewer in NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via a blocked URL phrase. netgear-fvs318-log-xss(18921) 12278 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 13012 1012913 13787 Multiple SQL injection vulnerabilities in index.php in PHP Gift Registry (phpGiftReg) 1.4.0, and possibly other versions before 1.5.0b1, allow remote attackers to execute arbitrary SQL commands via the (1) messageid, (2) shopper, (3) shopfor, or (4) itemid parameters. 12289 20050307 Re: phpGiftReq SQL Injection phpgiftregistry-sql-injection(18925) 13873 20050116 phpGiftReq SQL Injection 20050116 phpGiftReq SQL Injection 1012910 Directory traversal vulnerability in minis.php in Minis 0.2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the month parameter. minis-month-directory-traversal(18928) 12279 20050116 Minis directory traversal vulnerability 1012911 13866 minis.php in Minis 0.2.1 allows remote attackers to cause a denial of service (infinite loop) via an HTTP request for a file that the web server does not have permission to read, as demonstrated using the month parameter. minis-month-dos(18929) 20050116 Minis directory traversal vulnerability 20050116 Minis directory traversal vulnerability 1012911 13866 npptnt2.sys in nProtect Gameguard provides unrestricted I/O to any process that calls it, which allows local users to gain privileges. nprotect-npptnt2-gain-access(18952) 12280 20050116 Unrestricted I/O access vulnerability in INCA Gameguard 13928 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. The error module in Novell GroupWise WebAccess allows remote attackers who have not authenticated to read potentially sensitive information, such as the version, via an incorrect login and a modified (1) error or (2) modify parameter that returns template files or the "about" information page. NOTE: the vendor has disputed this issue. groupwise-error-auth-bypass(18954) 12285 20050127 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report) 20050121 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report) http://support.novell.com/servlet/tidfinder/10096251 20050117 Novell GroupWise WebAccess error modules loading 13135 SQL injection vulnerability in Oracle Database 9i and 10g allows remote attackers to execute arbitrary SQL commands and gain privileges. 20050118 Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i The DIRECTORY objects in Oracle 8i through Oracle 10g contain the location of a specific operating system directory, which allows users with read privileges to a DIRECTORY object to obtain sensitive information. oracle-directory-lob-obtain-info(18947) http://www.petefinnigan.com/directory_traversal.pdf http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf 20050118 PeteFinnigan.com - Oracle security advisory Directory traversal vulnerability in GForge 3.3 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the (1) dir parameter to controller.php or (2) dir_name parameter to controlleroo.php. 12318 20050120 STG Security Advisory: [SSA-20050120-24] GForge 3.x directory gforge-dir-dirname-directory-traversal(18988) 1012950 Directory traversal vulnerability in session.php in JSBoard 2.0.9 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the table parameter. jsboard-session-file-include(18990) 12319 20050120 STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure 1012949 13920 comersus_backoffice_install10.asp in BackOffice Lite 6.0 and 6.01 allows remote attackers to bypass authentication and gain privileges via a direct request to the program. backoffice-lite-administrative-bypass(19010) 20050121 bug report comersus Back Office Lite 6.0 and 6.0.1 http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.html http://www.comersus.org/forum/displayMessage.asp?mid=32753 SQL injection vulnerability in default.asp in BackOffice Lite 6.0 and 6.01 allows remote attackers to execute arbitrary SQL commands via the referer field in the HTTP header. backoffice-lite-sql-injection(19013) http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.html 20050121 bug report comersus Back Office Lite 6.0 and 6.0.1 Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_supportError.asp or (2) comersus_backofficelite_supportError.asp in BackOffice Lite 6.0 and 6.01 allow remote attackers to inject arbitrary web script or HTML via the error parameter. backoffice-lite-xss(19014) 20050121 bug report comersus Back Office Lite 6.0 and 6.0.1 http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.html Directory traversal vulnerability in DivX Player 2.6 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a filename in a ZIP file for a skin. divx-player-directory-traversal(19030) 12332 20050121 Arbitrary files overwriting through skins in DivX Player 2.6 13969 http://aluigi.altervista.org/adv/divxplayer-adv.txt CRLF injection vulnerability in users.php in Siteman 1.1.10 and earlier allows remote attackers to add arbitrary users and gain privileges via the line parameter in a docreate operation. siteman-gain-access(18998) 12304 20050122 Siteman User Database Line Insertion Vulnerability 20050120 God Admin Injection Vulnerability in Siteman 1.0.x, 13131 1012951 MercuryBoard 1.1.1 allows remote attackers to gain sensitive information via an HTTP request with the n parameter set to 0, which causes a divide-by-zero error and reveals the path in the resulting error message. mercuryboard-multiple-script-path-disclosure(19048) 12359 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 Multiple cross-site scripting (XSS) vulnerabilities in index.php in MercuryBoard 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) s, (2) l, (3) a, (4) t, (5) to, or (6) re parameters. mercuryboard-multiple-scripts-xss(19050) 12359 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 Buffer overflow in the wsprintf function in W32Dasm 8.93 and earlier allows remote attackers to execute arbitrary code via a large import or export function name. w32dasm-wsprintf-bo(19044) 12352 20050124 Local buffer-overflow in W32Dasm 8.93 1012997 13986 Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php or (2) mod.php in Exponent 0.95 allow remote attackers to inject arbitrary web script or HTML via the module parameter. exponent-module-xss(19061) 12358 20050125 Vulnerabilities in eXponent 0.95 13190 13188 Exponent 0.95 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) search.info.php, (2) permissions.info.php, (3) security.info.php, (4) formcontrol.php, or (5) file_modules.php, which reveals the path in an error message because the pathos_core_version variable is undefined. exponent-pathoscoreversion-path-disclosure(19064) 20050125 Vulnerabilities in eXponent 0.95 Ingate Firewall 4.1.3 and earlier does not terminate the PPTP session for an active user when the administrator disables that user from a resource, which could allow remote authenticated users to retain unauthorized access to resources. ingate-firewall-unath-access(19123) 12383 20050127 Ingate Firewall: Removed PPTP tunnels not deactivated http://www.ingate.com/relnote-422.php 1013022 14060 WarFTPD 1.82 RC9, when running as an NT service, allows remote authenticated users to cause a denial of service (access violation) via a CWD command with a crafted pathname, as demonstrated using a large string of "%s" sequences, possibly indicating a format string vulnerability. 12384 20050127 WarFTPD 1.82 RC9 DoS warftpd-cwd-dos(19129) http://support.jgaa.com/index.php?cmd=ShowReport&ID=02643 Multiple directory traversal vulnerabilities in Magic Winmail Server 4.0 Build 1112 allow remote attackers to (1) upload arbitrary files via certain parameters to upload.php or (2) read arbitrary files via certain parameters to download.php, and remote authenticated users to read, create, or delete arbitrary directories and files via the IMAP commands (3) CREATE, (4) EXAMINE, (5) SELECT, or (6) DELETE. magic-winmail-command-directory-traversal(19114) magicwinmail-uploadphp-file-upload(19108) 12388 1013017 14053 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in user.php in Magic Winmail Server 4.0 Build 1112 allows remote attackers to inject arbitrary web script or HTML via the personal information fields. magic-winmail-userphp-xss(19113) 12388 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities 1013017 14053 The FTP service in Magic Winmail Server 4.0 Build 1112 does not verify that the IP address in a PORT command is the same as the IP address of the user of the FTP session, which allows remote authenticated users to use the server as an intermediary for port scanning. magicwinmail-ftp-obtain-information(19115) 12388 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities 1013017 14053 WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not properly drop CONNECT requests to the localhost from external systems, which could allow remote attackers to bypass intended access restrictions. 12394 14058 webwasher-classic-connect-gain-access(19144) http://www.oliverkarow.de/research/WebWasherCONNECT.txt 20050128 WebWasher Classic - HTTP CONNECT weakness 1013036 Cross-site scripting (XSS) vulnerability in useredit_account.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter. webadmin-usereditaccountwdm-xss(19161) 12395 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 1013038 14079 useredit_account.wdm in Alt-N WebAdmin 3.0.4 does not properly validate account edits by the logged in user, which allows remote authenticated users to edit other users' account information via a modified user parameter. 12395 1013038 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 Direct remote injection vulnerability in modalfram.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to load external webpages that appear to come from the WebAdmin server, which allows remote attackers to inject arbitrary HTML or web script to facilitate cross-site scripting (XSS) and phishing attacks. 12395 webadmin-html-injection(19162) 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 Multiple cross-site scripting vulnerabilities in MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to login.html, (2) accountid parameter to accountsettings_add.html, or the (3) note, (4) title, and (5) location fields to calendar.html. 12396 merak-icewarp-multiple-xss(19147) 20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote authenticated users to gain sensitive information via an HTTP request to (1) calendar_d.html, (2) calendar_m.html, (3) calendar_w.html, or (4) calendar_y.html, which reveal the installation path. merak-icewarp-user-path-disclosure(19152) 20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 and Mail Server 7.6.4r with Icewarp Mail Server 5.3.2 uses weak encryption in the (1) users.cfg, (2) settings.cfg, (3) users.dat or (4) user.dat files, which allows local users to extract the passwords. merak-icewarp-weak-password-encryption(19153) 20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes Cross-site scripting (XSS) vulnerability in Infinite Mobile Delivery Webmail 2.6 allows remote attackers to inject arbitrary web script or HTML via the URL. infinite-mobile-delivery-xss(19151) 20050129 XSS in Infinite Mobile Delivery v2.6 Webmail 12399 http://www.lovebug.org/imd_advisory.txt 1013044 14075 Infinite Mobile Delivery Webmail 2.6 allows remote attackers to gain sensitive information via an HTTP request that contains invalid characters for a Windows foldername, which reveals the path in an error message. infinite-mobile-delivery-path-disclosure(19154) 20050129 XSS in Infinite Mobile Delivery v2.6 Webmail 12399 http://www.lovebug.org/imd_advisory.txt 1013044 14075 Xpand Rally 1.0.0.0 allows remote attackers or remote malicious game servers to cause a denial of service (application crash) via a packet with large values that are not properly handled in certain malloc or memcpy operations. xpand-rally-memory-dos(19150) 20050130 Broadcast crash in Xpand Rally 1.0.0.0 http://aluigi.altervista.org/adv/xprallyboom-adv.txt 12409 1013043 14073 20050130 Broadcast crash in Xpand Rally 1.0.0.0 pafiledb.php in PaFileDB 3.1 allows remote attackers to gain sensitive information via an invalid or missing action parameter, which reveals the path in an error message when it cannot include a login.php script. 20050131 [PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final pafiledb-login-path-disclosure(19175) pafiledb.php in Pafiledb 3.1 may allow remote attackers to execute arbitrary PHP code via a modified action parameter that is used in an include statement for login.php. pafiledb-login-file-include(19176) 20050131 [PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final Zyxel P310, P314, P324 and Netgear RT311, RT314 running the latest firmware, allows remote attackers on the WAN to obtain the IP address of the LAN side interface by pinging a valid LAN IP address, which generates an ARP reply from the WAN address side that maps the LAN IP address to the WAN's MAC address. zyxel-netgear-ping-information-disclosure(20609) 20050131 Zyxel / Netgear and probably other routers leaking information. Directory traversal vulnerability in ZipGenius 5.5 and earlier allows remote attackers to create and possibly modify arbitrary files via a ZIP file with a file whose name includes .. (dot dot) sequences. 12419 1013542 20050202 7a69Adv#19 - ZipGenius unpack path disclosure zipgenius-path-disclosure(19203) 14123 Buffer overflow in Painkiller 1.35 and earlier, and possibly other versions before 1.61, allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a long cd-key hash. painkiller-long-cdkey-bo(19205) 12423 14113 1013066 20050202 Limited buffer-overflow in Painkiller 1.35 Directory traversal vulnerability in WinRAR 3.42 and earlier, when the user clicks on the ZIP file to extract it, allows remote attackers to create arbitrary files via a ... (triple dot) in the filename of the ZIP file. winrar-dotdotdotdirectory-traversal(20585) 12422 20050202 7a69Adv#21 - WinRAR unpack one-folder path disclosure Directory traversal vulnerability in DeskNow Mail and Collaboration Server 2.5.12 allows remote attackers to (1) upload and possibly execute files outside the directory via the AttachmentsKey parameter to attachment.do, as demonstrated using JSP pages, or (2) delete arbitrary files via the select_file parameter to file.do. desknow-jsp-gain-access(19211) desknow-attachmentkey-file-upload(19206) 12421 desknow-filedo-file-deletion(19212) http://www.security.org.sg/vuln/desknow2512.html 1013060 14116 20050202 [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities LANChat Pro Revival 1.666c allows remote attackers to cause a denial of service (application crash) via a malformed UDP packet. lanchatpro-udp-packet-dos(19213) 12439 http://www.autistici.org/fdonato/advisory/LANChatRevival1.666c-adv.txt 20050203 DoS in LANChat Pro Revival 1.666c Linksys PSUS4 running firmware 6032 allows remote attackers to cause a denial of service (device crash) via an HTTP POST request containing an unknown parameter without a value. linksys-psus4-dos(19222) 12443 14136 20050203 [ RSTACK Public Security Advisory ] Remote DOS against Linksys PSUS4 Directory traversal vulnerability in EMotion MediaPartner Web Server 5.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. mediapartner-dotdot-directory-traversal(18842) 12236 1012838 20050110 Portcullis Security Advisory 05-010 13820 Cross-site scripting (XSS) vulnerability in EMotion MediaPartner Web Server 5.0 allows remote attackers to inject arbitrary HTML or web script, as demonstrated using a URL containing .. sequences and HTML, which results in a directory browsing page that does not properly filter the HTML. mediapartner-url-xss(18845) 12236 1012838 20050110 Portcullis Security Advisory 05-010 13820 Postfix 2.1.3, when /proc/net/if_inet6 is not available and permit_mx_backup is enabled in smtpd_recipient_restrictions, allows remote attackers to bypass e-mail restrictions and perform mail relaying by sending mail to an IPv6 hostname. postfix-ipv6-security-bypass(19218) 12445 14137 20050204 [USN-74-1] Postfix vulnerability oval:org.mitre.oval:def:11339 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=267837 RHSA-2005:152 Buffer overflow in Savant Web Server 3.1 allows remote attackers to execute arbitrary code via a long HTTP request. savant-bo(19177) 12429 20050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.1 20050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.1 20050204 Exploit For Savant Web Server 3.1 (tested on win2003) Buffer overflow in Foxmail 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long MAIL FROM command. foxmail-mailfrom-bo(19229) 12454 20050205 Foxmail Server Remote Buffer Overflow Vulnerability Integer signedness error in Apple File Service (AFP Server) allows remote attackers to cause a denial of service (application crash) via a negative UAM string length in a FPLoginExt packet. APPLE-SA-2005-03-21 Applefileserver-fploginext-dos(19263) 20050208 AppleFileServer Denial of Service. 12478 Apple Safari 1.2.4 does not obey the Content-type field in the HTTP header and renders text as HTML, which allows remote attackers to inject arbitrary web script or HTML and perform cross-site scripting (XSS) attacks. safari-contenttype-xss(19227) http://tigger.uic.edu/~jrockw2/safari_20050204.txt 1013087 20050204 Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12 The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file. 14188 APPLE-SA-2005-05-03 finder-dsstore-file-overwrite(19253) 12458 20050207 [OSX Finder] DS_Store arbitrary file overwrite vulnerability. SQL injection vulnerability in PerlDesk 1.x allows remote attackers to inject arbitrary SQL commands via the view parameter. 12471 12512 perldesk-view-sql-injection(19245) http://www.security-project.org/projects/board/showthread.php?p=5172#post5172 20050207 [SePro Bugtraq] SQL-Injection in PerlDesk 1.x Directory traversal vulnerability in 602LAN SUITE 2004.0.04.1221 allows remote authenticated users to upload and execute arbitrary files via a .. (dot dot) in the filename parameter. http://www.security.org.sg/vuln/602lansuite1221.html 14169 20050208 [SIG^2 G-TEC] 602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories 602lansuite-webmail-directory-traversal(19258) 1013106 viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2) forum_cat parameters, which allows remote attackers to view protected forums via the thread_id parameter. phpfusion-viewthread-obtain-information(19257) 20050208 php-fusion 4.x vuln 12482 SafeNet SoftRemote VPN Client stores the VPN password (pre-shared key) in cleartext in memory of the IreIKE.exe process, which allows local users to gain sensitive information if they have access to that process. softremote-vpn-password-disclosure(19256) http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm 20050208 SafeNet SoftRemote VPN Client Issue: Clear-text password 1013134 Integer overflow in RealArcade 1.2.0.994 and earlier allows remote attackers to execute arbitrary code via an RGS file with an invalid size string for the GUID and game name, which leads to a buffer overflow. realarcade-rgs-bo(19259) 14187 20050208 Integer overflow and arbitrary files deletion in RealArcade 1013128 Directory traversal vulnerability in RealArcade 1.2.0.994 allows remote attackers to delete arbitrary files via an RGP file with a .. (dot dot) in the FILENAME tag. realarcade-rgp-file-deletion(19260) 12494 14187 20050208 Integer overflow and arbitrary files deletion in RealArcade 1013128 The production release of the UniversalAgent for UNIX in BrightStor ARCserve Backup 11.1 contains hard-coded credentials, which allows remote attackers to access the file system and possibly execute arbitrary commands. 20050210 Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor Vulnerability http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO63672&os=UNIX&returninput=0 ADV-2005-0145 12522 13706 1013144 14233 Heap-based buffer overflow in multiple F-Secure Anti-Virus and Internet Security products allows remote attackers to execute arbitrary code via a crafted ARJ archive. 20050210 F-Secure AntiVirus Library Heap Overflow http://www.f-secure.com/security/fsc-2005-1.shtml Buffer overflow in (1) termsh, (2) atcronsh, and (3) auditsh in SCO OpenServer 5.0.6 and 5.0.7 might allow local users to execute arbitrary code via a long HOME environment variable. SCOSA-2005.15 13062 Servers Alive 4.1 and 5.0, when running as a service, does not drop SYSTEM privileges before loading local manual under the help menu, which allows local users to gain privileges. serversalive-gain-privileges(19715) 12822 14616 20050316 Servers Alive: Local Privilege Escalation Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel License Manager 7.2.0.2 allows remote attackers to execute arbitrary code by sending a large amount of data to UDP port 5093. VU#108790 http://www.cirt.dk/advisories/cirt-30-advisory.pdf 14511 sentinel-license-manager-bo(19621) 12742 20050313 [HAT-SQUAD] SafeNet Sentinel LM, UDP License Manager Exploit 20050307 CIRT.DK Advisory - SafeNet Inc Sentinel License Manager 7.2.0.2 Buffer Overflow Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later packets because they appear to be too old. VU#637934 15417 tcp-ip-timestamp-dos(20635) 13676 20050518 Vulnerability in a Variant of the TCP Timestamps Option 15393 http://support.avaya.com/elmodocs2/security/ASA-2006-032.htm 18662 18222 SCOSA-2005.64 FreeBSD-SA-05:15 EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 rely on AUTH_UNIX authentication, which relies on user ID for authentication and allows remote attackers to bypass authentication and gain privileges by spoofing a username or UID. VU#606857 legato-authunix-bypass-authentication(21887) 14582 http://www.legato.com/support/websupport/product_alerts/081605_NW_authentication.htm 101886 1014713 16464 18800 16470 EMC Legato NetWorker, Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 6.0 through 7.2 do not properly verify authentication tokens, which allows remote attackers to gain privileges by modifying an authentication token. VU#407641 legato-token-gain-privileges(21892) 14582 101886 1014713 16464 18801 http://www.legato.com/support/websupport/product_alerts/081605_NW_token_authentication.htm 16470 The Legato PortMapper in EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 does not restrict access to the pmap_set and pmap_unset commands, which allows remote attackers to (1) cause a denial of service by using pmap_unset to un-register a NetWorker service, or (2) obtain sensitive information from NetWorker services by using pmap_set to register a new service. VU#801089 legato-portmapper-obtain-information(21893) 14582 http://www.legato.com/support/websupport/product_alerts/081605_NW_port_mapper.htm 101886 1014713 16464 18802 16470 The Microsoft Log Sink Class ActiveX control in pkmcore.dll is marked as "safe for scripting" for Internet Explorer, which allows remote attackers to create or append to arbitrary files. VU#165022 awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode", (2) "loadplugin", or (3) "noloadplugin" parameters. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488 16089 awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter. DSA-682 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488 Unknown vulnerability in BIND 9.2.0 in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to cause a denial of service. hpux-bind-dos(19276) 14220 HPSBUX01117 oval:org.mitre.oval:def:5690 The dcopidlng script in KDE 3.2.x and 3.3.x creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack. http://www.kde.org/info/security/advisory-20050316-2.txt GLSA-200503-14 20050211 insecure temporary file creation in kdelibs 3.3.2 http://bugs.kde.org/show_bug.cgi?id=97608 oval:org.mitre.oval:def:10676 RHSA-2005:325 MDKSA-2005:058 MDKSA-2005:045 1013525 14254 FEDORA-2005-245 The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed. VU#303094 http://www.pgp.com/library/ctocorner/openpgp.html GLSA-200503-29 http://eprint.iacr.org/2005/033.pdf 12529 13775 SUSE-SR:2005:007 MDKSA-2005:057 1013166 http://eprint.iacr.org/2005/033 Multiple directory traversal vulnerabilities in ArGoSoft Mail Server 1.8.7.3 allow remote authenticated users to read, delete, or upload arbitrary files via a .. (dot dot) in (1) the filename of an e-mail attachment, (2) the _msgatt.rec file, (3) and the /msg, /delete, /folderadd, and /folderdelete operations for the Folder parameter. 20050209 [SIG^2 G-TEC] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities http://www.security.org.sg/vuln/argosoftmail1873.html Multiple SQL injection vulnerabilities in CMScore allow remote attackers to execute arbitrary SQL commands via the (1) EntryID or (2) searchterm parameter to index.php, or (3) username parameter to authenticate.php. cmscore-multiple-sql-injection(19235) 12457 14142 20050209 CMS Core SQL injection Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 earlier allows remote attackers to cause a denial of service (application crash) via a packet with a large (1) descriptor ID or (2) claim_id, which exceeds the boundaries of an array. 20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0 Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and earlier allow remote attackers to cause a denial of service (network disconnection) via an empty UDP packet, which is not properly distinguished from the "no new packets" state of the associated socket. 20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0 Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and earlier allow remote attackers to cause a denial of service (freeze) via a large number of player connections that do not send any data. 20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0 Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. 12539 GLSA-200502-27 DSA-686 FEDORA-2005-310 FEDORA-2005-309 oval:org.mitre.oval:def:9923 CLSA-2005:957 RHSA-2005:410 MDKSA-2005:050 oval:org.mitre.oval:def:717 Buffer overflow in digestmd5.c CVS release 1.170 (also referred to as digestmda5.c), as used in the DIGEST-MD5 SASL plugin for Cyrus-SASL but not in any official releases, allows remote attackers to execute arbitrary code. cyrus-sasl-digestmda5-bo(17642) 11347 [openbsd-ports] 20040717 UPDATE: cyrus-sasl-2.1.19 SUSE-SR:2005:006 GLSA-200410-05 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c?rev=1.171&content-type=text/x-cvsweb-markup https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171 MDKSA-2005:054 Cross-site scripting (XSS) vulnerability in Bitboard 2.5 and earlier allows remote attackers to inject arbitrary web script or HTML via an [img] bbcode image tag with an event such as mouseover. bitshifters-bitboard-xss(18871) 12248 1012864 20050112 Security Advisory: BiTBOARD xss imageview.php in SGallery 1.01 allows remote attackers to obtain sensitive information via an HTTP request with (1) idalbum and (2) idimage unset, which reveals the installation path in an error message for the sql_fetch_row function. 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke sgallery-path-disclosure(18877) http://www.waraxe.us/advisory-39.html 1012868 PHP remote file inclusion vulnerability in SGallery 1.01 allows local and possibly remote attackers to execute arbitrary PHP code by modifying the DOCUMENT_ROOT parameter to reference a URL on a remote web server that contains (1) config.php or (2) sql_layer.php. sgallery-file-include(18878) http://www.waraxe.us/advisory-39.html 1012868 13824 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke SQL injection vulnerability in imageview.php for SGallery 1.01 allows remote attackers to execute arbitrary SQL commands via the (1) idalbum or (2) idimage parameters. sgallery-imageview-sql-injection(18876) http://www.waraxe.us/advisory-39.html 12249 1012868 13824 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke Multiple cross-site scripting (XSS) vulnerabilities in Horde 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter to prefs.php or (2) url parameter to index.php. 12255 20050113 Cross Site Scripting holes found in Horde 3.0 horde-prefs-index-xss(18881) http://www.hyperdose.com/advisories/H2005-01.txt 1012892 Multiple directory traversal vulnerabilities in ZeroBoard 4.1pl5 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the _zb_path parameter to (1) _head.php or (2) outlogin.php, or the dir parameter to (3) write.php. zeroboard-file-disclosure(18891) 12257 1012884 20050113 STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities Multiple PHP remote file inclusion vulnerabilities in (1) print_category.php, (2) login.php, (3) setup.php, (4) ask_password.php, or (5) error.php in ZeroBoard 4.1pl5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the dir parameter to reference a URL on a remote web server that contains the code. 13769 zeroboard-zero-vote-file-include(18893) zeroboard-printcategory-file-include(18892) 12258 12206 12932 12931 12930 12929 12928 1012884 20050113 STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities Cross-site scripting (XSS) vulnerability in f.aspx in forumKIT 1.0 allows remote attackers to inject arbitrary web script or HTML via the members parameter. forumkit-members-xss(18880) 12256 1012895 20050113 XSS Vulnerability in ForumKIT Breed patch 1 and earlier allows remote attackers to cause a denial of service (application crash) via an empty UDP packet, which triggers a null dereference. breed-udp-datagram-dos(18890) 12262 13211 20050113 Server crash in Breed patch #1 Trend Micro Control Manager 3.0 Enterprise Edition allows remote attackers to gain privileges via a replay attack of the encrypted username and password. http://www.cirt.dk/advisories/cirt-28-advisory.pdf 20050113 Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack control-manager-replay-attack(18887) 20050113 Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via a pppd client. FLSA:152532 USN-95-1 2005-0009 12810 RHSA-2005:366 RHSA-2005:293 RHSA-2005:284 RHSA-2005:283 SUSE-SA:2005:018 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 oval:org.mitre.oval:def:9562 Buffer overflow in luxman before 0.41, if used with certain insecure svgalib libraries, allows local users to execute arbitrary code via a long -f command line argument. 12797 luxman-bo-execute-commands(19680) 20050314 DMA[2005-0310a] - 'Frank McIngvale LuxMan buffer overflow' http://www.digitalmunition.com/DMA[2005-0310a].txt DSA-693 14582 Cross-site scripting (XSS) vulnerability in network.cgi in mailreader before 2.3.29 earlier allows remote attackers to inject arbitrary web script or HTML via MIME text/enriched or text/richtext messages. DSA-700 14777 remstats 1.0.13 and earlier, when processing uptime data, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. DSA-704 Unknown vulnerability in the remoteping service in remstats 1.0.13 and earlier allows remote attackers to execute arbitrary commands "due to missing input sanitising." DSA-704 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0814. Reason: This candidate is a duplicate of CVE-2005-0814. Notes: All CVE users should reference CVE-2005-0814 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in the HTTP redirection capability in conn.c for Axel before 1.0b may allow remote attackers to execute arbitrary code. 13059 DSA-706 GLSA-200504-09 14831 http://www.mail-archive.com/debian-devel-changes@lists.debian.org/msg118978.html geneweb 4.10 and earlier does not properly check file permissions and content during conversion, which allows attackers to modify arbitrary files. DSA-712 geneweb-insecure-file-permission(20176) ppxp does not drop root privileges before opening log files, which allows local users to execute arbitrary commands. 13681 DSA-725 The helper scripts for crip 3.5 do not properly use temporary files, which allows local users to have an unknown impact with unknown attack vectors. DSA-733 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none. Desktop Communication Protocol (DCOP) daemon, aka dcopserver, in KDE before 3.4 allows local users to cause a denial of service (dcopserver consumption) by "stalling the DCOP authentication process." http://www.kde.org/info/security/advisory-20050316-1.txt GLSA-200503-22 20050316 Multiple KDE Security Advisories (2005-03-16) oval:org.mitre.oval:def:10432 12820 FLSA:178606 RHSA-2005:325 RHSA-2005:307 MDKSA-2005:058 Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications. imagemagick-filename-format-string(19586) RHSA-2005:320 SUSE-SA:2005:017 GLSA-200503-11 DSA-702 20050303 [USN-90-1] Imagemagick vulnerability http://bugs.gentoo.org/show_bug.cgi?id=83542 oval:org.mitre.oval:def:10302 RHSA-2005:070 The KAME racoon daemon in ipsec-tools before 0.5 allows remote attackers to cause a denial of service (crash) via malformed ISAKMP packets. https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=109966&action=view racoon-isakmp-header-dos(19707) 12804 RHSA-2005:232 [ipsec-tools-devel] 20050312 potential remote crash in racoon 1013433 GLSA-200503-33 14584 ADV-2005-0264 oval:org.mitre.oval:def:10028 MDKSA-2005:062 Heap-based buffer overflow in GIF2.cpp in Firefox before 1.0.2, Mozilla before to 1.7.6, and Thunderbird before 1.0.2, and possibly other applications that use the same library, allows remote attackers to execute arbitrary code via a GIF image with a crafted Netscape extension 2 block and buffer size. VU#557948 14654 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150877 gif-extension-overflow(19269) 20050323 Mozilla Foundation GIF Overflow ADV-2005-0296 12881 RHSA-2005:337 RHSA-2005:336 RHSA-2005:335 RHSA-2005:323 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-30.html GLSA-200503-30 P-160 oval:org.mitre.oval:def:11377 15495 SUSE-SA:2006:004 19823 SCOSA-2005.49 oval:org.mitre.oval:def:100028 The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not properly initialize memory when creating a block for a new directory entry, which allows local users to obtain potentially sensitive information by reading the block. kernel-ext2-information-disclosure(19866) FLSA:152532 ADV-2005-1878 USN-103-1 14713 oval:org.mitre.oval:def:10336 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6 http://arkoon.net/advisories/ext2-make-empty-leak.txt 12932 RHSA-2006:0191 RHSA-2006:0190 RHSA-2005:663 RHSA-2005:366 18684 17002 20050401 Information leak in the Linux kernel ext2 implementation FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2." 12885 ADV-2005-0296 RHSA-2005:336 RHSA-2005:335 http://www.mozilla.org/security/announce/mfsa2005-32.html GLSA-200503-30 14654 oval:org.mitre.oval:def:9650 http://mikx.de/firescrolling2/ 20050324 Firescrolling 2 [Firefox 1.0.1] RHSA-2005:384 oval:org.mitre.oval:def:100026 Firefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page. https://bugzilla.mozilla.org/show_bug.cgi?id=284627 RHSA-2005:336 14654 ADV-2005-0296 http://www.mozilla.org/security/announce/mfsa2005-31.html oval:org.mitre.oval:def:11868 oval:org.mitre.oval:def:100027 init_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 does not properly clear controlling tty's in multi-threaded applications, which allows local users to cause a denial of service (crash) and possibly gain tty access via unknown attack vectors that trigger an access of a pointer to a freed structure. RHSA-2005:293 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144059 oval:org.mitre.oval:def:9435 KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email information, such as whether the email has been digitally signed or encrypted, via HTML formatted email. http://www.securiteam.com/unixfocus/5GP0B0AFFE.html http://bugs.kde.org/show_bug.cgi?id=96020 14925 [kmail-devel] 20050215 [Bug 96020] HTML Allows Spoofing of Emails Content A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image. http://www.redteam-pentesting.de/advisories/rt-sa-2005-008.txt 20050214 Advisory: JPEG EXIF information disclosure Cross-site scripting (XSS) vulnerability in Openconf 1.04, and possibly other versions before 1.10, allows remote attackers to inject arbitrary HTML and web script via the paper title. 12554 http://www.redteam-pentesting.de/advisories/rt-sa-2005-007.txt 14294 20050214 Advisory: Cross Site Scripting Vulnerability in Openconf Conference Management Software CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable. http://www.redteam-pentesting.de/advisories/rt-sa-2005-002.txt 20050214 Advisory: Authentication bypass in CitrusDB CitrusDB 0.3.6 and earlier does not verify authorization for the (1) importcc.php and (2) uploadcc.php, which allows remote attackers to upload credit card data and obtain sensitive information such as the pathnames for temporary files that store credit card data, and facilitates the exploitation of other vulnerabilities. http://www.redteam-pentesting.de/advisories/rt-sa-2005-003.txt 20050214 Advisory: Upload Authorization bypass in CitrusDB SQL injection vulnerability in importcc.php for CitrusDB 0.3.6 and earlier allows remote attackers to inject data via the fields of a CSV file. http://www.redteam-pentesting.de/advisories/rt-sa-2005-004.txt 20050214 Advisory: SQL-Injection in CitrusDB Directory traversal vulnerability in index.php for CitrusDB 0.3.6 and earlier allows remote attackers and local users to include arbitrary PHP files via .. (dot dot) sequences in the load parameter. http://www.redteam-pentesting.de/advisories/rt-sa-2005-005.txt 20050214 Advisory: Directory traversal in CitrusDB Cross-site scripting (XSS) vulnerability in Spidean PostWrap allows remote attackers to inject arbitrary HTML and web script via the page parameter. postwrap-xss(19261) 1013130 20050208 XSS VULNERABILITY AT MODULE PostWrap Multiple SQL injection vulnerabilities in MyPHP Forum 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the fid in forum.php, (2) the member parameter in member.php, (3) the email parameter in forgot.php, or (4) the nbuser or nbpass parameters in include.php. NOTE: it was later reported that vector 2 exists in 3.0 and earlier. myphpforum-member-sql-injection(39348) myphpforum-multiple-sql-injection(19272) 27083 12501 4822 1013136 14205 20050209 Several SQL injection bugs in myPHP Forum v.1.0 SQL injection vulnerability in post.php for MercuryBoard 1.1.1 allows remote attackers to execute arbitrary SQL commands via a reply post action for index.php with (1) the t parameter or (2) the qu parameter. 1013137 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 mercuryboard-index-sql-injection(19051) 20050209 Mercuryboard =?iso-8859-1?Q?<=3D?= 1.1.1 Working Sql Injection http://cvs.sunsite.dk/viewcvs.cgi/mercury/func/post.php.diff?r1=1.68&r2=1.70 Multiple memory leaks in the MQL parser in Emdros before 1.1.22 allow remote attackers to cause a denial of service (memory consumption) via malformed MQL statements. emdros-mql-dos(19273) http://sourceforge.net/tracker/index.php?func=detail&aid=1116935&group_id=37219&atid=419458 http://sourceforge.net/project/shownotes.php?release_id=303465 The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to execute arbitrary code via the AnimationHeaderBlock length field, which leads to a stack-based buffer overflow. win-user32-aniheader-overflow(18879) 12233 MS05-002 http://eeye.com/html/research/advisories/AD20050111.html 20050112 Windows ANI File Parsing Proof Of Concept (MS05-002) 20050111 EEYE: Windows ANI File Parsing Buffer Overflow Unknown "high risk" vulnerability in DB2 Universal Database 8.1 and earlier has unknown impact and attack vectors. NOTE: due to the delayed disclosure of details for this issue, this candidate may be SPLIT in the future. In addition, this may be a duplicate of other issues as reported by the vendor. 12508 20050209 Patch available for high risk IBM DB2 Universal Database flaw http://www.ngssoftware.com/advisories/db2-09-05-05.htm Argument injection vulnerability in Java Web Start for J2SE 1.4.2 up to 1.4.2_06, on Mac OS X, allows untrusted applications to gain privileges via the value parameter of a property tag in a JNLP file. NOTE: it is highly likely that this item will be MERGED with CVE-2005-0836. APPLE-SA-2005-03-24 Multiple heap-based buffer overflows in 3Com 3CServer allow remote authenticated users to execute arbitrary code via long FTP commands, as demonstrated using the STAT command. 3cserver-multiple-command-bo(19250) 20050207 Vulnerability in 3Com 3CServer v1.1 Microsoft Outlook Web Access (OWA), when used with Exchange, allows remote attackers to redirect users to arbitrary URLs for login via a link to the owalogon.asp application. owa-owalogonasp-url-redirect(19225) ADV-2005-0105 12459 14144 20050206 Microsoft Outlook Web Access URL Injection Vulnerability DelphiTurk FTP 1.0 stores usernames and passwords in the profile.dat file, which allows local users to gain privileges. delphiturkcodebank-obtain-information(19248) 1013139 DelphiTurk CodeBank (aka KodBank) 3.1 and earlier stores usernames and passwords in the Codebank registry key, which allows local users to gain privileges. delphiturkcodebank-obtain-information(19248) 1013139 SQL injection vulnerability in login.asp in ASPjar Guestbook allows remote attackers to execute arbitrary SQL commands via the password field. 12521 aspjar-guest-login-sql-injection(19299) 14225 20050210 ASPjar guestbook (Injection in login page) Unknown vulnerability in the delete.asp program in certain versions of ASPjar Guestbook allows remote attackers to delete messages. NOTE: there is insufficient information to know if this is the same issue as CVE-2002-1730. 12521 aspjar-delete-message-deletion(19301) 14225 20050210 ASPjar guestbook (Injection in login page) Unknown vulnerability in IBM Websphere Application Server 5.0, 5.1, and 6.0 when running on Windows, allows remote attackers to obtain the source code for Java Server Pages (.jsp) via a crafted URL that causes the page to be processed by the file serving servlet instead of the JSP engine. http://www-1.ibm.com/support/docview.wss?uid=swg24008815 http://www-1.ibm.com/support/docview.wss?uid=swg24008814 14274 Unknown vulnerability in Solaris 8 and 9 allows remote attackers to cause a denial of service (panic) via "Heavy UDP Usage" that triggers a NULL dereference. solaris-udp-end-point-dos(19119) 12385 57728 The ebuild of Webmin before 1.170-r3 on Gentoo Linux includes the encrypted root password in the miniserv.users file when building a tbz2 of the webmin package, which allows remote attackers to obtain and possibly crack the encrypted password. GLSA-200502-12 webmin-encrypted-password(19315) http://bugs.gentoo.org/show_bug.cgi?id=77731 The DNSPacket::expand method in dnspacket.cc in PowerDNS before 2.9.17 allows remote attackers to cause a denial of service by sending a random stream of bytes. powerdns-random-bytes-dos(19221) 12446 GLSA-200502-15 http://ds9a.nl/cgi-bin/cvstrac/pdns/tktview?tn=21 http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-17 Direct code injection vulnerability in forumdisplay.php in vBulletin 3.0 through 3.0.4, when showforumusers is enabled, allows remote attackers to execute inject arbitrary PHP commands via the comma parameter. 20050213 vbulletin 3.0.x PHP code execution 12542 The Quake 3 engine, as used in multiple game packages, allows remote attackers to cause a denial of service (shutdown game server) and possibly crash the server via a long infostring, possibly triggering a buffer overflow. http://aluigi.altervista.org/adv/q3infoboom-adv.txt 12534 20050212 Infostring crash and shutdown in the Quake 3 engine Barracuda Spam Firewall 3.1.10 and earlier does not restrict the domains that white-listed domains can send mail to, which allows members of white-listed domains to use Barracuda as an open mail relay for spam. barracuda-open-relay(19283) 14243 20050210 Barracuda Spam Firewall <= 3.1.10 acts as open relay for whitelisted senders. BEA WebLogic Server 7.0 Service Pack 5 and earlier, and 8.1 Service Pack 3 and earlier, generates different login exceptions that suggest why an authentication attempt fails, which makes it easier for remote attackers to guess passwords via brute force attacks. 14298 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA05-74.00.jsp Php-Nuke 7.5 allows remote attackers to determine the full path of the web server via invalid or missing arguments to (1) db.php, (2) mainfile.php, (3) Downloads/index.php, or (4) Web_Links/index.php, which lists the path in a PHP error message. phpnuke-multiple-scripts-path-disclosure(19344) http://www.waraxe.us/advisory-40.html 12561 Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 7.5 allow remote attackers to inject arbitrary HTML or web script via (1) the newdownloadshowdays parameter in a NewDownloads operation or (2) the newlinkshowdays parameter in a NewLinks operation. phpnuke-downloads-weblinks-xss(19346) http://www.waraxe.us/advisory-40.html 12561 awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode parameters to rawlog. 14299 awstats-awstatpl-obtain-information(19333) 20050214 AWStats <= 6.4 Multiple vulnerabilities Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter. 14299 awstats-function-code-execution(19336) 20050214 AWStats <= 6.4 Multiple vulnerabilities 13832 Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to include arbitrary Perl modules via .. (dot dot) sequences in the loadplugin parameter. 14299 20050214 AWStats <= 6.4 Multiple vulnerabilities awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter. 14299 awstats-information-disclosure(19477) 20050214 AWStats <= 6.4 Multiple vulnerabilities Buffer overflow in the decode_post function in ELOG before 2.5.7 allows remote attackers to execute arbitrary code via attachments with long file names. 12556 http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880 http://midas.psi.ch/elogs/Forum/941 elog-weblog-bo(19313) ELOG before 2.5.7 allows remote attackers to bypass authentication and download a configuration file that contains a sensitive write password via a modified URL. 12556 http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880 http://midas.psi.ch/elogs/Forum/941 Multiple stack-based buffer overflows in Sybase Adaptive Server Enterprise (ASE) 12.x before 12.5.3 ESD#1 allow remote authenticated users to execute arbitrary code via the (1) attrib_valid function, (2) covert function, (3) declare statement, or (4) a crafted query plan, or remote authenticated users with database owner or "sa" role privileges to execute arbitrary code via (5) a crafted install java statement. sybase-ase-install-java-bo(19980) sybase-ase-abstract-bo(19979) sybase-ase-declare-bo(19978) sybase-ase-convert-bo(19976) sybase-ase-attribvalid-bo(19974) sybase-adaptive-server(19354) http://www.sybase.com/detail?id=1034752 http://www.sybase.com/detail?id=1034520 12080 20050321 Details of Sybase ASE bugs withheld 13632 20050405 Sybase ASE Multiple Security Issues (#NISR05042005) 20041222 Sybase ASE 12.5.2 vulnerabilities http://www.ngssoftware.com/advisories/sybase-ase.txt Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language parameter. 12549 http://www.cubecart.com/site/forums/index.php?showtopic=5741 14272 cubecart-dotdot-directory-traversal(19322) 20050406 RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure 20050214 [NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message. 12549 http://www.cubecart.com/site/forums/index.php?showtopic=5741 cubecart-index-xss(19328) 20050214 [NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities 14064 VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries using a path that includes the rrdharan world-writable temporary directory, which allows local users to execute arbitrary code. GLSA-200502-18 Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows remote attackers to inject arbitrary HTML or web script via the domain name parameter (logindomain) in the login page. 14253 open-webmail-logindomain-xss(19335) http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-05:01/2.5x.patch http://turtle.ee.ncku.edu.tw/openwebmail/doc/changes.txt 12547 1013172 Squid 2.5.STABLE8 and earlier allows remote attackers to cause a denial of service (crash) via certain DNS responses regarding (1) Fully Qualified Domain Names (FQDN) in fqdncache.c or (2) IP addresses in ipcache.c, which trigger an assertion failure. http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE8-dns_assert.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE8-dns_assert RHSA-2005:173 GLSA-200502-25 DSA-688 14271 CLA-2005:931 squid-xstrndup-dos(19332) oval:org.mitre.oval:def:11264 20050221 [USN-84-1] Squid vulnerabilities 12551 RHSA-2005:201 MDKSA-2005:047 FLSA-2006:152809 Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (hang) via a flood of certain ARP packets. 14286 solaris-arp-dos(19331) 12553 57673 1013179 Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. GLSA-200501-38 DSA-696 HPSBUX01208 oval:org.mitre.oval:def:10475 USN-94-1 12767 HPSBUX01208 RHSA-2005:881 RHSA-2005:674 MDKSA-2005:079 18517 18075 17079 14531 FLSA-2006:152845 CLSA-2006:1056 20060101-01-U oval:org.mitre.oval:def:728 The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function. RHSA-2005:284 RHSA-2005:283 SUSE-SA:2005:018 CLA-2005:945 FLSA:152532 USN-82-1 12598 RHSA-2005:366 RHSA-2005:293 MDKSA-2005:218 DSA-1018 DSA-1017 19607 19374 19369 oval:org.mitre.oval:def:10753 [netdev] 20050124 Re: skb_checksum_help 20060402-01-U Directory traversal vulnerability in Sami HTTP Server 1.0.5 allows remote attackers to read arbitrary files via an HTTP request containing (1) .. (dot dot) or (2) "%2e%2e" (encoded dot dot) sequences. 1013191 14283 Sami HTTP Server 1.0.5 allows remote attackers to cause a denial of service via an HTTP request containing two CRLF sequences, which triggers a NULL dereference. 1013191 14283 Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ASP.NET (.Net) 1.0 and 1.1 to SP1 allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<". 12574 14214 20050217 XSS vulnerabilty in ASP.Net [with details] http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension. GLSA-200502-21 14297 http://article.gmane.org/gmane.comp.web.lighttpd/1171 Multiple SQL injection vulnerabilities in DCP-Portal 6.1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the lcat, doc, or uid parameters to index.php, or (2) the mid or bid parameters to forums.php. http://www.hackgen.org/advisories/hackgen-2005-003.txt 1013216 20050216 [hackgen-2005-#003] - SQL injection bugs in DCP-Portal dcpportal-multiple-sql-injection(19361) 12573 20051211 [PHP-CHECKER] 99 potential SQL injection vulnerabilities 108 http://glide.stanford.edu/yichen/research/sec.pdf Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse.cpp for RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1 allows remote attackers to execute arbitrary code via a .SMIL file with a large system-screen-size value. RHSA-2005:265 20050301 RealNetworks RealPlayer .smil Buffer Overflow Vulnerability http://service.real.com/help/faq/security/050224_player oval:org.mitre.oval:def:10926 RHSA-2005:271 Opera 7.54 and earlier does not properly validate base64 encoded binary data in a data: (RFC 2397) URL, which causes the URL to be obscured in a download dialog, which may allow remote attackers to trick users into executing arbitrary code. VU#882926 http://www.opera.com/linux/changelogs/754u2/ GLSA-200502-17 13818 opera-data-dialog-spoofing(18867) SUSE-SA:2005:031 Opera 7.54 and earlier on Gentoo Linux uses an insecure path for plugins, which could allow local users to gain privileges by inserting malicious libraries into the PORTAGE_TMPDIR (portage) temporary directory. GLSA-200502-17 http://bugs.gentoo.org/show_bug.cgi?id=81747 Cross-site scripting (XSS) vulnerability in contact_us.php in osCommerce 2.2-MS2 allows remote attackers to inject arbitrary web script or HTML via the enquiry parameter. 20050215 [NOBYTES.COM: #3] osCommerce 2.2-MS2 - XSS Vulnerability phpMyAdmin 2.6.2-dev, and possibly earlier versions, allows remote attackers to determine the full path of the web root via a direct request to select_lang.lib.php, which reveals the path in a PHP error message. 1013210 index.php in MercuryBoard 1.0.x and 1.1.x allows remote attackers to obtain sensitive information by setting the debug parameter. 13787 14284 http://lostmon.blogspot.com/2005/02/mercuryboard-debug-information.html Unknown vulnerability in NewsBruiser 2.x before 2.6.1 allows remote attackers to "take actions on comments." 14262 http://newsbruiser.tigris.org/servlets/NewsItemView?newsItemID=1016 http://newsbruiser.tigris.org/source/browse/newsbruiser/CHANGELOG?rev=1.283&content-type=text/x-cvsweb-markup Cross-site scripting (XSS) vulnerability in MercuryBoard 1.0.x and 1.1.x allows remote attackers to inject arbitrary HTML and web script via the f parameter. 13937 http://lostmon.blogspot.com/2005/02/mercuryboard-forumphp-f-variable-xss.html Unknown "major security flaws" in Ulog-php before 1.0, related to input validation, have unknown impact and attack vectors, probably related to SQL injection vulnerabilities in (1) host.php, (2) port.php, and (3) index.php. 12610 http://www.inl.fr/article.php3?id_article=7 1013220 14321 13853 gr_osview in SGI IRIX 6.5.22, and possibly other 6.5 versions, does not drop privileges when opening description files while in debug mode, which allows local users to read a line from arbitrary files via the -d and -D options, which prints the line as a formatting error. 20050407 SGI IRIX gr_osview Information Disclosure Vulnerability 20050402-01-P 15351 1013662 14875 gr_osview in SGI IRIX does not drop privileges before opening files, which allows local users to overwrite arbitrary files via the -s option. 20050407 SGI IRIX gr_osview File Overwrite Vulnerability 20050402-01-P 1013662 14875 Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients for PuTTY 0.56, and possibly earlier versions, allow remote malicious web sites to execute arbitrary code via SFTP responses that corrupt the heap after insufficient memory has been allocated. 20050221 Multiple PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerabilities GLSA-200502-28 14333 putty-sftppktgetstring-bo(19403) http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002416 http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002414 17214 Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumers more memory than allocated. VU#341908 RHSA-2005:330 RHSA-2005:327 DSA-703 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt 20050405-01-P USN-224-1 12919 20050328 Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability DSA-731 57761 57755 101671 101665 17899 14745 oval:org.mitre.oval:def:9640 CLA-2005:962 FreeBSD-SA-05:01.telnet MDKSA-2005:061 Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands. VU#291924 RHSA-2005:330 RHSA-2005:327 20050328 Multiple Telnet Client slc_add_reply() Buffer Overflow Vulnerability GLSA-200503-36 DSA-703 DSA-699 DSA-697 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt 57755 20050405-01-P USN-224-1 12918 DSA-731 57761 101671 101665 17899 14745 oval:org.mitre.oval:def:9708 FreeBSD-SA-05:01.telnet MDKSA-2005:061 Buffer overflow in wpa_supplicant before 0.2.7 allows remote attackers to cause a denial of service (segmentation fault) via invalid EAPOL-Key packet data. wpasupplicant-bo(19357) GLSA-200502-22 14313 1013226 [HostAP] 20050213 wpa_supplicant - new stable releases v0.3.8 and v0.2.7 Sun Java JRE 1.1.x through 1.4.x writes temporary files with long filenames that become predictable on a file system that uses 8.3 style short names, which allows remote attackers to write arbitrary files to known locations and facilitates the exploitation of vulnerabilities in applications that rely on unpredictable file names. VU#544392 sun-java-create-files(19285) http://secunia.com/secunia_research/2004-7/advisory/ 11070 Gaim before 1.1.3 allows remote attackers to cause a denial of service (infinite loop) via malformed SNAC packets from (1) AIM or (2) ICQ. VU#839280 gaim-snac-dos(19380) RHSA-2005:432 RHSA-2005:215 GLSA-200503-03 DSA-716 14322 oval:org.mitre.oval:def:10433 http://gaim.sourceforge.net/security/index.php?id=10 12589 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 The HTML parsing functions in Gaim before 1.1.3 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0208. VU#523888 gaim-html-dos(19381) RHSA-2005:215 GLSA-200503-03 14322 oval:org.mitre.oval:def:10212 http://gaim.sourceforge.net/security/index.php?id=11 12589 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 SQL injection vulnerability in the user_valid_crypt function in user.php in WebCalendar 0.9.45 allows remote attackers to execute arbitrary SQL commands via an encoded webcalendar_session cookie. webcalendar-sql-injection(19369) http://www.scovettalabs.com/advisory/SCL-2005.001.txt 14319 13918 1013231 20050217 [ SCL-2005.001 ] - WebCalendar: SQL Injection from encoded cookie SQL injection vulnerability in paFAQ Beta4, and possibly other versions, allows remote attackers to execute arbitrary SQL code via the (1) offset, (2) limit, (3) order, or (4) orderby parameter to question.php, (5) offset parameter to answer.php, (6) search_item parameter to search.php, (7) cat_id, (8) cid, or (9) id parameter to comment.php. 20050217 [PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection pafaq-sql-injection(19371) Cross-site scripting (XSS) vulnerability in hpm_guestbook.cgi allows remote attackers to inject arbitrary web script or HTML by posting a message. hpm-guestbook-xss(19372) 20050217 hpm_guestbook.cgi JavaScript-Injection Cross-site scripting (XSS) vulnerability in the SML code for Invision Power Board 1.3.1 FINAL allows remote attackers to inject arbitrary web script via (1) a signature file or (2) a message post containing an IMG tag within a COLOR tag whose style is set to background:url. invision-power-board-sml-xss(19399) 20050217 Invision Power Boards 1.3.1 FINAL XSS Exploit Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP request with a long User-Agent header or (2) a long argument to an arbitrary PHP script. trackercam-php-bo(19411) trackercam-useragent-bo(19409) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 Directory traversal vulnerability in ComGetLogFile.php3 for TrackerCam 5.12 and earlier allows remote attackers to read arbitrary files via ".." sequences and (1) "/" slash), (2) "\" (backslash), or (3) hex-encoded characters in the fn parameter. trackercam-fn-directory-traversal(19414) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 Cross-site scripting (XSS) vulnerability in TrackerCam 5.12 and earlier allows remote attackers to inject arbitrary HTML or web script via the login request, which is recorded in a log file but not properly handled when the administrator views the log file. trackercam-xss(19416) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 TrackerCam 5.12 and earlier allows remote attackers to read log files via the fn parameter in a direct request to the ComGetLogFile.php3 script. trackercam-fn-path-disclosure(19415) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 TrackerCam 5.12 and earlier allows remote attackers to cause a denial of service (crash) via (1) a large number of connections with a negative Content-Length header, possibly triggering an integer signedness error, or (2) a large amount of data. trackercam-contentlength-dos(19417) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 Multiple directory traversal vulnerabilities in sitenfo.sh, sitezipchk.sh, and siteziplist.sh in Glftpd 1.26 to 2.00 allow remote authenticated users to (1) determine the existence of arbitrary files, (2) list files in restricted directories, or (3) read arbitrary files from within ZIP or gzip files, via .. (dot dot) sequences and globbing ("*") characters in a SITE NFO command. glftpd-sitenfosh-directory-traversal(19401) 12586 20050218 Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based plug-ins Format string vulnerability in gprostats for GProFTPD before 8.1.9 may allow remote attackers to execute arbitrary code via an FTP transfer with a crafted filename that causes format string specifiers to be inserted into the ProFTPD transfer log. GLSA-200502-26 http://bugs.gentoo.org/show_bug.cgi?id=81894 Cross-site scripting (XSS) vulnerability in comment.php for paNews 2.0b4 for PHP Arena allows remote attackers to inject arbitrary HTML and web script via the showpost parameter. 20050216 [PersianHacker.NET 200505-06] paNews v2.0b4 XSS Vulnerability panews-commentphp-xss(19359) 12576 Tarantella Secure Global Desktop Enterprise Edition 4.00 and 3.42, and Tarantella Enterprise 3 3.40 and 3.30, when using RSA SecurID and multiple users have the same username, reveals sensitive information during authentication, which allows remote attackers to identify valid usernames and the authentication scheme. http://www.tarantella.com/security/bulletin-11.html tarantella-enterprise-obtain-information(19407) Cross-site scripting (XSS) vulnerability in index.php for Kayako ESupport 2.3.1, and possibly other versions, allows remote attackers to inject arbitrary HTML and web script via the nav parameter. kayako-index-xss(18571) 12563 20050215 Kayako eSupport v2.3.1 Support Tracker XSS Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. VU#800829 TA06-214A 57761 57755 ADV-2006-3101 RHSA-2005:504 SUSE-SR:2005:016 oval:org.mitre.oval:def:11373 20050614 Multiple Vendor Telnet Client Information Disclosure Vulnerability 19289 13940 RHSA-2005:562 101671 101665 1014203 21253 17135 APPLE-SA-2006-08-01 oval:org.mitre.oval:def:1139 The /proc handling (proc/base.c) Linux kernel 2.4 before 2.4.17 allows local users to cause a denial of service via unknown vectors that cause an invalid access of free memory. This vulnerability is addressed in the following product release: Linux, Linux kernel, 2.4.27 18173 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20202 20163 http://kernel.debian.net/debian/pool/main/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_ia64.changes 20338 Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication. GLSA-200503-20 20050228 [USN-86-1] cURL vulnerability CLA-2005:940 curl-kerberos-bo(19423) 20050221 Multiple Unix/Linux Vendor cURL/libcURL Kerberos Authentication Buffer Overflow Vulnerability 20050221 Multiple Unix/Linux Vendor cURL/libcURL NTLM Authentication Buffer Overflow Vulnerability oval:org.mitre.oval:def:10273 12616 12615 RHSA-2005:340 SUSE-SA:2005:011 MDKSA-2005:048 Stack-based buffer overflow in Knox Arkeia Server Backup 5.3.x allows remote attackers to execute arbitrary code via a long type 77 request. 12594 14327 arkeia-backup-client-bo(19398) 20050218 Knox Arkeia remote root/system exploit Adobe Acrobat Reader 6.0.3 and 7.0.0 allows remote attackers to cause a denial of service (application crash) via a PDF file that contains a negative Count value in the root page node. http://www.adobe.com/support/techdocs/331468.html adobe-root-page-node-dos(19946) ADV-2005-0310 20050218 Adobe Reader invalid root page node Count value DOS 14813 CRLF injection vulnerability in bizmail.cgi in Biz Mail Form before 2.2 allows remote attackers to bypass the email check and send spam e-mail via CRLF sequences and forged mail headers in the email parameter. Upgrade to newest version. 20050218 BizMail 2.1 Spam Exploit The RgSecurity form in the HTTP server for the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not properly validate the password before performing changes, which allows remote attackers on the LAN to gain access via a direct POST request. thomson-tcw690-gain-access(19387) 14353 20050219 Thomson TCW690 POST Password Validation Vulnerability Cross-site scripting (XSS) vulnerability in ZeroBoard allows remote attackers to inject arbitrary web script or HTML via the (1) sn1, (2) year, or (3) page parameter to zboard.php or (4) filename to view_image.php. zeroboard-xss(19420) 1013243 20050219 Multiples vulnerability in ZeroBoard, Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands. arkeia-backup-client-gain-access(20667) 1013256 http://metasploit.com/research/arkeia_agent/ 20050220 Arkeia Network Backup Client Remote Access ADP Elite System Max 9000 allows remote authenticated users to gain privileges by uploading a .profile that sets the ADPROOT environment variable to the root directory. 20050219 ADP Elite System Max 9000 Series Login Vulnerability adp-elite-gain-privileges(20622) Gigafast router (aka CompUSA router) allows remote attackers to gain sensitive information and bypass the login page via a direct request to backup.cfg, which reveals the administrator password in plaintext. gigafast-backupcfg-plaintext-password(19422) 20050220 Gigafast/CompUSA router (model EE400-R) vulnerabilities Gigafast router (aka CompUSA router) with the DNS proxy option enabled allows remote attackers to cause a denial of service via malformed DNS queries. gigafast-dns-queries-dos(19426) 20050220 Gigafast/CompUSA router (model EE400-R) vulnerabilities Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to spoof the domain name of a URL in a titlebar for a script-initiated popup window, which could facilitate phishing attacks. ie-title-bar-spoofing(19452) 12602 20050221 WindowsXPSP2 script-initiated popup window 14335 Buffer overflow in Bontago 1.1 and earlier allows remote attackers exeucte arbitrary code via a long nickname. bontago-nickname-bo(19406) 12603 14350 http://aluigi.altervista.org/adv/bontagobof-adv.txt Directory traversal vulnerability in Xinkaa 1.0.3 and earlier allows remote attackers to read arbitrary files via (1) ../ and (2) ..\ characters in an HTTP request. xinkaa-web-directory-traversal(19404) ADV-2005-0189 12606 14349 http://aluigi.altervista.org/adv/xinkaa-adv.txt uim before 0.4.5.1 trusts certain environment variables when libUIM is used in setuid or setgid applications, which allows local users to gain privileges. 12604 13981 [uim] 20050220 uim 0.4.5.1 released MDKSA-2005:046 Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value. 12195 ADV-2005-1878 USN-508-1 RHSA-2005:663 RHSA-2005:551 RHSA-2005:529 DSA-1082 DSA-1070 DSA-1069 DSA-1067 1013273 30112 26651 20338 20202 20163 17002 oval:org.mitre.oval:def:9770 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22 RHSA-2008:0237 Unknown vulnerability in Information Resource Manager (IRM) before 1.5.2.1 allows remote attackers has "potentially serious" impact, related to LDAP logins. irm-ldap-security-bypass(19419) http://sourceforge.net/project/shownotes.php?release_id=306629 14342 The Avaya IP Office Phone Manager, and other products such as the IP Softphone, stores sensitive data in cleartext in a registry key, which allows local and possibly remote users to steal usernames and passwords and impersonate other users via keys such as Avaya\IP400\Generic. http://support.avaya.com/elmodocs2/security/ASA-2005-041_Sensitive_Info_Leak.pdf 20050222 Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability 20050222 Avaya IP Office Phone Manager - Sensitive Information Cleartext Directory traversal vulnerability in SD Server 4.0.70 and earlier allows remote attackers to read arbitrary files via .. sequences in an HTTP request. 14365 20050221 SD Server 4.0.70 Directory Traversal Bug http://www.gdsoftware.dk/ 20050222 SD Server 4.0.70 Directory Traversal Bug Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue." 12619 14336 http://xml.apache.org/batik/#SecurityWarning Multiple cross-site scripting (XSS) vulnerabilities in the Mono 1.0.5 implementation of ASP.NET (.Net) allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<". 14325 20050217 XSS vulnerabilty in ASP.Net [with details] http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml The daemon for fallback-reboot before 0.995 allows attackers to cause a denial of service (daemon exit), possibly related to verbose debug messages when the daemon is not on a tty. 14328 http://dcs.nac.uci.edu/~strombrg/fallback-reboot/ misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter. 14326 http://www.vbulletin.com/forum/showthread.php?postid=819562 12622 20050222 [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection PHP remote file inclusion vulnerability in Tar.php in Mambo 4.5.2 allows remote attackers to execute arbitrary PHP code by modifying the mosConfig_absolute_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2004-1693. 14337 http://mamboforge.net/frs/download.php/4043/Patch_4.5.2_to_4.5.2.1.zip PHP remote file inclusion vulnerability in mail_autocheck.php in the Email This Entry add-on for pMachine Pro 2.4, and possibly other versions including pMachine Free, allows remote attackers to execute arbitrary PHP code by directly requesting mail_autocheck.php and modifying the pm_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2003-1086. 12597 15473 20050219 pMachine Pro / pMachine Free Remote Code Execution Cross-site scripting (XSS) vulnerability in Verity Ultraseek before 5.3.3 allows remote attackers to inject arbitrary HTML and web script via search parameters. VU#716144 http://www.mikx.de/index.php?p=6 14367 20041223 Cross-Site Scripting - an industry-wide problem Smc.exe in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before launching the Log Viewer export functionality, which allows local users to corrupt arbitrary files by saving log files. http://www.webroot.com/services/mfp_advisory.php 12842 http://secunia.com/secunia_research/2004-20/advisory/ 13577 The ImageGalleryPlugin (ImageGalleryPlugin.pm) in Twiki allows remote attackers to execute arbitrary commands via certain commands that generate thumbnails. 14384 http://www.enyo.de/fw/security/notes/twiki-robustness.html http://static.enyo.de/fw/patches/twiki/imagegallery-robustness-20041128.diff 20050223 Robustness patch for TWiki, vulnerability in ImageGalleryPlugin PeerFTP_5 stores sensitive information such as passwords in plaintext in the PeerFTP.ini files, which allows local users to gain privileges. 1013263 eXeem 0.21 stores sensitive information such as passwords in plaintext in the Exeem registry key, which allows local users to gain privileges via the proxy_user and proxy_password values. 1013266 ArGoSoft FTP Server before 1.4.2.7 allows remote attackers to read arbitrary files by uploading a ZIP file containing a shortcut (.LNK) file, using SITE UNZIP to extract the .LNK file onto the server, then accessing the file, a different vulnerability than CVE-2005-0520. http://www.argosoft.com/ftpserver/changelist.aspx 14172 argosoft-ink-file-upload(17939) 12487 13614 ArGoSoft FTP Server before 1.4.2.8 allows remote attackers to read arbitrary files via shortcut (.LNK) files in the SITE COPY command, a different vulnerability than CVE-2005-0519. http://www.argosoft.com/ftpserver/changelist.aspx 14372 argosoft-site-copy-files(19442) 12632 14061 SendLink 1.5 stores sensitive information, possibly including passwords, in plaintext in the data.eat file, which allows local users to gain privileges. 1013269 Chat Anywhere 2.72a stores sensitive information such as passwords in plaintext in the .INI file for a chatroom, which allows local users to gain privileges. 1013270 Format string vulnerability in ProZilla 1.3.7.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the Location header. DSA-719 12635 http://www.securiteam.com/exploits/5WP082KEUW.html The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a -8 size value. 20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilities 1013619 14792 php-phphandleiff-dos(19920) ADV-2005-0305 RHSA-2005:406 RHSA-2005:405 GLSA-200504-15 oval:org.mitre.oval:def:9310 APPLE-SA-2005-06-08 15183 MDKSA-2005:072 The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek. DSA-708 14792 ADV-2005-0305 20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilities RHSA-2005:406 RHSA-2005:405 GLSA-200504-15 DSA-729 1013619 oval:org.mitre.oval:def:11703 APPLE-SA-2005-06-08 15184 MDKSA-2005:072 Multiple cross-site scripting (XSS) vulnerabilities in PBLang 4.65 allow remote attackers to inject arbitrary web script or HTML via (1) the search string to search.php, (2) the subject of a PM, which is processed by pm.php, or (3) the body of a PM, which is processed by pmpshow.php. 1013277 20050222 Software PBLang 4.65 pm.php XSS vulnerability 20050222 Software PBLang 4.65 pmpshow.php XSS vulnerability 20050222 Software PBLang 4.65 search.php XSS vulnerability Firefox 1.0 allows remote attackers to execute arbitrary code via plugins that load "privileged content" into frames, as demonstrated using certain XUL events when a user drags a scrollbar two times, aka "Firescrolling." GLSA-200503-30 GLSA-200503-10 http://www.mozilla.org/security/announce/mfsa2005-27.html http://www.mikx.de/?p=11 1013301 oval:org.mitre.oval:def:11772 20050225 Firescrolling [Firefox 1.0] RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100031 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0985. Reason: This candidate is a duplicate of CVE-2003-0985. Notes: All CVE users should reference CVE-2003-0985 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context. http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke SUSE-SA:2005:018 oval:org.mitre.oval:def:8994 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/cset@4201818eC6aMn0x3GY_9rw3ueb2ZWQ CLA-2005:930 RHSA-2005:366 Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument. http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke SUSE-SA:2005:018 oval:org.mitre.oval:def:10960 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/cset@420181322LZmhPTewcCOLkubGwOL3w CLA-2005:930 RHSA-2005:366 The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments. http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/gnupatch@4208e1fcfccuD-eH2OGM5mBhihmQ3A CLA-2005:930 oval:org.mitre.oval:def:10095 RHSA-2005:366 The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types. SUSE-SA:2005:018 http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/cset@42018227TkNpHlX6BefnItV_GqMmzQ Heap-based buffer overflow in Trend Micro AntiVirus Library VSAPI before 7.510, as used in multiple Trend Micro products, allows remote attackers to execute arbitrary code via a crafted ARJ file with long header file names that modify pointers within a structure. http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution 12643 1013290 1013289 14396 20050224 Trend Micro AntiVirus Library Heap Overflow Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allow remote attackers to inject arbitrary web script. http://sourceforge.net/project/shownotes.php?release_id=307067 1013260 14360 GLSA-200502-33 Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to perform unauthorized actions as authenticated MediaWiki users. 1013260 14360 GLSA-200502-33 Directory traversal vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to delete arbitrary files or determine file existence via a parameter related to image deletion. http://sourceforge.net/project/shownotes.php?release_id=307067 1013260 14360 GLSA-200502-33 Multiple SQL injection vulnerabilities in page.php for iGeneric (iG) Shop 1.2 may allow remote attackers to execute arbitrary SQL statements via the (1) cats, (2) l_price, or (3) u_price parameters. 1013268 14369 20050221 [NOBYTES.COM: #5] iGeneric eShop 1.2 - Information Disclosure & Possible SQL Injection Directory traversal vulnerability in (1) GinpPictureServlet.java and (2) PicCollection.java in ginp (Java Photo Gallery Web Application) before 0.22 allows remote attackers to read arbitrary files. http://sourceforge.net/project/shownotes.php?release_id=307518 14373 Unknown vulnerability in IBM Hardware Management Console (HMC) before 4.4 for POWER5 servers allows local users to gain privileges, related to the Guided Setup Wizard. http://techsupport.services.ibm.com/server/hmc/power5/fixes/ptf_MH00220.html 14377 Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows remote attackers to obtain sensitive information via a direct request to the /about.html page. 14073 http://www.cirt.net/advisories/alterpath_disclosure.shtml 14378 20050224 Cyclades AlterPath Manager Vulnerabilities consoleConnect.jsp in Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows remote attackers to connect to arbitrary consoles by modifying the consolename parameter. 14075 http://www.cirt.net/advisories/alterpath_console.shtml 14378 20050224 Cyclades AlterPath Manager Vulnerabilities saveUser.do in Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows local users to gain privileges by setting the adminUser parameter to true. 14074 http://www.cirt.net/advisories/alterpath_privesc.shtml 14378 20050224 Cyclades AlterPath Manager Vulnerabilities Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in display_tbl_links.lib.php, the left_font_family parameter in theme_left.css.php, or the right_font_family parameter in theme_right.css.php. phpmyadmin-multiple-php-xss(19462) 12644 GLSA-200503-07 14382 20050224 [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4 phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server via direct requests to (1) sqlvalidator.lib.php, (2) sqlparser.lib.php, (3) select_theme.lib.php, (4) select_lang.lib.php, (5) relation_cleanup.lib.php, (6) header_meta_style.inc.php, (7) get_foreign.lib.php, (8) display_tbl_links.lib.php, (9) display_export.lib.php, (10) db_table_exists.lib.php, (11) charset_conversion.lib.php, (12) ufpdf.php, (13) mysqli.dbi.lib.php, (14) setup.php, or (15) cookie.auth.lib.php, which reveals the path in a PHP error message. GLSA-200503-07 14382 http://sourceforge.net/tracker/index.php?func=detail&aid=1149383&group_id=23067&atid=377408 Microsoft Windows XP Pro SP2 and Windows 2000 Server SP4 running Active Directory allow local users to bypass group policies that restrict access to hidden drives by using the browse feature in Office 10 applications such as Word or Excel, or using a flash drive. NOTE: this issue has been disputed in a followup post. 12641 20050223 Office 10 applications & flashdrives can be used to browse restricted drives 20050225 Re: Office 10 applications & flashdrives can be used to browse restricted Multiple buffer overflows in Cyrus IMAPd before 2.2.11 may allow attackers to execute arbitrary code via (1) an off-by-one error in the imapd annotate extension, (2) an off-by-one error in "cached header handling," (3) a stack-based buffer overflow in fetchnews, or (4) a stack-based buffer overflow in imapd. GLSA-200502-29 14383 20050228 [USN-87-1] Cyrus IMAP server vulnerability [info-cyrus] 20050214 Cyrus IMAPd 2.2.11 Released oval:org.mitre.oval:def:10674 CLA-2005:937 http://bugs.gentoo.org/show_bug.cgi?id=82404 12636 FLSA:156290 RHSA-2005:408 MDKSA-2005:051 1013278 Unknown vulnerability in ftpd on HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23 allows remote authenticated users to gain "unauthorized access to files." 12651 hp-ux-ftpd-gain-access(19467) oval:org.mitre.oval:def:5464 HPSBUX01119 HPSBUX01119 Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search function. 1000230 57737 20050328 Multiple XSS issues in Sun AnswerBook2 Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the "View Log Files" function. 57737 1000230 20050328 Multiple XSS issues in Sun AnswerBook2 Buffer overflow in Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to cause a denial of service (i.e., system crash) via a malformed request, aka "Object Management Vulnerability". MS05-018 oval:org.mitre.oval:def:4832 oval:org.mitre.oval:def:4397 oval:org.mitre.oval:def:2043 oval:org.mitre.oval:def:1271 Stack-based buffer overflow in WINSRV.DLL in the Client Server Runtime System (CSRSS) process of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application that provides console window information with a long FaceName value. MS05-018 20050412 Microsoft Windows CSRSS.EXE Stack Overflow Vulnerability oval:org.mitre.oval:def:777 oval:org.mitre.oval:def:3544 oval:org.mitre.oval:def:266 oval:org.mitre.oval:def:1822 Race condition in the memory management routines in the DHTML object processor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a malicious web page or HTML e-mail, aka "DHTML Object Memory Corruption Vulnerability". TA05-102A VU#774338 ie-dhtml-bo(19831) MS05-020 20050412 Microsoft Internet Explorer DHTML Engine Race Condition Vulnerability 14922 oval:org.mitre.oval:def:4985 oval:org.mitre.oval:def:4874 oval:org.mitre.oval:def:3752 oval:org.mitre.oval:def:3100 oval:org.mitre.oval:def:1695 Buffer overflow in the URL processor of Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a URL with a long hostname, aka "URL Parsing Memory Corruption Vulnerability." TA05-102A VU#756122 MS05-020 20050412 Microsoft Windows Internet Explorer Long Hostname Heap Corruption Vulnerability 14922 oval:org.mitre.oval:def:789 oval:org.mitre.oval:def:3817 oval:org.mitre.oval:def:2559 oval:org.mitre.oval:def:2253 oval:org.mitre.oval:def:1196 Buffer overflow in the Content Advisor in Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via a crafted Content Advisor file, aka "Content Advisor Memory Corruption Vulnerability." TA05-102A VU#222050 MS05-020 14922 ie-content-advisor-bo(19842) oval:org.mitre.oval:def:4674 oval:org.mitre.oval:def:3926 oval:org.mitre.oval:def:3157 oval:org.mitre.oval:def:2786 oval:org.mitre.oval:def:2077 Buffer overflow in Microsoft Word 2000, Word 2002, and Word 2003 allows remote attackers to execute arbitrary code via a crafted document. word-document-bo(19828) MS05-023 oval:org.mitre.oval:def:4234 oval:org.mitre.oval:def:2685 oval:org.mitre.oval:def:2415 oval:org.mitre.oval:def:1236 Heap-based buffer overflow in the SvrAppendReceivedChunk function in xlsasink.dll in the SMTP service of Exchange Server 2000 and 2003 allows remote attackers to execute arbitrary code via a crafted X-LINK2STATE extended verb request to the SMTP port. TA05-102A VU#275193 MS05-021 14920 20050412 Microsoft Exchange Remote Compromise 15467 20050419 MS05-021 Microsoft Exchange X-LINK2STATE Heap Overflow PoC oval:org.mitre.oval:def:4032 GIF file validation error in MSN Messenger 6.2 allows remote attackers in a user's contact list to execute arbitrary code via a GIF image with an improper height and width. TA05-102A VU#633446 msn-messenger-gif-execute-code (19950) MS05-022 14915 oval:org.mitre.oval:def:4927 Cross-site scripting (XSS) vulnerability in Microsoft Outlook Web Access (OWA) component in Exchange Server 5.5 allows remote attackers to inject arbitrary web script or HTML via an email message with an encoded javascript: URL ("jav&#X41sc&#0010;ript:") in an IMG tag. MS05-029 20050614 Microsoft Outlook Web Access Cross-Site Scripting Vulnerability 15697 Stack-based buffer overflow in Microsoft Word 2000 and Word 2002, and Microsoft Works Suites 2000 through 2004, might allow remote attackers to execute arbitrary code via a .doc file with long font information. TA05-193A VU#218621 MS05-035 20050712 Microsoft Word 2000 and Word 2002 Font Parsing Buffer Overflow Vulnerability oval:org.mitre.oval:def:1331 oval:org.mitre.oval:def:1190 The Announce module in phpWebSite 0.10.0 and earlier allows remote attackers to execute arbitrary PHP code by setting the Image field to reference a PHP file whose name contains a .gif.php extension. phpwebsite-announce-execute-code(19482) GLSA-200503-04 14399 1013298 20050224 phpWebSite-0.10.0_exploit Buffer overflow in Golden FTP Server Pro (goldenftpd) 2.x allows remote attackers to execute arbitrary code via a long RNTO command. VU#620862 golden-ftp-rnto-bo(19015) 12333 http://www.goldenftpserver.com 13966 1012973 20050122 several BO's in goldenftpd Multiple PHP remote file inclusion vulnerabilities in phpMyAdmin 2.6.1 allow remote attackers to execute arbitrary PHP code by modifying the (1) theme parameter to phpmyadmin.css.php or (2) cfg[Server][extension] parameter to database_interface.lib.php to reference a URL on a remote web server that contains the code. phpmyadmin-file-include(19465) 12645 http://sourceforge.net/tracker/index.php?func=detail&aid=1149381&group_id=23067&atid=377408 14382 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-1 20050224 [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4 Soldier of Fortune II 1.03 gold allows remote attackers to cause a denial of service (application crash) via a large cl_guid value, which results in an invalid pointer dereference. 12650 1013291 13289 http://aluigi.altervista.org/adv/sof2guidboom-adv.txt 20050224 In-game cl_guid crash in Soldier of Fortune II 1.03 Multiple SQL injection vulnerabilities in PunBB 1.2.1 allow remote attackers to execute arbitrary SQL commands via the (1) language parameter to register.php, (2) change email feature in profile.php, (3) posts or (4) topics parameter to moderate.php. punbb-multiple-sql-injection(19473) 12652 14538 14394 http://www.punbb.org/changelogs/1.2.1_to_1.2.2.txt 20050224 Multiple vulns in punBB profile.php in PunBB 1.2.1 allows remote attackers to cause a denial of service (account lockout) by setting the user's password to NULL. punbb-profile-dos(19483) 12652 14394 20050224 Multiple vulns in punBB admin_loader.php in PunBB 1.2.1 allows remote attackers to read arbitrary files via the plugin parameter. punbb-file-disclosure(19478) http://www.punbb.org/download/patch/punbb-1.2.1_to_1.2.2.patch 14394 http://www.punbb.org/changelogs/1.2.1_to_1.2.2.txt 20050224 Multiple vulns in punBB index.php in phpWebSite 0.10.0 and earlier allows remote attackers to obtain sensitive information via an invalid SEA_search_module parameter, which reveals the path in a PHP error message. GLSA-200503-04 phpwebsite-search-path-disclosure(19480) http://neossecurity.net/Advisories/Advisory-05.txt 20050225 phpWebSite 0.10.0 Full Path disclosure Gaim 1.1.3 on Windows systems allows remote attackers to cause a denial of service (client crash) via a file transfer in which the filename contains "(" or ")" (parenthesis) characters. 1013300 20050224 GAIM exploit Directory traversal vulnerability in CIS WebServer 3.5.13 allows remote attackers to read arbitrary files via .. (dot dot) sequences in the URL. 12662 20050225 CIS WebServer Directory Traversal Bug Buffer overflow in Stormy Studios Knet 1.04c and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long HTTP GET request. 12671 14400 20050225 Knet <= 1.04c Buffer Overflow Bug Unknown vulnerability in Standard Type Services Framework (STSF) Font Server Daemon (stfontserverd) in Solaris 9 allows local users to modify or delete arbitrary files. 12656 57738 14381 Format string vulnerability in DNA MKBold-MKItalic 0.06_1 and earlier allows remote attackers to execute arbitrary code via crafted BDF font files. http://www.freshports.org/x11-fonts/mkbold-mkitalic/ 14398 http://www.vuxml.org/freebsd/32d4f0f1-85c3-11d9-b6dc-0007e900f747.html Firefox before 1.0.1 and Mozilla Suite before 1.7.6 use a predictable filename for the plugin temporary directory, which allows local users to delete arbitrary files of other users via a symlink attack on the plugtmp directory. GLSA-200503-30 GLSA-200503-10 http://www.mozilla.org/security/announce/mfsa2005-28.html oval:org.mitre.oval:def:10954 12659 RHSA-2005:384 RHSA-2005:176 nxagent in FreeNX before 0.2.8 does not properly handle when the XAUTHORITY environment variable is not set, which allows local users to access the X server without X authentication. SUSE-SR:2005:006 [FreeNX-kNX] 20050217 Security: Serious bug in authority handling found and fixed cmd5checkpw, when running setuid, does not properly drop privileges before calling the execvp function, which allows local users to read the poppasswd file. GLSA-200502-30 Multiple buffer overflows in Computer Associates (CA) License Client and Server 0.1.0.15 allow remote attackers to execute arbitrary code via (1) certain long fields in the Checksum item in a GCR request, (2) a long IP address, hostname, or netmask values in a GCR request, (3) a long last parameter in a GETCONFIG packet, or (4) long values in a request with an invalid format. 20050302 Computer Associates License Client/Server GCR Checksum Buffer Overflow 20050302 Computer Associates License Client/Server GCR Network Buffer Overflow 20050302 Computer Associates License Client/Server GETCONFIG Buffer Overflow 20050302 Computer Associates License Client and Server Invalid Command Buffer Overflow http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp 20050302 License Patches Are Now Available To Address Buffer Overflows Buffer overflow in Computer Associates (CA) License Client 0.1.0.15 allows remote attackers to execute arbitrary code via a long filename in a PUTOLF request. 20050302 Computer Associates License Client PUTOLF Buffer Overflow http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp 20050302 License Patches Are Now Available To Address Buffer Overflows Directory traversal vulnerability in Computer Associates (CA) License Client 0.1.0.15 allows remote attackers to create arbitrary files via .. (dot dot) sequences in a PUTOLF request. 20050302 Computer Associates License Client PUTOLF Directory Traversal http://supportconnectw.ca.com/public/ca_common_docs/security_notice.asp 20050302 License Patches Are Now Available To Address Buffer Overflows Firefox before 1.0.1 and Mozilla before 1.7.6, when displaying the HTTP Authentication dialog, do not change the focus to the tab that generated the prompt, which could facilitate spoofing and phishing attacks. https://bugzilla.mozilla.org/show_bug.cgi?id=277574 GLSA-200503-10 RHSA-2005:384 RHSA-2005:176 http://www.mozilla.org/security/announce/mfsa2005-24.html GLSA-200503-30 oval:org.mitre.oval:def:11191 oval:org.mitre.oval:def:100034 Firefox before 1.0.1 and Mozilla before 1.7.6 truncates long sub-domains or paths for display, which may allow remote malicious web sites to spoof legitimate sites and facilitate phishing attacks. http://www.mozilla.org/security/announce/mfsa2005-23.html GLSA-200503-30 GLSA-200503-10 http://secunia.com/secunia_research/2004-15/advisory/ 13599 oval:org.mitre.oval:def:9924 RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100035 Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to spoof the extensions of files to download via the Content-Disposition header, which could be used to trick users into downloading dangerous content. GLSA-200503-10 13258 http://www.mozilla.org/security/announce/mfsa2005-22.html oval:org.mitre.oval:def:11152 12659 RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100036 Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote malicious web sites to overwrite arbitrary files by tricking the user into downloading a .LNK (link) file twice, which overwrites the file that was referenced in the first .LNK file. SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-21.html 12659 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100037 Firefox before 1.0.1 and Mozilla before 1.7.6 does not restrict xsl:include and xsl:import tags in XSLT stylesheets to the current domain, which allows remote attackers to determine the existence of files on the local system. https://bugzilla.mozilla.org/show_bug.cgi?id=271209 GLSA-200503-30 GLSA-200503-10 http://www.mozilla.org/security/announce/mfsa2005-20.html oval:org.mitre.oval:def:10682 12659 RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100038 The Form Fill feature in Firefox before 1.0.1 allows remote attackers to steal potentially sensitive information via an input control that monitors the values that are generated by the autocomplete capability. https://bugzilla.mozilla.org/show_bug.cgi?id=270697 GLSA-200503-10 http://www.mozilla.org/security/announce/mfsa2005-19.html oval:org.mitre.oval:def:10825 12659 RHSA-2005:176 oval:org.mitre.oval:def:100039 The installation confirmation dialog in Firefox before 1.0.1, Thunderbird before 1.0.1, and Mozilla before 1.7.6 allows remote attackers to use InstallTrigger to spoof the hostname of the host performing the installation via a long "user:pass" sequence in the URL, which appears before the real hostname. https://bugzilla.mozilla.org/show_bug.cgi?id=268059 GLSA-200503-30 GLSA-200503-10 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-17.html oval:org.mitre.oval:def:10010 12659 RHSA-2005:384 RHSA-2005:176 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100041 Firefox before 1.0.1 allows remote attackers to spoof the (1) security and (2) download modal dialog boxes, which could be used to trick users into executing script or downloading and executing a file, aka "Firespoofing." https://bugzilla.mozilla.org/show_bug.cgi?id=260560 GLSA-200503-30 GLSA-200503-10 http://www.mozilla.org/security/announce/mfsa2005-16.html http://www.mikx.de/index.php?p=7 http://www.mikx.de/firespoofing/ oval:org.mitre.oval:def:10039 20050111 Firespoofing [Firefox 1.0] web-browser-modal-spoofing(18864) 12234 RHSA-2005:384 RHSA-2005:176 13786 oval:org.mitre.oval:def:100042 Heap-based buffer overflow in the UTF8ToNewUnicode function for Firefox before 1.0.1 and Mozilla before 1.7.6 might allow remote attackers to cause a denial of service (crash) or execute arbitrary code via invalid sequences in a UTF8 encoded string that result in a zero length value. https://bugzilla.mozilla.org/show_bug.cgi?id=241440 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-15.html GLSA-200503-30 GLSA-200503-10 oval:org.mitre.oval:def:10606 12659 RHSA-2005:176 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100043 Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site. GLSA-200503-10 https://bugzilla.mozilla.org/show_bug.cgi?id=277564 https://bugzilla.mozilla.org/show_bug.cgi?id=276720 https://bugzilla.mozilla.org/show_bug.cgi?id=268483 https://bugzilla.mozilla.org/show_bug.cgi?id=258048 http://www.mozilla.org/security/announce/mfsa2005-14.html GLSA-200503-30 oval:org.mitre.oval:def:9533 12659 RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100044 Buffer overflow in the Netinfo Setup Tool (NeST) allows local users to execute arbitrary code. TA05-136A VU#354486 APPLE-SA-2005-05-03 Buffer overflow in ext.dll in BadBlue 2.55 allows remote attackers execute arbitrary code via a long mfcisapicommand parameter. 12673 14405 20050226 Badblue HTTP Server, ext.dll buffer overflow PHP 4 (PHP4) allows attackers to cause a denial of service (daemon crash) by using the readfile function on a file whose size is a multiple of the page size. 12665 SUSE-SR:2005:006 Cisco devices running Application and Content Networking System (ACNS) 5.0 before 5.0.17.6 and 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (process restart) via a "crafted TCP connection." 14395 cisco-tcp-acns-dos(19466) 12648 20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities The RealServer RealSubscriber on Cisco devices running Application and Content Networking System (ACNS) 5.1 allow remote attackers to cause a denial of service (CPU consumption) via malformed packets. VU#579240 cisco-realserver-realsubscriber-dos(19469) 12648 20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities 14395 Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, or 5.1 before 5.1.11.6 allow remote attackers to cause a denial of service (CPU consumption) via malformed IP packets. 14395 cisco-ip-packet-dos(19468) 12648 20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities Cisco devices running Application and Content Networking System (ACNS) 5.0, 5.1 before 5.1.13.7, or 5.2 before 5.2.3.9 allow remote attackers to cause a denial of service (bandwidth consumption) via "crafted IP packets" that are continuously forwarded. cisco-acns-dos(19470) 12648 20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities 14395 Cisco devices running Application and Content Networking System (ACNS) 4.x, 5.0, 5.1, or 5.2 use a default password when the setup dialog has not been run, which allows remote attackers to gain access. 14395 cisco-acns-gain-access(19471) 12648 20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities Unzip 5.51 and earlier does not properly warn the user when extracting setuid or setgid files, which may allow local users to gain privileges. ADV-2007-3866 20050228 7a69Adv#22 - UNIX unzip keep setuid and setgid files 2005-0053 14447 MDKSA-2005:197 200844 103150 27684 17342 17045 viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a PHP error message. http://www.phpbb.com/phpBB/viewtopic.php?t=267563 14413 20050225 -==phpBB 2.0.12 Full path disclosure==- lnss.exe in GFI Languard Network Security Scanner 5.0 stores the username and password in memory in plaintext, which could allow local administrators to obtain domain administrator credentials. http://www.hat-squad.com/en/000160.html 20050228 [Hat-Squad] GFI L.N.S.S 5.0 Insecure Credential Storage scan.c for LibXPM may allow attackers to execute arbitrary code via a negative bitmap_unit value that leads to a buffer overflow. 12714 RHSA-2005:331 GLSA-200503-15 DSA-723 1013339 GLSA-200503-08 http://bugs.gentoo.org/show_bug.cgi?id=83655 http://bugs.gentoo.org/show_bug.cgi?id=83598 https://bugs.freedesktop.org/attachment.cgi?id=1909 RHSA-2005:412 oval:org.mitre.oval:def:10411 USN-97-1 USN-92-1 RHSA-2008:0261 RHSA-2005:473 RHSA-2005:198 RHSA-2005:044 FLSA-2006:152803 19624 18316 18049 14460 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 20060403-01-U SCOSA-2005.57 SCOSA-2006.5 Cross-site scripting (XSS) vulnerability in settings.inc.php for CubeCart 2.0.0 through 2.0.5, as used in multiple PHP files, allows remote attackers to inject arbitrary HTML or web script via the (1) cat_id, (2) PHPSESSID, (3) view_doc, (4) product, (5) session, (6) catname, (7) search, or (8) page parameters. 12658 http://www.cubecart.com/site/forums/index.php?showtopic=6032 cubecart-multiple-xss(20637) 1013304 14416 http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html CubeCart 2.0.0 through 2.0.5 allows remote attackers to determine the full path of the server via direct calls without parameters to (1) information.php, (2) language.php, (3) list_docs.php, (4) popular_prod.php, (5) sale.php, (6) subfooter.inc.php, (7) subheader.inc.php, (8) cat_navi.php, or (9) check_sum.php, which reveals the path in a PHP error message. http://www.cubecart.com/site/forums/index.php?showtopic=6032 cubecart-multiple-path-disclosure(20638) 1013304 http://lostmon.blogspot.com/2005/02/cubecart-20x-multiple-variable-xss.html Heap-based buffer overflow in server.cpp for WebMod 0.47 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a POST request with a Content-Length that is less than the amount of data that is actually sent. 14302 http://djeyl.net/forum/index.php?showtopic=41440 Multiple symlink vulnerabilities in portupgrade before 20041226_2 in FreeBSD allow local users to (1) overwrite arbitrary files and possibly replace packages to execute arbitrary code via pkg_fetch, (2) overwrite arbitrary files via temporary files when portupgrade upgrades a port or package, or (3) create arbitrary zero-byte files via the pkgdb.fixme temporary file. http://www.vuxml.org/freebsd/22f00553-a09d-11d9-a788-0001020eed82.html 14903 13106 Heap-based buffer overflow in RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1, allows remote attackers to execute arbitrary code via .WAV files. RHSA-2005:265 http://service.real.com/help/faq/security/050224_player/EN/ oval:org.mitre.oval:def:11419 20050302 RealOne Player / Real .WAV Heap Overflow File Format Vulnerability 20050302 RealOne Player / Real .WAV Heap Overflow File Format Vulnerability RHSA-2005:271 Cisco IP/VC Videoconferencing System 3510, 3520, 3525 and 3530 contain hard-coded default SNMP community strings, which allows remote attackers to gain access, cause a denial of service, and modify configuration. 20050202 Default SNMP Community Strings in Cisco IP/VC Products 14122 12424 1013067 Unknown vulnerability in FCKeditor 2.0 RC2, when used with PHP-Nuke, allows remote attackers to upload arbitrary files. 12676 sessions.php in phpBB 2.0.12 and earlier allows remote attackers to gain administrator privileges via the autologinid value in a cookie. http://www.phpbb.com/phpBB/viewtopic.php?t=267563 14413 20050304 phpBB 2.0.12 Session Handling Administrator Authentication Bypass 20050301 phpBB <= 2.0.12 UID Exploit Multiple SQL injection vulnerabilities in (1) index.php, (2) modules.php, or (3) admin.php in PostNuke 0.760-RC2 allow remote attackers to execute arbitrary SQL code via the catid parameter. 1013324 http://news.postnuke.com/Article2669.html 20050228 [SECURITYREASON.COM] PostNuke Critical SQL Injection 0.760-RC2=>x Multiple cross-site scripting (XSS) vulnerabilities in the Download module for PostNuke 0.750 and 0.760-RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) Program name, (2) File link, (3) Author name (4) Author e-mail address, (5) File size, (6) Version, or (7) Home page variables. 1013324 http://news.postnuke.com/Article2669.html 20050228 [SECURITYREASON.COM] PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2 SQL injection vulnerability in dl-search.php in PostNuke 0.750 and 0.760-RC2 allows remote attackers to execute arbitrary SQL commands via the show parameter. 1013324 http://news.postnuke.com/Article2669.html 20050228 [SECURITYREASON.COM] PostNuke SQL Injection 0.760-RC2=>x cXIb8O3.3 The SMTP binding function in Symantec Firewall/VPN Appliance 200/200R firmware after 1.5Z and before 1.68, Gateway Security 360/360R and 460/460R firmware before vuild 858, and Nexland Pro800turbo, when configured for load balancing between two WANs, might send SMTP traffic to a trusted network through an untrusted network. http://securityresponse.symantec.com/avcenter/security/Content/2005.02.28.html 14428 Einstein 1.0.1 stores sensitive information such as usernames and passwords in plaintext in the registry, which allows local users to gain privileges. 14212 1013316 14455 846 Einstein 1.0 stores credit card information in plaintext in the world-readable wallets.dat file, which allows local users to steal the information. 14455 Scrapland 1.0 and earlier allows remote attackers to cause a denial of service (server termination) by triggering an error, which is treated as a fatal error by the server, as demonstrated using (1) signed integers for size values, (2) an invalid model, (3) a "newpos" value that is less than or equal to a size value, or (4) partial packets. 14435 http://aluigi.altervista.org/adv/scrapboom-adv.txt 20050228 Server termination in Scrapland 1.0 RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to view the PHP source code via an HTTP GET request for a filename with a trailing (1) . (dot) or (2) space. http://www.security.org.sg/vuln/raidenhttpd1132.html 14453 20050301 [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities Buffer overflow in RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to execute arbitrary code via a long URL. http://www.security.org.sg/vuln/raidenhttpd1132.html 14453 20050301 [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities reportbug before 2.62 creates the .reportbugrc configuration file with world-readable permissions, which allows local users to obtain email smarthost passwords. reportbug-file-world-readable(19504) 14422 https://bugzilla.ubuntu.com/show_bug.cgi?id=6600 20050228 [USN-88-1] reportbug information disclosure http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295407 reportbug 3.2 includes settings from .reportbugrc in bug reports, which exposes sensitive information such as smtpuser and smtppasswd. reportbug-smtppasswd-information-disclosure(19520) 14422 https://bugzilla.ubuntu.com/show_bug.cgi?id=6717 https://bugzilla.ubuntu.com/show_bug.cgi?id=6600 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295407 20050228 [USN-88-1] reportbug information disclosure Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. squid-set-cookie-race-condition(19581) USN-93-1 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie RHSA-2005:415 oval:org.mitre.oval:def:11169 12716 FLSA-2006:152809 Qt before 3.3.4 searches the BUILD_PREFIX directory, which could be world-writable, to load shared libraries regardless of the LD_LIBRARY_PATH environment variable, which allows local users to execute arbitrary programs. 12695 GLSA-200503-01 http://bugs.gentoo.org/show_bug.cgi?id=75181 Multiple cross-site scripting (XSS) vulnerabilities in Forumwa 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in search.php or the (2) body or (3) subject of a forum message. 12689 14418 20050301 Forumwa search.php xss vulnerability Multiple cross-site scripting (XSS) vulnerabilities in profile.php in 427BB 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) Avatar parameters. 427bb-profile-xss(19546) 12693 1013337 14434 20050301 427BB profile.php XSS vulnerability. 20050301 427BB profile.php XSS vulnerability. sendpm.php in PBLang 4.63 allows remote authenticated users to read arbitrary files via a full pathname in the orig parameter. pblang-sendpm-obtain-information(19544) 12690 20050301 Software PBLang 4.63 sendpm.php reply file read vulnerability http://pblforum.drmartinus.de/post.php?cat=2&fid=2&pid=40&page=1 delpm.php in PBLang 4.63 allows remote authenticated users to delete arbitrary PM files by modifying the "id" and "a" parameters. pblang-delpm-delete-messages(19552) 12694 20050301 Software PBLang 4.63 delpm.php authentication vulnerability http://pblforum.drmartinus.de/post.php?cat=2&fid=2&pid=42&page=1 PHP remote file inclusion vulnerability in auth.php in PHPNews 1.2.4 and possibly 1.2.3, allows remote attackers to execute arbitrary PHP code via the path parameter. 1013345 14449 12696 20050303 PHP News <= 1.2.4 - Remote File Inclusion Exploit 20050301 PHP News <= 1.2.4 - Remote File Inclusion (VXSfx) Buffer overflow in Trillian 3.0 and Pro 3.0 allows remote attackers to execute arbitrary code via a crafted PNG image file. 12703 http://www.securiteam.com/exploits/5KP030KF5E.html 20050306 See-security advisory: Trillian Basic 3.0 PNG Processing Buffer overflow ADV-2005-0221 Buffer overflow in Golden FTP Server 1.92 allows remote attackers to execute arbitrary code via a long USER command. ADV-2006-4936 12704 20050302 Golden Ftp server 1.29 Username remote Buffer Overflow 23323 http://retrogod.altervista.org/golden_heap.html Buffer overflow in Foxmail Server 2.0 allows remote attackers to execute arbitrary code via a long USER command. 12711 20050302 Foxmail server "USER" command Multiple remote buffer overflow 1013356 14145 Format string vulnerability in Foxmail Server 2.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in the USER command. 12711 20050302 Foxmail server "USER" command Multiple remote buffer overflow 1013356 14145 The copy functions in locore.s such as copyout in OpenBSD 3.5 and 3.6, and possibly other BSD based operating systems, may allow attackers to exceed certain address boundaries and modify kernel memory. openbsd-copy-functions(19531) 12825 20050228 028: SECURITY FIX: February 28, 2005 20050316 012: SECURITY FIX: March 16, 2005 amd64 only 1013333 14432 20050228 011: SECURITY FIX: February 28, 2005 i386 only xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command. 14459 DSA-695 GLSA-200503-05 14462 oval:org.mitre.oval:def:10898 http://bugs.gentoo.org/show_bug.cgi?id=79762 12712 FLSA-2006:152923 RHSA-2005:332 14365 http://support.avaya.com/elmodocs2/security/ASA-2005-134_RHSA-2005-332.pdf Multiple vulnerabilities in xli before 1.17 may allow remote attackers to execute arbitrary code via "buffer management errors" from certain image properties, some of which may be related to integer overflows in PPM files. 14459 DSA-695 GLSA-200503-05 http://bugs.gentoo.org/show_bug.cgi?id=79762 Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 does not properly initialize the "Change Credentials for Database" window, which allows local users to recover the SQL Admin password via certain methods. http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323 14454 Cross-site scripting (XSS) vulnerability in the Reporter for Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 allows remote attackers to inject arbitrary HTML or web script via the (1) name or (2) description in a report template. 14454 http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323 SQL injection vulnerability in the Query Designer for Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 allows remote attackers to execute arbitrary SQL via an imported file. http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323 14454 Buffer overflow in McAfee Scan Engine 4320 with DAT version before 4357 allows remote attackers to execute arbitrary code via crafted LHA files. 10243 14628 http://images.mcafee.com/misc/McAfee_Security_Bulletin_05-march-17.pdf Buffer overflow in McAfee Scan Engine 4320 with DAT version before 4436 allows remote attackers to execute arbitrary code via a malformed LHA file with a type 2 header file name field, a variant of CVE-2005-0643. VU#361180 20050317 McAfee AntiVirus Library Stack Overflow 12832 10243 1013463 14628 http://images.mcafee.com/misc/McAfee_Security_Bulletin_05-march-17.pdf Cross-site scripting (XSS) vulnerability in show.inc.php in cuteNews 1.3.6 allows remote attackers to inject arbitrary HTML, web script, and PHP code via the (1) CLIENT-IP or (2) X-FORWARDED-FOR header in an HTTP POST request to show_news.php. http://www.kernelpanik.org/docs/kernelpanik/cutenews.txt 20050301 Kernelpanik Labs Digest 2005-2 SQL injection vulnerability in auth.php in paNews 2.0.4b allows remote attackers to execute arbitrary SQL via the mysql_prefix parameter. http://www.kernelpanik.org/docs/kernelpanik/panews.txt 20050301 Kernelpanik Labs Digest 2005-2 admin_setup.php in paNews 2.0.4b allows remote attackers to inject arbitrary PHP code via the (1) $form[comments] or (2) $form[autoapprove] parameters, which are written to config.php. http://www.kernelpanik.org/docs/kernelpanik/panews.txt 20050301 Kernelpanik Labs Digest 2005-2 Multiple vulnerabilities in Pixel-Apes SafeHTML before 1.3.0 allow remote attackers to bypass cross-site scripting (XSS) protection via (1) "decimal HTML entities" or (2) "the \x00 symbol." 1013315 http://pixel-apes.com/safehtml/feed Pixel-Apes SafeHTML before 1.2.1 allows remote attackers to bypass cross-site scripting (XSS) protection via "hexadecimal HTML entities." 13869 http://pixel-apes.com/safehtml/feed Multiple cross-site scripting (XSS) vulnerabilities in ProjectBB 0.4.5.1 allow remote attackers to inject arbitrary web script or HTML via (1) the pages parameter to divers.php (incorrectly referred to as "drivers.php" by some sources), (2) in the search feature text area, (3) forum name, (4) site name or (5) the maximum avatar size in the option section, (5) new category or (6) new forum fields in the forum section. projectbb-multiple-xss(19556) ADV-2005-0223 12709 1013332 14533 20050308 failles dans ProjectBB v0.4.5.1 Multiple SQL injection vulnerabilities in ProjectBB 0.4.5.1 allow remote attackers to execute arbitrary SQL commands via (1) liste or (2) desc parameters to divers.php (incorrectly referred to as "drivers.php" by some sources), (3) the search feature text area, (4) post name in the post creation feature, (5) City, (6) Homepage, (7) ICQ, (8) AOL, (9) Yahoo!, (10) MSN, or (11) e-mail fields in the profile feature or (12) the new field in the moderator section. projectbb-mulitple-sql-injection(19557) ADV-2005-0223 12710 1013332 14533 20050308 failles dans ProjectBB v0.4.5.1 Unknown vulnerability in HP OpenVMS VAX 7.x and 6.x and OpenVMS Alpha 7.x or 6.x allows local users to access privileged files. openvms-gain-access(19566) 14444 SSRT4866 phpMyAdmin 2.6.1 does not properly grant permissions on tables with an underscore in the name, which grants remote authenticated users more privileges than intended. GLSA-200503-07 http://bugs.gentoo.org/show_bug.cgi?id=83792 gifload.exe in GIMP 2.0.5, 2.2.3, and possibly 2.2.4 allows remote attackers or local users to cause a denial of service (application crash) via the image descriptor (1) height or (2) width fields set to zero. 20050304 GIMP gifload.exe GIF file (image width)*(image height)==0 DOS vulnerability auraCMS 1.5 allows remote attackers to obtain sensitive information via an HTTP request with an invalid id parameter to (1) teman.php, (2) hal.php, or (3) arsip.php, which reveals the path in a PHP error message. 1013357 20050302 Vulnerabilities in Aura CMS Multiple cross-site scripting (XSS) vulnerabilities in auraCMS 1.5 allow remote attackers to inject arbitrary web script or HTML via the (1) hits parameter to hits.php, (2) query parameter to index.php, or (3) theCount parameter to counter.php. 1013357 14458 20050302 Vulnerabilities in Aura CMS Directory traversal vulnerability in Computalynx CProxy 3.3.x and 3.4.x through 3.4.4 allows remote attackers to read arbitrary files or cause a denial of service (application crash) via a .. (dot dot) in an HTTP request. computalynx-cproxy-get-dos(19574) computalynx-cproxy-directory-traversal(19573) 14461 20050302 Security Advisory: Computalynx CProxy Server Multiple Remote Vulnerabilities SQL injection vulnerability in a third party extension to TYPO3 allows remote attackers to execute arbitrary SQL commands via the category_uid parameter. 14465 20050304 Re: TYPO3 SQL Injection vunerabilitie 20050304 RE: TYPO3 SQL Injection vunerabilitie 20050303 TYPO3 SQL Injection vunerabilitie phpBB 2.0.13 and earlier allows remote attackers to obtain sensitive information via a direct request to oracle.php, which reveals the path in a PHP error message. 1013377 http://neosecurityteam.net/Advisories/Advisory-09.txt 20050304 -==phpBB 2.0.13 Full path disclosure==- Multiple cross-site scripting (XSS) vulnerabilities in D-Forum 1.11 allows remote attackers to inject arbitrary web script or HTML via certain fields, as demonstrated using the page parameter in nav.php3. 1013349 14464 SQL injection vulnerability in the getwbbuserdata function in session.php for Woltlab Burning Board 2.0.3 through 2.3.0 allows remote attackers to execute arbitrary SQL commands via the (1) userid or (2) lastvisit cookie. 14450 1013351 Cross-site scripting (XSS) vulnerability in index.php for MercuryBoard 1.1.2 allows remote attackers to inject arbitrary web script or HTML via the Avatar field. 14414 14308 SQL injection vulnerability in index.php for MercuryBoard 1.1.2 allows remote attackers to inject arbitrary SQL commands via the f parameter. 14414 14308 mercuryboard-index-sql-injection(19051) Buffer overflow in the EXIF library (libexif) 0.6.9 does not properly validate the structure of the EXIF tags, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a JPEG image with a crafted EXIF tag. https://bugzilla.ubuntu.com/show_bug.cgi?id=7152 GLSA-200503-17 DSA-709 1013398 ADV-2005-2565 ADV-2005-0240 USN-91-1 RHSA-2005:300 102041 17705 oval:org.mitre.oval:def:10832 MDKSA-2005:064 Format string vulnerability in xv before 3.10a allows remote attackers to execute arbitrary code via format string specifiers in a filename. GLSA-200503-09 http://bugs.gentoo.org/show_bug.cgi?id=83686 Unknown vulnerability in PaX from the September 2003 release to 2.2 before 2005.03.05, related to SEGMEXEC or RANDEXEC and VMA mirroring, allows local users and possibly remote attackers to bypass intended access restrictions and execute arbitrary code. 12729 20050305 PaX privilege elevation security bug 14489 Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5 allows remote attackers to execute arbitrary code via an e-mail message with certain headers containing non-ASCII characters that are not properly handled when the user replies to the message. RHSA-2005:303 GLSA-200503-26 http://sylpheed.good-day.net/changelog.html.en http://sylpheed.good-day.net/changelog-devel.html.en 14491 1013376 Unknown vulnerability in HTTP Anti Virus Proxy (HAVP) before 0.51 prevents viruses from being properly detected in certain files such as (1) .CAB or (2) .ZIP files. http://www.bemberg.de/server-side/index.htm 1013370 Multiple SQL injection vulnerabilities in mod.php for phpCOIN 1.2.0 through 1.2.1b allow remote attackers to execute arbitrary SQL commands via the (1) the faq_id in the faq mod, (2) the id parameter in the pages mod, (3) the id parameter in the siteinfo module, (4) the topic_id parameter in the articles module, (5) the ord_id in the orders module, (6) the dom_id parameter in the domains module, or (7) the invd_id parameter in the invoices module. 14439 http://forums.phpcoin.com/index.php?showtopic=4116 phpcoin-id-sql-injection(19571) 12686 1013329 http://lostmon.blogspot.com/2005/03/phpcoin-posible-sql-injection-comands.html http://forums.phpcoin.com/index.php?showtopic=4118 http://forums.phpcoin.com/index.php?showtopic=4101 Cross-site scripting (XSS) vulnerability in phpCOIN 1.2.0 through 1.2.1b allows remote attackers to inject arbitrary web script or HTML via (1) the new parameter to mod.php, (2) the w parameter to mod.php, (3) the e parameter to login.php, (4) the o parameter to login.php, and possibly other scripts. 14439 http://forums.phpcoin.com/index.php?showtopic=4116 phpcoin-xss(19572) 12686 1013329 http://lostmon.blogspot.com/2005/03/phpcoin-posible-sql-injection-comands.html http://forums.phpcoin.com/index.php?showtopic=4118 http://forums.phpcoin.com/index.php?showtopic=4101 Format string vulnerability in Carsten's 3D Engine (Ca3DE), March 2004 version and earlier, allows remote attackers to execute arbitrary code via format string specifiers in a command. 12727 14483 1013361 http://aluigi.altervista.org/adv/ca3dex-adv.txt Carsten's 3D Engine (Ca3DE), March 2004 version and earlier, allows remote attackers to execute arbitrary code via text strings that are not null terminated, which triggers a null dereference. 12727 1013361 14483 http://aluigi.altervista.org/adv/ca3dex-adv.txt Cross-site scripting (XSS) vulnerability in usercp_register.php for phpBB 2.0.13 allows remote attackers to inject arbitrary web script or HTML by setting the (1) allowhtml, (2) allowbbcode, or (3) allowsmilies parameters to inject HTML into signatures for personal messages, possibly when they are processed by privmsg.php or viewtopic.php. 14475 1013362 Cross-site scripting (XSS) vulnerability in the News module for paBox 1.6 allows remote attackers to inject arbitrary web script or HTML via the text hidden parameter in an HTTP POST request. 12719 1013363 14474 20050303 [XSS] paBox 1.6 Cross-site scripting (XSS) vulnerability in index.php for Zorum 3.5 allows remote attackers to inject arbitrary web script or HTML via the (1) list or (2) frommethod parameters. 1013365 9497 index.php in Zorum 3.5 allows remote attackers to trigger an SQL error, and possibly inject arbitrary SQL commands, via the search capability. 1013365 index.php for Zorum 3.5 allows remote attackers to perform certain actions as other users by modifying the id parameter. 1013365 PHP remote file inclusion vulnerability in formmail.inc.php for Form Mail Script 2.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the script_root to reference a URL on a remote web server that contains the code. http://www.stadtaus.com/forum/t-1579.html 14505 1013378 20050304 PHP Form Mail Script (2.3) - Arbitrary File Inclusion (VXSfx) PHP remote file inclusion vulnerability in tell_a_friend.inc.php for Tell A Friend Script 2.7 before 20050305 allows remote attackers to execute arbitrary PHP code by modifying the script_root parameter to reference a URL on a remote web server that contains the code. NOTE: it was later reported that 2.4 is also affected. http://www.stadtaus.com/forum/t-1579.html 1013390 tellafriend-scriptroot-file-include(19630) 20070727 Friend Script 2.5 - 2.4 Remote File &#304;nclude 14628 http://arfis.wordpress.com/2007/09/13/rfi-02-openelibrary/ PHP remote file inclusion vulnerability in download_center_lite.inc.php for Download Center Lite 1.6 allows remote attackers to execute arbitrary PHP code by modifying the script_root parameter to reference a URL on a remote web server that contains the code. http://www.stadtaus.com/forum/t-1579.html 14513 20050304 Download Center Lite (DCL) - Arbitrary File Inclusion (VXSfx) Nokia Symbian 60 allows remote attackers to cause a denial of service (phone restart) via a Bluetooth nickname. 1013380 nokia-symbian-dos(19594) 12743 http://www.securiteam.com/securitynews/5PP0V00G1S.html 14574 Cross-site scripting (XSS) vulnerability in common.inc in Drupal before 4.5.2 allows remote attackers to inject arbitrary web script or HTML via certain inputs. 14515 http://drupal.org/files/drupal-4.5-xss-fix.patch http://drupal.org/drupal-4.5.2 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0659. Reason: This candidate is a duplicate of CVE-2005-0659. Notes: All CVE users should reference CVE-2005-0659 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple buffer overflows in the web tool for MySQL MaxDB before 7.5.00.26 allows remote attackers to execute arbitrary code via (1) an HTTP GET request with a long file parameter after a percent ("%") sign or (2) a long Lock-Token string to the WebDAV functionality, which is not properly handled by the getLockTokenHeader function in WDVHandler_CommonUtils.c. 20050425 MySQL MaxDB Webtool Remote Lock-Token Stack Overflow Vulnerability 20050425 MySQL MaxDB Webtool Remote Stack Overflow Vulnerability http://dev.mysql.com/doc/maxdb/changes/changes_7.5.00.26.html#WebDAV 13368 Multiple access validation errors in OutStart Participate Enterprise (PE) allow remote attackers to (1) browse arbitrary directory trees by modifying the rootFolder parameter to displaynavigator.jsp, (2) rename arbitrary directory objects by modifying the selectedObject parameter to renamepopup.jsp, (3) delete arbitrary directory objects by modifying the selectedObjectsCSV parameter to displaydeletenavigator.jsp, and conduct other unauthorized activities via the (4) showDeleteView, (5) showWebFolderView, (6) showLibraryView, (7) showMyLibraryView, (8) singleSelectObject, (9) processRadioSelection, (10) processCheckboxSelection, (11) singleSelectObject, (12) addToSelectedObjects, or (13) removeFromSelectedObjects commands. pe-access-validation-dos(19632) 12752 http://security.honour.ca/outstartpsi.txt 14542 20050308 PE Multiple Remote Access Validation Vulnerabilities (Participate Systems Inc. / Outstart Inc.) Integer overflow in mlterm 2.5.0 through 2.9.1, with gdk-pixbuf support enabled, allows remote attackers to execute arbitrary code via a large image file that is used as a background. https://sourceforge.net/project/shownotes.php?release_id=310416 GLSA-200503-13 Format string vulnerability in Hashcash 1.16 allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via format string specifiers in a reply address, which is not properly handled when printing the header. GLSA-200503-12 14487 http://bugs.gentoo.org/show_bug.cgi?id=83541 Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). ADV-2006-3983 HPSBST02161 MS05-019 20050305 Windows Server 2003 and XP SP2 LAND attack vulnerability HPSBST02161 MS06-064 22341 oval:org.mitre.oval:def:4978 oval:org.mitre.oval:def:482 oval:org.mitre.oval:def:1685 oval:org.mitre.oval:def:1288 includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter. 12738 20050308 Re: Remote Command Execution 20050307 Remote Command Execution Gene6 FTP Server does not properly restrict access to the control console, which allows local users to modify the server configuration and gain privileges, as demonstrated by defining a SITE command. 12739 http://secway.org/Advisory/ad20050303.txt 14436 20050308 Re: Gene6 FTP Server Local Privilege Escalation Vulnerability 20050307 Gene6 FTP Server Local Privilege Escalation Vulnerability PHP remote file inclusion vulnerability in article mode for modules.php in SocialMPN allows remote attackers to execute arbitrary PHP code by modifying the name parameter to reference a URL on a remote web server that contains the code. http://waraxe.us/ftopic-542-0-days0-orderasc-.html 20050307 Remote Testing SocialMPN Remote File Inclusion by y3dips Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript. 14492 20050306 PHP-FUSION 5.* XSS VULNERABILITY http://www.php-fusion.co.uk/news.php?readmore=183 Buffer overflow in JoWood Chaser 1.50 and earlier allows remote attackers to cause a denial of service (client or server crash) and execute arbitrary code via a long nickname. 12733 http://aluigi.altervista.org/adv/chasercool-adv.txt Hosting Controller 6.1 Hotfix 1.7 and earlier stores log files under the web root, which allows remote attackers to obtain sensitive information via a direct request to HCDiskQuotaService.csv. 14522 20050307 Hosting Controller Multiple Unauthenticated information disclose http://isun.shabgard.org/hc2.txt The password recovery feature (forgotpassword.asp) in Hosting Controller 6.1 Hotfix 1.7 and earlier allows remote attackers to determine the owner's e-mail address by providing a portion of the domain name to the "login ID" field. 14522 20050307 Hosting Controller Multiple Unauthenticated information disclose http://isun.shabgard.org/hc2.txt Buffer overflow in ArGoSoft FTP Server 1.4.2.8 allows remote authenticated users to execute arbitrary code via a long DELE command. NOTE: this issue was later reported to also affect 1.4.3.5. 12755 14526 https://www.securinfos.info/english/security-advisories-alerts/20060225_ArGoSoft.FTP.Server_Heap.Overflow.html 20060225 ArGoSoft FTP server remote heap overflow 20050308 ArGoSoft FTP Server 1.4.2.8 Buffer Overflow 1015681 20060225 ArGoSoft FTP server remote heap overflow 494 SQL injection vulnerability in the process_picture function xp_publish.php in CopperExport 0.2.1 allows remote attackers to execute arbitrary SQL commands, possibly via the (1) title, (2) caption, or (3) keywords parameters. http://www.zzamboni.org/copperexport/ 14401 PHP remote file inclusion vulnerability in PHPWebLog 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) G_PATH parameter to init.inc.php or the (2) PATH parameter to index.php to reference a URL on a remote web server that contains the code. 12747 20050307 phpWebLog <= 0.5.3 arbitrary file inclusion (VXSfx) Multiple buffer overflows in the dissect_a11_radius function in the CDMA A11 (3G-A11) dissector (packet-3g-a11.c) for Ethereal 0.10.9 and earlier allow remote attackers to execute arbitrary code via RADIUS authentication packets with large length values. 12759 RHSA-2005:306 http://www.ethereal.com/appnotes/enpa-sa-00018.html GLSA-200503-16 20050308 Ethereal remote buffer overflow oval:org.mitre.oval:def:10147 FLSA-2006:152922 MDKSA-2005:053 http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-03-04 20050314 Ethereal 0.10.9 and below remote root exploit 20050309 RE: Ethereal remote buffer overflow - addon The export_index action in myadmin.php for Aztek Forum 4.0 allows remote attackers to obtain database files, possibly by setting the ATK_ADMIN cookie. 12745 http://www.frsirt.com/exploits/20050307.aztek.c.php Directory traversal vulnerability in Oracle Database Server 8i and 9i allows remote attackers to read or rename arbitrary files via "\\.\\.." (modified dot dot backslash) sequences to UTL_FILE functions such as (1) UTL_FILE.FOPEN or (2) UTL_FILE.frename. http://www.argeniss.com/research/ARGENISS-ADV-030501.txt 20050307 - Argeniss - Oracle Database Server Directory transversal 20050307 - Argeniss - Oracle Database Server Directory transversal SQL injection vulnerability in phpMyFAQ 1.4 and 1.5 allows remote attackers to add FAQ records to the database via the username field in forum messages. http://www.phpmyfaq.de/advisory_2005-03-06.php 14516 Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, has an "unauthenticated account," which allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-1179. http://www.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf 14507 Buffer overflow in the Etheric dissector in Ethereal 0.10.7 through 0.10.9 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code. GLSA-200503-16 RHSA-2005:306 http://www.ethereal.com/appnotes/enpa-sa-00018.html oval:org.mitre.oval:def:10447 12762 FLSA-2006:152922 MDKSA-2005:053 The GPRS-LLC dissector in Ethereal 0.10.7 through 0.10.9, with the "ignore cipher bit" option enabled. allows remote attackers to cause a denial of service (application crash). GLSA-200503-16 RHSA-2005:306 http://www.ethereal.com/appnotes/enpa-sa-00018.html oval:org.mitre.oval:def:10565 12762 FLSA-2006:152922 MDKSA-2005:053 Buffer overflow in discdb.c for grip 3.1.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code by causing the cddb lookup to return more matches than expected. GLSA-200503-21 FEDORA-2008-11956 FEDORA-2008-9521 FEDORA-2008-9604 grip-cddb-bo(19648) 12770 RHSA-2009:0005 RHSA-2005:304 http://sourceforge.net/tracker/index.php?func=detail&aid=834724&group_id=3714&atid=103714 http://sourceforge.net/tracker/index.php?func=detail&aid=1160134&group_id=3714&atid=303714 33824 33389 32803 oval:org.mitre.oval:def:10768 FLSA:152919 http://rpmfind.net/linux/RPM/suse/9.3/i386/suse/i586/gnome-vfs-1.0.5-816.2.i586.html Buffer overflow in the IMAP daemon (IMAP4d32.exe) for Ipswitch Collaboration Suite (ICS) before 8.15 Hotfix 1 allows remote authenticated users to execute arbitrary code via a long EXAMINE command. 1013410 14546 ipswitch-imail-imapexamine-bo(19655) 12780 20050310 Ipswitch Collaboration Suite IMAP EXAMINE Buffer Overflow Vulnerability The sendfile system call in FreeBSD 4.8 through 4.11 and 5 through 5.4 can transfer portions of kernel memory if a file is truncated while it is being sent, which could allow remote attackers to obtain sensitive information. MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit. 2005-0009 12781 SUSE-SA:2005:019 GLSA-200503-19 DSA-707 USN-96-1 RHSA-2005:348 RHSA-2005:334 MDKSA-2005:060 101864 oval:org.mitre.oval:def:10479 20050310 Mysql CREATE FUNCTION libc arbitrary code execution. APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 20050310 Mysql CREATE FUNCTION libc arbitrary code execution. MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, allows remote authenticated users with INSERT and DELETE privileges to bypass library path restrictions and execute arbitrary libraries by using INSERT INTO to modify the mysql.func table, which is processed by the udf_init function. 12781 SUSE-SA:2005:019 GLSA-200503-19 DSA-707 mysql-udfinit-gain-access(19658) USN-96-1 2005-0009 RHSA-2005:348 RHSA-2005:334 oval:org.mitre.oval:def:10180 20050310 Mysql CREATE FUNCTION mysql.func table arbitrary library injection APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 20050310 Mysql CREATE FUNCTION mysql.func table arbitrary library injection MDKSA-2005:060 101864 MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. 2005-0009 12781 RHSA-2005:334 SUSE-SA:2005:019 GLSA-200503-19 USN-96-1 RHSA-2005:348 DSA-707 oval:org.mitre.oval:def:9591 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 20050310 Mysql insecure temporary file creation with CREATE TEMPORARY TABLE privilege escalation MDKSA-2005:060 101864 Mac OS X before 10.3.8 users world-writable permissions for certain directories, which may allow local users to gain privileges, possibly via the receipt cache or ColorSync profiles. APPLE-SA-2005-03-21 The Bluetooth Setup Assistant for Mac OS X before 10.3.8 can be launched without a keyboard or Bluetooth device, which allows local users to bypass access restrictions and gain privileges. APPLE-SA-2005-03-21 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0340. Reason: This candidate is a reservation duplicate of CVE-2005-0340. Notes: All CVE users should reference CVE-2005-0340 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. AFP Server in Mac OS X before 10.3.8 uses insecure permissions for "Drop Boxes," which allows local users to read the contents of a Drop Box. APPLE-SA-2005-03-21 Stack-based buffer overflow in the Core Foundation Library in Mac OS X 10.3.5 and 10.3.6, and possibly earlier versions, allows local users to execute arbitrary code via a long CF_CHARSET_PATH environment variable. 20050321 Mac OS X CF_CHARSET_PATH Buffer Overflow Vulnerability APPLE-SA-2005-03-21 13224 Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (segmentation fault) by aborting the connection during a (1) PUT or (2) POST request, which causes Squid to access previously freed memory. http://www1.uk.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-post USN-111-1 http://www.squid-cache.org/bugs/show_bug.cgi?id=1224 RHSA-2005:415 oval:org.mitre.oval:def:11562 CLA-2005:931 squid-put-post-dos(19919) 13166 RHSA-2005:489 12508 FLSA-2006:152809 Unknown vulnerability in the systems message queue in HP Tru64 Unix 4.0F PK8 through 5.1B-2/PK4 allows local users to cause a denial of service (process crash) for processes such as nfsstat, pfstat, arp, ogated, rarpd, route, sendmail, srconfig, strsetup, trpt, netstat, and xntpd. tru64-system-message-dos(19642) 12768 14549 HPSBTU01109 HPSBTU01109 PHP remote file inclusion vulnerability in admin/header.php in PHP mcNews 1.3 allows remote attackers to execute arbitrary PHP code by modifying the skinfile parameter to reference a URL on a remote web server that contains the code. mcnews-skinfile-file-include(19616) 12776 20070811 mcNews (skinfile) Remote File Include Vulnerability 14528 20050307 PHP mcNews <= 1.3 arbitrary file inclusion (VXSfx) PHP remote file inclusion vulnerability in modules.php in eXPerience2 allows remote attackers to execute arbitrary PHP code by modifying the file parameter to reference a URL on a remote web server that contains the code. 20050307 Multiples Vulnerabilities eXPerience2 allows remote attackers to obtain the full path for the web root via a direct request to modules.php without any parameters, which leaks the path in a PHP error message. 20050307 Multiples Vulnerabilities Cross-site scripting (XSS) vulnerability in the jumpmenu function in functions.php for paFileDB 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameters, which is not properly cleansed in the $pageurl variable, as demonstrated using pafiledb.php. 20050308 Multiple vulnerabilities in paFileDB paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via (1) an invalid str parameter to pafiledb.php, or a direct request to (2) viewall.php, (3) stats.php, (4) search.php, (5) rate.php, (6) main.php, (7) license.php, (8) category.php, (9) download.php, (10) file.php, (11) email.php, or (12) admin.php, which reveals the path in a PHP error message. 20050308 Multiple vulnerabilities in paFileDB SQL injection vulnerability in the getAllbyArticle function in wfsfiles.php for WF-Sections (wfsections) 1.07 allows remote attackers to execute arbitrary SQL commands via the articleid parameter to article.php. wfsections-wfsfiles-sql-injection(19660) 20050308 Wfsection 1.07 vulnerabilities SQL injection vulnerability in editpost.php in UBB.threads 6.0 allows remote attackers to execute arbitrary SQL commands via the Number parameter. 20050311 UBB.threads 6 SQL Injection ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0735. Reason: This candidate is a duplicate of CVE-2005-0735. Notes: All CVE users should reference CVE-2005-0727 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0736. Reason: This candidate is a duplicate of CVE-2005-0736. Notes: All CVE users should reference CVE-2005-0736 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Format string vulnerability in Xpand Rally 1.1.0.0 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a message. xpandrally-message-format-string(19649) http://www.securiteam.com/windowsntfocus/5DP0G00F5Q.html 14545 http://aluigi.altervista.org/adv/xprallyfs-adv.txt PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service via a request to a file on the floppy drive, as demonstrated using A:\a.txt. active-webcam-dos(19647) http://secway.org/advisory/ad20050104.txt 14553 20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServer PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to Filelist.html. active-webcam-filelist-dos(19650) http://secway.org/advisory/ad20050104.txt 14553 20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServer PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to obtain the full path of the web server via a request for a non-existent filename, which leaks the full path in an error message. active-webcam-path-disclosure(19652) http://secway.org/advisory/ad20050104.txt 14553 20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServer PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to determine the existence of files via an HTTP request with a full pathname, which produces different messages whether the file exists or not. active-webcam-file-disclosure(19654) http://secway.org/advisory/ad20050104.txt 14553 20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServer PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service (memory exhaustion and process crash) via a large number of HTTP requests. active-webcam-memory-dos(19653) http://secway.org/advisory/ad20050104.txt 14553 20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServer newsscript.pl for NewsScript allows remote attackers to gain privileges by setting the mode parameter to admin. 12761 Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events. 12763 20050309 overwriting low kernel memory USN-95-1 SUSE-SA:2005:018 oval:org.mitre.oval:def:9870 http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d RHSA-2005:366 RHSA-2005:293 Buffer overflow in Yahoo! Messenger allows remote attackers to execute arbitrary code via the offline mode. 12750 20050308 Yahoo! Messenger Offline Mode Status Remote Buffer Overflow Vulnerability Stack consumption vulnerability in Microsoft Exchange Server 2003 SP1 allows users to cause a denial of service (hang) by deleting or moving a folder with deeply nested subfolders, which causes Microsoft Exchange Information Store service (Store.exe) to hang as a result of a large number of recursive calls. 891504 14543 The IAPP dissector (packet-iapp.c) for Ethereal 0.9.1 to 0.10.9 does not properly use certain routines for formatting strings, which could leave it vulnerable to buffer overflows, as demonstrated using modified length values that are not properly handled by the dissect_pdus and pduval_to_str functions. http://www.ethereal.com/appnotes/enpa-sa-00018.html DSA-718 12762 RHSA-2005:306 FLSA-2006:152922 MDKSA-2005:053 GLSA-200503-16 http://security.lss.hr/index.php?page=details&ID=LSS-2005-03-05 oval:org.mitre.oval:def:9687 20050312 Ethereal remote buffer overflow #2 http://anonsvn.ethereal.com/viewcvs/viewcvs.py?view=rev&rev=13707 The TCP stack (tcp_input.c) in OpenBSD 3.5 and 3.6 allows remote attackers to cause a denial of service (system panic) via crafted values in the TCP timestamp option, which causes invalid arguments to be used when calculating the retransmit timeout. 12250 20050111 027: RELIABILITY FIX: January 11, 2005 1012861 13819 Cross-site scripting (XSS) vulnerability in YaBB.pl for YaBB 2.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a usersrecentposts action. 12756 1013420 Cross-site scripting (XSS) vulnerability in Sun Java System Application Server 7 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 57742 12775 200314 The custom avatar uploading feature (uploader.php) for XOOPS 2.0.9.2 and earlier allows remote attackers to upload arbitrary PHP scripts, whose file extensions are not filtered. http://www.xoops.org/modules/news/article.php?storyid=2114 12754 20050308 [SCAN Associates Security Advisory] xoops 2.0.9.2 and below weak file extension validation 14520 xoops-uploader-file-upload(19634) The web GUI for Novell iChain 2.2 and 2.3 SP2 and SP3 allows attackers to hijack sessions and gain administrator privileges by (1) sniffing the connection on TCP port 51100 and replaying the authentication information or (2) obtaining and replaying the PCZQX02 authentication cookie from the browser. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096885.htm 14527 ichain-gain-access(19646) 1013406 UTStarcom iAN-02EX VoIP Analog Terminal Adaptor (ATA) allows local users to bypass ATA access restrictions by dialing "*#26845#" and causing a device reset. 14544 20050307 Re: Lingo VoIP ATA / UTStarcom iAN-02EX remote access vulnerability The Mini FTP server in Novell iChain 2.2 and 2.3 SP2 and earlier allows remote unauthenticated attackers to obtain the full path of the server via the PWD command. ichain-path-disclosure(19643) 12766 http://www.infobyte.com.ar/adv/ISR-03.html http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096886.htm 1013407 14537 20050315 [ISR] - Novell iChain Mini FTP Server Unauthorized Remote Path Disclosure Vulnerability ApplyYourself i-Class allows remote attackers to obtain sensitive information about their own applications by reusing the hidden ID field, as demonstrated using the id parameter to ApplicantDecision.asp. 1013400 PHP remote file inclusion vulnerability in initdb.php for WEBInsta Mailing list manager 1.3d allows remote attackers to execute arbitrary PHP code by modifying the absolute_path parameter to reference a URL on a remote web server that contains the code. 14550 webinsta-initdb-file-include(19651) ADV-2005-0248 12773 1013409 The load_elf_library in the Linux kernel before 2.6.11.6 allows local users to cause a denial of service (kernel crash) via a crafted ELF library or executable, which causes a free of an invalid pointer. 14713 FLSA:152532 kernel-loadelflibrary-dos(19867) USN-103-1 12935 RHSA-2005:551 RHSA-2005:529 RHSA-2005:366 RHSA-2005:293 19607 oval:org.mitre.oval:def:10640 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6 20060402-01-U The bluez_sock_create function in the Bluetooth stack for Linux kernel 2.4.6 through 2.4.30-rc1 and 2.6 through 2.6.11.5 allows local users to gain privileges via (1) socket or (2) socketpair call with a negative protocol value. kernel-bluezsockcreate-integer-underflow(19844) RHSA-2005:284 RHSA-2005:283 FLSA:152532 oval:org.mitre.oval:def:11719 20050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5 20050327 local root security bug in linux >= 2.4.6 <= 2.4.30-rc1 and 2.6.x.y <= 2.6.11.5 12911 RHSA-2005:366 RHSA-2005:293 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none. The Plugin Finder Service (PFS) in Firefox before 1.0.3 allows remote attackers to execute arbitrary code via a javascript: URL in the PLUGINSPAGE attribute of an EMBED tag. RHSA-2005:383 http://www.mozilla.org/security/announce/mfsa2005-34.html 14938 oval:org.mitre.oval:def:10279 13228 oval:org.mitre.oval:def:100024 Buffer overflow in CVS before 1.11.20 allows remote attackers to execute arbitrary code. cvs-bo(20148) RHSA-2005:387 SUSE-SA:2005:024 GLSA-200504-16 14976 DSA-742 oval:org.mitre.oval:def:9688 http://bugs.gentoo.org/attachment.cgi?id=54352&action=view Kommander in KDE 3.2 through KDE 3.4.0 executes data files without confirmation from the user, which allows remote attackers to execute arbitrary code. 13313 http://www.kde.org/info/security/advisory-20050420-1.txt 15060 20050422 [KDE Security Advisory]: Kommander untrusted code execution ftp://ftp.kde.org/pub/kde/security_patches/post-3.4.0-kdewebdev-kommander.diff Heap-based buffer overflow in RealPlayer 10 and earlier, Helix Player before 10.0.4, and RealOne Player v1 and v2 allows remote attackers to execute arbitrary code via a long hostname in a RAM file. RHSA-2005:392 RHSA-2005:363 FEDORA-2005-329 http://service.real.com/help/faq/security/050419_player/EN/ http://pb.specialised.info/all/adv/real-ram-adv.txt 20050420 RealNetworks RealPlayer/RealOne Player/Helix Player Remote Heap Overflow RHSA-2005:394 oval:org.mitre.oval:def:11205 ptrace in Linux kernel 2.6.8.1 does not properly verify addresses on the amd64 platform, which allows local users to cause a denial of service (kernel crash). ADV-2005-1878 USN-137-1 13891 FLSA:157459-2 FLSA:157459-3 RHSA-2005:663 RHSA-2005:514 DSA-922 DSA-921 18059 18056 17073 17002 oval:org.mitre.oval:def:11119 The xattr file system code, as backported in Red Hat Enterprise Linux 3 on 64-bit systems, does not properly handle certain offsets, which allows local users to cause a denial of service (system crash) via certain actions on an ext3 file system with extended attributes enabled. RHSA-2005:294 oval:org.mitre.oval:def:11406 13680 DSA-922 DSA-921 18059 18056 zgrep in gzip before 1.3.5 does not properly sanitize arguments, which allows local users to execute arbitrary commands via filenames that are injected into a sed script. GLSA-200505-05 gzip-zgrep-file-installation(20539) ADV-2007-2732 USN-158-1 13582 RHSA-2005:474 16371 FLSA:158801 1013928 19183 18100 RHSA-2005:357 oval:org.mitre.oval:def:9797 http://bugs.gentoo.org/show_bug.cgi?id=90626 20060301-01-U SCOSA-2005.58 25159 OpenPKG-SA-2007.002 MDKSA-2006:027 MDKSA-2006:026 SSA:2006-262 26235 22033 APPLE-SA-2007-07-31 http://docs.info.apple.com/article.html?artnum=306172 oval:org.mitre.oval:def:1107 oval:org.mitre.oval:def:1081 ImageMagick before 6.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image with an invalid tag. RHSA-2005:070 12875 SUSE-SA:2005:017 DSA-702 1013550 oval:org.mitre.oval:def:11022 The TIFF decoder in ImageMagick before 6.0 allows remote attackers to cause a denial of service (crash) via a crafted TIFF file. RHSA-2005:070 SUSE-SA:2005:017 DSA-702 1013550 oval:org.mitre.oval:def:11184 Unknown vulnerability in ImageMagick before 6.1.8 allows remote attackers to cause a denial of service (application crash) via a crafted PSD file. 12876 SUSE-SA:2005:017 1013550 RHSA-2005:070 oval:org.mitre.oval:def:11150 Heap-based buffer overflow in the SGI parser in ImageMagick before 6.0 allows remote attackers to execute arbitrary code via a crafted SGI image file. SUSE-SA:2005:017 DSA-702 RHSA-2005:070 1013550 oval:org.mitre.oval:def:9736 Buffer overflow in Midnight Commander (mc) 4.5.55 and earlier may allow attackers to execute arbitrary code. DSA-698 RHSA-2005:512 Buffer overflow in command.C for rxvt-unicode before 5.3 allows remote attackers to execute arbitrary code via a crafted file containing long escape sequences. GLSA-200503-23 http://bugs.gentoo.org/show_bug.cgi?id=84680 Unknown vulnerability in the JXTA dissector in Ethereal 0.10.9 allows remote attackers to cause a denial of service (application crash). GLSA-200503-16 http://www.ethereal.com/appnotes/enpa-sa-00018.html oval:org.mitre.oval:def:10048 12762 MDKSA-2005:053 Unknown vulnerability in the sFlow dissector in Ethereal 0.9.14 through 0.10.9 allows remote attackers to cause a denial of service (application crash). http://www.ethereal.com/appnotes/enpa-sa-00018.html GLSA-200503-16 oval:org.mitre.oval:def:9866 12762 MDKSA-2005:053 Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root. USN-95-1 RHSA-2005:366 oval:org.mitre.oval:def:10431 CLA-2005:945 Buffer overflow in the administration web server for GoodTech Telnet Server 4.0 and 5.0, and possibly all versions before 5.0.7, allows remote attackers to execute arbitrary code via a long string to port 2380. http://unsecure.altervista.org/security/goodtechtelnet.htm 20050315 GoodTech Telnet Server Buffer Overflow Vulnerability Multiple buffer overflows in OpenSLP before 1.1.5 allow remote attackers to have an unknown impact via malformed SLP packets. 12792 14561 openslp-slp-bo(19683) ADV-2006-3879 USN-98-1 SSRT061149 SUSE-SA:2005:015 GLSA-200503-25 SSRT061149 MDKSA-2005:055 22128 Format string vulnerability in DataRescue Interactive Disassembler and Debugger (IDA) Pro 4.7.0.830 allows remote attackers or local users to cause a denial of service (CPU consumption or application crash) and possibly execute arbitrary code via format string specifiers in a dynamic link library (DLL) name. 14610 http://www.datarescue.com/cgi-local/ultimatebb.cgi?ubb=get_topic;f=2;t=000155;p=0 http://pb.specialised.info/all/adv/ida-debugger-adv.txt 20050316 ADVISORY: DataRescue Interactive Disassembler Pro Debugger Format String Vulnerability VERITAS Backup Exec Server (beserver.exe) 9.0 through 10.0 for Windows allows remote unauthenticated attackers to modify the registry by calling methods to the RPC interface on TCP port 6106. TA05-180A VU#584505 http://seer.support.veritas.com/docs/277429.htm http://seer.support.veritas.com/docs/276605.htm 1014273 15789 20050623 Veritas Backup Exec Server Remote Registry Access Vulnerability VERITAS Backup Exec 9.0 through 10.0 for Windows Servers, and 9.0.4019 through 9.1.307 for Netware, allows remote attackers to cause a denial of service (Remote Agent crash) via (1) a crafted packet in NDMLSRVR.DLL or (2) a request packet with an invalid (non-0) "Error Status" value, which triggers a null dereference. 20050623 Veritas Backup Exec Agent Error Status Remote DoS Vulnerability 20050623 Veritas Backup Exec Remote Agent NDMLSRVR.DLL DoS Vulnerability http://seer.support.veritas.com/docs/277485.htm http://seer.support.veritas.com/docs/276533.htm 1014273 15789 Stack-based buffer overflow in VERITAS Backup Exec Remote Agent 9.0 through 10.0 for Windows, and 9.0.4019 through 9.1.307 for Netware allows remote attackers to execute arbitrary code via a CONNECT_CLIENT_AUTH request with authentication method type 3 (Windows credentials) and a long password argument. TA05-180A VU#492105 14022 http://seer.support.veritas.com/docs/277429.htm http://seer.support.veritas.com/docs/276604.htm 1014273 15789 17624 20050623 Veritas Backup Exec Agent CONNECT_CLIENT_AUTH Buffer Overflow Vulnerability SQL injection vulnerability in member.php and possibly other scripts in PhotoPost PHP 5.0 RC3 allows remote attackers to execute arbitrary SQL commands via the uid parameter. photopost-uid-sql-injection(19675) 14576 12779 20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities The reportpost action in misc.php for PhotoPost PHP 5.0 RC3 does not limit the logging data that is sent to the administrator, which allows remote attackers to send large amounts of email to the admistrator. 20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities photopost-email-security-bypass(19676) 12779 14576 adm-photo.php in PhotoPost PHP 5.0 RC3 does not properly verify administrative privileges before manipulating photos, which could allow remote attackers to manipulate other users' photos. 20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities photopost-image-modification(19677) 12779 14576 Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP 5.0 RC3 allow remote attackers to inject arbitrary web script or HTML via (1) the check_tags function or (2) the editbio field in the user profile. photopost-editbio-xss(19678) 12779 14576 20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities PhotoPost PHP 5.0 RC3 does not fully verify that an uploaded file is an image file, which allows remote attackers to inject arbitrary Javascript by uploading non-image files with an image extension such as .gif. photopost-file-upload(19679) 12779 14576 20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities PlatinumFTP 1.0.18, and possibly earlier versions, allows remote attackers to cause a denial of service (server crash) via multiple connection attempts with a \ (backslash) in the username. platinumftp-username-dos(19674) 12790 20050312 PlatinumFTP 1.0.18 remote DoS 20070101 Re: PlatinumFTP 1.0.18 remote DoS paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) auth.php, (2) login.php, (3) category.php, (4) file.php, (5) team.php, (6) license.php, (7) custom.php, (8) admins.php, or (9) backupdb.php, which reveal the path in a PHP error message. 20050312 [SECURITYREASON.COM] Mass Full Path Disclosure in paFileDB SQL injection vulnerability in (1) viewall.php and (2) category.php in paFileDB 3.1 and earlier allows remote attackers to execute arbitrary SQL commands via the start parameter to pafiledb.php. pafiledb-viewall-category-sql-injection(19688) 12788 20050312 [SECURITYREASON.COM] SQL injection and XSS in paFileDB Cross-site scripting (XSS) vulnerability in (1) viewall.php and (2) category.php for paFileDB 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the start parameter to pafiledb.php. pafiledb-viewall-category-xss(19690) 12788 20050330 PaFileDB Version 3.1 and below are exploitable via a XSS and a SQL injection vulnerability 20050312 [SECURITYREASON.COM] SQL injection and XSS in paFileDB http://digitalparadox.org/advisories/pafdb.txt Cross-site scripting (XSS) vulnerability in Phorum before 5.0.14a allows remote attackers to inject arbitrary web script or HTML via the filename of an attached file. 14554 12800 20050313 3 XSS Vulnerabilities in Phorum <= 5.0.14 Multiple cross-site scripting (XSS) vulnerabilities in Phorum before 5.0.15 allow remote attackers to inject arbitrary web script or HTML via (1) the subject line to follow.php or (2) the subject line in the user's personal control panel. 14554 12800 20050313 3 XSS Vulnerabilities in Phorum <= 5.0.14 Cross-site scripting (XSS) vulnerability in usersrecentposts in YaBB 2.0 rc1 allows remote attackers to inject arbitrary web script or HTML via the username parameter. 12756 yabb-usersrecentposts-xss(19671) 1013420 20050313 YaBB2 rc1 XSS SQL injection vulnerability in gb_new.inc in SimpGB allows remote attackers to execute arbitrary SQL commands via the quote parameter to guestbook.php. 12801 14583 20050313 SimpGB SQL Injection Vulnerability simpgb-gbnew-sql-injection(19694) Wine 20050211 and earlier creates temp files with world readable permissions and predictable file names, which allows local users to obtain sensitive information, such as passwords. http://www.zone-h.org/advisories/read/id=7300 20050314 [ZH2005-02SA] Insecure tmp file creation in Wine http://bugs.winehq.org/show_bug.cgi?id=2715 wine-registry-information-disclosure(19697) 12791 1013428 LimeWire 4.1.2 through 4.5.6 allows remote attackers to read arbitrary files by specifying the full pathname in a Gnutella GET request. limewire-client-information-disclosure(19693) GLSA-200503-37 14555 20050314 LimeWire Gnutella client two vulnerabilities Directory traversal vulnerability in LimeWire 3.9.6 through 4.6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in a magnet request. limewire-magnet-directory-traversal(19695) GLSA-200503-37 14555 20050314 LimeWire Gnutella client two vulnerabilities phpAdsNew 2.0.4 allows remote attackers to obtain sensitive information via a direct request to (1) lib-xmlrpcs.inc.php, (2) maintenance-activation.php, (3) maintenance-cleantables.php, (4) maintenance-autotargeting.php, (5) maintenance-reports.php, (6) phpads.php, (7) remotehtmlview.php, (8) click.php, (9) adcontent.php, which reveal the path in a PHP error message. http://securityreason.com/adv/%5BphpAdsNew%202.0.4-pr1%20Multiple%20vulnerabilities%20cXIb8O3.9%5D.asc 20050314 [SECURITYREASON.COM] phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9 1013429 Cross-site scripting (XSS) vulnerability in adframe.php in phpAdsNew 2.0.4-pr1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the refresh parameter. 12803 http://securityreason.com/adv/%5BphpAdsNew%202.0.4-pr1%20Multiple%20vulnerabilities%20cXIb8O3.9%5D.asc 14592 20050314 [SECURITYREASON.COM] phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9 14787 1013429 SQL injection vulnerability in ZPanel 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) uname parameter to index.php or (2) page parameter to zpanel.php. 14602 zpanel-index-sql-injection(19709) 12809 20050320 Re: Few remote bugs in zPanel 20050315 Few remote bugs in zPanel PHP remote file inclusion vulnerability in zpanel.php in ZPanel allows remote attackers to (1) execute arbitrary PHP code in ZPanel 2.0 or (2) include local files in ZPanel 2.5 beta 10 and earlier by modifying the page parameter. 12809 20050320 Re: Few remote bugs in zPanel 20050315 Few remote bugs in zPanel ZPanel 2.0 and 2.5 beta 10 does not remove or protect installation scripts after they have been used, which allows remote attackers to reinstall the software and possibly cause a denial of service via a direct request to install.php. 14602 20050320 Re: Few remote bugs in zPanel 20050315 Few remote bugs in zPanel HolaCMS 1.4.9 does not restrict file access to the holaDB/votes directory, which allows remote attackers to overwrite arbitrary files via a modified vote_filename parameter. http://www.holacms.de/?content=changelog 14566 20050315 Virginity Security Advisory 2005-001 : Hola CMS - File destruction and System access Directory traversal vulnerability in HolaCMS 1.4.9-1 allows remote attackers to overwrite arbitrary files via a "holaDB/votes" followed by a .. (dot dot) in the vote_filename parameter, which bypasses the check by HolaCMS to ensure that the file is in the holaDB/votes directory. 14566 http://www.holacms.de/?content=changelog 20050315 Virginity Security Advisory 2005-002 : Hola CMS - Another File destruction and System access Novell iChain Mini FTP Server 2.3 displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks. 12811 http://www.infobyte.com.ar/adv/ISR-04.html 14607 20050315 [ISR] - Novell iChain Mini FTP Server Valid User Disclosure Vulnerability Novell iChain Mini FTP Server 2.3, and possibly earlier versions, does not limit the number of incorrect logins, which makes it easier for remote attackers to conduct brute force login attacks. http://www.infobyte.com.ar/adv/ISR-05.html http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm 14607 20050315 [ISR] - Novell iChain Mini FTP Server Bruteforce Problem 14648 1013408 MySQL 4.1.9, and possibly earlier versions, allows remote attackers with certain privileges to cause a denial of service (application crash) via a use command followed by an MS-DOS device name such as (1) LPT1 or (2) PRN. 14564 20050315 Denial of Service Vulnerability in MySQL Server for Windows http://bugs.mysql.com/bug.php?id=9148 PHP remote file inclusion vulnerability in install.php in mcNews 1.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the l parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2005-0720. 20050317 PHP mcNews arbitrary file inclusion mcnews-install-file-include(19726) 12835 20060906 mcNews v1.3 - Remote File Include 14528 Directory traversal vulnerability in includer.cgi in The Includer allows remote attackers to read arbitrary files via (1) a .. (dot dot) or (2) a full pathname in the URL. 20050317 Another includer.cgi problem? Cross-site scripting (XSS) vulnerability in search.asp in ACS Blog 0.8 through 1.1b allows remote attackers to execute arbitrary web script or HTML via the search parameter. acs-blog-search-xss(19728) 12836 1013470 14625 14861 20050317 XSS in ACS blog The GetEnhMetaFilePaletteEntries API in GDI32.DLL in Windows 2000 allows remote attackers to cause a denial of service (application crash) via a crafted Enhanced Metafile (EMF) file that causes invalid (1) end, (2) emreof, or (3) palent offsets to be used, aka "Enhanced Metafile Vulnerability." TA05-312A VU#134756 win-2000-gdi32dll-dos(19727) ADV-2005-2348 12834 20580 MS05-053 http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf 1015168 17461 17223 14631 20050317 Windows 2000 GDI32.DLL GetEnhMetaFilePaletteEntries() API specially crafted EMF file DOS vulnerability oval:org.mitre.oval:def:671 oval:org.mitre.oval:def:1240 oval:org.mitre.oval:def:1215 oval:org.mitre.oval:def:1152 oval:org.mitre.oval:def:1121 Format string vulnerability in MailEnable 1.8 allows remote attackers to cause a denial of service (application crash) via format string specifiers in the mailto field. 14627 12833 20050317 See-security Advisory: Format string vulnerability in MailEnable 1.8 SQL injection vulnerability in index.php in Subdreamer Light, when magic_quotes_gpc is enabled, allows remote attackers to execute arbitrary SQL commands via certain parameters that are used as global variables, as demonstrated using the imageid parameter, which is not properly handled by imagegallery.php. 12839 http://www.subdreamer.com/forum/showthread.php?t=2501 20060621 Re: possible SQL injection in Subdreamer 20050318 possible SQL injection in Subdreamer Evolution 2.0.3 allows remote attackers to cause a denial of service (application crash or hang) via crafted messages, possibly involving charsets in attachment filenames. RHSA-2005:397 oval:org.mitre.oval:def:10532 http://bugzilla.ximian.com/show_bug.cgi?id=72609 USN-166-1 MDKSA-2005:059 Multiple buffer overflows in Cain & Abel before 2.67 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via (1) an IKE packet with a large ID field that is not properly handled by the PSK sniffer filter, (2) the HTTP sniffer filter, or the (3) POP3, (4) SMTP, (5) IMAP, (6) NNTP, or (7) TDS sniffer filters. 14630 cain-abel-http-filter-bo(19744) cain-abel-ikepsk-bo(19742) 12840 http://www.oxid.it/ 1013476 20050318 Cain & Abel PSK Sniffer Heap overflow Apache Tomcat before 5.x allows remote attackers to cause a denial of service (application crash) via a crafted AJP12 packet to TCP port 8007. http://www.kb.cert.org/vuls/id/JGEI-6A2LEF VU#204710 tomcat-manager-ajp12-dos(19681) 12795 http://www.hitachi-support.com/security_e/vuls_e/HS05-006_e/index-e.html NotifyLink, when configured for client key retrieval, allows remote attackers to obtain AES keys via a direct request to /hwp/get.asp, then uses a weak encryption scheme (fixed byte reordering) to protect the key, which allows remote attackers to obtain the key via a brute force attack. VU#581068 12843 14617 SQL injection vulnerability in NotifyLink before 3.0 allows remote attackers to execute arbitrary SQL commands via the URL. VU#264097 12843 14617 The web interface in NotifyLink 3.0 does not properly restrict access to functions that have been disabled in the GUI, which allows remote authenticated users to bypass intended restrictions via a direct request to certain URLs. VU#131828 12843 14617 The web interface in NotifyLink 3.0 displays passwords in cleartext on the administrative page, which could allow remote attackers or local users to obtain sensitive information. VU#770532 12843 14617 Buffer overflow in Initial Redirect (ir) Squid Proxy Plug-In 0.1 and 0.2 may allow attackers to cause a denial of service and execute arbitrary code via unknown vectors. 12827 13674 http://www.vanheusden.com/ir/ 14832 Unknown vulnerability in lshd in Lysator LSH 1.x and 2.x before 2.0.1 allows remote attackers to cause a denial of service via unknown vectors. DSA-717 14609 [lsh-bugs] 20050316 ANNOUNCE: LSH-2.0.1, fix for denial of service bug lsh-lshd-dos(19724) Multiple "range checking flaws" in the ISO9660 filesystem handler in Linux 2.6.11 and earlier may allow attackers to cause a denial of service or corrupt memory via a crafted filesystem. FLSA:152532 kernel-iso9660-filesystem(19741) ADV-2005-1878 12837 20050317 Linux ISO9660 handling flaws oval:org.mitre.oval:def:9307 http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.12-rc1 RHSA-2006:0191 RHSA-2006:0190 RHSA-2005:663 RHSA-2005:366 MDKSA-2006:072 18684 17002 Buffer overflow in newgrp in Solaris 7 through 9 allows local users to gain root privileges. solaris-newgrp-bo(19729) 12838 57710 1013462 Unknown vulnerability in the DNSd proxy, as used in Symantec Gateway Security 5400 2.x and 5300 1.x, Enterprise Firewall 7.0.x and 8.x, and VelociRaptor 1100/1200/1300 1.5, allows remote attackers to poison the DNS cache and redirect users to malicious sites. symantec-dnsdproxy-redirect(44530) http://www.isc.sans.org/diary.php?date=2005-03-04 1013451 http://securityresponse.symantec.com/avcenter/security/Content/2005.03.15.html 20040615 Symantec Enterprise Firewall DNSD cache poisoning Vulnerability sef-dns-spoofing(16423) 14595 Cross-site scripting (XSS) vulnerability in PunBB 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) email or (2) Jabber parameters. punbb-email-jabber-xss(19725) 1013446 The xvesa code in Novell Netware 6.5 SP2 and SP3 allows remote attackers to redirect the xsession without authentication via a direct request to GUIMirror/Start. 12831 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971038.htm 1013460 Microsoft Office InfoPath 2003 SP1 includes sensitive information in the Manifest.xsf file in a custom .xsn form, which allows attackers to obtain printer and network information, obtain the database name, username, and password, or obtain the internal web server name. 867443 12824 14882 1013454 Unknown vulnerability in Citrix MetaFrame Conferencing Manager 3.0 allows conference members to bypass organizer restrictions to control the keyboard and mouse. 12821 http://support.citrix.com/kb/entry.jspa?externalID=CTX105574 1013457 metaframe-conferencing-gain-access(19723) Citrix Metaframe Password Manager 2.5 and earlier stores a password in cleartext although it is obfuscated when presented to a user, which allows users to view their secondary passwords even if it is not allowed by policy. http://support.citrix.com/kb/entry.jspa?externalID=CTX105762 http://support.citrix.com/kb/entry.jspa?entryID=5970&categoryID=254 24041 http://support.citrix.com/article/CTX105800 1018077 ThePoolClub (1) iPool and (2) iSnooker 1.6.81 and earlier stores usernames and passwords in cleartext in the MyDetails.txt file, which allows local users to gain privileges. isnooker-mydetails-plaintext-password(19718) ipool-mydetails-plaintext-password(19717) 12830 1013459 1013458 14629 The internal_dump function in Mathopd before 1.5p5, and 1.6x before 1.6b6 BETA, when Mathopd is running with the -n option, allows local users to overwrite arbitrary files via a symlink attack on dump files that are triggered by a SIGWINCH signal. 14524 http://www.mail-archive.com/mathopd%40mathopd.org/msg00272.html Buffer overflow in LTris before 1.0.10 allows local users to execute arbitrary code via a crafted highscores file. GLSA 200503-24 14635 http://lgames.sourceforge.net/index.php?action=show_news&news_action=show_item&item_id=108 http://bugs.gentoo.org/show_bug.cgi?id=85770 OllyDbg 1.10 and earlier allows remote attackers to cause a denial of service (application crash) via a dynamic link library (DLL) with a long filename. ollydbg-long-filename-do(19750) 12850 1013478 20050319 OllyDbg long process Module debug Vulnerability Viewcat.php in (1) RUNCMS 1.1A, (2) Ciamos 0.9.2 RC1, e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allow remote attackers to obtain sensitive information via an invalid parameter to the convertorderbytrans function, which reveals the path in a PHP error message. 14641 ciamos-viewcat-path-disclosure(19755) http://www.ihsteam.com/download/sections/runcms%20advisory%20-%20eng.pdf 20050319 Ciamos Installation path(IHS) 20050318 runcms installation path highlight.php in (1) RUNCMS 1.1A, (2) CIAMOS 0.9.2 RC1, (3) e-Xoops 1.05 Rev3, and possibly other products based on e-Xoops (exoops), allows remote attackers to read arbitrary PHP files by specifying the pathname in the file parameter, as demonstrated by reading database configuration information from mainfile.php. 14641 ciamos-file-information-disclosure(19754) 12848 http://www.ihsteam.com/download/sections/runcms%20advisory%20-%20eng.pdf http://www.ihsteam.com/download/advisory/Exoops%20highlight%20hole.txt 14648 20050319 Ciamos Highlight.php Security Hole(IHS) 20050318 runcms highlight.php hole 14890 1013485 Cross-site scripting (XSS) vulnerability in setuser.php of the Digitanium addon to PHP-Fusion 5.01 allows remote attackers to inject arbitrary web script or HTML via the (1) user_name or (2) user_pass parameters. 20050319 Re: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection 20050319 Fw: [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Vulnerability 20050319 [PersianHacker.NET 200503-10]PHP-Fusion v5.01 Html Injection Multiple buffer overflows in Xzabite DYNDNSUpdate 0.6.15 and earlier, including the ipcheck function in dyndnsupdate.c, allow remote attackers who spoof a dyndns.org server to execute arbitrary code via unknown vectors. GLSA-200503-27 14663 http://bugs.gentoo.org/show_bug.cgi?id=84659 PHP-Post allows remote attackers to spoof the names of other users by registering with a username containing hex-encoded characters. 12845 20050318 PHP-Post Exploit Cross-site scripting (XSS) vulnerability in PHP-Post before 0.33 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 12845 http://www.php-post.co.uk/index.php?s=content&p=download Belkin 54G (F5D7130) wireless router allows remote attackers to access restricted resources by sniffing URIs from UPNP datagrams, then accessing those URIs, which do not require authentication. 12846 Belkin 54G (F5D7130) wireless router enables SNMP by default in a manner that allows remote attackers to obtain sensitive information. 12846 The SNMP service in the Belkin 54G (F5D7130) wireless router allows remote attackers to cause a denial of service via unknown vectors. 12846 Argument injection vulnerability in Java Web Start for J2SE 1.4.2 up to 1.4.2_06 allows untrusted applications to gain privileges via the value parameter of a property tag in a JNLP file. 12847 GLSA-200503-28 1000200 200255 57740 14640 20050318 Java Web Start argument injection vulnerability http://jouko.iki.fi/adv/ws.html SUSE-SA:2005:032 IceCast 2.20 allows remote attackers to bypass the XSL parser and obtain the source for XSL files via a request for a .xsl file with a trailing . (dot). icecast-get-bypass-security(19760) 12849 20050318 IceCast up to v2.20 multiple vulnerabilities 1013475 14644 Multiple buffer overflows in the XSL parser for IceCast 2.20 may allow attackers to cause a denial of service and possibly execute arbitrary code via (1) a long test value in an xsl:when tag, (2) a long test value in an xsl:if tag, or (3) a long select value in an xsl:value-of tag. icecast-xsl-gain-pivileges(19753) 12849 20050318 IceCast up to v2.20 multiple vulnerabilities 1013475 Linux kernel 2.6 before 2.6.11 does not restrict access to the N_MOUSE line discipline for a TTY, which allows local users to gain privileges by injecting mouse or keyboard events into other user sessions. [linux-kernel] 20050301 Re: Breakage from patch: Only root should be able to set the N_MOUSE line discipline. oval:org.mitre.oval:def:9460 http://linux.bkbits.net:8080/linux-2.6/cset@41fa6464E1UuGu6zmketEYxm73KSyQ FLSA:157459-3 RHSA-2005:366 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0706. Reason: This candidate is a duplicate of CVE-2005-0706. Notes: All CVE users should reference CVE-2005-0706 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. SQL injection vulnerability in (1) people.php, (2) track.php, (3) edit.php, (4) document.php, (5) census.php, (6) passthru.php and possibly other php files in phpMyFamily 1.4.0 allows remote attackers to execute arbitrary SQL commands, as demonstrated via (1) the person parameter to people.php or (2) the Login field. 14642 phpmyfamily-multiple-scripts-sql-injection(19787) 12860 1013493 20050321 phpMyFamily 1.4.0 SQL vulnerabilities Cross-site scripting (XSS) vulnerability in index.php in Kayako eSupport 2.3 allows remote attackers to inject arbitrary web script or HTML via the (1) _i or (2) _c parameter. 13563 20050322 Kayako eSupport Cross Site Scripting CRLF injection vulnerability in search.php in Phorum 5.0.14a allows remote attackers to perform HTTP Response Splitting attacks via the body parameter, which is included in the resulting Location header. 14680 20050322 [ Positive Technologies #SA] Phorum "location" HTTP Response Nortel VPN client 5.01 stores the cleartext password in the memory of the Extranet.exe process, which could allow local users to obtain sensitive information. nortel-contivity-information-disclosure(19791) http://www.nta-monitor.com/news/vpn-flaws/nortel/nortel-client/ 1013512 20050322 Nortel VPN Client Issue: Clear-text password stored in memory Directory traversal vulnerability in the Webmail interface in SurgeMail 2.2g3 allows remote authenticated users to write arbitrary files or directories via a .. (dot dot) in the attach_id parameter. 14658 http://netwinsite.com/cgi/dnewsweb.cgi?cmd=article&group=netwin.surgemail&item=8814&utag= http://www.security.org.sg/vuln/surgemail22g3.html 20050323 [SIG^2 G-TEC] SurgeMail Webmail Attachment Upload and XSS Multiple cross-site scripting (XSS) vulnerabilities in the email auto-reply message in SurgeMail 2.2g3 allow remote attackers to inject arbitrary web script or HTML via the (1) message subject or (2) message header field. 14658 http://netwinsite.com/cgi/dnewsweb.cgi?cmd=article&group=netwin.surgemail&item=8814&utag= http://www.security.org.sg/vuln/surgemail22g3.html 20050323 [SIG^2 G-TEC] SurgeMail Webmail Attachment Upload and XSS Code Ocean FTP server 1.0 allows remote attackers to cause a denial of service via a large number of connections. ocean-ftp-connection-dos(19777) 12859 14662 893 Multiple games developed by FUN labs, including 4X4 Off-road Adventure III, Big Game Hunter, Dangerous Hunts, Deer Hunt, Revolution, Secret Service, Shadow Force, and US Most Wanted, allow remote attackers to cause a denial of service via an empty UDP packet to the server, which cannot detect that a new packet has arrived using the socket ioctl. funlabs-games-upd-dos(19762) 1013492 14638 http://aluigi.altervista.org/adv/funlabsboom-adv.txt Multiple games developed by FUN labs, including 4X4 Off-road Adventure III, Big Game Hunter, Dangerous Hunts, Deer Hunt, Revolution, Secret Service, Shadow Force, and US Most Wanted, allow remote attackers to cause a denial of service (crash from invalid memory access) via a malformed join packet with values that cause the server to copy more memory than was actually provided in the packet. 1013492 14638 http://aluigi.altervista.org/adv/funlabsboom-adv.txt FileZilla FTP server before 0.9.6 allows remote attackers to cause a denial of service via a request for a filename containing an MS-DOS device name such as CON, NUL, COM1, LPT1, and others. 12865 http://sourceforge.net/project/shownotes.php?group_id=21558&release_id=314473 FileZilla FTP server before 0.9.6, when using MODE Z (zlib compression), allows remote attackers to cause a denial of service (infinite loop) via certain file uploads or directory listings. 12865 http://sourceforge.net/project/shownotes.php?group_id=21558&release_id=314473 Microsoft Windows XP SP1 allows local users to cause a denial of service (system crash) via an empty datagram to a raw IP over IP socket (IP protocol 4), as originally demonstrated using code in Python 2.3. 12870 20050322 Possible windows+python bug betaparticle blog (bp blog) stores the database under the web root, which allows remote attackers to obtain sensitive information via a direct request to (1) dbBlogMX.mdb for versions before 3.0, or (2) Blog.mdb for versions 3.0 and later. NOTE: it was later reported that vector 2 also affects versions 6.0 through 9.0. betaparticle-web-root-information-disclosure(19779) 14668 bpblog-blog-info-disclosure(47419) 12861 7499 33233 betaparticle blog (bp blog), posisbly before version 4, allows remote attackers to bypass authentication and (1) upload files via a direct request to upload.asp or (2) delete files via a direct request to myFiles.asp. betaparticle-blog-authentication-bypass(19781) 14668 12861 http://blog.betaparticle.com/template_permalink.asp?id=68 CoolForum 0.8.1 beta and earlier allows remote attackers to obtain sensitive path information via direct requests to (1) entete.php, (2) profile_accueil.php, (3) profile_mdp.php, (4) profile_notify.php, (5) profile_options.php, (6) profile_perso.php, (7) profile_pm.php, or (8) readannonce.php, which leaks the full pathname in a PHP error message. 1013474 CoolForum 0.8.1 beta and earlier allows remote attackers to manipulate SQL commands via certain requests to (1) alert.php or (2) viewip.php, possibly due to a SQL injection vulnerability. 1013474 Cross-site scripting (XSS) vulnerability in avatar.php for CoolForum 0.8 and earlier allows remote attackers to inject arbitrary web script or HTML via the img parameter. coolforum-avatar-xss(19758) 1013474 12852 Multiple SQL injection vulnerabilities in CoolForum 0.8 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the pseudo parameter to entete.php or (2) the login parameter to register.php. coolforum-register-sql-injection(19761) coolforum-adminentete-sql-injection(19759) 1013474 12852 PHP remote file inclusion vulnerability in CzarNews 1.13b allows remote attackers to execute arbitrary PHP code via the tpath parameter to (1) headlines.php or (2) news.php. NOTE: some sources have reported the "dir" parameter as being affected; however, this is likely a cut-and-paste error from the wrong section of the original vulnerability report. Also, the news.php version was later reported to be in 1.12 through 1.14. 14670 czarnews-multiple-scripts-file-include(19765) 18411 12857 14926 14925 1013486 2009 czarnews-news-config-file-include(27733) PHP remote file inclusion vulnerability in TRG News Script 3.0 allows remote attackers to execute arbitrary PHP code via the dir parameter to (1) article.php, (2) authorall.php, (3) comment.php, (4) display.php, or (5) displayall.php. 12855 1013487 14669 Multiple buffer overflows in DeleGate before 8.11.1 may allow attackers to cause a denial of service or execute arbitrary code, possibly due to "overflows on arrays." delegate-bo(19775) http://www.delegate.org/mail-lists/delegate-en/2840 14649 Multiple PHP remote file inclusion vulnerabilities in PHPOpenChat 3.0.1 and earlier allow remote attackers to execute arbitrary PHP code via the phpbb_root_path parameter to (1) poc_loginform.php or (2) phpbb/poc.php, the poc_root_path parameter to (3) phpbb/poc.php, (4) phpnuke/ENGLISH_poc.php, (5) phpnuke/poc.php, or (6) yabbse/poc.php, or (7) the sourcedir parameter to yabbse/poc.php. phpopenchat-file-include(19721) http://www.zone-h.org/advisories/read/id=7310 12817 14809 14808 14807 1013434 14600 20070410 PhpOpenChat <= 3.0.1 (poc.php) Multiple Remote File Include Vulnerabilities Cross-site scripting (XSS) vulnerability in PHPOpenChat v3.x allows remote attackers to inject arbitrary web script or HTML via (1) the chatter parameter to regulars.php or (2) the chatter, chatter1, chatter2, chatter3, or chatter4 parameters to register.php. phpopenchat-regulars-register-xss(19748) 12841 14651 The Boa web server, as used in Samsung ADSL Modem SMDK8947v1.2 and possibly other products, allows remote attackers to read arbitrary files via a full pathname in the HTTP request. http://zone-h.org/en/advisories/read/id=7339/ 12864 http://exploitlabs.com/files/advisories/EXPL-A-2005-002-samsung-adsl.txt Samsung ADSL Modem SMDK8947v1.2 uses default passwords for the (1) root, (2) admin, or (3) user users, which allows remote attackers to gain privileges via Telnet or an HTTP request to adsl.cgi. http://zone-h.org/en/advisories/read/id=7339/ 12864 1013615 http://exploitlabs.com/files/advisories/EXPL-A-2005-002-samsung-adsl.txt cdrecord before 4:2.0, when DEBUG is enabled, allows local users to overwrite arbitrary files via a symlink attack on temporary files. USN-100-1 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=291376 Integer overflow in Linux kernel 2.6 allows local users to overwrite kernel memory by writing to a sysfs file. SUSE-SA:2005:018 oval:org.mitre.oval:def:10867 FLSA:157459-3 RHSA-2005:366 AS/400 Telnet 5250 terminal emulation clients, as implemented by (1) IBM client access, (2) Bosanova, (3) PowerTerm, (4) Mochasoft, and possibly other emulations, allows malicious AS/400 servers to execute arbitrary commands via a STRPCO (Start PC Organizer) command followed by STRPCCMD (Start PC command), as demonstrated by creating a backdoor account using REXEC. http://www.venera.com/downloads/Attack_5250_terminal_emulations_from_iSeries_server.pdf 20050323 Backdoors in AS/400 emulations allow the server to attack connected PC workstations phpSysInfo 2.3 allows remote attackers to obtain sensitive information via a direct request to (1) class.OpenBSD.inc.php, (2) class.NetBSD.inc.php, (3) class.FreeBSD.inc.php, (4) class.Darwin.inc.php, (5) XPath.class.php, (6) system_header.php, or (7) system_footer.php, which reveal the path in a PHP error message. phpsysinfo-path-disclosure(19808) 14690 20050323 [SECURITYREASON.COM] phpSysInfo 2.3 Multiple vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in phpSysInfo 2.3, when register_globals is enabled, allow remote attackers to inject arbitrary web script or HTML via the (1) sensor_program parameter to index.php, (2) text[language], (3) text[template], or (4) hide_picklist parameter to system_footer.php. phpsysinfo-sensor-program-xss(19807) DSA-724 14690 20050323 [SECURITYREASON.COM] phpSysInfo 2.3 Multiple vulnerabilities 15414 12887 20051115 Advisory 22/2005: Multiple vulnerabilities in phpSysInfo MDKSA-2005:212 DSA-899 DSA-898 DSA-897 17643 17616 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=301118 calendar_scheduler.php in Topic Calendar 1.0.1 module for phpBB, when running on a Microsoft IIS server, allows remote attackers to obtain sensitive information via invalid parameters, which reveal the path in an error message. topic-calendar-path-disclosure(19824) 1013554 14659 20050324 Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB Cross-site scripting (XSS) vulnerability in calendar_scheduler.php in the Topic Calendar 1.0.1 module for phpBB allows remote attackers to inject arbitrary web script or HTML via the start parameter. topic-calendar-start-xss(19821) 1013554 14659 20050324 Multiple vulnerabilities in Topic Calendar 1.0.1 for phpBB Multiple cross-site scripting (XSS) vulnerabilities in test.jsp in Oracle Reports Server 10g (9.0.4.3.3) allow remote attackers to inject arbitrary web script or HTML via the (1) desname or (2) repprod parameter. TA05-292A VU#210524 12892 20050324 Oracle Reports Server 10g Vulnerable to XSS 15134 http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html 17250 Multiple buffer overflows in the (1) AIM, (2) MSN, (3) RSS, and other plug-ins for Trillian 2.0 allow remote web servers to cause a denial of service (application crash) via a long string in an HTTP 1.1 response header. 14689 20050324 LogicLibrary BugScan VSR,Trillian 2.0, 3.0 and 3.1 15004 1013557 Multiple buffer overflows in the Yahoo plug-in for Trillian 2.0, 3.0, and 3.1 allow remote web servers to cause a denial of service (application crash) via a long string in an HTTP 1.1 response header. 14689 20050324 LogicLibrary BugScan VSR,Trillian 2.0, 3.0 and 3.1 Off-by-one buffer overflow in Dnsmasq before 2.21 may allow attackers to execute arbitrary code via the DHCP lease file. dnsmasq-dhcp-offbyone-bo(19825) 12897 14691 http://www.thekelleys.org.uk/dnsmasq/CHANGELOG Dnsmasq before 2.21 allows remote attackers to poison the DNS cache via answers to queries that were not made by Dnsmasq. dnsmasq-dns-cache-poisoning(19826) 12897 14691 http://www.thekelleys.org.uk/dnsmasq/CHANGELOG Cross-site scripting (XSS) vulnerability in MercuryBoard before 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the title field of a PM (private message). mercuryboard-title-pm-xss(19797) 12872 14679 PHP remote file include vulnerability in (1) content.php and (2) index.php for Vortex Portal allows remote attackers to execute arbitrary PHP code via a URL in the act parameter. vortexportal-act-file-include(19809) 12878 14959 14958 1013545 14707 20050323 Vortex Portal content.php in Vortex Portal allows remote attackers to obtain sensitive information via an invalid act parameter, which leaks the full pathname in a PHP error message. vortex-portal-path-disclosure(19811) 20050323 Vortex Portal Cross-site scripting (XSS) vulnerability in articles.newcomment for Interspire ArticleLive 2005 allows remote attackers to inject arbitrary web script or HTML via the Articleld parameter. 14708 articlelive-articleid-xss(19817) 12879 20050323 Interspire ArticleLive 2005 (php version) is vulnerable to XSS 20050823 Re: Interspire ArticleLive 2005 (php version) is vulnerable to XSS SQL injection vulnerability in admincore.php in BirdBlog before 1.2.0 allows remote attackers to execute arbitrary SQL commands via the (1) userid or (2) userpw parameters. birdblog-admincore-sql-injection(19799) 12880 1013548 14676 http://cvs.sourceforge.net/viewcvs.py/birdblog/birdblog/admin/admincore.php?r1=1.4&r2=1.5 http://birdblog.sourceforge.net/ChangeLog Multiple cross-site scripting (XSS) vulnerabilities in base.php for DigitalHive 2.0 allow remote attackers to inject arbitrary web script or HTML via (1) the mt parameter to the membres.php page or (2) the -afs-1- query string to the msg.php page. digitalhive-basephp-xss(19803) 12883 1013516 14702 DigitalHive 2.0 allows remote attackers to re-install the product by directly accessing the install script. digitalhive-reinstall(19802) 1013516 Multiple cross-site scripting (XSS) vulnerabilities in XMB Forum 1.9.1 allow remote attackers to inject arbitrary web script or HTML via the (1) Mood or (2) "Send To" fields. 12886 1013515 Cross-site scripting (XSS) vulnerability in Invision Power Board 2.0.2 and earlier allows remote attackers to inject arbitrary web script or HTML via an HTTP POST request. 12888 Eval injection vulnerability in Double Choco Latte before 0.9.4.3 allows remote attackers to execute arbitrary PHP code via the menuAction variable in (1) functions.inc.php or (2) main.php, which causes code to be injected into an eval statement. dcl-file-include(19806) http://sourceforge.net/project/shownotes.php?release_id=315144 1013559 14688 Multiple cross-site scripting (XSS) vulnerabilities in functions.inc.php for Double Choco Latte 0.9.4.3 allow remote attackers to inject arbitrary web script or HTML via the (1) class or (2) method name. dcl-xss(19805) http://sourceforge.net/project/shownotes.php?release_id=315160 1013559 14688 Cross-site scripting (XSS) vulnerability in index.php for Dream4 Koobi CMS 4.2.3 allows remote attackers to inject arbitrary web script or HTML via the area parameter. 12895 1013558 SQL injection vulnerability in Dream4 Koobi CMS 4.2.3 allows remote attackers to execute arbitrary SQL commands via the area parameter. 12896 1013558 14696 Double free vulnerability in gtk 2 (gtk2) before 2.2.4 allows remote attackers to cause a denial of service (crash) via a crafted BMP image. RHSA-2005:344 12950 FLSA-2005:155510 RHSA-2005:343 MDKSA-2005:214 17657 oval:org.mitre.oval:def:9710 CLSA-2005:958 Buffer overflow in smail 3.2.0.120 allows remote attackers or local users to execute arbitrary code via a long string in the MAIL FROM command and possibly other SMTP commands. DSA-722 20050325 smail remote and local root holes modes.c in smail 3.2.0.120 implements signal handlers with certain unsafe library calls, which may allow attackers to execute arbitrary code via signal handler race conditions, possibly using xmalloc. 20050325 smail remote and local root holes OpenmosixCollector and OpenMosixView in OpenMosixView 1.5 allow local users to overwrite or delete arbitrary files via a symlink attack on (1) temporary files in the openmosixcollector directory or (2) nodes.tmp. 12902 14693 20050325 RX250305 - OpenMosixView : Multiple Race conditions - advisory and exploit Netcomm 1300NB DSL Modem allows remote attackers to cause a denial of service (device hang) via a large number of ping packets. 12901 20050325 Netcomm 1300NB DSL Modem Denial of Service Multiple cross-site scripting (XSS) vulnerabilities in review.php in phpMyDirectory 10.1.3-rel allow remote attackers to inject arbitrary web script or HTML via the (1) subcat, (2) page, or (3) subsubcat parameter. 12900 14692 20050325 phpMyDirectory 10.1.3-rel Cross site scripting PHP remote file inclusion vulnerability in catalog.php in E-Store Kit-2 PayPal Edition allows remote attackers to execute arbitrary PHP code by modifying the menu and main parameters to reference a URL on a remote web server that contains the code. 12910 20050325 File inclusion and XSS vulnerability in E-Store Kit-2 PayPal Edition Cross-site scripting (XSS) vulnerability in downloadform.php in E-Store Kit-2 PayPal Edition allows remote attackers to inject arbitrary web script or HTML via the txn_id parameter. 12909 20050325 File inclusion and XSS vulnerability in E-Store Kit-2 PayPal Edition AS/400 running OS400 5.2 installs and enables LDAP by default, which allows remote authenticated users to obtain OS/400 user profiles by performing a search. 20050325 AS/400 LDAP user accounts disclosure marks.php in NukeBookmarks 0.6 for PHP-Nuke allows remote attackers to obtain sensitive information via an invalid (1) file or (2) category parameter, which reveal the path in an error message. 20050325 ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6 http://zone-h.org/advisories/read/id=7356 http://nukebookmarks.sourceforge.net/ Multiple cross-site scripting (XSS) vulnerabilities in NukeBookmarks 0.6 for PHP-Nuke allow remote attackers to inject arbitrary web script or HTML via the (1) catname, (2) markname, (3) comment, or (4) category parameter. http://zone-h.org/advisories/read/id=7356 http://nukebookmarks.sourceforge.net/ 20050325 ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6 SQL injection vulnerability in marks.php in NukeBookmarks 0.6 for PHP-Nuke allows remote attackers to execute arbitrary SQL commands via the category parameter. http://zone-h.org/advisories/read/id=7356 http://nukebookmarks.sourceforge.net/ 20050325 ZH2005-03SA -- multiple vulnerabilities in NukeBookmarks .6 Buffer overflow in QuickTime PictureViewer 6.5.1 allows remote attackers to cause a denial of service (application crash) via a JPEG file with crafted Huffman Table (marker DHT) data. 12905 20050326 QuickTime malformed JPEG buffer overflow Remote Desktop in Windows XP SP1 does not verify the "Force shutdown from a remote system" setting, which allows remote attackers to shut down the system by executing TSShutdn.exe. windows-desktop-tsshutdnexe-dos(19819) 889323 1013552 Maxthon 1.2.0 allows remote malicious web sites to obtain potentially sensitive data from the search bar via the m2_search_text property. 12898 14712 http://forum.maxthon.com/forum/index.php?showtopic=18207 http://www.raffon.net/advisories/maxthon/searchbarid.html 20050325 Maxthon browser search bar information disclosure Buffer overflow in a player logging function in the Tincat network library 2.x before 2.0.28, as used in games such as Sacred and The Settlers: Heritage of Kings, allows remote attackers to execute arbitrary code. 12912 20050328 Buffer-overflow in Tincat 2 minor than 2.0.28 (Sacred, Settlers 5 and others) 14767 14762 http://aluigi.altervista.org/adv/tincat2bof-adv.txt Multiple SQL injection vulnerabilities in Valdersoft Shopping Cart 3.0 allow remote attackers to execute arbitrary SQL commands via (1) the id parameter to category.php, (2) the id parameter to item.php, (3) the lang parameter to index.php, (4) the searchQuery parameter to search_result.php, (5) or the searchTopCategoryID parameter to search_result.php. 1013565 20050327 Multiple sql injection, and xss vulnerabilities in Vladersoft Shopping Cart v.3.0 Multiple cross-site scripting (XSS) vulnerabilities in Valdersoft Shopping Cart 3.0 allow remote attackers to inject arbitrary web script or HTML via (1) the lang parameter to index.php or (2) the searchTopCategoryID parameter to search_result.php. 1013565 20050327 Multiple sql injection, and xss vulnerabilities in Vladersoft Shopping Cart v.3.0 PHP remote file inclusion vulnerability in shoutact.php for TKai's Shoutbox allows remote attackers to execute arbitrary PHP code via the query parameter. 12914 20050328 THai's Shoutbox correction name Multiple cross-site scripting (XSS) vulnerabilities in exoops allow remote attackers to inject arbitrary web script or HTML via (1) the sortdays parameter to viewforum.php or (2) the viewcat parameter to index.php. 1013566 Multiple SQL injection vulnerabilities in exoops may allow remote attackers to execute arbitrary SQL commands via (1) the viewcat parameter to index.php or (2) the artid parameter in the viewarticle action for index.php. 1013566 Unknown vulnerabilities in deplate before 0.7.2 have unknown impact, possibly involving elements.rb. http://sourceforge.net/project/shownotes.php?release_id=315034 1013555 Unknown vulnerability in the regex_replace modifier (modifier.regex_replace.php) in Smarty before 2.6.8 allows attackers to execute arbitrary PHP code. smarty-regexreplace-security-bpass(19880) 1013556 GLSA-200503-35 14729 http://news.php.net/php.smarty.dev/2673 12941 Multiple cross-site scripting (XSS) vulnerabilities in CPG Dragonfly 9.0.2.0 allow remote attackers to inject arbitrary web script or HTML via (1) the profile parameter to index.php or (2) the cat parameter. 1013573 http://security.talte.net/content/view/252/46/ Webmasters-Debutants WD Guestbook 2.8 allows remote attackers to bypass authentication and perform certain administrator actions via a direct HTTP POST request to (1) ajout_admin2.php or (2) suppr.php. 1013570 AIO in the Linux kernel 2.6.11 on the PPC64 or IA64 architectures with CONFIG_HUGETLB_PAGE enabled allows local users to cause a denial of service (system panic) via a process that executes the io_queue_init function but exits without running io_queue_release, which causes exit_aio and is_hugepage_only_range to fail. http://linux.bkbits.net:8080/linux-2.6/cset%404248c8c0es30_4YVdwa6vteKi7h_nw http://groups-beta.google.com/group/linux.kernel/browse_thread/thread/13b43bd5783842f6/7ce3c5a514a497ab?q=io_queue_init&rnum=3#7ce3c5a514a497ab 12987 SUSE-SA:2005:050 PHP remote file inclusion vulnerability in index_header.php for EncapsBB 0.3.2_fixed, and possibly other versions, allows remote attackers to execute arbitrary PHP code via the root parameter. 15078 1013569 14761 The NPSVG3.dll ActiveX control for Adobe SVG Viewer 3.02 and earlier, when running on Internet Explorer, allows remote attackers to determine the existence of arbitrary files by setting the src property to the target filename and using Javascript to determine if the web page immediately stops loading, which indicates whether the file exists or not. http://www.hyperdose.com/advisories/H2005-07.txt http://www.adobe.com/support/techdocs/323585.html 1013890 15255 Adventia Chat 3.1 and Server Pro 3.0 allows remote attackers to inject arbitrary web script or HTML into the chat space, which leaves other users vulnerable to cross-site scripting (XSS) attacks. 12927 1013588 20050329 Adventia Chat http://exploitlabs.com/files/advisories/EXPL-A-2005-003-adventiachat.txt adventia-chat-field-xss(21317) 12940 15156 Multiple SQL injection vulnerabilities in Bugtracker.NET 2.0.1 allow remote attackers to execute arbitrary SQL commands via unknown vectors. 12925 http://sourceforge.net/project/shownotes.php?release_id=315830 Microsoft Outlook 2002 Connector for IBM Lotus Domino 2.0 allows local users to save passwords and login credentials locally, even when password caching is disabled by a group policy. 896093 12913 Unknown vulnerability in the Auto-Protect module in Symantec Norton AntiVirus 2004 and 2005, as also used in Internet Security 2004/2005 and System Works 2004/2005, allows attackers to cause a denial of service (system hang or crash) by triggering a scan of a certain file type. VU#146020 12923 1013587 1013586 1013585 http://securityresponse.symantec.com/avcenter/security/Content/2005.03.28.html 14741 The SmartScan feature in the Auto-Protect module for Symantec Norton AntiVirus 2004 and 2005, as also used in Internet Security 2004/2005 and System Works 2004/2005, allows attackers to cause a denial of service (CPU consumption and system crash) by renaming a file on a network share. VU#713620 12924 1013587 1013586 1013585 http://securityresponse.symantec.com/avcenter/security/Content/2005.03.28.html 14741 Cross-site scripting (XSS) vulnerability in Adventia E-Data 2.0 allows remote attackers to inject arbitrary web script or HTML via a query keyword. 1013589 14739 20050329 E-Data http://exploitlabs.com/files/advisories/EXPL-A-2005-004-edata.txt edata-new-user-xss(19889) 12927 Cross-site scripting (XSS) vulnerability in login.asp for Ublog Reload 1.0 through 1.0.4 allows remote attackers to inject arbitrary web script or HTML via the msg parameter. 1013603 12931 http://www.persianhacker.net/news/news-2945.html 15121 14725 20050329 [PersianHacker.NET 200503-11]Ublog reload 1.0.4 and prior Buffer overflow in Sylpheed before 1.0.4 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attachments with MIME-encoded file names. http://sylpheed.good-day.net/changelog.html.en Unknown vulnerability in subs.pl for WebAPP 0.9.9 through 0.9.9.2 has unknown impact and attack vectors, probably involving shell metacharacters or .. sequences. http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=195 http://sourceforge.net/project/shownotes.php?release_id=316038 14716 Multiple cross-site scripting (XSS) vulnerabilities in PhotoPost PHP Pro 5.x allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) password, (3) ppuser, (4) sort, or (5) si parameters to showgallery.php, the (6) ppuser, (7) sort, or (8) si parameters to showmembers.php, or (9) the photo parameter to slideshow.php. 15098 15097 15096 1013581 14742 20050328 Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. SQL injection vulnerability in PhotoPost PHP Pro 5.x may allow remote attackers to execute arbitrary SQL commands via (1) the sl parameter to showmembers.php or (2) the photo parameter to showphoto.php. 15100 15099 1013581 14742 20050328 Re: Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. 20050328 Multiple Sql injection, and multiple XSS vulnerabilities in Photopost PHP Pro Photo Gallery Software. Cross-site scripting (XSS) vulnerability in message.php in Chatness 2.5.1 and earlier allows remote attackers to inject arbitrary web script or HTML via (1) the user field or (2) the message parameter to message.php. 12929 20050329 [PersianHacker.NET 200503-12]Chatness 2.5.1 and prior XSS Vulnerabilities http://www.persianhacker.net/news/news-2946.html 1013604 PHP remote file inclusion vulnerability in The Includer 1.0 and 1.1 allows remote attackers to execute arbitrary PHP code. 12926 Multiple SQL injection vulnerabilities in phpCOIN 1.2.1b and earlier allow remote attackers to execute arbitrary SQL commands (1) via the search engine, (2) the username or email fields in the "forgotten password" feature, or (3) the domain name in a package order. 12917 http://www.gulftech.org/?node=research&article_id=00065-03292005 Directory traversal vulnerability in auxpage.php for phpCOIN 1.2.1b and earlier allows remote attackers to read arbitrary files via the page parameter. 12917 http://www.gulftech.org/?node=research&article_id=00065-03292005 Multiple cross-site scripting (XSS) vulnerabilities in WackoWiki R4 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. http://wackowiki.com/WackoDownload/InEnglish#h4828-4 14720 Multiple SQL injection vulnerabilities in ESMI PayPal Storefront allow remote attackers to execute arbitrary SQL commands via the (1) idpages parameter to pages.php or the (2) id2 parameter to products1.php. 12903 http://www.hackerscenter.com/Archive/view.asp?id=1774 1013563 14711 20050330 Multiple sql injection, and xss vulnerabilities in Pay pal Storefront 15058 15057 Cross-site scripting vulnerability in products1h.php in ESMI PayPal Storefront allows remote attackers to inject arbitrary web script or HTML via the id parameter. 12904 15059 http://www.hackerscenter.com/Archive/view.asp?id=1774 1013563 14711 20050330 Multiple sql injection, and xss vulnerabilities in Pay pal Storefront Some futex functions in futex.c for Linux kernel 2.6.x perform get_user calls while holding the mmap_sem semaphore, which could allow local users to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions. http://lkml.org/lkml/2005/2/22/123 oval:org.mitre.oval:def:10037 http://linux.bkbits.net:8080/linux-2.6/cset@421cfc11zFsK9gxvSJ2t__FCmuUd3Q FLSA:157459-3 RHSA-2005:420 Ublog Reload 1.0 through 1.0.4 stores ublogreload.mdb under the web root, which allows remote attackers to read usernames and hashed passwords via a direct request to ublogreload.mdb. 1013603 14725 20050329 [PersianHacker.NET 200503-11]Ublog reload 1.0.4 and prior ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0490. Reason: This candidate was inadvertently referenced in a vendor advisory due to a typo. Notes: All CVE users should reference CVE-2005-0490 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The StgCompObjStream::Load function in OpenOffice.org OpenOffice 1.1.4 and earlier allocates memory based on 16 bit length values, but process memory using 32 bit values, which allows remote attackers to cause a denial of service and possibly execute arbitrary code via a DOC document with certain length values, which leads to a heap-based buffer overflow. 13092 20050412 OpenOffice DOC document Heap Overflow RHSA-2005:375 http://www.openoffice.org/issues/show_bug.cgi?id=46388 GLSA-200504-13 oval:org.mitre.oval:def:9106 SUSE-SR:2005:021 17027 The XP Server process (xp_server) in Sybase Adaptive Server Enterprise (ASE) XP Server 12.x before 12.5.3 ESD#1 allows attackers to cause a denial of service (process crash) via malformed data sent to the XP Server TCP port. sybase-adaptive-server(19354) http://www.sybase.com/detail?id=1034520 12080 http://www.ngssoftware.com/advisories/sybase-ase.txt 13632 20050405 Sybase ASE Multiple Security Issues (#NISR05042005) 20041222 Sybase ASE 12.5.2 vulnerabilities http://www.sybase.com/detail?id=1034752 20050321 Details of Sybase ASE bugs withheld Cisco VPN 3000 series Concentrator running firmware 4.1.7.A and earlier allows remote attackers to cause a denial of service (device reload or drop user connection) via a crafted HTTPS packet. cisco-vpn-3000-dos(19903) 12948 14784 20050330 Cisco VPN 3000 Concentrator Vulnerable to Crafted SSL Attack Unknown vulnerability in Microsoft Jet DB engine (msjet40.dll) 4.00.8618.0, related to insufficient data validation, allows remote attackers to execute arbitrary code via a crafted mdb file. VU#176380 http://www.hexview.com/docs/20050331-1.txt 20050331 [HV-HIGH] Microsoft Jet DB engine vulnerabilities 20060808 Re: Will Microsoft patch remarkable old Msjet40.dll issue? 20060804 Will Microsoft patch remarkable old Msjet40.dll issue? http://blogs.securiteam.com/?p=535 Cross-site scripting (XSS) vulnerability in ACS Blog 1.1.1 allows remote attackers to inject arbitrary web script or HTML via onmouseover or onload events in (1) img, (2) link, or (3) mail tags. acsblog-tags-xss(19864) 1013584 14744 20050328 Multiple XSS vulnerabilities in ACS Blog SQL injection vulnerability in phpCoin 1.2.1b and earlier allows remote attackers to execute arbitrary SQL commands via the (1) term/keywords field on the search page, (2) username or (3) e-mail field on the forgot password page, or (4) domain name on the ordering new package page. 12917 20050329 Multiple phpCoin Vulnerabilities http://www.gulftech.org/?node=research&article_id=00065-03292005 Directory traversal vulnerability in auxpage.php in phpCoin 1.2.1b and earlier allows remote attackers to read and execute arbitrary files via a .. (dot dot) in the page parameter. phpcoin-auxpage-file-include(19896) 12917 http://www.gulftech.org/?node=research&article_id=00065-03292005 20050329 Multiple phpCoin Vulnerabilities SQL injection vulnerability in ad_click.asp for PortalApp allows remote attackers to execute arbitrary SQL commands via the banner_id parameter. portalapp-adclick-sql-injection(19892) 12936 1013591 14749 20050329 Multiple sql injection, and xss vulnerabilities in PortalApp Multiple cross-site scripting (XSS) vulnerabilities in content.asp in Iatek PortalApp allow remote attackers to inject arbitrary web script or HTML via the (1) contenttype or (2) keywords parameter. portalapp-contentasp-xss(19891) 12936 1013591 14749 20050329 Multiple sql injection, and xss vulnerabilities in PortalApp Directory traversal vulnerability in FastStone 4in1 Browser 1.2 allows remote attackers to read arbitrary files via a (1) ... (triple dot) or (2) ..\ (dot dot backslash) in the URL. faststone-dotdot-directory-traversal(19900) 12937 http://www.autistici.org/fdonato/advisory/FastStone4in1Browser1.2-adv.txt 1013596 14743 20050329 directory traversal in FastStone 4in1 Browser 1.2 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: this candidate was created as a result of an analysis error for a researcher advisory for an issue that already existed. It stated an incorrect parameter, which was not part of the vulnerability at all. Notes: CVE users should not reference this candidate at all. Cross-site scripting vulnerability in pafiledb.php in PaFileDB 3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. 20050330 PaFileDB Version 3.1 and below are exploitable via a XSS and a SQL injection vulnerability pafiledb-action-xss(29394) 20061008 XSS IN paFileDB 3.1 Race condition in bzip2 1.0.2 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by bzip2 after the decompression is complete. TA07-319A DSA-730 bzip2-toctou-symlink(19926) ADV-2007-3868 ADV-2007-3525 12954 20070109 rPSA-2007-0004-1 bzip2 oval:org.mitre.oval:def:10902 20050330 bzip2 TOCTOU file-permissions vulnerability 26444 RHSA-2005:474 OpenPKG-SA-2007.002 MDKSA-2006:026 FLSA:158801 200191 103118 29940 27643 27274 19183 APPLE-SA-2007-11-14 http://docs.info.apple.com/article.html?artnum=307041 20060301-01-U NetBSD-SA2008-004 oval:org.mitre.oval:def:1154 Windows Explorer and Internet Explorer in Windows 2000 SP1 allows remote attackers to cause a denial of service (CPU consumption) via a malformed Windows Metafile (WMF) file. winxp-explorer-wmf-dos(15507) 9892 http://www.securiteam.com/windowsntfocus/5CP081FFFY.html 20050331 WindowsXP malformed .wmf files DoS SQL injection vulnerability in InterAKT MX Shop 1.1.1 allows remote attackers to execute arbitrary SQL commands via the id_ctg parameter. 14793 20050331 MX Shop 1.1.1 and MX Kart 1.1.2 are vulnerable to multiple SQL injection vulnerabilities 12957 Multiple SQL injection vulnerabilities in index.php in InterAKT MX Kart 1.1.2 allow remote attackers to execute arbitrary SQL commands via the (1) idp, (2) id_ctg, or (3) id_man parameter. 14793 20050331 MX Shop 1.1.1 and MX Kart 1.1.2 are vulnerable to multiple SQL injection vulnerabilities Bay Technical Associates RPC-3 Telnet Host 3.05 allows remote attackers to bypass authentication by pressing the escape and enter keys at the username prompt. rpc3-logon-bypass-authentication(19921) 12955 20050331 Bay Technical Associates telnet server logon bypass Format string vulnerability in the log_do function in log.c for YepYep mtftpd 0.0.3, when the statistics option is enabled, allows remote attackers to execute arbitrary code via the CWD command. http://www.tripbit.org/advisories/TA-040305.txt 12947 http://www.securiteam.com/exploits/5KP0W0AF5K.html http://unl0ck.org/files/papers/mtftpd.txt Buffer overflow in the mt_do_dir function in YepYep mtftpd 0.0.3 may allow attackers to execute arbitrary code via a long path. 12947 Multiple vulnerabilities in the SACK functionality in (1) tcp_input.c and (2) tcp_usrreq.c OpenBSD 3.5 and 3.6 allow remote attackers to cause a denial of service (memory exhaustion or system crash). 12951 20050330 [3.5] 030: RELIABILITY FIX: March 30, 2005 20050330 [3.6] 013: RELIABILITY FIX: March 30, 2005 1013611 Cross-site scripting (XSS) vulnerability in Horde 3.0.4 before 3.0.4-RC2 allows remote attackers to inject arbitrary web script or HTML via the parent frame title. 14730 http://lists.horde.org/archives/announce/2005/000176.html SUSE-SR:2005:016 http://cvs.horde.org/diff.php/horde/docs/CHANGES?r1=1.515.2.49&r2=1.515.2.93&ty=h SQL injection vulnerability in index.php for Lighthouse Squirrelcart allows remote attackers to execute arbitrary SQL commands via the (1) crn parameter in a show action or (2) rn parameter in a show_detail action. squirrelcart-index-sql-injection(19904) 12944 14770 An error in the Toshiba ACPI BIOS 1.6 causes the BIOS to only examine the first slot in the Master Boot Record (MBR) table for an active partition, which prevents the system from booting even though the MBR is not malformed. NOTE: it has been debated as to whether or not this issue poses a security vulnerability, since administrative privileges would be required, and other DoS attacks are possible with such privileges. toshiba-acpi-bios-dos(19895) 20050331 RE: Portcullis Security Advisory 05-011 ACPI 1.6 BIOS 20050331 Re: Portcullis Security Advisory 05-011 ACPI 1.6 BIOS 20050329 Portcullis Security Advisory 05-011 ACPI 1.6 BIOS Unknown vulnerability in Kerio Personal Firewall 4.1.2 and earlier allows local users to bypass firewall rules via a malicious process that impersonates a legitimate process that has fewer restrictions. kerio-firewall-rule-security-bypass(19893) 12946 http://www.kerio.com/security_advisory.html#0503 1013607 14717 The gaim_markup_strip_html function in Gaim 1.2.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a string that contains malformed HTML, which causes an out-of-bounds read. 14815 oval:org.mitre.oval:def:11292 20050401 multiple remote denial of service vulnerabilities in Gaim http://gaim.sourceforge.net/security/index.php?id=13 12999 FLSA:158543 RHSA-2005:365 SUSE-SA:2005:036 MDKSA-2005:071 The IRC protocol plugin in Gaim 1.2.0, and possibly earlier versions, allows (1) remote attackers to inject arbitrary Gaim markup via irc_msg_kick, irc_msg_mode, irc_msg_part, irc_msg_quit, (2) remote attackers to inject arbitrary Pango markup and pop up empty dialog boxes via irc_msg_invite, or (3) malicious IRC servers to cause a denial of service (application crash) by injecting certain Pango markup into irc_msg_badmode, irc_msg_banned, irc_msg_unknown, irc_msg_nochan functions. http://sourceforge.net/project/shownotes.php?group_id=235&release_id=317750 14815 gaim-ircmsginvite-dos(19939) gaim-irc-plugin-bo(19937) oval:org.mitre.oval:def:9185 20050401 multiple remote denial of service vulnerabilities in Gaim http://gaim.sourceforge.net/security/index.php?id=14 13003 FLSA:158543 RHSA-2005:365 SUSE-SA:2005:036 MDKSA-2005:071 Gaim 1.2.0 allows remote attackers to cause a denial of service (application crash) via a malformed file transfer request to a Jabber user, which leads to an out-of-bounds read. 1013645 14815 http://sourceforge.net/tracker/?func=detail&aid=1172115&group_id=235&atid=100235 oval:org.mitre.oval:def:9657 http://gaim.sourceforge.net/security/?id=15 13004 FLSA:158543 RHSA-2005:365 SUSE-SA:2005:036 MDKSA-2005:071 Computer Associates (CA) eTrust Intrusion Detection 3.0 allows remote attackers to cause a denial of service via large size values that are not properly validated before calling the CPImportKey function in the Crypto API. 20050405 Computer Associates eTrust Intrusion Detection System CPImportKey DoS Vulnerability Heap-based buffer overflow in the syscall emulation functionality in Mac OS X before 10.3.9 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via crafted parameters. APPLE-SA-2005-04-15 Mac OS X 10.3.9 and earlier allows users to install, create, and execute setuid/setgid scripts, contrary to the intended design, which may allow attackers to conduct unauthorized activities with escalated privileges via vulnerable scripts. APPLE-SA-2005-04-15 Stack-based buffer overflow in the semop system call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments. VU#212190 APPLE-SA-2005-04-15 Integer overflow in the searchfs system call in Mac OS X 10.3.9 and earlier allows local users to execute arbitrary code via crafted parameters. VU#185702 APPLE-SA-2005-04-15 Unknown vulnerability in the setsockopt system call in Mac OS X 10.3.9 and earlier allows local users to cause a denial of service (memory exhaustion) via crafted arguments. APPLE-SA-2005-04-15 Unknown vulnerability in the nfs_mount call in Mac OS X 10.3.9 and earlier allows local users to gain privileges via crafted arguments. VU#713614 APPLE-SA-2005-05-19 APPLE-SA-2005-04-15 Integer signedness error in the parse_machfile function in the mach-o loader (mach_loader.c) for the Darwin Kernel as used in Mac OS X 10.3.7, and other versions before 10.3.9, allows local users to cause a denial of service (CPU consumption) via a crafted mach-o header. 1013735 13902 macos-machloader-dos(18979) ADV-2005-0041 12314 P-185 1012941 20050119 Darwin Kernel Vulnerability APPLE-SA-2005-04-15 http://felinemenace.org/advisories/macosx.txt AppleWebKit (WebCore and WebKit), as used in multiple products such as Safari 1.2 and OmniGroup OmniWeb 5.1, allows remote attackers to read arbitrary files via the XMLHttpRequest Javascript component, as demonstrated using automatically mounted disk images and file:// URLs. http://remahl.se/david/vuln/001/ APPLE-SA-2005-04-15 The shmem_nopage function in shmem.c for the tmpfs driver in Linux kernel 2.6 does not properly verify the address argument, which allows local users to cause a denial of service (kernel crash) via an invalid address. USN-103-1 12970 oval:org.mitre.oval:def:10400 http://lkml.org/lkml/2005/2/5/111 http://linux.bkbits.net:8080/linux-2.6/cset@420551fbRlv9-QG6Gw9Lw_bKVfPSsg FLSA:157459-3 RHSA-2005:366 Directory traversal vulnerability in the Object Push service in IVT BlueSoleil 1.4 allows remote attackers to upload arbitrary files via a .. (dot dot) in a PUSH command. bluesoleil-object-push-directory-traversal(19930) 12961 http://www.digitalmunition.com/DMA%5B2005-0401a%5D.txt 14790 20050401 DMA[2005-0401a] - 'IVT BlueSoleil Directory Transversal' Multiple buffer overflows in RUMBA 7.3 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted values in a profile file, as demonstrated using a long SysName field. rumba-profile-values-bo(19934) 12965 20050401 Buffer Overflow within the RUMBA product PHP remote file inclusion vulnerability in index.php in AlstraSoft EPay Pro 2.0 allows remote attackers to execute arbitrary PHP code by modifying the view parameter to reference a URL on a remote web server that contains the code. 12973 14802 20050402 AlstraSoft EPay Pro v2.0 has file include and multiple xss Multiple cross-site scripting (XSS) vulnerabilities in AlstraSoft EPay Pro 2.0 allow remote attackers to inject arbitrary web script or HTML via the (1) payment or (2) send parameter. 12974 14802 20050402 AlstraSoft EPay Pro v2.0 has file include and multiple xss Multiple cross-site scripting (XSS) vulnerabilities in Yet Another Forum.net 0.9.9 allow remote attackers to inject arbitrary web script or HTML via the (1) name, (2) location, or (3) Subject field. 1013632 20050402 Yet Another Forum.net XSS vulnerabilities Quake 3 engine, as used in multiple games, allows remote attackers to cause a denial of service (client disconnect) via a long message, which is not properly truncated and causes the engine to process the remaining data as if it were network data. 12976 14811 20050402 In-game players kicking in the Quake 3 engine http://bani.anime.net/banimod/forums/viewtopic.php?p=27322 http://aluigi.altervista.org/adv/q3msgboom-adv.txt Buffer overflow in the G_Printf function in Star Wars Jedi Knight: Jedi Academy 1.011 and earlier allows remote attackers to execute arbitrary code via a long message using commands such as (1) say and (2) tell. 12977 14809 http://aluigi.altervista.org/adv/jamsgbof-adv.txt 20050402 In-game server buffer-overflow in Jedi Academy 1.011 Unspecified vulnerability in the Mac OS X kernel before 10.3.8 allows local users to cause a denial of service (temporary hang) via unspecified attack vectors related to the fan control unit (FCU) driver. http://docs.info.apple.com/article.html?artnum=301324 NLSCCSTR.DLL in the web service in IBM Lotus Domino Server 6.5.1, 6.0.3, and possibly other versions allows remote attackers to cause a denial of service (deep recursion and nHTTP.exe process crash) via a long GET request containing UNICODE decimal value 430 characters, which causes the stack to be exhausted. NOTE: IBM has reported that it is unable to replicate this issue. ADV-2005-0322 20050406 IBM Lotus Domino Server Web Service DoS Vulnerability http://www-1.ibm.com/support/docview.wss?uid=swg21202446 14858 http://news.zdnet.co.uk/software/applications/0,39020384,39194293,00.htm Unknown vulnerability in IRC Services NickServ LISTLINKS before 5.0.50 allows remote attackers to obtain the links of a nick. 1013622 http://www.ircservices.esper.net/Changes.txt Race condition in gzip 1.2.4, 1.3.3, and earlier, when decompressing a gzipped file, allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by gzip after the decompression is complete. TA06-214A 12996 ADV-2006-3101 19289 20050404 gzip TOCTOU file-permissions vulnerability 15487 DSA-752 101816 SSA:2006-262 22033 21253 18100 RHSA-2005:357 oval:org.mitre.oval:def:10242 APPLE-SA-2006-08-01 SCOSA-2005.58 oval:org.mitre.oval:def:765 oval:org.mitre.oval:def:1169 The find_replen function in jsstr.c in the Javascript engine for Mozilla Suite 1.7.6, Firefox 1.0.1 and 1.0.2, and Netscape 7.2 allows remote attackers to read portions of heap memory in a Javascript string via the lambda replace method. RHSA-2005:386 RHSA-2005:383 GLSA-200504-18 14821 14820 https://bugzilla.mozilla.org/show_bug.cgi?id=288688 15495 12988 RHSA-2005:601 RHSA-2005:384 SUSE-SA:2006:022 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-33.html 1013643 1013635 19823 oval:org.mitre.oval:def:11706 SCOSA-2005.49 oval:org.mitre.oval:def:100025 unshar (unshar.c) in sharutils 4.2.1 allows local users to overwrite arbitrary files via a symlink attack on the unsh.X temporary file. sharutils-temp-file-symlink(19957) RHSA-2005:377 https://bugzilla.ubuntu.com/show_bug.cgi?id=8459 USN-104-1 12981 oval:org.mitre.oval:def:9613 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=302412 RC.BOOT in IBM AIX 5.1, 5.2, and 5.3 does not "use a secure location for temporary files," which allows local users to have an unknown impact, probably by overwriting files. 12992 IY59207 IY59206 IY59205 Cross-site scripting (XSS) vulnerability in index.php in phpMyAdmin before 2.6.2-rc1 allows remote attackers to inject arbitrary web script or HTML via the convcharset parameter. phpmyadmin-convcharset-xss(19940) 12982 GLSA-200504-08 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2005-3 http://www.arrelnet.com/advisories/adv20050403.html 14799 20050404 phpMyAdmin Cross-site Scripting Vulnerability Buffer overflow in nwprint in SCO OpenServer 5.0.7 allows local users to execute arbitrary code via a long command line argument. 12986 20050404 possible privilege escalation on Sco OpenServer 5.0.7 Multiple SQL injection vulnerabilities in ProductCart 2.7 allow remote attackers to execute arbitrary SQL commands via (1) the Category or resultCnt parameters to advSearch_h.asp, and possibly (2) the offset parameter to tarinasworld_butterflyjournal.asp. NOTE: it is possible that item (2) is the result of a typo or editing error from the original research report. 12990 15265 15263 14833 Multiple cross-site scripting (XSS) vulnerabilities in ProductCart 2.7 allow remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter to advSearch_h.asp, (2) the redirectUrl parameter to NewCust.asp, (3) the country parameter to storelocator_submit.asp, or (4) the error parameter to techErr.asp. NOTE: it has been reported that storelocator_submit.asp does not exist in ProductCart. 12990 15268 15266 15264 14833 Multiple SQL injection vulnerabilities in the Downloads module for PHP-Nuke 7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the email or url parameters in the Add function, (2) the min parameter in the viewsdownload function, or (3) the min parameter in the search function. 20050403 [SECURITYREASON.COM] phpnuke 7.6 Multiple vulnerabilities in Downloads Module cXIb8O3.13 Multiple SQL injection vulnerabilities in the Web_Links module for PHP-Nuke 7.6 allow remote attackers to execute arbitrary SQL commands via (1) the email or url parameters in the Add function, (2) the url parameter in the modifylinkrequestS function, (3) the orderby or min parameters in the viewlink function, (4) the orderby, min, or show parameters in the search function, or (5) the ratenum parameter in the MostPopular function. 20050403 [SECURITYREASON.COM] phpnuke 7.6 Multiple vulnerabilities in Web_Links Module cXIb8O3.14 The Web_Links module for PHP-Nuke 7.6 allows remote attackers to obtain sensitive information via an invalid show parameter, which triggers a division by zero PHP error that leaks the full pathname of the server. 20050403 [SECURITYREASON.COM] phpnuke 7.6 Multiple vulnerabilities in Web_Links Module cXIb8O3.14 SQL injection vulnerability in the Top module for PHP-Nuke 6.x through 7.6 allows remote attackers to execute arbitrary SQL commands via the querylang parameter. http://www.waraxe.us/advisory-41.html 20050406 [waraxe-2005-SA#041] - Critical Sql Injection in PhpNuke 6.x-7.6 Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the bid parameter to the EmailStats op in banners.pgp, (2) the ratenum parameter in the TopRated and MostPopular actions in the Web_Links module, (3) the ttitle parameter in the viewlinkdetails, viewlinkeditorial, viewlinkcomments, and ratelink actions in the Web_Links module, or (4) the username parameter in the Your_Account module. phpnuke-modulesphp-xss(19952) 20050403 Full path disclosure and XSS in PHPNuke 20050404 [SECURITYREASON.COM] PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12 PHP-Nuke 7.6 allows remote attackers to obtain sensitive information via direct requests to (1) the Surveys module with the file parameter set to comments or (2) 3D-Fantasy/theme.php, which leaks the full pathname of the web server in a PHP error message. phpnuke-modulesphp-path-disclosure(19953) 20050404 [SECURITYREASON.COM] PhpNuke 7.6=>x Multiple vulnerabilities cXIb8O3.12 logwebftbs2000.exe in Logics Software File Transfer (LOG-FT) allows remote attackers to read arbitrary files via modified (1) VAR_FT_LANG and (2) VAR_FT_TMPL parameters. 12998 14851 20050405 Logics Software BS2000 Host to Web Client ALL PLATFORMS Directory traversal vulnerability in index.php for ProfitCode PayProCart 3.0 allows remote attackers to include arbitrary PHP files via .. (dot dot) sequences in the modID parameter. payprocart-dotdot-directory-traversal(19954) 1013640 14832 20050404 Authenticaion bypass, Directory transversal and XSS Cross-site scripting (XSS) vulnerability in usrdetails.php in ProfitCode PayProCart 3.0 allows remote attackers to inject arbitrary web script or HTML via the sgnuptype parameter. Payprocart-usrdetails-xss(19955) 1013640 14832 20050404 Authenticaion bypass, Directory transversal and XSS ProfitCode PayProCart 3.0 allows remote attackers to bypass authentication and gain administrative privileges to the admin control panel, as demonstrated via a direct request to adminshop/index.php with hex-encoded .. sequences in the ftoedit parameter. payprocart-index-bypass-authentication(19956) 1013640 14832 20050404 Authenticaion bypass, Directory transversal and XSS Multiple cross-site scripting (XSS) vulnerabilities in SonicWALL SOHO 5.1.7.0 allow remote attackers to inject arbitrary web script or HTML via (1) the URL or (2) the user login name, which is not filtered when the administrator views the log file. sonicwall-username-code-execution(19960) sonicwall-http-get-requests-xss(19958) 12984 http://www.oliverkarow.de/research/SonicWall.txt 1013638 14823 20050404 SonicWALL SOHO/10 - XSS vulnerability 15262 15261 Unknown vulnerability in the LIST functionality in CommuniGate Pro before 4.3c3 allows remote attackers to cause a denial of service (server crash) via certain multipart messages. communigatepro-list-dos(19961) http://www.stalker.com/CommuniGatePro/History.html 15257 14604 Cross-site scripting (XSS) vulnerability in posts.asp for ASP-DEv XM Forum RC3 allows remote attackers to inject arbitrary web script or HTML via a "javascript:" URL in an IMG tag. 12958 1013614 Multiple buffer overflows in BakBone NetVault 6.x and 7.x allow (1) remote attackers to execute arbitrary code via a modified computer name and length that leads to a heap-based buffer overflow, or (2) local users to execute arbitrary code via a long Name entry in the configure.cfg file. netvault-configurecfg-bo(19932) 12967 20050401 [Hat-Squad Advisory] Bakbone NetVault Heap overflow Vulnerabilities http://www.hat-squad.com/en/000165.html http://www.hat-squad.com/en/000164.html http://www.class101.org/netv-remhbof.pdf http://www.class101.org/netv-locsbof.pdf 1013625 14814 Cross-site scripting (XSS) vulnerability in Comersus Cart 6 allows remote attackers to inject arbitrary web script or HTML via the account username. comersus-username-xss(19962) 13000 1013634 14825 SQL injection vulnerability in content.asp in SiteEnable allows remote attackers to execute arbitrary SQL commands via the sortby parameter. http://www.zone-h.com/en/advisories/read/id=7367/ 12985 1013631 Cross-site scripting (XSS) vulnerability in Iatek SiteEnable allows remote attackers to inject arbitrary web script or HTML via (1) the contenttype parameter to content.asp, (2) the title, or (3) the description. portalapp-contentasp-xss(19891) http://www.zone-h.com/en/advisories/read/id=7367/ 1013631 The SMTP service in MailEnable Enterprise 1.04 and earlier and Professional 1.54 and earlier allows remote attackers to cause a denial of service (server crash) via an EHLO command with a Unicode string. mailenable-ehlo-dos(19973) mailenable-smtp-dos(19948) 12994 http://www.securiteam.com/windowsntfocus/5HP031PFFG.html http://www.mailenable.com/hotfix/ 1013637 20050405 MailEnable Smtpd remote Dos [x0n3-h4ck] 15232 14812 Buffer overflow in the IMAP service for MailEnable Enterprise 1.04 and earlier and Professional 1.54 allows remote attackers to execute arbitrary code via a long AUTHENTICATE command. mailenable-imap-dos(19947) 12995 http://www.mailenable.com/hotfix/ 1013637 14812 20050405 MailEnable Imapd remote BoF + Exploit [x0n3-h4ck] Buffer overflow in MailEnable Imapd (MEIMAP.exe) allows remote attackers to execute arbitrary code via a long LOGIN command. 20050406 Re: MailEnable Imapd remote BoF + Exploit [x0n3-h4ck] Cross-site scripting (XSS) vulnerability in links_add_form.asp for MaxWebPortal 1.33 and earlier allows remote attackers to inject arbitrary web script or HTML via a Javascript URL in a banner URL. 14752 maxwebportal-linksaddform-xss(19929) 12968 http://www.hackerscenter.com/archive/view.asp?id=1807 1013617 SQL injection vulnerability in the Update_Events function in events_functions.asp in MaxWebPortal 1.33 and earlier allows remote attackers to execute arbitrary SQL commands via the EVENT_ID parameter, as demonstrated using events.asp. 1013617 14752 maxwebportal-eventsfunctions-sql-injection(19928) 12968 http://www.hackerscenter.com/archive/view.asp?id=1807 Buffer overflow in the UniversalAgent for Computer Associates (CA) BrightStor ARCserve Backup allows remote authenticated users to cause a denial of service or execute arbitrary code via an agent request to TCP port 6050 with a large argument before the option field. 20050414 Computer Associates BrightStor ARCserve Backup and BrightStor Enterprise Backup UniversalAgent buffer overflow vulnerability 13102 20050217 RE: BrightStor ARCserve Backup buffer overflow PoC (fixes available) 20050411 Computer Associates BrightStor ARCserve Backup UniversalAgent Buffer Overflow Buffer overflow in the getConfig function in Aeon 0.2a and earlier allows local users to gain privileges via a long HOME environment variable. aeon-getconfig-bo(19951) http://security-tmp.h14.ru/exploits/23laeon.c.txt 20050404 Local buffer overflow on Aeon<=0.2a Secure Shell (SSH) 2 in Cisco IOS 12.0 through 12.3 allows remote attackers to cause a denial of service (device reload) (1) via a username that contains a domain name when using a TACACS+ server to authenticate, (2) when a new SSH session is in the login phase and a currently logged in user issues a send command, or (3) when IOS is logging messages and an SSH session is terminated while the server is sending data. 14854 cisco-ios-ssh-message-log-dos(19990) cisco-ios-authentication-send-dos(19989) cisco-ios-sshv2-tacacs-authentication-dos(19987) 1013655 13043 20050406 Vulnerabilities in Cisco IOS Secure Shell Server oval:org.mitre.oval:def:5455 Memory leak in Secure Shell (SSH) in Cisco IOS 12.0 through 12.3, when authenticating against a TACACS+ server, allows remote attackers to cause a denial of service (memory consumption) via an incorrect username or password. cisco-ios-memory-leak-dos(19991) 1013655 14854 13042 15303 20050406 Vulnerabilities in Cisco IOS Secure Shell Server oval:org.mitre.oval:def:5687 ColdFusion 6.1 Updater 1 places Java .class files under the web root in the /WEB-INF/cfclasses directory, which allows remote attackers to obtain sensitive information. http://www.macromedia.com/devnet/security/security_zone/mpsb05-02.html 20050407 Macromedia Security Bulletin - ColdFusion MX 6.1 Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x to 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) min parameter to the Search module, (2) the categories parameter to the FAQ module, or (3) the ltr parameter to the Encyclopedia module. NOTE: the bid parameter issue in banners.php is already an item in CVE-2005-1000. phpnuke-modulesphp-xss(19952) 20050403 Full path disclosure and XSS in PHPNuke http://www.securityreason.com/adv/PHPNuke%206.x-7.6-p1.txt modules.php in PHP-Nuke 6.x to 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) my_headlines, (2) userinfo, or (3) search, which reveals the path in a PHP error message. phpnuke-modulesphp-path-disclosure(19953) http://www.securityreason.com/adv/PHPNuke%206.x-7.6-p1.txt 20050403 Full path disclosure and XSS in PHPNuke phpnuke-myheadlines-path-disclosure(44980) The FTP server in AS/400 4.3, when running in IFS mode, allows remote attackers to obtain sensitive information via a symlink attack using RCMD and the ADDLNK utility, as demonstrated using the QSYS.LIB library. http://www.venera.com/downloads/AS400_user_accounts_ftp_disclosure.pdf 15300 20050404 Disclosure of AS/400 user accounts via the FTP server Multiple SQL injection vulnerabilities in SnailSource phpBB 2.0.x mods allow remote attackers to execute arbitrary SQL commands via the (1) file_id parameter to dlman.php in DLMan Pro or (2) id parameter to links.php in Linkz Pro (aka LinksLinks Pro). http://www.snailsource.com/forum/dlman.php?func=file_info&file_id=77 13030 13028 20050404 SQL INJECTION in DLMan Pro. PHPBB Mod. 20050404 SQL INJECTION in LinksLinks Pro. PHPBB Mod. Multiple cross-site scripting (XSS) vulnerabilities in PHP-Nuke 6.x through 7.6 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter in the Your_Account module, (2) avatarcategory parameter in the Your_Account module, or (3) lid parameter in the Downloads module. 20050404 [SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 3 phpnuke-modules-xss(11994) 7570 20030511 PHPNuke "Your Account" XSS Vulnerability PHP-Nuke 6.x through 7.6 allows remote attackers to obtain sensitive information via a direct request to (1) index.php with the forum_admin parameter set, (2) the Surveys module, or (3) the Your_Account module, which reveals the path in a PHP error message. 20050404 [SECURITYREASON.COM] Full path disclosure and XSS in PHPNuke part 3 Multiple SQL injection vulnerabilities in Active Auction House allow remote attackers to execute arbitrary SQL commands via the (1) catid, (2) SortDir, or (3) Sortby parameter to default.asp, (4) itemID parameter to ItemInfo.asp, or (5) Email field to sendpassword.asp. aah-multiple-scripts-sql-injection(19977) 1013649 13035 13034 13032 14839 20050406 Active Auction House has multiple Sql injection, error and XSS 15283 15282 15281 Multiple cross-site scripting (XSS) vulnerabilities in Active Auction House allow remote attackers to inject arbitrary web script or HTML via the (1) ReturnURL, (2) password, (3) username parameter, (4) ReturnURL parameter to account.asp, (5) Table, (6) Title parameter to sendpassword.asp, or (7) itemid to watchthisitem.asp. aah-multiple-scripts-xss(19975) 1013649 13039 13038 13036 14839 20050406 Active Auction House has multiple Sql injection, error and XSS 15287 15286 15285 15284 RUNCMS 1.1A, and possibly other products based on e-Xoops (exoops), when "Allow custom avatar upload" is enabled, does not properly verify uploaded files, which allows remote attackers to upload arbitrary files. exoops-runcms-upload-files(20001) 13027 14869 20050406 runcms/e-xoops 1.1A and below file upload vulnerability http://www.runcms.org/public/modules/news/ ** REJECT ** cart.php in LiteCommerce might allow remote attackers to obtain sensitive information via invalid (1) category_id or (2) product_id parameters. NOTE: this issue was originally claimed to be due to SQL injection, but the original researcher is known to be frequently inaccurate with respect to bug type and severity. The vendor has disputed this issue, saying "These reports are credited to malicious person we refused to hire. We have not taken legal action against him only because he is located in India. The vulnerabilites reported can not be reproduced, hence information you provide is contrary to fact." Further investigation by CVE personnel shows that an invalid SQL syntax error could be generated, but it only reveals portions of underlying database structure, which is already available in documentation from the vendor, and it does not appear to lead to path disclosure. Therefore, this issue is not a vulnerability or an exposure, and it probably should be REJECTED. CubeCart 2.0.6 allows remote attackers to obtain sensitive information via an invalid (1) language parameter to index.php, (2) PHPSESSID parameter to index.php, (3) product parameter to tellafriend.php, (4) add parameter to view_cart.php, or (5) product parameter to view_product.php, which reveals the path in a PHP error message. 1013660 20050406 [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure 14064 SurgeFTP 2.2m1 allows remote attackers to cause a denial of service (application hang) via the LEAK command. surgeftp-leak-ftp-dos(20011) 14888 13054 http://www.security.org.sg/vuln/surgeftp22m1.html 1013664 20050407 [SIG^2 G-TEC] SurgeFTP LEAK Command Denial-Of-Service Vulnerability Multiple buffer overflows in Pavuk before 0.9.32 have unknown attack vectors and impact. http://sourceforge.net/project/shownotes.php?release_id=313436 14571 FreeBSD 5.x to 5.4 on AMD64 does not properly initialize the IO permission bitmap used to allow user access to certain hardware, which allows local users to bypass intended access restrictions to cause a denial of service, obtain sensitive information, and possibly gain privileges. FreeBSD-SA-05:03 Unknown vulnerability in AIX 5.3.0, when configured as an NIS client, allows remote attackers to gain root privileges. http://www.niscc.gov.uk/niscc/docs/br-20050405-00278.html?lang=en 14856 IY68825 crontab in Vixie cron 4.1, when running with the -e option, allows local users to read the cron files of other users by changing the file being edited to a symlink. NOTE: there is insufficient information to know whether this is a duplicate of CVE-2001-0235. 13024 20050406 crontab from vixie-cron allows read other users crontabs oval:org.mitre.oval:def:11104 RHSA-2006:0117 RHSA-2005:361 SUSE-SR:2007:007 http://support.avaya.com/elmodocs2/security/ASA-2006-118.htm 24995 20666 19532 20060401-01-U Race condition in Core Utilities (coreutils) 5.2.1, when (1) mkdir, (2) mknod, or (3) mkfifo is running with the -m switch, allows local users to modify permissions of other files. 13053 Multiple unknown vulnerabilities in netapplet in Novell Linux Desktop 9 allow local users to gain root privileges, related to "User input [being] passed to network scripts without verification." SUSE-SR:2005:010 The fib_seq_start function in fib_hash.c in Linux kernel allows local users to cause a denial of service (system crash) via /proc/net/route. [bk-commits-head] 20050319 [PATCH] Fix crash while reading /proc/net/route oval:org.mitre.oval:def:9487 13267 FLSA:157459-3 SUSE-SA:2005:068 RHSA-2005:366 17918 Integer overflow in the exif_process_IFD_TAG function in exif.c in PHP before 4.3.11 may allow remote attackers to execute arbitrary code via an IFD tag that leads to a negative byte count. GLSA-200504-15 http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.33&r2=1.118.2.34&ty=u https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154021 USN-112-1 RHSA-2005:406 RHSA-2005:405 oval:org.mitre.oval:def:10822 APPLE-SA-2005-06-08 MDKSA-2005:072 exif.c in PHP before 4.3.11 allows remote attackers to cause a denial of service (memory consumption and crash) via an EXIF header with a large IFD nesting level, which causes significant stack recursion. USN-112-1 RHSA-2005:406 GLSA-200504-15 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=154025 oval:org.mitre.oval:def:10307 APPLE-SA-2005-06-08 http://cvs.php.net/diff.php/php-src/ext/exif/exif.c?r1=1.118.2.29&r2=1.118.2.30&ty=u MDKSA-2005:072 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0941. Reason: This candidate is a duplicate of CVE-2005-0941. Notes: All CVE users should reference CVE-2005-0941 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. OpenText FirstClass 8.0 client does not properly sanitize strings before passing them to the Windows ShellExecute API, which allows remote attackers to execute arbitrary commands via a UNC path in a bookmark. firstclass-bookmark-command-execution(20032) 13079 15356 1013665 14898 20050408 OpenText FirstClass 8.0 Client Arbitrary File Execution Buffer overflow in the kimgio library for KDE 3.4.0 allows remote attackers to execute arbitrary code via a crafted PCX image file. SUSE-SA:2005:022 DSA-714 14908 ADV-2007-4241 ADV-2005-0331 oval:org.mitre.oval:def:5802 oval:org.mitre.oval:def:11081 http://bugs.kde.org/show_bug.cgi?id=102328 13096 FLSA:178606 RHSA-2005:393 http://www.kde.org/info/security/advisory-20050421-1.txt 201320 103170 28114 Meilad File upload script (up.php) mod for phpBB 2.0.x does not properly limit the types of files that can be uploaded, which allows remote authenticated users to execute arbitrary commands by uploading PHP files, then directly requesting them from the uploads directory. 1013671 20050408 phpBB Upload Script "up.php" Arbitrary File Upload SQL injection vulnerability in modules.php in PostNuke 0.760 RC3 allows remote attackers to execute arbitrary SQL statements via the sid parameter. NOTE: the vendor reports that they could not reproduce the issues for 760 RC3, or for .750. 14868 postnuke-sid-sql-injection(20019) 15371 1013670 http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2679 20050408 Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3 Multiple cross-site scripting vulnerabilities in PostNuke 0.760-RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) module parameter to admin.php or (2) op parameter to user.php. NOTE: the vendor reports that certain issues could not be reproduced for 760 RC3, or for .750. However, the op/user.php issue exists when the pnAntiCracker setting is disabled. 13076 14868 http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2679 http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/user.php.diff?r1=1.18&r2=1.19 postnuke-adminphp-userphp-xss(20018) 13075 15370 1013670 20050408 Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3 The modload op in the Reviews module for PostNuke 0.760-RC3 allows remote attackers to obtain sensitive information via an invalid id parameter, which reveals the path in a PHP error message. postnuke-modules-full-path-disclosure(20020) 1013670 20050408 Sql injection, xss and path disclosure vulnerabilities in PostNuke 0.760-RC3 http://digitalparadox.org/advisories/postnuke.txt SQL injection vulnerability in profile.php in PunBB 1.2.4 allows remote authenticated users to execute arbitrary SQL commands via the id parameter in a change_email action. 13071 14882 20050408 PunBB <= 1.2.4 - change email to become admin exploit Microsoft Outlook 2003 and Outlook Web Access (OWA) 2003 do not properly display comma separated addresses in the From field in an e-mail message, which could allow remote attackers to spoof e-mail addresses. owa-email-spoofing(20026) 20050408 Microsoft Multiple E-Mail Client Address Spoofing Vulnerability Multiple cross-site scripting (XSS) vulnerabilities in orderwiz.php in ModernBill 4.3.0 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) c_code or (2) aid parameters. 1013672 14890 20050410 Multiple ModernBill 4.3.0 And Earlier Vulnerabilities modernbill-orderwiz-xss(20035) 15426 PHP remote file inclusion vulnerability in news.php in ModernBill 4.3.0 and earlier allows remote attackers to execute arbitrary PHP code by modifying the DIR parameter to reference a URL on a remote web server that contains the code. 1013672 20050410 Multiple ModernBill 4.3.0 And Earlier Vulnerabilities modernbill-news-file-include(20036) 15427 14890 TowerBlog 0.6 and earlier stores the login data file under the web root, which allows remote attackers to obtain the MD5 checksums of the username and password via a direct request to the _dat/login file. 1013675 towerblog-datlogin-information-disclosure(20039) 14884 20050410 TowerBlog <= 0.6 Admin Account View [x0n3-h4ck] 15425 Unknown vulnerability in HP OpenView Network Node Manager (NMM) 6.2 through 6.4, and 7.01 through 7.50, allows remote attackers to cause a denial of service. openview-network-node-manager-dos(19993) 13029 HPSBMA01125 15321 1013651 14865 Cisco IOS 12.2T, 12.3 and 12.3T, when using Easy VPN Server XAUTH version 6 authentication, allows remote attackers to bypass authentication via a "malformed packet." 20050406 Vulnerabilities in the Internet Key Exchange Xauth Implementation oval:org.mitre.oval:def:5852 Cisco IOS 12.2T, 12.3 and 12.3T, when processing an ISAKMP profile that specifies XAUTH authentication after Phase 1 negotiation, may not process certain attributes in the ISAKMP profile that specifies XAUTH, which allows remote attackers to bypass XAUTH and move to Phase 2 negotiations. 20050406 Vulnerabilities in the Internet Key Exchange Xauth Implementation oval:org.mitre.oval:def:5738 Linksys WET11 1.5.4 allows remote attackers to change the password without providing the original password via the data parameter to changepw.html. 20050407 Cisco Linksys WET11 Password Resetting Vulnerability linksys-wet11-security-bypass(20008) 13051 14871 Unknown vulnerability in the TCP/IP functionality (TCPIP.NLM) in Novell Netware 6.x allows remote attackers to cause a denial of service (ABEND by Page Fault Processor Exception) via certain packets. 13067 novell-netware-tcpipnlm-dos(20024) 14874 The secure script in LogWatch before 2.6-2 allows attackers to prevent LogWatch from detecting malicious activity via certain strings in the secure file that are later used as part of a regular expression, which causes the parser to crash, aka "logwatch log processing regular expression DoS." https://bugzilla.redhat.com/bugzilla-old/show_bug.cgi?id=137502 RHSA-2005:364 The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to quickly obtain passwords that are 5 characters or less via brute force methods. 20050429 [CAN-2005-1062] Administration protocol abuse allows local/remote password cracking http://www.kerio.com/security_advisory.html http://research.tic.udc.es/scg/advisories/20050429-1.txt The administration protocol for Kerio WinRoute Firewall 6.x up to 6.0.10, Personal Firewall 4.x up to 4.1.2, and MailServer up to 6.0.8 allows remote attackers to cause a denial of service (CPU consumption) via certain attacks that force the product to "compute unexpected conditions" and "perform cryptographic operations." 20050429 [CAN-2005-1063] Administration protocol abuse leads to Service and System Denial of Service http://www.kerio.com/security_advisory.html The copy_symlink function in rsnapshot 1.2.0 and 1.1.x before 1.1.7 changes the ownership of files that a symlink points to rather than the symlink itself, which allows local users to obtain access to arbitrary files. http://www.rsnapshot.org/security/2005/001.html GLSA-200504-12 1013674 14878 20050410 rsnapshot Security Advisory 001 15420 tetex in Novell Linux Desktop 9 allows local users to determine the existence of arbitrary files via a symlink attack in the /var/cache/fonts directory. 13072 SUSE-SR:2005:010 Race condition in rpdump in Pine 4.62 and earlier allows local users to overwrite arbitrary files via a symlink attack. 14899 20050411 rpdump TOCTOU file-permissions vulnerability 15456 Vulnerability in Access_user Class before 1.75 allows local users to gain access as other users via the password "new". 14897 http://freshmeat.net/projects/access_user/?branch_id=53852&release_id=192770 15348 Cross-site scripting (XSS) vulnerability in sCssBoard 1.11 and earlier allows remote attackers to execute arbitrary Javascript via [url] tags. scssboard-url-tag-xss(20021) 13041 http://sourceforge.net/project/shownotes.php?release_id=318346 1013659 14694 Unknown vulnerability in sCssBoard 1.11 and earlier has unknown impact, related to "an exploit on the Profile page." scssboard-profile-unknown(20022) http://sourceforge.net/project/shownotes.php?release_id=318346 1013659 14694 SQL injection vulnerability in index.php in Invision Power Board 1.3.1 Final and earlier allows remote attackers to execute arbitrary SQL commands via the st parameter. invision-memberlist-sql-injection(20059) 1013676 13097 20050411 Invision board 1.3.1 and below are vulnerable to a sql injection vulnerability [PATCH INCLUDED] SQL injection vulnerability in banner.inc.php in JPortal Web Portal 2.3.1 allows remote attackers to execute arbitrary SQL commands via the haslo parameter. 15476 14919 20050412 Sql injection in jPortal version 2.3.1 (module banner) Cross-site scripting (XSS) vulnerability in PunBB before 1.2.5 allows remote attackers to inject arbitrary web script or HTML. http://www.punbb.org/ 14882 Directory traversal vulnerability in index.php for RadScripts RadBids Gold 2 allows remote attackers to read arbitrary files via the read parameter. radbids-gold-php-xss(20038) 13080 20050409 Directory transversal, sql injection and xss vulnerabilities in RadBids Gold v2 15428 14906 SQL injection vulnerability in index.php for RadScripts RadBids Gold 2 allows remote attackers to execute arbitrary SQL commands via the mode parameter. radbids-gold-index-sql-injection(20040) 13080 20050409 Directory transversal, sql injection and xss vulnerabilities in RadBids Gold v2 15429 14906 Multiple cross-site scripting (XSS) vulnerabilities in RadScripts RadBids Gold 2 allow remote attackers to inject arbitrary web script or HTML via (1) the farea parameter to faq.php or the (2) cat, (3) order, or (4) area parameters to index.php. radbids-gold-php-xss(20038) 13080 20050409 Directory transversal, sql injection and xss vulnerabilities in RadBids Gold v2 15431 15430 14906 Cross-site scripting (XSS) vulnerability in the discussion board functionality for WebCT Campus Edition 4.1 allows remote attackers to inject arbitrary web script or HTML via the message field. 13101 20050411 WebCT 4.1 vulnerable to XSS attacks Multiple cross-site scripting (XSS) vulnerabilities in XAMPP 1.4.x allow remote attackers to inject arbitrary web script or HTML via (1) cds.php, (2) Guestbook-EN.pl, or (3) phonebook.php. 13128 13127 13126 20050412 XAMPP XAMPP 1.4.x has multiple default or null passwords, which allows attackers to gain privileges. 13131 20050412 XAMPP SQL injection vulnerability in index.php for zOOm Media Gallery 2.1.2 allows remote attackers to execute arbitrary SQL commands via the catid parameter. http://www.securiteam.com/unixfocus/5LP0G0AFFY.html 14929 20050413 zOOM Media Gallery - Simple SQL Injection discovery Directory traversal vulnerability in the Java Archive Tool (Jar) utility in J2SE SDK 1.4.2 and 1.5, and OpenJDK, allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in filenames in a .jar file. https://bugzilla.redhat.com/show_bug.cgi?id=601823 https://bugzilla.redhat.com/show_bug.cgi?id=594497 http://www.securiteam.com/securitynews/5IP0C0AFGW.html 14902 20050412 7a69Adv#23 - Jar tool directory transversal vulnerability [oss-security] 20100608 Re: jar, fastjar directory traversal vulnerabilities [oss-security] 20100608 jar, fastjar directory traversal vulnerabilities Cross-site scripting (XSS) vulnerability in view.php in AzDGDatingPlatinum 1.1.0 allows remote attackers to inject arbitrary web script or HTML via the id parameter. azdgdating-platinum-viewphp-xss(20052) 13082 20050409 AzDGDatingPlatinum multiple vulnerabilities Multiple SQL injection vulnerabilities in AzDGDatingPlatinum 1.1.0 allows remote attackers to execute arbitrary SQL commands via (1) the id parameter to view.php or (2) the from parameter to members/index.php. azdgdating-platinum-sql-injection(20051) 13082 20050409 AzDGDatingPlatinum multiple vulnerabilities azdgdatingplatinum-view-sql-injection(27436) 20060628 AzDGDatingPlatinum<<--v1.1.0 "view.php" SQL Injection 15525 index.php in aeDating 3.2 allows remote attackers to include arbitrary files via the skin parameter. 14913 SQL injection vulnerability in sdating.php in aeDating 3.2 allows remote attackers to execute arbitrary SQL commands files via the event parameter. 14913 Cross-site scripting (XSS) vulnerability in the control panel in aeDating 3.2 allows remote attackers to inject arbitrary web script or HTML. 14913 Buffer overflow in the cmdIS.DLL plugin for AN HTTPD Server 1.42n allows remote attackers to execute arbitrary code via an HTTP request with a long User-Agent header. an-httpd-cmdisdll-bo(20029) 13066 http://www.security.org.sg/vuln/anhttpd142n.html 15361 1013666 14861 CRLF injection vulnerability in the cmdIS.DLL plugin for AN HTTPD Server 1.42n allows remote attackers to spoof or hide entries in the logfile, and possibly read files using an injected type command, via CRLF sequences in an HTTP request. an-httpd-logfile-character-injection(20031) http://www.security.org.sg/vuln/anhttpd142n.html 15362 1013666 14861 Unknown vulnerability in DameWare NT Utilities 4.8 and earlier, and Mini Remote Control 4.8 and earlier, allows local users to gain additional rights. dameware-elevated-privileges(19997) 13023 1013653 14829 http://www.dameware.com/support/security/bulletin.asp?ID=SB5 18732 Unknown vulnerability in DC++ before 0.674 allows attackers to append data to arbitrary files. 14880 http://dcplusplus.sourceforge.net/index.php?t=8&s=1 15433 Directory traversal vulnerability in the readFile and writeFile API for Maxthon 1.2.0 and 1.2.1 allows remote attackers to read or write arbitrary files. 14918 maxthon-directory-traversal(20033) 13074 http://www.raffon.net/advisories/maxthon/multvulns.html 15423 Maxthon 1.2.0 and 1.2.1 allows remote attackers to bypass the security ID and use restricted plugin API functions via script that includes the max.src file into the source page. http://www.raffon.net/advisories/maxthon/multvulns.html 14918 13073 15424 Lightspeed DeluxeFTP 6.01 stores usernames and passwords in plaintext in sites.xml, which is world-readable, which allows local users to gain privileges. 13105 15421 14923 http://lostmon.blogspot.com/2005/04/deluxeftp-plain-text-passwords.html Buffer overflow in the PopUp Plus 2.0.3.8 plugin for Miranda IM, with "Use SmileyAdd Setting" enabled, allows remote attackers to execute arbitrary code. 13048 http://forums.miranda-im.org/showthread.php?p=9624 popupplus-message-bo(20013) 15482 http://www.miranda-im.org/ 1013661 http://sec.org.il/coverages.php?c=89 http://forums.miranda-im.org/showthread.php?t=1070 FTP Now 2.6.14 stores usernames and passwords in plaintext in sites.xml, which is world-readable, which allows local users to gain privileges. ftpnow-sites-information-disclosure(20025) 1013657 14889 15296 Cross-site scripting (XSS) vulnerability in main.asp for Ocean12 Membership Manager Pro 1.x allows remote attackers to inject arbitrary web script or HTML via the page parameter. ocean12-membershipmgr-mainasp-xss(20014) 13046 15306 http://www.hackerscenter.com/archive/view.asp?id=1865 1013667 14864 SQL injection vulnerability in main.asp for Ocean12 Membership Manager Pro 1.x allows remote attackers to execute arbitrary SQL commands via the UserID parameter. ocean12-membershipmgr-mainasp-sql-injection(20015) 13049 15307 http://www.hackerscenter.com/archive/view.asp?id=1865 1013667 14864 Rebrand P2P Share Spy 2.2 stores the user password in plaintext in the txtPassword value in the registry, which allows local users to gain privileges. 1013673 GetDataBack for NTFS 2.31 stores the username and license key in plaintext in the Name value in the License registry key, which may allow local users to obtain sensitive information. getdataback-ntfs-information-disclosure(19967) 15210 1013644 Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code. 15492 GLSA-200504-10 14941 gld-serverc-bo(20066) http://www.gasmi.net/down/gld-history 1013678 20050413 Gld 1.5 released (security fix) 20050412 GLD (Greylisting daemon for Postfix) multiple vulnerabilities. Format string vulnerability in the ErrorLog function in cnf.c in Greylisting daemon (GLD) 1.3 and 1.4 allows remote attackers to execute arbitrary code via format string specifiers in data that is passed directly to syslog. GLSA-200504-10 14941 gld-cnfc-format-string(20067) 15493 1013678 20050412 GLD (Greylisting daemon for Postfix) multiple vulnerabilities. Multiple buffer overflows in Lotus Domino Server 6.0.5 and 6.5.4 allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via large amounts of data in certain (1) time or (2) date fields. lotus-timedate-bo(20042) http://www.ngssoftware.com/advisories/lotus-01.txt http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202431 20050412 Remote Buffer Overflow in Lotus Domino 15364 14879 Multiple cross-site scripting (XSS) vulnerabilities in template-functions-post.php in WordPress 1.5 and earlier allow remote attackers to execute arbitrary commands via the (1) content or (2) title of the post. http://wordpress.org/support/topic.php?id=30721 GLSA-200506-04 20050412 WordPress XSS and HTML injection http://bugs.gentoo.org/show_bug.cgi?id=88926 Sygate Security Agent (SSA) in Sygate Secure Enterprise 3.5 through 4.1 does not prevent the security policy from being updated by unprivileged users, which allows local users to modify the policy by exporting the policy file, changing it, and importing it back into SSA. 20050412 IRM 011: Sygate,Security Agent (Sygate Secure Enterprise) Fail Open Multiple cross-site scripting (XSS) vulnerabilities in Centra 7 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name fields. 14930 20050412 Centra 7 XSS Exploit Directory traversal vulnerability in the MimeBodyPart.getFileName method in JavaMail 1.3.2 allows remote attackers to write arbitrary files via a .. (dot dot) in the filename in the Content-Disposition header. 20050412 JavaMail allows directory traversal in attachments PictureViewer in QuickTime for Windows 6.5.2 allows remote attackers to cause a denial of service (application crash) via a GIF image with the maximum depth start value, possibly triggering an integer overflow. 20050413 QuickTime for Windows malformed GIF DoS McAfee Internet Security Suite 2005 uses insecure default ACLs for installed files, which allows local users to gain privileges or disable protection by modifying certain files. 20050418 McAfee Internet Security Suite 2005 Insecure File Permission Vulnerability The ij_untrusted_url function in JunkBuster 2.0.2-r2, with single-threaded mode enabled, allows remote attackers to overwrite the referrer field via a crafted HTTP request. junkbuster-ijuntrustedurl-gain-access(20093) 13147 GLSA-200504-11 DSA-713 http://bugs.gentoo.org/show_bug.cgi?id=88537 15502 14932 The filtering of URLs in JunkBuster before 2.0.2-r3 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via heap corruption. junkbuster-heap-corruption(20094) 13146 GLSA-200504-11 DSA-713 http://bugs.gentoo.org/show_bug.cgi?id=88537 15503 14932 Stack-based buffer overflow in the RespondeHTTPPendiente function in the HTTP server for SUMUS 0.2.2 allows remote attackers to execute arbitrary code via a large packet sent to TCP port 81. sumus-respondehttppendiente-bo(20110) 1013717 20050414 sumus[v0.2.2]: (httpd) remote buffer overflow exploit. Race condition in cpio 2.6 and earlier allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by cpio after the decompression is complete. 13159 oval:org.mitre.oval:def:9783 20050413 cpio TOCTOU file-permissions vulnerability USN-189-1 RHSA-2005:806 RHSA-2005:378 15725 DSA-846 20117 18395 18290 17532 17123 16998 SUSE-SR:2006:010 SCOSA-2005.32 SCOSA-2006.2 FreeBSD-SA-06:03 oval:org.mitre.oval:def:358 IBM WebSphere Application Server 6.0 and earlier, when sharing the document root of the web server, allows remote attackers to obtain the source code for Java Server Pages (.jsp) via an HTTP request with an invalid Host header, which causes the page to be processed by the web server instead of the JSP engine. ibm-websphere-information-disclosure(20099) 1013697 14962 20050413 IBM WebSphere Widespread configuration JSP disclosure 13160 15501 Multiple cross-site scripting (XSS) vulnerabilities in PhpBB Plus 1.52 and earlier allow remote attackers to inject arbitrary web script or HTML via the bsid parameter to (1) groupcp.php, (2) index.php, (3) portal.php, (4) viewforum.php, or (5) viewtopic.php, (6) the c parameter to index.php, or (7) the article parameter to portal.php. phpbb-multiple-modules-xss(20085) 20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modules Multiple SQL injection vulnerabilities in album_search.php in Photo Album 2.0.53 for phpBB allow remote attackers to execute arbitrary SQL commands via the (1) mode or (2) search parameters. phpbb-multiple-modules-sql-injection(20086) 13155 http://www.digitalparadox.org/advisories/phpbbp.txt 20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modules 15931 Multiple cross-site scripting (XSS) vulnerabilities in Photo Album 2.0.53 module for phpBB allow remote attackers to inject arbitrary web script or HTML via the bsid parameter to (1) album_cat.php or (2) album_comment.php. 13158 13157 20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modules Cross-site scripting (XSS) vulnerability in the Calendar module for phpBB allow remote attackers to inject arbitrary web script or HTML via the start parameter to calendar_scheduler.php. 20050413 Multiple Sql injection and XSS vulnerabilities in phpBB Plus and below and some of its modules PHP remote file inclusion vulnerability in index.php in All4WWW-Homepagecreator 1.0a allows remote attackers to execute arbitrary PHP code by modifying the site parameter to reference a URL on a remote web server that contains the code. 13169 14972 20050414 All4WWW-Homepagecreator Remote Command Execution Cross-site scripting (XSS) vulnerability in IISWebAgentIF.dll in the RSA Authentication Agent for Web 5.2 allows remote attackers to inject arbitrary web script or HTML via the postdata parameter. VU#366372 rsa-auth-postdata-xss(20098) http://www.oliverkarow.de/research/rsaxss.txt 1013724 14954 13168 Sudo VISudo 1.6.8 and earlier allows local users to corrupt arbitrary files via a symlink attack on temporary files. 13171 Multiple cross-site scripting (XSS) vulnerabilities in IlohaMail 0.8.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the e-mail (1) body, (2) filename, or (3) MIME type. ilohamail-mail-attached-file-xss(20095) 13175 14957 15506 DSA-1010 1013701 19266 Format string vulnerability in the my_xlog function in lib.c for Oops! Proxy Server 1.5.23 and earlier, as called by the auth functions in the passwd_mysql and passwd_pgsql modules, may allow attackers to execute arbitrary code via a URL. 13172 DSA-726 GLSA-200505-02 http://rst.void.ru/papers/advisory24.txt oops-format-string(20191) Format string vulnerability in cgi.c for Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service and possibly execute arbitrary code via an HTTP GET request containing double-encoded format string specifiers (aka "double expansion error"). GLSA-200504-14 14953 15511 http://bugs.gentoo.org/show_bug.cgi?id=87916 Monkey daemon (monkeyd) before 0.9.1 allows remote attackers to cause a denial of service (memory corruption) via a request for a zero byte file. GLSA-200504-14 15512 14953 http://bugs.gentoo.org/show_bug.cgi?id=87916 Unknown vulnerability in the libgss Generic Security Services Library in Solaris 7, 8, and 9 allows local users to gain privileges by loading their own GSS-API. 57734 14971 15516 Race condition in libsafe 2.0.16 and earlier, when running in multi-threaded applications, allows attackers to bypass libsafe protection and exploit other vulnerabilities before the _libsafe_die function call is completed. 13190 20050415 [Overflow.pl] Libsafe - Safety Check Bypass Vulnerability http://www.overflow.pl/adv/libsafebypass.txt The SIOCGIFCONF ioctl (ifconf function) in FreeBSD 4.x through 4.11 and 5.x through 5.4 does not properly clear a buffer before using it, which allows local users to obtain portions of sensitive kernel memory. freebsd-ifconf-information-disclosure(20114) 15514 14959 FreeBSD-SA-05:04 ADV-2005-2256 15252 17368 APPLE-SA-2005-10-31 Format string vulnerability in the log function in Net::Server 0.87 and earlier, as used in Postfix Greylisting Policy Server (Postgrey) 1.18 and earlier, and possibly other products, allows remote attackers to cause a denial of service (crash) via format string specifiers that are not properly handled before being sent to syslog, as demonstrated using sender addresses to Postgrey. 14958 [postgrey] 20050414 ANNOUNCE: Postgrey 1.21 (SECURITY) postgrey-logging-dos(20108) 15517 20050415 Use of function "log" in Perl module Net::Server [postgrey] 20050414 Re: Problem with crashing postgrey [postgrey] 20050414 Problem with crashing postgrey 13193 MDKSA-2006:131 GLSA-200608-18 DSA-1122 DSA-1121 21452 21164 21152 21149 Multiple SQL injection vulnerabilities in VHCS 2.4 and earlier allow remote attackers to execute arbitrary SQL commands via certain inputs from HTTP POST queries. 15541 1013703 eGroupWare 1.0.6 and earlier, when an e-mail is composed with an attachment but not sent, will send that attachment in the next e-mail, which may cause sensitive information to be sent to the wrong recipient. egroupware-email-information-disclosure(20088) 13137 15499 14940 20050412 eGroupWare Leaks Files Cross-site scripting (XSS) vulnerability in index.php in Pinnacle Cart allows remote attackers to inject arbitrary web script or HTML via the pg parameter. pinnaclecart-index-xss(20092) 13138 15485 http://systemsecure.org/board/index.php?showtopic=8 14924 Unknown vulnerability in Veritas i3 Focalpoint Server 7.1 and earlier has unknown attack vectors and unknown but "critical" impact. 13142 http://seer.support.veritas.com/docs/276119.htm 1013694 14934 20040413 Patch available for critical Veritas i3 Server vulnerability 15498 LG U8120 mobile phone allows remote attackers to cause a denial of service (device crash) via a malformed MIDI file. lg-u8120-mobile-phone-dos(20091) 13154 20050413 LG U8120 Mobile Phone Denial of Service 1013777 The POP3 server in IBM iSeries AS/400 returns different error messages when the user exists or not, which allows remote attackers to determine valid user IDs on the server. 13156 20050414 Enumeration of AS/400 users and their status via POP3 SQL injection vulnerability in exit.php for Serendipity 0.8 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) url_id or (2) entry_id parameters. 13161 http://www.s9y.org/63.html#A9 http://www.s9y.org/5.html 15145 serendipity-urlid-entryid-sql-injection(20119) 15542 1013699 20050413 serendipity SQL Injection vulnerability Cross-site scripting (XSS) vulnerability in search.php for Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to inject arbitrary web script or HTML via the q parameter. http://www.waraxe.us/ftopict-651.html 13170 20050415 [ECHO_ADV_12$2005] Vulnerabilities in sphpblog http://echo.or.id/adv/adv12-y3dips-2005.txt Simple PHP Blog (sphpBlog) 0.4.0 stores the (1) password.txt and (2) config.txt files under the web document root, which allows remote attackers to obtain sensitive information and crack passwords via a direct request to these files. http://www.waraxe.us/ftopict-651.html 20050415 [ECHO_ADV_12$2005] Vulnerabilities in sphpblog http://echo.or.id/adv/adv12-y3dips-2005.txt Simple PHP Blog (sphpBlog) 0.4.0 allows remote attackers to obtain sensitive information via a direct request to sb_functions.php, which leaks the full pathname in a PHP error message. 20050415 [ECHO_ADV_12$2005] Vulnerabilities in sphpblog http://echo.or.id/adv/adv12-y3dips-2005.txt Unknown vulnerability in WebMail in Kerio MailServer before 6.0.9 allows remote attackers to cause a denial of service (CPU consumption) via certain e-mail messages. http://www.kerio.com/kms_history.html 1013708 Opera 8 Beta 3, when using first-generation vetted digital certificates, displays the Organizational information of an SSL certificate, which is easily spoofed and can facilitate phishing attacks. http://www.geotrust.com/resources/advisory/sslorg/sslorg-advisory.htm 13176 http://www.geotrust.com/resources/advisory/sslorg/index.htm opera-ssl-spoofing(40503) SUSE-SA:2005:031 Cross-site scripting (XSS) vulnerability in myBloggie 2.1.1 allows remote attackers to inject arbitrary web script or HTML via the comments. 13192 20050415 myBloggie 2.1.1 Integer overflow in the readpgm function in pnm.c for GOCR 0.40, when using the netpbm library, allows remote attackers to execute arbitrary code via a PNM file with large width and height values, which leads to a heap-based buffer overflow. http://www.overflow.pl/adv/gocr.txt 20050415 [Overflow.pl] GOCR - Multiple vulnerabilities Heap-based buffer overflow in the readpgm function in pnm.c for GOCR 0.40, when it is not using netpbm, allows remote attackers to execute arbitrary code via a P3 format PNM file with more data than implied by its width and height values. http://www.overflow.pl/adv/gocr.txt 20050415 [Overflow.pl] GOCR - Multiple vulnerabilities Cross-site scripting (XSS) vulnerability in index.php in EasyPHPCalendar before 6.2.8 allows remote attackers to inject arbitrary web script or HTML via the yr parameter. http://www.snkenjoi.com/secadv/secadv4.txt 15544 1013704 http://docs.easyphpcalendar.com/Change%20Log/changeLog.htm popup.php in EasyPHPCalendar before 6.2.8 allows remote attackers to obtain sensitive information via an invalid ev parameter, which reveals the full pathname of the web server in a PHP error message. Version 6.2.8 and above are fixed. http://www.snkenjoi.com/secadv/secadv4.txt 15545 1013704 http://docs.easyphpcalendar.com/Change%20Log/changeLog.htm ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in calendar.pl in CalendarScript 3.20 allows remote attackers to inject arbitrary web script or HTML via the template parameter, a different vulnerability than CVE-2005-1146. http://www.snkenjoi.com/secadv/secadv3.txt 15547 1013705 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. Cross-site scripting (XSS) vulnerability in the login command in calendar.pl in CalendarScript 3.21 allows remote attackers to inject arbitrary web script or HTML via the username parameter, a different vulnerability than CVE-2005-1145. calendarscript-calendarpl-xss(20103) http://www.snkenjoi.com/secadv/secadv3.txt 1013705 calendar.pl in CalendarScript 3.20 allows remote attackers to obtain sensitive information via invalid (1) calendar or (2) template parameters, which leaks the full pathname and debug information. calendarscript-path-disclosure(20102) http://www.snkenjoi.com/secadv/secadv3.txt 15546 1013705 calendar.pl in CalendarScript 3.21 allows remote attackers to obtain sensitive information via invalid (1) year or (2) month parameters, which leaks the full pathname and debug information. calendarscript-path-disclosure(20102) http://www.snkenjoi.com/secadv/secadv3.txt 1013705 SQL injection vulnerability in admin/login.asp in aspclick.it ACNews 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameters. 13148 15494 1013681 Unknown vulnerability in Sun Java System Web Server 6.0 SP7 and earlier, when running on Windows systems, allows attackers to cause a denial of service (hang). 57760 14961 15504 qpopper 4.0.5 and earlier does not properly drop privileges before processing certain user-supplied files, which allows local users to overwrite or create arbitrary files as root. DSA-728 GLSA-200505-17 http://bugs.gentoo.org/show_bug.cgi?id=90622 15505 15478 15475 popauth.c in qpopper 4.0.5 and earlier does not properly set the umask, which may cause qpopper to create files with group or world-writable permissions. DSA-728 GLSA-200505-17 http://bugs.gentoo.org/show_bug.cgi?id=90622 http://bugs.gentoo.org/attachment.cgi?id=58329&action=view 15505 15478 15475 Firefox before 1.0.3 and Mozilla Suite before 1.7.7, when blocking a popup, allows remote attackers to execute arbitrary code via a javascript: URL that is executed when the user selects the "Show javascript" option. RHSA-2005:386 RHSA-2005:383 GLSA-200504-18 14992 14938 https://bugzilla.mozilla.org/show_bug.cgi?id=289204 http://www.mozilla.org/security/announce/mfsa2005-35.html oval:org.mitre.oval:def:9584 15495 RHSA-2005:384 SCOSA-2005.49 oval:org.mitre.oval:def:100023 Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary script in other domains via a setter function for a variable in the target domain, which is executed when the user visits that domain, aka "Cross-site scripting through global scope pollution." https://bugzilla.mozilla.org/show_bug.cgi?id=289675 RHSA-2005:386 RHSA-2005:383 GLSA-200504-18 14992 14938 http://www.mozilla.org/security/announce/mfsa2005-36.html oval:org.mitre.oval:def:10339 15495 13230 RHSA-2005:384 SCOSA-2005.49 oval:org.mitre.oval:def:100022 The favicon functionality in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to execute arbitrary code via a <LINK rel="icon"> tag with a javascript: URL in the href attribute, aka "Firelinking." VU#973309 https://bugzilla.mozilla.org/show_bug.cgi?id=290036 RHSA-2005:386 RHSA-2005:383 GLSA-200504-18 14992 14938 15495 13216 RHSA-2005:384 http://www.mozilla.org/security/announce/mfsa2005-37.html http://www.mikx.de/firelinking/ oval:org.mitre.oval:def:10655 SCOSA-2005.49 oval:org.mitre.oval:def:100021 Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to execute arbitrary script and code via a new search plugin using sidebar.addSearchEngine, aka "Firesearching 1." https://bugzilla.mozilla.org/show_bug.cgi?id=290037 mozilla-plugin-xss(20125) 13211 RHSA-2005:386 RHSA-2005:383 GLSA-200504-18 1013745 14996 14992 14938 http://www.mozilla.org/security/announce/mfsa2005-38.html http://www.mikx.de/firesearching/ oval:org.mitre.oval:def:11230 15495 RHSA-2005:384 SCOSA-2005.49 oval:org.mitre.oval:def:100020 Firefox before 1.0.3, Mozilla Suite before 1.7.7, and Netscape 7.2 allows remote attackers to replace existing search plugins with malicious ones using sidebar.addSearchEngine and the same filename as the target engine, which may not be displayed in the GUI, which could then be used to execute malicious script, aka "Firesearching 2." https://bugzilla.mozilla.org/show_bug.cgi?id=290037 mozilla-plugin-xss(20125) 13211 RHSA-2005:386 RHSA-2005:383 14996 14992 14938 http://www.mozilla.org/security/announce/mfsa2005-38.html http://www.mikx.de/firesearching/ oval:org.mitre.oval:def:9961 15495 RHSA-2005:384 SCOSA-2005.49 Multiple "missing security checks" in Firefox before 1.0.3 allow remote attackers to inject arbitrary Javascript into privileged pages using the _search target of the Firefox sidebar. https://bugzilla.mozilla.org/show_bug.cgi?id=290079 RHSA-2005:383 14938 http://www.mozilla.org/security/announce/mfsa2005-39.html oval:org.mitre.oval:def:11734 13231 oval:org.mitre.oval:def:100019 The native implementations of InstallTrigger and other functions in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 do not properly verify the types of objects being accessed, which causes the Javascript interpreter to continue execution at the wrong memory address, which may allow attackers to cause a denial of service (application crash) and possibly execute arbitrary code by passing objects of the wrong type. https://bugzilla.mozilla.org/show_bug.cgi?id=290162 mozilla-installtrigger-command-execution(20123) 13232 RHSA-2005:386 RHSA-2005:383 GLSA-200504-18 1013743 1013742 14992 14938 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-40.html oval:org.mitre.oval:def:10629 15495 RHSA-2005:601 RHSA-2005:384 SUSE-SA:2006:022 19823 SCOSA-2005.49 oval:org.mitre.oval:def:100018 The privileged "chrome" UI code in Firefox before 1.0.3 and Mozilla Suite before 1.7.7 allows remote attackers to gain privileges by overriding certain properties or methods of DOM nodes, as demonstrated using multiple attacks involving the eval function or the Script object. https://bugzilla.mozilla.org/show_bug.cgi?id=289961 https://bugzilla.mozilla.org/show_bug.cgi?id=289083 https://bugzilla.mozilla.org/show_bug.cgi?id=289074 RHSA-2005:386 RHSA-2005:383 GLSA-200504-18 14992 14938 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-41.html oval:org.mitre.oval:def:11291 15495 13233 RHSA-2005:601 RHSA-2005:384 SUSE-SA:2006:004 19823 SCOSA-2005.49 oval:org.mitre.oval:def:100017 Multiple SQL injection vulnerabilities in OneWorldStore allow remote attackers to execute arbitrary SQL commands via the idProduct parameter to (1) owAddItem.asp or (2) owProductDetail.asp, (3) idCategory parameter to owListProduct.asp, or (4) bSpecials parameter to owListProduct.asp. 13183 13182 13181 14969 oneworldstore-product-category-sql-injection(20097) 15520 15519 15518 http://www.oneworldstore.com/support_security_issue_updates.asp#April_15_2005_DCrab 1013720 20050414 Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore Multiple cross-site scripting (XSS) vulnerabilities in OneWorldStore allow remote attackers to inject arbitrary web script or HTML via the (1) sEmail parameter to owContactUs.asp, (2) bSub parameter to owListProduct.asp, or the (3) Name, (4) Email, or (5) Comment fields in owProductDetail.asp. 13186 13185 13184 1013720 14969 oneworldstore-xss(20096) 15523 15522 15521 http://www.oneworldstore.com/support_security_issue_updates.asp#April_15_2005_DCrab 20050414 Multiple multiple sql injection/errors and xss vulnerabilities in OneWorldStore Multiple buffer overflows in Yager 5.24 and earlier allow remote attackers execute arbitrary code via (1) a crafted nickname or (2) a packet with a large amount of data. yager-datablock-bo(20101) yager-nickname-bo(20100) 13178 13177 15508 15507 14967 http://aluigi.altervista.org/adv/yagerbof-adv.txt 20050414 Multiple vulnerabilities in Yager 5.24 Yager 5.24 and earlier allows remote attackers to cause a denial of service (application hang) via a packet with a game header that provides less data than indicated by the length. yager-freeze-datablock-dos(20104) 13179 15509 14967 http://aluigi.altervista.org/adv/yagerbof-adv.txt 20050414 Multiple vulnerabilities in Yager 5.24 Yager 5.24 and earlier allows remote attackers to cause a denial of service (application crash) via certain malformed data. yager-corrupt-data-dos(20105) http://aluigi.altervista.org/adv/yagerbof-adv.txt 20050414 Multiple vulnerabilities in Yager 5.24 The DNTUS26 process in Dameware NT Utilities and the DWRCS process in MiniRemote Control 4.9 and earlier stores the username and password in cleartext in memory, which could allow attackers to obtain sensitive information. http://www.shellsec.net/leer_advisory.php?id=7 1013725 20050415 Dameware NT Utilities and MiniRemote Control <= 4.9 vulnerability 15275 Musicmatch 10.00.2047 and earlier store log files in the Program Files directory instead of the user profile, which may allow local users to obtain sensitive information. http://www.hyperdose.com/advisories/H2005-02.txt 20050415 Improper log file storage in Musicmatch software DiagCollectionControl.dll in Musicmatch 10.00.2047 and earlier allows remote attackers to overwrite arbitrary files via the bstrSavePath argument. 13167 20050415 Arbitrary file overwrite possible by Musicmatch ActiveX control Mafia Blog .4 BETA does not properly protect the admin directory, which allows remote attackers to execute arbitrary PHP code by using writeinfo.php to inject the code into info.php. 13194 20050415 Mafia Blog http://chrisnowak.org/projects/mafia/ SQL injection vulnerability in mod.php in the datenbank module for phpBB allows remote attackers to execute arbitrary SQL commands via the id parameter. 20050416 phpBB datenbank mod has XSS/SQL Injection in the id variable Cross-site scripting (XSS) vulnerability in mod.php in the datenbank module for phpBB allows remote attackers to inject arbitrary web script or HTML via the id parameter. 20050416 phpBB datenbank mod has XSS/SQL Injection in the id variable phpbb-modphp-xss(20146) 13210 15812 Cross-site scripting (XSS) vulnerability in init.inc.php in Coppermine Photo Gallery 1.3.x allows remote attackers to inject arbitrary web script or HTML via the X-Forwarded-For parameter. 13218 15004 http://coppermine.sourceforge.net/board/index.php?topic=17134 20050418 Vulnerability in Coppermine Photo Gallery 1.3.* Buffer overflow in PMSoftware Simple Web Server 1.0 allows remote attackers to execute arbitrary code via a long GET request. 20050418 ERNW Security Advisory 01/2005 MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory. VU#259798 http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt 20050712 MITKRB5-SA-2005-002: buffer overflow, heap corruption in KDC ADV-2006-2074 ADV-2005-1066 oval:org.mitre.oval:def:10229 kerberos-kdc-krb5-tcp-connection-dos(21327) USN-224-1 TLSA-2005-78 2005-0036 14240 RHSA-2005:567 SUSE-SR:2005:017 DSA-757 IY85474 101809 1014460 20364 17899 16041 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 20050703-01-U oval:org.mitre.oval:def:397 Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request. VU#885830 DSA-757 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt ADV-2006-2074 ADV-2005-1066 oval:org.mitre.oval:def:9902 kerberos-kdc-krb5-udp-tcp-bo(21328) USN-224-1 TLSA-2005-78 2005-0036 14236 RHSA-2005:567 RHSA-2005:562 SUSE-SR:2005:017 IY85474 101809 1014460 20364 17899 17135 16041 20050712 MITKRB5-SA-2005-002: buffer overflow, heap corruption in KDC APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 20050703-01-U oval:org.mitre.oval:def:736 Race condition in JFS2 on AIX 5.2 and 5.3, when deleting a file while I/O is still occurring for that file, may write data to a different file, which could leak sensitive information. aix-jfs2-race-condition(20604) IY70034 IY70032 Unknown vulnerability in (1) Webmin and (2) Usermin before 1.200 causes Webmin to change permissions and ownership of configuration files, with unknown impact. webmin-config-file-permissions(20607) 1013723 http://www.webmin.com/uchanges.html http://www.webmin.com/changes.html SQL injection vulnerability in Oracle Forms 10g allows remote attackers to execute arbitrary SQL commands via the Query/Where feature. oracle-forms-query-where-popup-sql-injection(20080) http://www.securiteam.com/securitynews/5HP0I0UFFI.html http://www.red-database-security.com/wp/sql_injection_forms_us.pdf Unknown vulnerability in Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, related to SNMP authentication, allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-0703. xerox-workcentre-snmp-auth-bypass(20192) http://www.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf 13196 14507 HTTP Response Splitting vulnerability in the Surveys module in PHP-Nuke 7.6 allows remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences in the forwarder parameter. php-nuke-http-response-splitting(20116) 15647 http://www.digitalparadox.org/advisories/pnuke.txt 14965 20050415 Http Response Splitting Vulnerability In PHP-NUKE 7.6 and below ** DISPUTED ** NOTE: this issue has been disputed by the vendor. PHP remote code injection vulnerability in loader.php for Ariadne CMS 2.4 allows remote attackers to execute arbitrary PHP code by modifying the ariadne parameter to reference a URL on a remote web server that contains the code. NOTE: the vendor has disputed this issue, saying that loader.php first requires the "ariadne.inc" file, which defines the $ariadne variable, and thus it cannot be modified by an attacker. In addition, CVE personnel have partially verified the dispute via source code inspection of Ariadne 2.4 as available on July 5, 2005. ariadne-loaderphp-file-include(20611) 15549 1013721 Unknown vulnerability in Incoming Remote Command (iSeries Access for Windows Remote Command service) in IBM OS/400 R510, R520, and R530 allows attackers to cause a denial of service (IRC shutdown) via certain inputs. ibm-irc-dos(20612) http://www-1.ibm.com/support/docview.wss?uid=nas29afd3991f5f290b086256fdb0053b293 14970 Cross-site scripting (XSS) vulnerability in mvnForum 1.0 RC4 allows remote attackers to inject arbitrary web script or HTML via the Search parameter. mvnforum-search-xss(20613) 13213 15760 The TCP/IP stack in multiple operating systems allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the correct sequence number but the wrong Acknowledgement number, which generates a large number of "keep alive" packets. NOTE: some followups indicate that this issue could not be replicated. 13215 20050418 Re: TCP/IP Stack Vulnerability 20050418 Re: TCP/IP Stack Vulnerability 20050416 TCP/IP Stack Vulnerability multiple-tcpip-dos(40502) Unquoted Windows search path vulnerability in Musicmatch Jukebox 10.00.2047 and earlier allows local users to gain privileges via a malicious C:\program.exe file, which is run by MMFWLaunch.exe when it attempts to execute launch.exe. http://www.hyperdose.com/advisories/H2005-05.txt 1013718 jukebox-mmfwlaunch-gain-privileges(20129) 20050414 Trojan file issue in Musicmatch software Musicmatch Jukebox 10.00.2047 and earlier adds the musicmatch.com domain to the Trusted Sites zone in Internet Explorer, which allows systems in the domain to conduct unauthorized activities, as demonstrated using cross-site scripting (XSS) attacks. http://www.hyperdose.com/advisories/H2005-04.txt 1013718 20050414 Trusted Site Cross Site Scripting Elevation of Privilege in Musicmatch jukebox-mmfwlaunch-gain-privileges(20129) Heap-based buffer overflow in WinHex 12.05 SR-14, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. NOTE: since this overflow is in the command line of an unprivileged program, it is highly likely that this is not a vulnerability. winhex-filename-bo(20139) http://www.unl0ck.org/files/papers/winhex.txt 1013727 Cross-site scripting (XSS) vulnerability in comersus_searchItem.asp in Comersus 3.90 to 4.51 allows remote attackers to inject arbitrary web script or HTML via the curPage parameter. 13125 comersus-comersussearchitem-xss(20147) 15539 1013747 http://lostmon.blogspot.com/2005/04/comersus-asp-shopping-cart-variable.html Cross-site scripting (XSS) vulnerability in WebcamXP PRO v2.16.468 and earlier allows remote attackers to inject arbitrary web script or HTML via the chat name, as demonstrated by using an IFRAME to redirect users to other sites. The vulnerability has reportedly been fixed in the beta version 2.16.478. webcamxp-chat-xss(20166) 1013753 14999 WebcamXP PRO v2.16.468 and earlier allows remote attackers to cause a denial of service via a long chat name, which takes up too much display space and prevents the chat frame from being properly rendered. 1013753 webcamxp-chatname-dos(20615) The Web View DLL (webvw.dll), as used in Windows Explorer on Windows 2000 systems, does not properly filter an apostrophe ("'") in the author name in a document, which allows attackers to execute arbitrary script via extra attributes when Web View constructs a mailto: link for the preview pane when the user selects the file. 13248 http://security.greymagic.com/security/advisories/gm015-ie windows-web-view-command-execution(20380) ADV-2005-0509 20050419 File Selection May Lead to Command Execution (GM#015-IE) MS05-024 oval:org.mitre.oval:def:3585 Unknown vulnerability in HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23, when running TCP/IP on IPv4, allows remote attackers to cause a denial of service via certain packets, related to the PMTU, a different vulnerability than CVE-2004-1060. SSRT5954 HPSBUX01137 13367 262 oval:org.mitre.oval:def:935 oval:org.mitre.oval:def:1607 oval:org.mitre.oval:def:1552 oval:org.mitre.oval:def:1533 oval:org.mitre.oval:def:1407 The bbencode_second_pass and make_clickable functions in bbcode.php for phpBB before 2.0.15, as used in viewtopic.php, privmsg.php, and other scripts, allow remote attackers to execute arbitrary script via a BBcode tag with a (1) javascript:, (2) applet:, (3) about:, (4) activex:, (5) chrome:, or (6) script: URI scheme, as demonstrated using the URL tag. VU#113196 13545 http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=288194 1013918 15298 phpbb-url-bbcode-file-include(20574) 16439 1014117 20050507 phpbb 2.0.15 released - patches high critical vuln 20050508 phpbb 2.0.15 released - patches high critical vuln http://castlecops.com/t123194-.html Stack-based buffer overflow in the ieee_putascii function for nasm 0.98 and earlier allows attackers to execute arbitrary code via a crafted asm file, a different vulnerability than CVE-2004-1287. RHSA-2005:381 13506 oval:org.mitre.oval:def:11256 Multiple heap-based buffer overflows in the code used to handle (1) MMS over TCP (MMST) streams or (2) RealMedia RTSP streams in xine-lib before 1.0, and other products that use xine-lib such as MPlayer 1.0pre6 and earlier, allow remote malicious servers to execute arbitrary code. http://www.mplayerhq.hu/homepage/design7/news.html#vuln11 http://www.mplayerhq.hu/homepage/design7/news.html#vuln10 15014 mplayer-mmst-stream-bo(20175) mplayer-rtsp-stream-bo(20171) 13271 20050421 [PLSN-0003] - Remote exploits in MPlayer 15712 15711 GLSA-200504-19 1013771 20050421 xine security announcement: multiple heap overflows in MMS and Real RTSP streaming clients http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/mms.c?r1=1.55&r2=1.56&diff_format=u http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/librtsp/rtsp.c?r1=1.18&r2=1.19&diff_format=u SQL injection vulnerability in kb.php in the Knowledge Base module for phpBB allows remote attackers to obtain sensitive information and execute SQL commands via the cat parameter. 20050418 phpBB - Knowledge Base MOD - SQL-Injection and Full Path Disclosure SQL injection vulnerability in the SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CHANGE_SET procedure in Oracle Database Server 10g allows remote attackers to execute arbitrary SQL commands via the CHANGE_SET_NAME parameter. TA05-117A VU#948486 http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf 20050418 [AppSecInc Team SHATTER Security Advisory] SQL Injection in CREATE_SCN_CHANGE_SET procedure Directory traversal vulnerability in apexec.pl for Anaconda Foundation Directory allows remote attackers to read arbitrary files via hex-encoded null characters (%00) in the middle of ".." sequences in the template parameter. 20050419 Directoy Traversal Attack in apexec.pl (.%00./-Bug) SQL injection vulnerability in printthread.php in UBB.Threads allows remote attackers to execute arbitrary SQL commands via the main parameter. 15024 13253 15698 20050419 UBB Thread printthread.php SQL Injection PHP remote file inclusion vulnerability in main_index.php in AZ Bulletin Board (AZbb) 1.0.07a through 1.0.07c allows remote attackers to execute arbitrary PHP code by modifying the (1) dir_src or (2) abs_layer parameter to reference a URL on a remote web server that contains the code. 15013 http://azbb.cyaccess.com/azbb.php?1091778548 az-bulletin-board-file-include(20181) http://www.gulftech.org/?node=research&article_id=00068-04192005 20050420 Multiple Security Issues Found In AZBB Multiple directory traversal vulnerabilities in AZ Bulletin board (AZbb) before 1.0.08 allow (1) remote authenticated users with administrative privileges to delete arbitrary files via a .. (dot dot) in the URL to admin_avatar.php or admin_attachment.php or (2) remote attackers to enumerate files via a .. (dot dot) in the attachment parameter to attachment.php, which displays a different message when a file exists or does not exist. 15013 http://azbb.cyaccess.com/azbb.php?1091778548 az-bulletin-board-file-existence(20183) az-bulletin-board-file-modification(20180) 15702 15701 http://www.gulftech.org/?node=research&article_id=00068-04192005 20050420 Multiple Security Issues Found In AZBB Multiple cross-site scripting (XSS) vulnerabilities in eGroupware before 1.0.0.007 allow remote attackers to inject arbitrary web script or HTML via the (1) ab_id, (2) page, (3) type, or (4) lang parameter to index.php or (5) category_id parameter. 13212 http://sourceforge.net/project/shownotes.php?release_id=320768 GLSA-200504-24 14982 15751 http://www.gulftech.org/?node=research&article_id=00069-04202005 20050420 Multiple eGroupware Vulnerabilities Multiple SQL injection vulnerabilities in index.php in eGroupware before 1.0.0.007 allow remote attackers to execute arbitrary SQL commands via the (1) filter or (2) cats_app parameter. 13212 http://sourceforge.net/project/shownotes.php?release_id=320768 GLSA-200504-24 14982 15753 http://www.gulftech.org/?node=research&article_id=00069-04202005 20050420 Multiple eGroupware Vulnerabilities Desktop Rover 3.0, and possibly earlier versions, allows remote attackers to cause a denial of service (application crash) via a crafted packet to TCP port 61427, which causes an invalid memory access. http://www.evilpacket.net/advisories/EP-000-0003.html 15032 20050420 Neslo Desktop Rover Remote DoS Vulnerability The Telnet client for Microsoft Windows XP, Windows Server 2003, and Windows Services for UNIX allows remote attackers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. VU#800829 MS05-033 15690 20050614 Multiple Vendor Telnet Client Information Disclosure Vulnerability 13940 1014203 oval:org.mitre.oval:def:784 oval:org.mitre.oval:def:605 oval:org.mitre.oval:def:1132 Buffer overflow in the Server Message Block (SMB) functionality for Microsoft Windows 2000, XP SP1 and SP2, and Server 2003 and SP1 allows remote attackers to execute arbitrary code via unknown vectors, aka the "Server Message Block Vulnerability." TA05-165A VU#489397 MS05-027 15694 oval:org.mitre.oval:def:467 oval:org.mitre.oval:def:259 oval:org.mitre.oval:def:1142 Buffer overflow in the Web Client service in Microsoft Windows XP and Windows Server 2003 allows remote authenticated users to execute arbitrary code via a crafted WebDAV request containing special parameters. MS05-028 15696 oval:org.mitre.oval:def:721 oval:org.mitre.oval:def:1255 Integer overflow in Microsoft Windows 98, 2000, XP SP2 and earlier, and Server 2003 SP1 and earlier allows remote attackers to execute arbitrary code via a crafted compiled Help (.CHM) file with a large size field that triggers a heap-based buffer overflow, as demonstrated using a "ms-its:" URL in Internet Explorer. TA05-165A VU#851869 MS05-026 15683 20050614 eEye Advisory - EEYEB-20050316 - HTML Help File Parsing Buffer Overflow 13953 oval:org.mitre.oval:def:463 oval:org.mitre.oval:def:381 oval:org.mitre.oval:def:1057 Buffer overflow in the PNG image rendering component of Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted PNG file. TA05-165A VU#189754 MS05-025 13941 1014201 oval:org.mitre.oval:def:782 oval:org.mitre.oval:def:770 oval:org.mitre.oval:def:258 oval:org.mitre.oval:def:1239 oval:org.mitre.oval:def:1115 Buffer overflow in Microsoft Step-by-Step Interactive Training (orun32.exe) allows remote attackers to execute arbitrary code via a bookmark link file (.cbo, cbl, or .cbm extension) with a long User field. MS05-031 15669 20050614 Microsoft Windows Interactive Training Buffer Overflow Vulnerability 13944 1014194 oval:org.mitre.oval:def:1224 Stack-based buffer overflow in the news reader for Microsoft Outlook Express (MSOE.DLL) 5.5 SP2, 6, and 6 SP1 allows remote malicious NNTP servers to execute arbitrary code via a LIST response with a long second field. VU#130614 MS05-030 20050614 Microsoft Outlook Express NNTP Response Parsing Buffer Overflow Vulnerability 13951 1014200 oval:org.mitre.oval:def:989 oval:org.mitre.oval:def:167 oval:org.mitre.oval:def:1088 Microsoft Agent allows remote attackers to spoof trusted Internet content and execute arbitrary code by disguising security prompts on a malicious Web page. MS05-032 15689 13948 oval:org.mitre.oval:def:906 oval:org.mitre.oval:def:682 oval:org.mitre.oval:def:1194 Microsoft ISA Server 2000 allows remote attackers to poison the ISA cache or bypass content restriction policies via a malformed HTTP request packet containing multiple Content-Length headers. MS05-034 15693 13956 1014193 oval:org.mitre.oval:def:1145 Microsoft ISA Server 2000 allows remote attackers to connect to services utilizing the NetBIOS protocol via a NetBIOS connection with an ISA Server that uses the NetBIOS (all) predefined packet filter. VU#367077 MS05-034 15693 13954 1014193 oval:org.mitre.oval:def:468 The Microsoft Windows kernel in Microsoft Windows 2000 Server, Windows XP, and Windows Server 2003 allows remote attackers to cause a denial of service (crash) via crafted Remote Desktop Protocol (RDP) requests. TA05-221A VU#490628 14259 MS05-041 http://www.microsoft.com/technet/security/advisory/904797.mspx [Dailydave] 20050714 SPIKE actually scores. http://security-protocols.com/modules.php?name=News&file=article&sid=2783 20050715 Any info on potential 0day RDP vuln? oval:org.mitre.oval:def:618 oval:org.mitre.oval:def:609 oval:org.mitre.oval:def:376 oval:org.mitre.oval:def:346 oval:org.mitre.oval:def:180 oval:org.mitre.oval:def:100092 Buffer overflow in the Microsoft Color Management Module for Windows allows remote attackers to execute arbitrary code via an image with crafted ICC profile format tags. TA05-193A VU#720742 MS05-036 16004 14214 oval:org.mitre.oval:def:769 oval:org.mitre.oval:def:440 oval:org.mitre.oval:def:330 oval:org.mitre.oval:def:1280 oval:org.mitre.oval:def:1125 Shoutbox SCRIPT 3.0.2 and earlier allows remote attackers to obtain sensitive information via a direct request to db/settings.dat, which displays usernames and password hashes. knusperleicht-settings-info-disclosure(20177) 15695 15015 20050419 Shoutbox SCRIPT <= 3.0.2 Administrative MD5 Username and Password Retrieval [x0n3-h4ck] SQL injection vulnerability in login.asp for Ecommerce-Carts EcommPro 3.0 allows remote attackers to execute arbitrary SQL commands via the password field. ecomm-pro-sql-injection(20200) http://www.ihssecurity.com/download/advisory/ecomerce-cart.txt 20050419 Ecommerce-Carts SQL injection vulnerability ( IHSTeam ) cat_for_gen.php in Annuaire Netref 4.2 allows remote attackers to execute arbitrary PHP code by setting the ad_direct parameter to reference cat_for_gen.php, then including the code in the m_for_racine parameter, which is then written to cat_for_gen.php. netref-catforgen-code-execution(20198) 15717 15040 20050419 Annuaire Netref v4.2 [ fwrite php ] vulnerability Multiple SQL injection vulnerabilities in Ocean12 Calendar manager 1.01 allow remote attackers to execute arbitrary SQL commands via the Admin_id field. ocean12-calendar-manager-sql-injection(20174) 1013762 15026 20050420 [HSC Security Group] Ocean12 Calendar manager 1.01 SQL injection Multiple SQL injection vulnerabilities in DUware DUportal Pro 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) nChannel parameter to default.asp, cat.asp, or detail.asp, (2) the iChannel parameter to search.asp, default.asp, result.asp, cat.asp, or detail.asp (3) the iCat parameter to cat.asp or detail.asp, (4) the iData parameter to detail.asp or result.asp, the (5) POL_ID, (6) POL_PARENT, (7) POL_CATEGORY, (8) CHA_NAME, or (9) CHA_ID parameters to inc_vote.asp, or the (10) tfm_order or (11) tfm_orderby parameters to toppages.asp, a different set of vulnerabilities than CVE-2005-1236. duportal-multiple-sql-injection(20197) http://www.securiteam.com/windowsntfocus/5TP0O0AFFQ.html 15031 duportal-default-cat-sql-injection(30671) 13285 20061202 [Aria-Security Team] DuWare DuPortal SQL Injection Vuln 20050420 DUportal Pro 3.4 has MANY Sql injection and Sql Errors. SQL injection vulnerability in Coppermine Photo Gallery 1.3.2 allows remote attackers to execute arbitrary SQL commands via the favs parameter to (1) init.inc.php or (2) zipdownload.php. 15004 coppermine-initincphp-sql-injection(20205) http://www.waraxe.us/advisory-42.html 20050420 [waraxe-2005-SA#042] - Multiple vulnerabilities in Coppermine Photo Gallery 1.3.2 Coppermine Photo Gallery 1.3.2 stores passwords in plaintext, which allows remote attackers to obtain sensitive information. coppermine-password-plaintext(20206) http://www.waraxe.us/advisory-42.html 20050420 [waraxe-2005-SA#042] - Multiple vulnerabilities in Coppermine Photo Gallery 1.3.2 Cross-site scripting (XSS) vulnerability in PHProjekt 4.2 and earlier allows remote attackers to inject arbitrary web script or HTML via the chatroom text submission form. phprojekt-url-tag-xss(20212) 15720 15039 20050420 Secure Science Corporation Application Software Advisory 055 Directory traversal vulnerability in gunzip -N in gzip 1.2.4 through 1.3.5 allows remote attackers to write to arbitrary directories via a .. (dot dot) in the original filename within a compressed file. TA06-214A http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305255 gzip-n-directory-traversal(20199) ADV-2006-3101 15047 oval:org.mitre.oval:def:11057 19289 15721 DSA-752 101816 SSA:2006-262 22033 21253 18100 RHSA-2005:357 20050420 gzip directory traversal vulnerability APPLE-SA-2006-08-01 SCOSA-2005.58 oval:org.mitre.oval:def:382 oval:org.mitre.oval:def:170 Directory traversal vulnerability in cpio 2.6 and earlier allows remote attackers to write to arbitrary directories via a .. (dot dot) in a cpio file. cpio-directory-traversal(20204) USN-189-1 13291 17939 MDKSA-2007:233 DSA-846 27857 20117 18395 18290 17123 16998 20050420 cpio directory traversal vulnerability SUSE-SR:2006:010 SCOSA-2005.32 SCOSA-2006.2 FreeBSD-SA-06:03 Directory traversal vulnerability in Yawcam 0.2.5 allows remote attackers to read arbitrary files via "..\" (dot dot backslash) sequences in a GET request. 15732 http://www.autistici.org/fdonato/advisory/Yawcam0.2.5-adv.txt 15052 20050421 directory traversal in Yawcam 0.2.5 Cross-site scripting (XSS) vulnerability in the NewTerm function in GlossaryModel.php in JAWS 0.4 allows remote attackers to inject arbitrary web script or HTML via the (1) term or (2) description. 13254 http://www.securiteam.com/unixfocus/5RP0M0AFFS.html 20050418 XSS bug in JAWS gadget Glossary (0.4-latestbeta (beta 2)) Buffer overflow in Sun Java System Web Proxy Server (aka Sun ONE Proxy Server) 3.6 SP6 allows remote attackers to execute arbitrary code via unknown vectors. 57763 Cross-site scripting (XSS) vulnerability in index.php in PHP Labs proFile allows remote attackers to inject arbitrary web script or HTML via the (1) dir or (2) file parameters. profile-indexphp-xss(20169) ADV-2005-0370 http://www.snkenjoi.com/secadv/secadv7.txt 13282 13276 15697 1013756 15027 Multiple SQL injection vulnerabilities in phpbb-Auction allow remote attackers to execute arbitrary SQL commands via the (1) u parameter to auction_rating.php or (2) ar parameter to action_offer.php. 15029 phpbb-auction-sql-injection(20203) http://www.snkenjoi.com/secadv/secadv9.txt 13284 13283 http://www.phpbb-auction.com/sutra5600.html 15705 15704 1013779 20060725 PHP-Auction SQL injection http://www.aria-security.net/advisory/phpauction.txt auction_my_auctions.php in phpbb-Auction 1.2m and earlier allows remote attackers to obtain sensitive information via an invalid mode parameter, which leaks the full path in a PHP error message. Fixed updated version on http://www.phpbb-auction.com/ http://www.phpbb-auction.com/sutra5600.html http://www.snkenjoi.com/secadv/secadv9.txt 15706 1013779 15029 Multiple SQL injection vulnerabilities in DUware DUportal 3.1.2 and 3.1.2 SQL allow remote attackers to execute arbitrary SQL commands via the (1) iChannel parameter to channel.asp or search.asp, (2) iData parameter to detail.asp or inc_rating.asp, (3) iCat parameter to detail.asp or type.asp, (4) DAT_PARENT parameter to inc_poll_voting.asp, or (5) iRate parameter to inc_rating.asp, a different set of vulnerabilities than CVE-2005-1224. 13288 http://www.digitalparadox.org/advisories/dup.txt 15044 SQL injection vulnerability in news.php in FlexPHPNews 0.0.3 allows remote attackers to execute arbitrary SQL commands via the newsid parameter. flexphpnews-newsphp-sql-injection(20214) ADV-2005-0373 13297 15715 14905 flexphpnew-news-sql-injection(33362) 23247 3631 20070411 Rediscovery: Flexphpnews news.php/newsid SQL injection By design, the built-in FTP server for iSeries AS/400 systems does not support a restricted document root, which allows attackers to read or write arbitrary files, including sensitive QSYS databases, via a full pathname in a GET or PUT request. http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf 20050420 Canonicalization and directory traversal in iSeries FTP security products multiple-vendor-security-bypass(20260) Directory traversal vulnerability in the third party tool from Raz-Lee, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. Fix is available on http://www.razlee.com/ http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf 13310 20050420 Canonicalization and directory traversal in iSeries FTP security products multiple-vendor-security-bypass(20260) Directory traversal vulnerability in the third party tool from Castlehill, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf 20050420 Canonicalization and directory traversal in iSeries FTP security products multiple-vendor-security-bypass(20260) Directory traversal vulnerability in the third party tool from Powertech, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf 13312 20050420 Canonicalization and directory traversal in iSeries FTP security products multiple-vendor-security-bypass(20260) Directory traversal vulnerability in the third party tool from Bsafe, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf 20050420 Canonicalization and directory traversal in iSeries FTP security products multiple-vendor-security-bypass(20260) Directory traversal vulnerability in the third party tool from SafeStone, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf 20050420 Canonicalization and directory traversal in iSeries FTP security products multiple-vendor-security-bypass(20260) ** DISPUTED ** Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. NOTE: the vendor has disputed this issue, saying that "neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable." multiple-vendor-security-bypass(20260) http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf 20050420 Canonicalization and directory traversal in iSeries FTP security products 15791 1013810 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.2, when using HTML Tidy ($wgUseTidy), allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 13301 http://sourceforge.net/project/shownotes.php?release_id=322146 14993 mediawiki-unknown-xss(20210) 15719 Format string vulnerability in the snmppd_log function in snmppd_util.c for snmppd 0.4.5 and earlier may allow remote attackers to cause a denial of service or execute arbitrary code via format string specifiers that are not properly handled in a syslog call. http://x82.inetcop.org/h0me/adv1sor1es/INCSA.2005-0x82-027-SNMPPD.txt 20050425 [INetCop Security Advisory] Snmppd potentially format string vulnerability. 15120 webadmin.exe in Novell Nsure Audit 1.0.1 allows remote attackers to cause a denial of service via malformed ASN.1 packets in corrupt client certificates to an SSL server, as demonstrated using an exploit for the OpenSSL ASN.1 parsing vulnerability. 20040115 OpenSSL ASN.1 parsing bugs PoC / brute forcer http://www.cirt.dk/advisories/cirt-31-advisory.pdf http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097379.htm 20050424 [CIRT.DK - Advisory] Novell Nsure Audit 1.0.1 Denial of Service Buffer overflow in Apple iTunes before 4.8 allows remote attackers to execute arbitrary code via a crafted MPEG4 file. 13565 1013927 15310 APPLE-SA-2005-05-09 apple-itunes-mpeg4-bo(20498) ADV-2005-0504 16243 http://www.ngssoftware.com/advisories/itunes.txt http://docs.info.apple.com/article.html?artnum=301596 The IMAP daemon (IMAPD32.EXE) in Ipswitch Collaboration Suite (ICS) allows remote attackers to cause a denial of service (CPU consumption) via an LSUB command with a large number of null characters, which causes an infinite loop. http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html 13727 20050524 Ipswitch IMail IMAP LSUB DoS Vulnerability 1014047 SQL injection vulnerability in the logon screen of the web front end (NmConsole/Login.asp) for IpSwitch WhatsUp Professional 2005 SP1 allows remote attackers to execute arbitrary SQL commands via the (1) User Name field (sUserName parameter) or (2) Password (sPassword parameter). http://www.ipswitch.com/forums/shwmessage.aspx?ForumID=20&MessageID=7699 20050622 IpSwitch WhatsUp Professional 2005 (SP1) SQL Injection Vulnerability http://www.corsaire.com/advisories/c050323-001.txt http://secunia.com/secunia_research/2005-13/advisory/ Directory traversal vulnerability in the Web Calendaring server in Ipswitch Imail 8.13, and other versions before IMail Server 8.2 Hotfix 2, allows remote attackers to read arbitrary files via "..\" (dot dot backslash) sequences in the query string argument in a GET request to a non-existent .jsp file. http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html 13727 20050524 Ipswitch IMail Web Calendaring Arbitrary File Read Vulnerability 1014047 Stack-based buffer overflow in the IMAP server for Ipswitch IMail 8.12 and 8.13, and other versions before IMail Server 8.2 Hotfix 2, allows remote authenticated users to cause a denial of service (crash) via a SELECT command with a large argument. http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html 13727 20050524 Ipswitch IMail IMAP SELECT Command DoS Vulnerability 1014047 Multiple stack-based buffer overflows in the IMAP server in IMail 8.12 and 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allow remote attackers to execute arbitrary code via a LOGIN command with (1) a long username argument or (2) a long username argument that begins with a special character. http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html 13727 20050524 Ipswitch IMail IMAP LOGIN Remote Buffer Overflow Vulnerabilities 1014047 Stack-based buffer overflow in the IMAP daemon (IMAPD32.EXE) in IMail 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allows remote authenticated users to execute arbitrary code via a STATUS command with a long mailbox name. http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html 13727 20050524 Ipswitch IMail IMAP STATUS Remote Buffer Overflow Vulnerability 1014047 bzip2 allows remote attackers to cause a denial of service (hard drive consumption) via a crafted bzip2 file that causes an infinite loop (a.k.a "decompression bomb"). TA07-319A ADV-2007-3868 ADV-2007-3525 oval:org.mitre.oval:def:10700 USN-127-1 26444 13657 RHSA-2005:474 FLSA:158801 DSA-741 200191 103118 27643 27274 19183 15447 APPLE-SA-2007-11-14 http://docs.info.apple.com/article.html?artnum=307041 20060301-01-U oval:org.mitre.oval:def:749 Stack-based buffer overflow in the URL parsing function in Gaim before 1.3.0 allows remote attackers to execute arbitrary code via an instant message (IM) with a large URL. http://gaim.sourceforge.net/security/index.php?id=16 ADV-2005-0519 RHSA-2005:432 RHSA-2005:429 oval:org.mitre.oval:def:10725 13590 FLSA:158543 Gaim 1.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a malformed MSN message. http://gaim.sourceforge.net/security/index.php?id=17 ADV-2005-0519 RHSA-2005:429 oval:org.mitre.oval:def:10861 13591 FLSA:158543 SUSE-SA:2005:036 The elf_core_dump function in binfmt_elf.c for Linux kernel 2.x.x to 2.2.27-rc2, 2.4.x to 2.4.31-pre1, and 2.6.x to 2.6.12-rc4 allows local users to execute arbitrary code via an ELF binary that, in certain conditions involving the create_elf_tables function, causes a negative length argument to pass a signed integer comparison, leading to a buffer overflow. ADV-2005-0524 13589 20050511 Linux kernel ELF core dump privilege elevation http://www.isec.pl/vulnerabilities/isec-0023-coredump.txt oval:org.mitre.oval:def:10909 FLSA:157459-2 FLSA:157459-1 FLSA:157459-3 RHSA-2005:551 RHSA-2005:529 RHSA-2005:472 19607 19185 20060402-01-U oval:org.mitre.oval:def:1122 Raw character devices (raw.c) in the Linux kernel 2.6.x call the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space, a similar vulnerability to CVE-2005-1589. [linux-kernel] 20050517 [PATCH] Fix root hole in raw device 20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability ADV-2005-0557 oval:org.mitre.oval:def:10264 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10 20050517 Re: Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability 13651 FLSA:157459-3 RHSA-2005:420 The mmap function in the Linux Kernel 2.6.10 can be used to create memory maps with a start address beyond the end address, which allows local users to cause a denial of service (kernel crash). USN-137-1 oval:org.mitre.oval:def:10466 13893 FLSA:157459-3 RHSA-2005:514 DSA-922 1014152 18056 17073 Apache SpamAssassin 3.0.1, 3.0.2, and 3.0.3 allows remote attackers to cause a denial of service (CPU consumption and slowdown) via a message with a long Content-Type header without any boundaries. http://www.vuxml.org/freebsd/cc4ce06b-e01c-11d9-a8bd-000cf18bbe54.html GLSA-200506-17 http://bugs.gentoo.org/show_bug.cgi?id=94722 MDKSA-2005:106 DSA-736 oval:org.mitre.oval:def:10901 [spamassassin-announce] 20050615 Denial of Service Vulnerability in Apache SpamAssassin 3.0.1-3.0.3 13978 RHSA-2005:498 The bgp_update_print function in tcpdump 3.x does not properly handle a -1 return value from the decode_prefix4 function, which allows remote attackers to cause a denial of service (infinite loop) via a crafted BGP packet. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=159208 2005-0028 FEDORA-2005-406 15634 oval:org.mitre.oval:def:11148 13906 FLSA:156139 RHSA-2005:505 DSA-854 17118 Off-by-one error in the mod_ssl Certificate Revocation List (CRL) verification callback in Apache, when configured to use a CRL, allows remote attackers to cause a denial of service (child process crash) via a CRL that causes a buffer overflow of one null byte. MDKSA-2005:129 RHSA-2005:582 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=163013 ADV-2006-0789 SSRT051251 SSRT051251 oval:org.mitre.oval:def:9589 14366 SUSE-SA:2005:046 SUSE-SR:2005:018 DSA-805 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 102198 604 19185 19072 TSLSA-2005-0059 oval:org.mitre.oval:def:1747 oval:org.mitre.oval:def:1714 oval:org.mitre.oval:def:1346 Gaim before 1.3.1 allows remote attackers to cause a denial of service (application crash) via a Yahoo! message with non-ASCII characters in a file name. USN-139-1 13931 GLSA-200506-11 oval:org.mitre.oval:def:9544 http://gaim.sourceforge.net/security/?id=18 FLSA:158543 RHSA-2005:518 SUSE-SA:2005:036 MDKSA-2005:099 DSA-734 oval:org.mitre.oval:def:744 The (1) check_update.sh and (2) rkhunter script in Rootkit Hunter before 1.2.3-r1 create temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack. 13399 GLSA-200504-25 rootkit-hunter-checkupdate-symlink(20279) 15861 15127 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1343. Reason: This candidate is a reservation duplicate of CVE-2005-1343. Notes: All CVE users should reference CVE-2005-1343 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Stack-based buffer overflow in the Backup Agent for Microsoft SQL Server in BrightStor ARCserve Backup Agent for SQL Server 11.0 allows remote attackers to execute arbitrary code via a long string sent to port (1) 6070 or (2) 6050. VU#279774 brightstor-enterprise-backup-bo(21656) http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=33239 14453 20050803 CA BrightStor ARCserve Backup Agent for MS SQL Server Buffer Overflow Stack-based buffer overflow in the getIfHeader function in the WebDAV functionality in MySQL MaxDB before 7.5.00.26 allows remote attackers to execute arbitrary code via an HTTP unlock request and a long "If" parameter. 20050426 MySQL MaxDB Webtool Remote 'If' Stack Overflow Vulnerability Heap-based buffer overflow in the ReadPNMImage function in pnm.c for ImageMagick 6.2.1 and earlier allows remote attackers to cause a denial of service (application crash) via a PNM file with a small colors value. http://www.imagemagick.org/script/changelog.php 13351 http://www.overflow.pl/adv/imheapoverflow.txt 20050424 [Overflow.pl] ImageMagick ReadPNMImage() Heap Overflow oval:org.mitre.oval:def:10003 http://bugs.gentoo.org/show_bug.cgi?id=90423 RHSA-2005:413 MDKSA-2005:107 oval:org.mitre.oval:def:711 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1766. Reason: This candidate is a duplicate of CVE-2005-1766. Notes: This duplicate occurred due to insufficient coordination across three separate parties. All CVE users should reference CVE-2005-1766 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The isis_print function, as called by isoclns_print, in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero length, as demonstrated using a GRE packet. 20050426 tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits. RHSA-2005:421 RHSA-2005:417 oval:org.mitre.oval:def:10159 13392 FLSA:156139 18146 15125 SCOSA-2005.60 tcpdump 3.8.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted (1) BGP packet, which is not properly handled by RT_ROUTING_INFO, or (2) LDP packet, which is not properly handled by the ldp_print function. 20050426 tcpdump[v3.8.x/v3.9.1]: ISIS, BGP, and LDP infinite loop DOS exploits. RHSA-2005:421 RHSA-2005:417 oval:org.mitre.oval:def:9601 13389 FLSA:156139 DSA-850 18146 17101 15125 SCOSA-2005.60 The rsvp_print function in tcpdump 3.9.1 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. 20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS. RHSA-2005:421 RHSA-2005:417 oval:org.mitre.oval:def:10732 13390 FLSA:156139 18146 15125 SCOSA-2005.60 Ethereal 0.10.10 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4. 13391 20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS. Multiple cross-site scripting (XSS) vulnerabilities in Argosoft Mail Server Pro 1.8.7.6 allow remote attackers to inject arbitrary web script or HTML via (1) the src parameter in an IMG tag, (2) User settings, or (3) Address book input boxes in the webmail interface. argosoft-mail-server-html-tag-filter-xss(20225) 13326 15100 20050422 Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6 Multiple directory traversal vulnerabilities in Argosoft Mail Server Pro 1.8.7.6 allow remote authenticated users to (1) read arbitrary files via the UIDL parameter to the msg script or (2) copy or move the user's .eml file to arbitrary locations via the delete script, a different vulnerability than CVE-2005-0367. argosoft-mail-server-dir-traversal(20229) argosoft-mail-server-eml-files-dir-traversal(20226) 15823 15821 20050422 Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6 The addnew script in Argosoft Mail Server Pro 1.8.7.6 allows remote attackers to create arbitrary accounts, even if "Allow Creation of Accounts From the Web Interface" is disabled, via a direct HTTP POST request. argosoft-mail-server-add-new-mail-account(20228) 13323 15822 20050422 Multiple vulnerabilities in Argosoft Mail Server 1.8.7.6 Cross-site scripting (XSS) vulnerability in thread.php in WoltLab Burning Board 2.3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the hilight parameter. 1013790 15058 13325 20050422 [SePro Bugtraq] WBB - WoltLab Burning Board <= 2.3.1 - XSS Unquoted Windows search path vulnerability in BitDefender 8 allows local users to prevent BitDefender from starting by creating a malicious C:\program.exe, possibly due to the lack of quoting of the full pathname when executing a process. 15818 15076 20050422 BitDefender 8 - Race condition vulnerability Multiple SQL injection vulnerabilities in BK Forum 4.0 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to member.asp, (2) forum parameter to forum.asp, or (3) various parameters in register.asp. http://www.digitalparadox.org/advisories/bkdev.txt 1013793 15072 20060423 BK Forum <= 4.0 Remote SQL Injection 20060421 BK Forum <<--V.4.0 SQL Injection 15786 15785 15784 20050423 Multiple Sql injection vulnerabilities in BK Forum v.4 inc_login_check.asp ACS Blog 0.8 through 1.1.3 allows remote attackers to gain administrator privileges via the "in" value in a cookie. 1013795 15105 15787 20050423 ACSblog bug index.cgi in E-Cart 2004 1.1 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and possibly (2) cat parameters. 1013780 15054 20050423 E-Cart v1.1 Remote Command Execution Multiple cross-site scripting (XSS) vulnerabilities in phpBB 2.0.14 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) u parameter to profile.php, (2) highlight parameter to viewtopic.php, or (3) forumname or forumdesc parameters to admin_forums.php. http://neosecurityteam.net/Advisories/Advisory-14.txt 20050423 -==phpBB 2.0.14 Multiple Vulnerabilities==- Multiple SQL injection vulnerabilities in CartWIZ ASP Cart allow remote attackers to execute arbitrary SQL commands via the idProduct parameter to (1) addToCart.asp or (2) productDetails.asp, the (3) priceFrom, (4) idCategory, or (5) priceTo parameter to searchResults.asp, or (6) the idParentCategory parameter to productCatalogSubCats.asp. cartwiz-multiple-sql-injection(20246) 1013792 15055 15774 15773 15772 15771 20050423 Multiple Sql injection and XSS in CartWIZ ASP Cart Multiple cross-site scripting (XSS) vulnerabilities in CartWIZ ASP Cart allow remote attackers to inject arbitrary web script or HTML via the idProduct parameter to (1) tellAFriend.asp or (2) addToWishlist.asp, redirect parameter to (3) access.asp or (4) login.asp, message parameter to (5) login.asp or (6) error.asp, or (7) sku or (8) name parameter to searchResults.asp. cartwiz-multiple-script-xss(20249) 15780 15778 15777 15776 15775 1013792 15055 20050423 Multiple Sql injection and XSS in CartWIZ ASP Cart Multiple SQL injection vulnerabilities in default.asp in StorePortal 2.63 allow remote attackers to execute arbitrary SQL commands via the (1) language, (2) bpic, (3) idcategory, (4) content, (5) keyword, or (6) idproduct parameter. 15071 http://digitalparadox.org/advisories/storeportal.txt 20050424 Multiple SQL Injections in StorePortal 2.63 The affix_sock_register in the Affix Bluetooth Protocol Stack for Linux might allow local users to gain privileges via a socket call with a negative protocol value, which is used as an array index. http://affix.sourceforge.net/patch_hci_3_2_0 http://www.digitalmunition.com/DMA%5B2005-0423a%5D.txt 20050424 DMA[2005-0423a] - 'Nokia Affix Bluetooth Integer Underflow' include.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument. 20050425 remote command execution in include.cgi script include.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument. 20050425 remote command execution in include.cgi script Cross-site scripting (XSS) vulnerability in the include.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument. 20050425 remote command execution in include.cgi script The inserter.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument. 20050425 remote command execution in inserter.cgi script The inserter.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument. 20050425 remote command execution in inserter.cgi script Cross-site scripting (XSS) vulnerability in the inserter.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument. 20050425 remote command execution in inserter.cgi script nProtect:Netizen 2005.3.17.1 does not properly verify that the update module is downloaded from an authorized site, which allows remote malicious web sites to write arbitrary files. http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/80_e.html 15788 15101 http://jvn.jp/jp/JVN%23AF02FB4B/index.html 20050425 [SNS Advisory No.80] nProtect:Netizen Arbitrary File Download Vulnerability SQL injection vulnerability in Confixx 3.08 and earlier allows remote attackers to execute arbitrary SQL commands via the "change user" field. 13355 15815 15121 694 20050425 Sql Injection in Confixx 3.06 & 3.08 & 3.?? ? The citat.pl script allows remote attackers to read arbitrary files via a full pathname in the argument. 20050424 remote command execution in citat.pl script The citat.pl script allows remote attackers to execute arbitrary files via shell metacharacters in the argument. 20050424 remote command execution in citat.pl script The hyper.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument. 20050424 hyper.cgi script file show bug The Adobe Reader control in Adobe Reader and Acrobat 7.0 and 7.0.1 allows remote attackers to determine the existence of files via Javascript containing XML script, aka the "XML External Entity vulnerability." 13962 http://www.adobe.com/support/techdocs/331710.html The (1) stopserver.sh and (2) startserver.sh scripts in Adobe Version Cue on Mac OS X uses the current working directory to find and execute the productname.sh script, which allows local users to execute arbitrary code by copying and calling the scripts from a user-controlled directory. http://www.securiteam.com/exploits/5EP0D20FQC.html 20050516 Mac OS X - Adobe Version Cue local root exploit [c version exploit] version-cue-gain-privileges(18445) 11833 12298 12297 http://www.adobe.com/support/techdocs/331621.html 1012446 13399 20041206 Local root exploit on Mac OS X with Adobe Version Cue SqWebMail allows remote attackers to inject arbitrary web script or HTML via CRLF sequences in the redirect parameter followed by the desired script or HTML. 13374 15119 Cross-site scripting (XSS) vulnerability in bBlog 0.7.4 allows remote attackers to inject arbitrary web script or HTML via the (1) entry title field or (2) comment body text. 15755 15754 1013811 http://sourceforge.net/tracker/index.php?func=detail&aid=1188735&group_id=81992&atid=564683 SQL injection vulnerability in bBlog 0.7.4 allows remote attackers to execute arbitrary SQL commands via the postid parameter. 15756 1013811 http://sourceforge.net/tracker/index.php?func=detail&aid=1188735&group_id=81992&atid=564683 Cross-site scripting (XSS) vulnerability in Yappa-NG before 2.3.2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 13372 http://sourceforge.net/project/shownotes.php?release_id=323206 15107 15828 PHP remote file inclusion vulnerability in Yappa-NG before 2.3.2 allows remote attackers to execute arbitrary PHP code via unknown vectors. 13371 15107 15829 http://sourceforge.net/project/shownotes.php?release_id=323206 Cross-site scripting (XSS) vulnerability in Horde Passwd module before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15075 [sork] 20050422 Passwd 2.2.2 (final) http://cvs.horde.org/diff.php/passwd/docs/CHANGES?r1=1.1.1.1.2.28&r2=1.1.1.1.2.33&ty=h Cross-site scripting (XSS) vulnerability in Horde Kronolith module before 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15080 [kronolith] 20050422 Kronolith 1.1.4 (final) http://cvs.horde.org/diff.php/kronolith/docs/CHANGES?r1=1.69.2.39&r2=1.69.2.41&ty=h Cross-site scripting (XSS) vulnerability in Horde Turba module before 1.2.5 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15074 [turba] 20050422 Turba 1.2.5 (final) http://cvs.horde.org/diff.php/turba/docs/CHANGES?r1=1.61.2.74&r2=1.61.2.77&ty=h Cross-site scripting (XSS) vulnerability in Horde Accounts module before 2.1.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15081 http://cvs.horde.org/diff.php/accounts/docs/CHANGES?r1=1.1.1.1.2.15&r2=1.1.1.1.2.18&ty=h Cross-site scripting (XSS) vulnerability in Horde Chora module before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 20050422 Chora 1.2.3 (final) 15083 http://cvs.horde.org/diff.php/chora/docs/CHANGES?r1=1.45.2.34&r2=1.45.2.37&ty=h Cross-site scripting (XSS) vulnerability in Horde Forwards E-Mail Forwarding Manager before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15082 [sork] 20050422 Forwards 2.2.2 (final) http://cvs.horde.org/diff.php/forwards/docs/CHANGES?r1=1.1.1.1.2.20&r2=1.1.1.1.2.23&ty=h Cross-site scripting (XSS) vulnerability in Horde IMP Webmail client before 3.2.8 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15080 [imp] 20050422 IMP 3.2.8 (final) http://cvs.horde.org/diff.php/imp/docs/CHANGES?r1=1.389.2.119&r2=1.389.2.125&ty=h Cross-site scripting (XSS) vulnerability in Horde Mnemo Note Manager before 1.1.4 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15078 [mnemo] 20050422 Mnemo 1.1.4 (final) http://cvs.horde.org/diff.php/mnemo/docs/CHANGES?r1=1.4.2.31&r2=1.4.2.33&ty=h Cross-site scripting (XSS) vulnerability in Horde Vacation module before 2.2.2 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. 15073 [sork] 20050422 Vacation 2.2.2 (final) http://cvs.horde.org/diff.php/vacation/docs/CHANGES?r1=1.1.1.1.2.21&r2=1.1.1.1.2.26&ty=h Cross-site scripting (XSS) vulnerability in Horde Nag Task List Manager before 1.1.3 allows remote attackers to inject arbitrary web script or HTML via the parent's frame page title. [nag] 20050422 Nag 1.1.3 (final) 15079 http://cvs.horde.org/diff.php/nag/docs/CHANGES?r1=1.54.2.33&r2=1.54.2.35&ty=h Buffer overflow in NetFtpd for NetTerm 5.1.1 and earlier allows remote attackers to execute arbitrary code via a long USER command. netterm-netftpd-user-bo(20285) ADV-2005-0407 13396 20050426 ADV: NetTerm's NetFtpd 4.2.2 Buffer Overflow + PoC Exploit http://www.securenetterm.com/html/what_s_new.html 15865 15140 Multiple cross-site scripting (XSS) vulnerabilities in index.php for phpMyVisites allow remote attackers to inject arbitrary web script or HTML via the (1) part, (2) per, or (3) site parameters. phpmyvisites-index-xss(20255) ADV-2005-0378 15789 15084 set_lang.php in phpMyVisites 1.3 allows remote attackers to read and include arbitrary files via the mylang parameter. 13370 20050426 [exploits] phpMyVisites 1.3 local file retrieval http://cvs.sourceforge.net/viewcvs.py/phpmyvisites/phpmyvisites/include/set_lang.php?r1=1.5&r2=1.6 Buffer overflow in VooDoo cIRCle BOTNET before 1.0.33 allows remote authenticated attackers to cause a denial of service (client crash) via a crafted packet. http://sourceforge.net/project/shownotes.php?release_id=323254 15830 15110 Cross-site scripting (XSS) vulnerability in pms.php for Woltlab Burning Board 2.3.1 PL2 and earlier allows remote attackers to inject arbitrary web script or HTML via the folderid parameter. 13353 20050424 WoltLab Burning Board <= 2.3.1 PL2 - XSS Vulnerability (24.04.05) OneWorldStore allows remote attackers to cause a denial of service (application crash) via a direct request to owConnections/chksettings.asp. 13322 http://www.oneworldstore.com/support_security_issue_updates.asp#April_20_2005_Lostmon http://lostmon.blogspot.com/2005/04/oneworldstore-critical-failure.html 15724 1013782 15057 owOfflineCC.asp in OneWorldStore allows remote attackers to obtain sensitive information by modifying the idOrder parameter. 13361 http://www.oneworldstore.com/support_security_issue_updates.asp#April_24_2005_Lostmon 1013796 15104 http://lostmon.blogspot.com/2005/04/oneworldstore-user-information.html 15781 AppKit in Mac OS X 10.3.9 allows attackers to cause a denial of service (Cocoa application crash) via a malformed TIFF image that causes the NXSeek to use an incorrect offset, leading to an unhandled exception. APPLE-SA-2005-05-03 The AppleScript Editor in Mac OS X 10.3.9 does not properly display script code for an applescript: URI, which can result in code that is different than the actual code that would be run, which could allow remote attackers to trick users into executing malicious code via certain URI characters such as NULL, control characters, and homographs. 13480 15227 APPLE-SA-2005-05-03 ADV-2005-0455 http://remahl.se/david/vuln/010/ Bluetooth-enabled systems in Mac OS X 10.3.9 enables the Bluetooth file exchange service by default, which allows remote attackers to access files without the user being notified, and local users to access files via the default directory. TA05-136A VU#258390 APPLE-SA-2005-05-03 http://docs.info.apple.com/article.html?artnum=301381 http://www.digitalmunition.com/DMA%5B2005-0502a%5D.txt Directory traversal vulnerability in the Bluetooth file and object exchange (OBEX) services in Mac OS X 10.3.9 allows remote attackers to read arbitrary files. APPLE-SA-2005-05-03 13491 http://www.digitalmunition.com/DMA%5B2005-0502a%5D.txt APPLE-SA-2005-06-08 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1579. Reason: This candidate is a duplicate of CVE-2005-1579. Notes: All CVE users should reference CVE-2005-1579 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Unknown vulnerability in Mac OS X 10.3.9 allows local users to gain privileges via (1) chfn, (2) chpass, and (3) chsh, which "use external helper programs in an insecure manner." TA05-136A VU#331694 APPLE-SA-2005-05-03 Buffer overflow in the Foundation framework for Mac OS X 10.3.9 allows local users to execute arbitrary code via a long environment variable. TA05-136A VU#582934 APPLE-SA-2005-05-03 Apple Help Viewer 2.0.7 and 3.0.0 in Mac OS X 10.3.9 allows remote attackers to read and execute arbitrary scrpts with less restrictive privileges via a help:// URI. http://remahl.se/david/vuln/004/ APPLE-SA-2005-05-03 Mac OS X 10.3.9, when using an LDAP server that does not use ldap_extended_operation, may store initial LDAP passwords for new accounts in plaintext. APPLE-SA-2005-05-03 lukemftpd in Mac OS X 10.3.9 allows remote authenticated users to escape the chroot environment by logging in with their full name. APPLE-SA-2005-05-03 The HTTP proxy service in Server Admin for Mac OS X 10.3.9 does not restrict access when it is enabled, which allows remote attackers to use the proxy. APPLE-SA-2005-05-03 Apple Terminal 1.4.4 allows attackers to execute arbitrary commands via terminal escape sequences. VU#994510 13480 1013882 15227 APPLE-SA-2005-05-03 ADV-2005-0455 16083 http://remahl.se/david/vuln/012/ The x-man-page: URI handler for Apple Terminal 1.4.4 in Mac OS X 10.3.9 does not cleanse terminal escape sequences, which allows remote attackers to execute arbitrary commands. VU#356070 TA05-136A 13480 15227 APPLE-SA-2005-05-03 ADV-2005-0455 16084 http://remahl.se/david/vuln/011/ Stack-based buffer overflow in the VPN daemon (vpnd) for Mac OS X before 10.3.9 allows local users to execute arbitrary code via a long -i (Server_id) argument. TA05-136A VU#706838 APPLE-SA-2005-05-03 APPLE-SA-2005-06-08 Buffer overflow in htdigest in Apache 2.0.52 may allow attackers to execute arbitrary code via a long realm argument. NOTE: since htdigest is normally only locally accessible and not setuid or setgid, there are few attack vectors which would lead to an escalation of privileges, unless htdigest is executed from a CGI program. Therefore this may not be a vulnerability. http://www.securiteam.com/unixfocus/5EP061FEKC.html 12848 http://www.lucaercoli.it/advs/htdigest.txt APPLE-SA-2005-05-03 13537 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 Squid 2.5.STABLE9 and earlier does not trigger a fatal error when it identifies missing or invalid ACLs in the http_access configuration, which could lead to less restrictive ACLs than intended by the administrator. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-acl_error http://www.squid-cache.org/bugs/show_bug.cgi?id=1255 RHSA-2005:415 DSA-721 oval:org.mitre.oval:def:10513 CLA-2005:948 FLSA-2006:152809 Multiple Symantec AntiVirus products, including Norton AntiVirus 2005 11.0.0, Web Security Web Security 3.0.1.72, Mail Security for SMTP 4.0.5.66, AntiVirus Scan Engine 4.3.7.27, SAV/Filter for Domino NT 3.1.1.87, and Mail Security for Exchange 4.5.4.743, when running on Windows, allows remote attackers to cause a denial of service (component crash) and avoid detection via a crafted RAR file. http://securityresponse.symantec.com/avcenter/security/Content/2005.04.27.html ** UNVERIFIABLE ** NOTE: this issue describes a problem that can not be independently verified as of 20050421. Adobe Acrobat reader (AcroRd32.exe) 6.0 and earlier allows remote attackers to cause a denial of service ("Invalid-ID-Handle-Error" error) and modify memory beginning at a particular address, possibly allowing the execution of arbitrary code, via a crafted PDF file. NOTE: the vendor has stated that the reporter refused to provide sufficient details to confirm the issue. In addition, due to the lack of details in the original advisory, an independent verification is not possible. Finally, the reliability of the original reporter is unknown. This item has only been assigned a CVE identifier for tracking purposes, and to serve as a concrete example of the newly defined UNVERIFIABLE and PRERELEASE content decisions in CVE, which must be discussed by the Editorial Board. Without additional details or independent verification by reliable sources, it is highly likely that this item will be REJECTED. acrobat-reader-invalid-id-handle-bo(20216) 15850 http://www.alphahackers.com/advisories/acrobat6.txt 1013774 Buffer overflow in HTTPMail in MailEnable Enterprise 1.04 and earlier and Professional 1.54 and earlier allows remote attackers to execute arbitrary code via a long HTTP Authorization header. 20050424 MailEnable HTTPS Buffer Overflow [x0n3-h4ck] http://www.x0n3-h4ck.org/upload/x0n3-h4ck_mailenable_https.pl 15737 1013786 Buffer overflow in Convert-UUlib (Convert::UUlib) before 1.051 allows remote attackers to execute arbitrary code via a malformed parameter to a read operation. 15130 convert-uulib-bo(20275) GLSA-200504-26 13401 MDKSA-2006:022 The ad.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument. 20050424 remote command execution in ad.cgi script The ad.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument. 20050424 remote command execution in ad.cgi script Cross-site scripting (XSS) vulnerability in the ad.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument. 20050424 remote command execution in ad.cgi script The forum.pl script allows remote attackers to read arbitrary files via a full pathname in the argument. 20050424 remote command execution in forum.pl script The forum.pl script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument. 20050424 remote command execution in forum.pl script includer.cgi in The Includer allows remote attackers to read arbitrary files via a full pathname in the argument, a similar vulnerability to CVE-2005-0801. 20050424 remote command execution in includer.cgi script Cross-site scripting (XSS) vulnerability in includer.cgi script in The Includer allows remote attackers to inject arbitrary web script or HTML via the argument. 20050424 remote command execution in includer.cgi script text.cgi script allows remote attackers to read arbitrary files via a full pathname in the argument. 20050425 remote command execution in text.cgi script text.cgi script allows remote attackers to execute arbitrary commands via shell metacharacters in the argument. 20050425 remote command execution in text.cgi script Cross-site scripting (XSS) vulnerability in text.cgi script allows remote attackers to inject arbitrary web script or HTML via the argument. 20050425 remote command execution in text.cgi script PHP remote file inclusion vulnerability in error.php in GrayCMS 1.1 allows remote attackers to execute arbitrary PHP code by modifying the path_prefix parameter to reference a URL on a remote web server that contains the code. graycms-pathprefix-error-include(20278) 13381 15860 15133 20050426 GrayCMS php code injection Multiple SQL injection vulnerabilities in MetaCart e-Shop 8.0 allow remote attackers to execute arbitrary SQL commands via the (1) intProdID parameter in product.asp or (2) strCatalog_NAME parameter to productsByCategory.asp. metacart-eshop-sql-injection(20283) 13377 13376 20050426 Multiple SQL Injections in MetaCart e-Shop V-8 Multiple SQL injection vulnerabilities in MetaCart 2.0 for Paypal allow remote attackers to execute arbitrary SQL commands via the (1) intProdID parameter to product.asp, (2) intCatalogID or (3) strSubCatalogID parameters to productsByCategory.asp, (4) chkText, (5) strText, (6) chkPrice, (7) intPrice, (8) chkCat, or (9) strCat parameters to searchAction.asp. 20050426 Multiple SQL Injections in MetaCart2 for SQL Server Special Edition U.K Multiple SQL injection vulnerabilities in MetaCart 2.0 for PayFlow allow remote attackers to execute arbitrary commands via (1) intCatalogID, (2) strSubCatalogID, or (3) strSubCatalog_NAME parameter to productsByCategory.asp, (4) curCatalogID, (5) strSubCatalog_NAME, (6) intCatalogID, or (7) page parameter to productsByCategory.asp or (8) intProdID parameter to product.asp. 20050426 MetaCart2 for PayFlow Multiple Sql Injection Vulnerabilities Multiple SQL injection vulnerabilities in MetaBid Auctions allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password fields in logIn.asp, or (3) intAuctionID parameter to item.asp. metabid-item-login-sql-injection(20286) 13395 15869 15868 15136 http://digitalparadox.org/advisories/metabid.txt 20050426 Multiple SQL Injections in MetaBid Auctions Pico Server (pServ) 3.2 and earlier allows remote attackers to execute arbitrary commands via a URL with multiple leading "/" (slash) characters and ".." sequences. 13642 http://www.redteam-pentesting.de/advisories/rt-sa-2005-010.txt http://sourceforge.net/project/shownotes.php?release_id=327708 20050516 Advisory: Pico Server (pServ) Remote Command Injection Pico Server (pServ) 3.2 and earlier allows remote attackers to obtain the source code for CGI scripts via "dirname/../cgi-bin" in a URL. 13638 http://www.redteam-pentesting.de/advisories/rt-sa-2005-011.txt http://sourceforge.net/project/shownotes.php?release_id=327708 20050516 Pico Server (pServ) Information Disclosure Of CGI Sources Pico Server (pServ) 3.2 and earlier allows local users to read arbitrary files as the pServ user via a symlink to a file outside of the web document root. http://www.redteam-pentesting.de/advisories/rt-sa-2005-012.txt 20050516 Pico Server (pServ) Local Information Disclosure The key_user_lookup function in security/keys/key.c in Linux kernel 2.6.10 to 2.6.11.8 may allow attackers to cause a denial of service (oops) via SMP. http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8 http://linux.bkbits.net:8080/linux-2.6/cset%40423078fafVa6mAyny23YZ87hDipmTw FLSA:157459-3 The (1) it87 and (2) via686a drivers in I2C for Linux 2.6.x before 2.6.11.8, and 2.6.12 before 2.6.12-rc2, create the sysfs "alarms" file with write permissions, which allows local users to cause a denial of service (CPU consumption) by attempting to write to the file, which does not have an associated store function. http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.8 http://lkml.org/lkml/2005/4/20/159 FLSA:157459-3 Unknown vulnerability in Radia Management Agent (RMA) in HP OpenView Radia Management Portal (RMP) 1.x and 2.x allows remote attackers to execute arbitrary commands via unknown vectors. 1013829 HPSBMA01138 hp-openview-radia-gain-access(20307) 13414 15960 15089 SSRT5958 20050428 High risk flaw in HP OpenView Radia Management Agent BPFTPServer service in BulletProof FTP Server 2.4.0.31 does not properly drop privileges before opening files through the Help menu, which allows local users to gain privileges. bpftp-gain-privilege(20301) ADV-2005-0419 13410 15898 15152 20050427 Privilege escalation in BulletProof FTP Server v2.4.0.31 nvstatsmngr.exe process in BakBone NetVault 7.1 does not properly drop privileges before opening files, which allows local users to gain privileges via the Help menu. bakbone-netvault-gain-privileges(20302) ADV-2005-0420 13408 15900 15158 20050427 Privilege escalation in BakBone NetVault 7.1 Multiple SQL injection vulnerabilities in index.php in Dream4 Koobi CMS 4.2.3 allow remote attackers to execute arbitrary SQL commands via the (1) q or (2) p parameters. koobi-parameter-search-sql-injection(20293) 13413 13412 15997 14696 20050427 SQL-injections in koobi-cms Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to inject arbitrary web script or HTML via (1) exercise_result.php, (2) exercice_submit.php, (3) agenda.php, (4) learningPathList.php, (5) learningPathAdmin.php, (6) learningPath.php, (7) userLog.php, (8) tool parameter to toolaccess_details.php, (9) data parameter to user_access_details.php, or (10) coursePath parameter to myagenda.php. claroline-multiple-scripts-xss(20295) 13407 http://www.claroline.net/news.php#85 1013822 15161 15725 20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline Multiple SQL injection vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary SQL commands via (1) learningPath.php, (2) learningPathAdmin.php, (3) learnPath_details.php, (4) modules_pool.php, (5) module.php, (6) uInfo parameter in userInfo.php, or (7) exo_id parameter to exercises_details.php. claroline-multiple-sql-injection(20298) 13407 http://www.claroline.net/news.php#85 1013822 15161 15725 20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline Multiple directory traversal vulnerabilities in (1) document.php or (2) insertMyDoc.php in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote project administrators to upload arbitrary files. claroline-document-directory-traversal(20287) 13407 http://www.claroline.net/news.php#85 1013822 15161 15725 20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline Multiple PHP remote file inclusion vulnerabilities in Claroline 1.5.3 through 1.6 Release Candidate 1, and possibly Dokeos, allow remote attackers to execute arbitrary PHP code via unknown vectors. claroline-file-include(20300) 13407 http://www.claroline.net/news.php#85 1013822 15161 15725 20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline SQL injection vulnerability in posting_notes.php in the notes module for phpBB allows remote attackers to execute arbitrary SQL commands via the p parameter, which is used in the $post_id variable, and other attack vectors. 13417 phpbb-notes-module-sql-injection(20303) ADV-2005-0416 15899 1013827 15154 http://www.gulftech.org/?node=research&article_id=00070-04272005 20050427 phpBB Notes Mod SQL Injection Vulnerability The LAM runtime environment package (lam-runtime-7.0.6-2mdk) on Mandrake Linux installs the mpi user without a password, which allows local users to gain privileges. 13431 20050428 insecure user account lam-runtime-7.0.6-2mdk rpm Cross-site scripting (XSS) vulnerability in BEA Admin Console 8.1 allows remote attackers to execute arbitrary web script or HTML via the server parameter to a JndiFramesetAction action. weblogic-jndiframesetaction-xss(20276) 13400 http://www.red-database-security.com/advisory/bea_css_in_admin_console.html 15895 1013817 15128 20050428 Cross Site Scripting in BEA Admin Console Multiple cross-site scripting (XSS) vulnerabilities in Oracle Webcache 9i allow remote attackers to inject arbitrary web script or HTML via the (1) cache_dump_file or (2) PartialPageErrorPage parameter. oracle9ias-application-cache-xss(20309) 13422 13421 http://www.red-database-security.com/advisory/oracle_webcache_CSS_vulnerabilities.html 15910 15143 20050428 Cross Site Scripting in Oracle Webcache 9i Adminstrator Application The webcacheadmin module in Oracle Webcache 9i allows remote attackers to corrupt arbitrary files via a full pathname in the cache_dump_file parameter. oracle9ias-application-cache-file-corruption(20310) 13420 http://www.red-database-security.com/advisory/oracle_webcache_append_file_vulnerabilitiy.html 15909 15143 20050428 File appending vulnerability in Oracle Webcache 9i The OHS component 1.0.2 through 10.x, when UseWebcacheIP is disabled, in Oracle Application Server allows remote attackers to bypass HTTP Server mod_access restrictions via a request to the webcache TCP port 7778. oracle9ias-application-cache-url-bypass(20311) 13418 http://www.red-database-security.com/advisory/oracle_webcache_bypass.html 15908 15143 20050428 Webcache Client Requests Bypass OHS mod_access Restrictions Multiple SQL injection vulnerabilities in phpCoin 1.2.2 allow remote attackers to execute arbitrary SQL commands via the (1) search parameter to index.php, (2) phpcoinsessid parameter to login.php, (3) id, (4) dtopic_id, or (5) dcat_id to mod.php. phpcoin-multiple-sql-injection(20308) ADV-2005-0423 13433 1013834 20050428 Multiple Sql injections in phpCoin v1.2.2 and below http://digitalparadox.org/viewadvisories.ah?view=36 http://pridels0.blogspot.com/2006/03/phpcoin-poc.html Safari 1.3 allows remote attackers to cause a denial of service (application crash) via a long https URL that triggers a NULL pointer dereference. 16006 1013835 20050429 Re: Safari HTTPS Overflow 20050429 Re: Safari HTTPS Overflow 20050428 Safari HTTPS Overflow PHP-Nuke 7.6 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) ipban.php, (2) db.php, (3) lang-norwegian.php, (4) lang-indonesian.php, (5) lang-greek.php, (6) a request to Web_Links with the portuguese language (lang-portuguese.php), (7) a request to Web_Links with the indonesian language (lang-indonesian.php), (8) a request to the survey module with the indonesian language (lang-indonesian.php), (9) a request to the Reviews module with the portuguese language, or (10) a request to the Journal module with the portuguese language, which reveal the path in an error message. 20050429 Multiples Full Path Disclosure in php-nuke 7.6 (and below) Cocktail 3.5.4 and possibly earlier in Mac OS X passes the administrative password on the command line to sudo in cleartext, which allows local users to gain sensitive information by running listing processes. 13449 16046 15201 20050429 Mac OS X Cocktail 3.5.4 admin password disclosure Cross-site scripting (XSS) vulnerability in SURVIVOR before 0.9.6 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 13415 http://www.columbia.edu/acis/dev/projects/survivor/doc/todo.html#changelog 15905 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0175. Reason: This candidate is a duplicate of CVE-2005-0175. Notes: All CVE users should reference CVE-2005-0175 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0174. Reason: This candidate is a duplicate of CVE-2005-0174. Notes: All CVE users should reference CVE-2005-0174 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in the add_port function in APSIS Pound 1.8.2 and earlier allows remote attackers to execute arbitrary code via a long Host HTTP header. 13436 pound-addport-bo(20316) ADV-2005-0437 15963 DSA-934 [pound_list] 20050426 remote buffer overflow in pound 1.8.2 + question abotu Host header 1013824 GLSA-200504-29 18381 15679 15202 15142 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=307852 The SQL install script in phpMyAdmin 2.6.2 is created with world-readable permissions, which allows local users to obtain the initial database password by reading the script. ADV-2005-0436 16053 GLSA-200504-30 Multiple buffer overflows in ArcGIS for ESRI ArcInfo Workstation 9.0 allow local users to execute arbitrary code via long command line arguments to (1) asmaster, (2) asuser, (3) asutility, (4) se, or (5) asrecovery. http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt 1013852 15196 http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015 20050430 DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities Format string vulnerability in ArcGIS for ESRI ArcInfo Workstation 9.0 allows local users to gain privileges via format string specifiers in the ARCHOME environment variable to (1) wservice or (2) lockmgr. http://www.digitalmunition.com/DMA%5B2005-0425a%5D.txt 1013852 15196 http://support.esri.com/index.cfm?fa=downloads.patchesServicePacks.viewPatch&PID=14&MetaID=1015 20050430 DMA[2005-0425a] - 'ESRI ArcGIS 9.x multiple local vulnerabilities Buffer overflow in Ce/Ceterm (aka ARPUS/Ce) 2.5.4 and earlier may allow local users to gain privileges via a long (1) XAPPLRESLANGPATH or (2) XAPPLRESDIR environment variable, or (3) command line argument. 15197 20050501 DMA[2005-0501a] - 'ARPUS/Ce setuid buffer overflow and file overwrite' http://www.digitalmunition.com/DMA[2005-0501a].txt 1013855 Race condition in Ce/Ceterm (aka ARPUS/Ce) 2.5.4 and earlier allows local users to write to arbitrary files via a symlink attack on the ce_edit_log temporary file. Upgrade to version 2.6 16050 http://www.digitalmunition.com/DMA[2005-0501a].txt 1013855 15197 20050501 DMA[2005-0501a] - 'ARPUS/Ce setuid buffer overflow and file overwrite' SQL injection vulnerability in search.php for PHP-Calendar before 0.10.3 allows remote attackers to execute arbitrary SQL commands via unknown vectors. php-calendar-searchphp-sql-injection(20297) 13405 15116 ADV-2005-0418 15866 http://sourceforge.net/project/shownotes.php?release_id=323483 phpcart.php in PHPCart 3.2 allows remote attackers to change product price information by modifying the (1) price or (2) postage parameters. NOTE: it was later reported that 3.4 through 4.6.4 are also affected. phpcart-phpcart-data-manipulation(44766) 30887 13406 20080828 XSS and Data Manipulation attacks found in CMS PHPCart. 15859 15147 http://lostmon.blogspot.com/2005/04/phpcart-price-manipulation.html FreeBSD 4.6 to 4.11 and 5.x to 5.4 uses insecure default permissions for the /dev/iir device, which allows local users to execute restricted ioctl calls to read or modify data on hardware that is controlled by the iir driver. FreeBSD-SA-05:06 The i386_get_ldt system call in FreeBSD 4.7 to 4.11 and 5.x to 5.4 allows local users to access sensitive kernel memory via arguments with negative or very large values. FreeBSD-SA-05:07 Format string vulnerability in the client for Mtp-Target 1.2.2 and earlier allows remote attackers to execute arbitrary code via game messages or other text. 20050501 Clients format string and server crash in Mtp-Target 1.2.2 http://aluigi.altervista.org/adv/mtpbugs-adv.txt Integer signedness error in certain older versions of the NeL library, as used in Mtp-Target 1.2.2 and earlier, and possibly other products, allows remote attackers to cause a denial of service (memory consumption or server crash) via a negative value in a STLport call, which is not caught by a signed comparison. 20050501 Clients format string and server crash in Mtp-Target 1.2.2 http://aluigi.altervista.org/adv/mtpbugs-adv.txt Multiple cross-site scripting (XSS) vulnerabilities in JustWilliam's Amazon Webstore 04050100 allow remote attackers to inject arbitrary web script or HTML via the (1) image parameter to closeup.php, the (2) currentIsExpanded or (3) searchFor parameters to index.php, (4) the currentNumber parameter to software_CAD_Technical_60002_uk.htm, or (5) a cookie. 13427 15894 1013836 15155 http://lostmon.blogspot.com/2005/04/amazon-webstore-script-injection-and.html 15892 MyPHP Forum 1.0 allows remote attackers to spoof the username by modifying the (1) nbuser parameter to post.php or (2) sender parameter to privmsg.php. 20050426 myPHP Forum v3 (possible v1 & 2 also) Identification 'spoof' 15902 13430 15903 15166 HTTP response splitting vulnerability in the @SetHTTPHeader function in Lotus Domino 6.5.x before 6.5.4 and 6.0.x before 6.0.5 allows attackers to poison the web cache via malicious applications. 1013839 lotus-sethttpheader-injection(20045) 15365 14879 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202437 The kernel in FreeBSD 4.x to 4.11 and 5.x to 5.4 does not properly clear certain fixed-length buffers when copying variable-length data for use by applications, which could allow those applications to read previously used sensitive memory. FreeBSD-SA-05:08 ADV-2005-2256 15252 13526 17368 APPLE-SA-2005-10-31 Skype for Windows 1.2.0.0 to 1.2.0.46 allows local users to bypass the identity check for an authorized application, then call arbitrary Skype API functions by modifying or replacing that application. http://www.skype.com/security/ssa-2005-01.html Apple Keynote 2.0 and 2.0.1 allows remote attackers to read arbitrary files via the keynote: URI handler in a crafted Keynote presentation. http://remahl.se/david/vuln/016/ APPLE-SA-2005-05-25 1014053 15508 PostgreSQL 7.3.x through 8.0.x gives public EXECUTE access to certain character conversion functions, which allows unprivileged users to call those functions with malicious values, with unknown impact, aka the "Character conversion vulnerability." http://www.postgresql.org/about/news.315 [pgsql-announce] 20050502 IMPORTANT: two new PostgreSQL security problems found ADV-2005-0453 oval:org.mitre.oval:def:10050 13476 FLSA-2006:157366 RHSA-2005:433 SUSE-SA:2005:036 oval:org.mitre.oval:def:676 The tsearch2 module in PostgreSQL 7.4 through 8.0.x declares the (1) dex_init, (2) snb_en_init, (3) snb_ru_init, (4) spell_init, and (5) syn_init functions as "internal" even when they do not take an internal argument, which allows attackers to cause a denial of service (application crash) and possibly have other impacts via SQL commands that call other functions that accept internal arguments. 13475 http://www.postgresql.org/about/news.315 [pgsql-announce] 20050502 IMPORTANT: two new PostgreSQL security problems found ADV-2005-0453 oval:org.mitre.oval:def:9343 FLSA-2006:157366 RHSA-2005:433 SUSE-SA:2005:036 oval:org.mitre.oval:def:1086 Cybration ICUII 7.0 stores passwords in plaintext in the world-readable icuii.ini file, which allows local users to gain privileges. icuii-password-disclosure(20321) 13441 14688 1013828 15171 http://osvdb.org/ref/14/14688-icuii.txt SQL injection vulnerability in verify.asp for Ecomm Professional Guestbook 3.x allows remote attackers to execute arbitrary SQL commands via the AdminPWD parameter. 15967 15190 Multiple SQL injection vulnerabilities in enVivo!CMS allow remote attackers to execute arbitrary SQL commands and gain privileges via the (1) username or (2) password parameters to admin_login.asp, or the (3) searchstring and possibly (4) ID parameters to default.asp. envivo-username-password-sql-injection(20313) 13440 13439 13437 15966 15965 1013843 15173 http://digitalparadox.org/viewadvisories.ah?view=37 24860 15964 http://securityvulns.ru/Rdocument425.html 20070711 durito: enVivo!CMS SQL injection ExoticSoft FilePocket 1.2 stores sensitive proxy information, including proxy passwords, in plaintext in the registry, which allows local users to gain privileges. 13445 14685 1013823 filepocket-registry-plaintext-password(26187) Buffer overflow in GlobalSCAPE Secure FTP Server 3.0.2 allows remote authenticated users to execute arbitrary code via a long FTP command. 13454 http://www.cuteftp.com/gsftps/history.asp 20050501 Remote buffer overflow in GlobalScape Secure FTP server 3.0.2 Directory traversal vulnerability in 04WebServer 1.81 allows remote attackers to read files outside of the web root but within the installation folder. ADV-2005-0448 http://www.soft3304.net/04WebServer/Security.html 16067 15230 http://osvdb.org/ref/16/16067-04webserver.txt Multiple SQL injection vulnerabilities in MaxWebPortal 2.x, 1.35, and other versions allow remote attackers to execute arbitrary SQL commands via (1) article_popular.asp, (2) arguments to dl_popular.asp, (3) arguments to links_popular.asp, (4) arguments to pic_popular.asp, (5) article_rate.asp, (6) dl_rate.asp, (7) links_rate.asp, (8) pic_rates.asp, (9) article_toprated.asp, (10) dl_toprated.asp, (11) links_toprated.asp, (12) arguments to pic_toprated.asp, or (13) the TOPIC_ID or Forum_ID parameters to custom_link.asp. The vulnerabilities have been partially fixed in versions 1.3.5 and 2.0. The remaining vulnerabilities will reportedly be fixed in the upcoming 2.1 version. http://www.maxwebportal.info/downloads/mwp_security_fixes.zip 13466 1013845 15214 http://www.maxwebportal.info/topic.asp?TOPIC_ID=2482&FORUM_ID=1&CAT_ID=1&Forum_Title=General+Chat&Topic_Title=Security+Update NetLeaf Limited NotJustBrowsing 1.0.3 stores the View Lock Password in plaintext in the notjustbrowsing.prf file, which allows local users to gain privileges. notjustbrowsing-password-disclosure(20319) 13442 14687 1013826 15184 SQL injection vulnerability in the admin login panel for Ocean12 Mailing List Manager 1.06 allows remote attackers to execute arbitrary SQL commands via the Admin_id parameter. 15959 1013833 15178 20050428 [HSC Security Group] Ocean12 Mailing List Manager Pro SQL injection Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to determine the full pathname of the server via a request for an invalid page, as demonstrated using "%20" (hex-encoded space). http://www.autistici.org/fdonato/advisory/VideoCamServer1.0.0-adv.txt 1013860 Directory traversal vulnerability in Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to read arbitrary files via ".." (dot dot) sequences in an HTTP request. http://www.autistici.org/fdonato/advisory/VideoCamServer1.0.0-adv.txt 1013860 Raysoft/Raybase Video Cam Server 1.0.0 beta allows remote attackers to conduct administrator operations and cause a denial of service (server or camera shutdown) via a direct request to admin.html. http://www.autistici.org/fdonato/advisory/VideoCamServer1.0.0-adv.txt 1013860 Directory traversal vulnerability in the mail program in 602LAN SUITE 2004.0.05.0413 allows remote attackers to cause a denial of service and determine the presence of arbitrary files via .. sequences in the A parameter. 16069 15231 StumbleInside GoText 1.01 stores sensitive username, mail address,and phone number information in plaintext in the GoText.bin file, which allows local users to obtain that information. gotext-user-information-disclosure(20315) 13443 14686 1013825 Uapplication Uguestbook 1.0 stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for mdb-database/guestbook.mdb. uapplication-information-disclosure(20314) 20070107 Uguestbook Remote Password Disclosure Vulnerability 15995 1013830 Uapplication Ublog Reload stores sensitive information under the web root with insufficient access control, which allows remote attackers to download a database via a direct request for mdb-database/blog.mdb (aka mdb-database/blog.msb). uapplication-information-disclosure(20314) 15996 1013830 Uapplication Uphotogallery stores the database under the web document root, which allows remote attackers to obtain sensitive information via a direct request to uphotogallery.mdb. uapplication-information-disclosure(20314) 15994 1013830 edit_image.asp in Uapplication Uphotogallery allows remote attackers to upload arbitrary files. uapplication-information-disclosure(20314) 1013830 SQL injection vulnerability in login.asp in WWWguestbook 1.1 allows remote attackers to execute arbitrary SQL commands via the password parameter. 13404 1013837 15968 Mac OS X 10.3.x and earlier uses insecure permissions for a pseudo terminal tty (pty) that is managed by a non-setuid program, which allows local users to read or modify sessions of other users. 20050501 Insecure pty permissions in OS X < 10.4 The "record packet parsing" in GnuTLS 1.2 before 1.2.3 and 1.0 before 1.0.25 allows remote attackers to cause a denial of service, possibly related to padding bytes in gnutils_cipher.c. gnutls-record-parsing-dos(20328) 13477 16054 1013861 15193 oval:org.mitre.oval:def:9238 [gnutls-dev] 20050428 GnuTLS 1.2.3 and 1.0.25 RHSA-2005:430 Multiple unknown vulnjerabilities HP OpenView Event Correlation Services (OV ECS) 3.32 and 3.33 allow attackers to cause a denial of service or execute arbitrary code. 15226 HPSBMA01141 Multiple unknown vulnerabilities in OpenView Network Node Manager (OV NNM) 6.2, 6.4, 7.01, and 7.50 allow attackers to cause a denial of service or execute arbitrary code. 15223 HPSBMA01140 Open WebMail (OWM) before 2.51 20050430 allows remote authenticated users to execute arbitrary commands via shell metacharacters in a filename. http://sourceforge.net/forum/message.php?msg_id=3128678 1013859 15225 Multiple cross-site scripting (XSS) vulnerabilities in osTicket allow remote attackers to inject arbitrary web script or HTML via (1) the t parameter to view.php, (2) the osticket_title parameter to header.php, (3) the em parameter to admin_login.php, (4) the e parameter to user_login.php, (5) the err parameter to open_submit.php, or (6) the name and subject fields when adding a ticket. http://www.gulftech.org/?node=research&article_id=00071-05022005 15216 16274 16273 16272 16271 16270 Multiple SQL injection vulnerabilities in osTicket allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to admin.php or (2) cat parameter to view.php. http://www.gulftech.org/?node=research&article_id=00071-05022005 15216 16277 PHP remote file inclusion vulnerability in main.php in osTicket allows remote attackers to execute arbitrary PHP code via the include_dir parameter. 16278 http://www.gulftech.org/?node=research&article_id=00071-05022005 15216 Directory traversal vulnerability in attachments.php in osTicket allows remote attackers to read arbitrary files via .. sequences in the file parameter. http://www.gulftech.org/?node=research&article_id=00071-05022005 15216 16279 Multiple cross-site scripting (XSS) vulnerabilities in ViArt Shop Enterprise 2.1.6 allow remote attackers to inject arbitrary web script or HTML via (1) various parameters to basket.php, (2) the nickname, email, topic, and message fields in forum.php, as demonstrated using forum_new_thread.php and forum_thread.php, (3) the page parameter to page.php, (4) category_id and item_id parameters to reviews.php, (5) the category_id parameter to product_details.php, (6) the category_id or search_string parameters to products.php, or (7) the rp or page parameters to news_view.php. 13462 15958 15957 15956 15955 15954 15953 15952 15951 1013853 15181 http://lostmon.blogspot.com/2005/04/viart-shop-enterprise-multiple.html Format string vulnerability in Lotus Domino 6.0.x before 6.0.5 and 6.5.x before 6.5.4 allows remote attackers to cause a denial of service via the Notes protocol (NRPC). http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202525 lotus-nrpc-format-string(20043) 13446 15366 1013842 14879 Buffer overflow in the Lotus Notes client for Domino 6.5 before 6.5.4 and 6.0 before 6.0.5 allows local users to cause a denial of service (client crash) and possibly execute arbitrary code via the NOTES.INI file. http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21202526 lotus-notesini-bo(20044) 13447 15367 1013841 Multiple cross-site scripting (XSS) vulnerabilities in index.php for Invision Power Board (IPB) 2.0.3 and 2.1 Alpha 2 allows remote attackers to inject arbitrary web script or HTML via the (1) act, (2) Members, (3) calendar, or (4) HID parameters. 1013863 Multiple cross-site scripting (XSS) vulnerabilities in SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to inject arbitrary web script or HTML via (1) the v, show, or sec_name parameters to main.php, (2) the inadmin, newsev, or postid parameters to 5.php, or (3) the id parameter to 0.php. http://www.gulftech.org/?node=research&article_id=00072-05032005 15213 http://forum.sitepanel2.com/index.php?showtopic=271 16264 16263 16262 Multiple directory traversal vulnerabilities in SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to (1) delete arbitrary files via the id parameter in a rmattach action to 5.php, or (2) read arbitrary files via the lang parameter to index.php. http://www.gulftech.org/?node=research&article_id=00072-05032005 15213 http://forum.sitepanel2.com/index.php?showtopic=271 16266 SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to upload and execute arbitrary files such as PHP scripts via an attachment to a trouble ticket. http://www.gulftech.org/?node=research&article_id=00072-05032005 15213 http://forum.sitepanel2.com/index.php?showtopic=271 PHP remote file inclusion vulnerability in main.php in SitePanel 2.6.1 and earlier (SitePanel2) allows remote attackers to execute arbitrary PHP code via the p parameter. http://www.gulftech.org/?node=research&article_id=00072-05032005 15213 16268 http://forum.sitepanel2.com/index.php?showtopic=271 Cross-site scripting (XSS) vulnerability in the BBCode plugin for Serendipity before 0.8 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 13411 http://www.s9y.org/63.html#A9 15876 15145 Unknown vulnerability in serendipity_config_local.inc.php for Serendipity before 0.8 has unknown impact. http://www.s9y.org/63.html#A9 15145 Unknown vulnerability in "the function used to validate path-names for uploading media" in Serendipity before 0.8 has unknown impact. http://www.s9y.org/63.html#A9 15145 15877 The media manager in Serendipity before 0.8 allows remote attackers to upload and execute arbitrary (1) .php or (2) .shtml files. http://www.s9y.org/63.html#A9 15145 15878 Serendipity before 0.8 allows Chief users to "hide plugins installed by other users." http://www.s9y.org/63.html#A9 15145 fetchnews in leafnode 1.9.48 to 1.11.1 allows remote NNTP servers to cause a denial of service (crash) by closing the connection while fetchnews is reading (1) an article header or (2) an article body, which also prevents fetchnews from querying other servers. http://leafnode.sourceforge.net/leafnode-SA-2005-01.txt ADV-2005-0468 15252 SQL injection vulnerability in the radius_xlat function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote authenticated users to execute arbitrary SQL commands via (1) group_membership_query, (2) simul_count_query, or (3) simul_verify_query configuration entries. 13540 GLSA-200505-13 freeradius-xlat-sql-injection(20449) 1013909 SUSE-SR:2005:014 http://www.freeradius.org/security.html 20050520 ERRATA: [ GLSA 200505-13 ] FreeRADIUS: SQL injection and Denial of Service vulnerability oval:org.mitre.oval:def:9610 RHSA-2005:524 Buffer overflow in the sql_escape_func function in the SQL module for FreeRADIUS 1.0.2 and earlier allows remote attackers to cause a denial of service (crash). 13541 GLSA-200505-13 freeradius-sqlescapefunc-bo(20450) 1013909 SUSE-SR:2005:014 http://www.freeradius.org/security.html 20050520 ERRATA: [ GLSA 200505-13 ] FreeRADIUS: SQL injection and Denial of Service vulnerability oval:org.mitre.oval:def:9579 RHSA-2005:524 Multiple unknown vulnerabilities in the (1) DHCP and (2) Telnet dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (abort). http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:9700 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple unknown vulnerabilities in the (1) AIM, (2) LDAP, (3) FibreChannel, (4) GSM_MAP, (5) SRVLOC, and (6) NTLMSSP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash). http://www.ethereal.com/appnotes/enpa-sa-00019.html http://www.ethereal.com/news/item_20050504_01.html oval:org.mitre.oval:def:9825 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple unknown "other problems" in the KINK dissector in Ethereal before 0.10.11 have unknown impact and attack vectors. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:11348 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple unknown vulnerabilities in the (1) WSP, (2) BER, (3) SMB, (4) NDPS, (5) IAX2, (6) RADIUS, (7) TCAP, (8) MRDISC, (9) 802.3 Slow, (10) SMBMailslot, or (11) SMB PIPE dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error). http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:11494 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple unknown dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (assert error) via an invalid protocol tree item length. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:9970 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple buffer overflows in the (1) SIP, (2) CMIP, (3) CMP, (4) CMS, (5) CRMF, (6) ESS, (7) OCSP, (8) X.509, (9) ISIS, (10) DISTCC, (11) FCELS, (12) Q.931, (13) NCP, (14) TCAP, (15) ISUP, (16) MEGACO, (17) PKIX1Explitit, (18) PKIX_Qualified, (19) Presentation dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:9853 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Double free vulnerability in the ICEP dissector in Ethereal before 0.10.11 may allow remote attackers to execute arbitrary code. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html 13504 RHSA-2005:427 FLSA-2006:152922 oval:org.mitre.oval:def:9713 CLSA-2005:963 Multiple format string vulnerabilities in the (1) DHCP and (2) ANSI A dissectors in Ethereal before 0.10.11 may allow remote attackers to execute arbitrary code. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:10713 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP, (4) EIGRP, (5) DLSw, (6) MEGACO, (7) LMP, and (8) RSVP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (infinite loop). http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:9534 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Unknown vulnerability in the NCP dissector in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (long loop). http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:10224 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Unknown vulnerability in the DICOM dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (large memory allocation) via unknown vectors. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:11024 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Unknown vulnerability in the NDPS dissector in Ethereal before 0.10.11 allows remote attackers to cause a denial of service (memory exhaustion) via unknown vectors. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:9654 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple unknown vulnerabilities in the (1) WSP, (2) Q.931, (3) H.245, (4) KINK, (5) MGCP, (6) RPC, (7) SMBMailslot, and (8) SMB NETLOGON dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (crash) via unknown vectors that lead to a null dereference. 13504 RHSA-2005:427 FLSA-2006:152922 http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:10049 CLSA-2005:963 Unknown vulnerability in the GSM dissector in Ethereal before 0.10.11 allows remote attackers to cause the dissector to access an invalid pointer. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:9598 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Multiple unknown vulnerabilities in the (1) TZSP, (2) MGCP, (3) ISUP, (4) SMB, or (5) Bittorrent dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (segmentation fault) via unknown vectors. http://www.ethereal.com/news/item_20050504_01.html http://www.ethereal.com/appnotes/enpa-sa-00019.html oval:org.mitre.oval:def:11804 13504 RHSA-2005:427 FLSA-2006:152922 CLSA-2005:963 Heap-based buffer overflow in RSA SecurID Web Agent 5, 5.2, and 5.3 allows remote attackers to execute arbitrary code via crafted chunked-encoding data. 15222 20050506 [SEC-1 LTD] RSA SecurID Web Agent Heap Overflow Certain system calls in Apple Mac OS X 10.4.1 do not properly enforce the permissions of certain directories without the POSIX read bit set, but with the execute bits set for group or other, which allows local users to list files in otherwise restricted directories. APPLE-SA-2005-05-19 SecurityAgent in Apple Mac OS X 10.4.1 allows attackers with physical access to bypass the locked screensaver and launch background applications by opening a URL from a text input field. APPLE-SA-2005-05-19 Dashboard in Apple Mac OS X 10.4.1 allows remote attackers to install widgets via Safari without prompting the user, a different vulnerability than CVE-2005-1933. 13694 APPLE-SA-2005-05-19 The XMLHttpRequest object in Opera 8.0 Final Build 1095 allows remote attackers to bypass access restrictions and perform unauthorized actions on other domains via a redirect. http://secunia.com/secunia_research/2005-4/advisory/ 15008 13970 Firefox 1.0.3 allows remote attackers to execute arbitrary Javascript in other domains by using an IFRAME and causing the browser to navigate to a previous javascript: URL, which can lead to arbitrary code execution when combined with CVE-2005-1477. VU#534710 15292 https://bugzilla.mozilla.org/show_bug.cgi?id=293302 https://bugzilla.mozilla.org/show_bug.cgi?id=292691 mozilla-javascript-code-execution(20443) ADV-2005-0493 13544 http://www.mozilla.org/security/announce/mfsa2005-42.html 1013913 oval:org.mitre.oval:def:10045 http://greyhatsecurity.org/vulntests/ffrc.htm http://greyhatsecurity.org/firefox.htm 15495 RHSA-2005:435 RHSA-2005:434 20050508 Firefox Remote Compromise Technical Details 20050508 Firefox Remote Compromise Leaked SCOSA-2005.49 oval:org.mitre.oval:def:100002 The install function in Firefox 1.0.3 allows remote web sites on the browser's whitelist, such as update.mozilla.org or addon.mozilla.org, to execute arbitrary Javascript with chrome privileges, leading to arbitrary code execution on the system when combined with vulnerabilities such as CVE-2005-1476, as demonstrated using a javascript: URL as the package icon and a cross-site scripting (XSS) attack on a vulnerable whitelist site. VU#648758 15292 https://bugzilla.mozilla.org/show_bug.cgi?id=293302 https://bugzilla.mozilla.org/show_bug.cgi?id=292691 mozilla-javascript-code-execution(20443) ADV-2005-0493 13544 http://www.mozilla.org/security/announce/mfsa2005-42.html 1013913 oval:org.mitre.oval:def:9231 http://greyhatsecurity.org/vulntests/ffrc.htm http://greyhatsecurity.org/firefox.htm 15495 RHSA-2005:435 RHSA-2005:434 20050508 Firefox Remote Compromise Technical Details 20050508 Firefox Remote Compromise Leaked SCOSA-2005.49 oval:org.mitre.oval:def:100001 Format string vulnerability in dSMTP (dsmtp.exe) in DMail 3.1a allows remote attackers to execute arbitrary code via format string specifiers in the xtellmail command. dmail-dsmtpexe-format-string(20414) 13505 http://www.security.org.sg/vuln/dmail31a.html 1013885 15242 20050505 dSMTP - SMTP Mail Server 3.1b Linux Remote Root Format String Exploit SQL injection vulnerability in jgs_portal.php in JGS-Portal 3.0.1 and earlier allows remote attackers to execute arbitrary SQL commands via the id parameter. 15219 jgsportal-sql-injection(20371) 13451 1013866 20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05) 20050430 JGS-Portal 3.0.1 SQL-Injection Directory traversal vulnerability in RaidenFTPD before 2.4.2241 allows remote attackers to read arbitrary files via a "..\\" (dot dot backslash) in the urlget site command. 15037 raidenftpd-directory-traversal(20368) 13292 15713 20050502 Directory Traversal Vuln - RaidenFTPD 2.4 < Build 2241 http://forum.raidenftpd.com/showflat.php?Board=UBB13&Number=45685 Multiple SQL injection vulnerabilities in Aaron Outpost ASP Inline Corporate Calendar allow remote attackers to execute arbitrary SQL commands via the Event_ID parameter to (1) defer.asp or (2) details.asp. asp-inline-corporate-calendar-sql-injection(20416) 1013884 15239 16193 16192 20050503 [HSC Security Group] ASP Inline Corporate Calendar SQL injection ArticleLive 2005 allows remote attackers to gain privileges by modifying the (1) auth and (2) userId fields in a cookie. articlelive-bypass-security(20431) 13493 http://www.digitalparadox.org/advisories/inal.txt 1013895 15250 20050503 Authentication bypass, sql injections and xss in ArticleLive 2005 Multiple cross-site scripting (XSS) vulnerabilities in ArticleLive 2005 allow remote attackers to inject arbitrary web script or HTML via the (1) Query, (2) Username, (3) LastName, (4) Biography, or (5) BlogId parameter. articlelive-multiple-xss(20430) 13493 1013895 15250 16183 20050503 Authentication bypass, sql injections and xss in ArticleLive 2005 Directory traversal vulnerability in Golden FTP server pro 2.52 allows remote attackers to read arbitrary files via a "\.." (backward slash dot dot) with a leading '"' (double quote) in the GET command. goldenftp-dotdot-directory-traversal(20668) 13479 15175 20050504 Golden Ftp Server Pro - Directory Traversal Vuln Golden FTP Server Pro allows 2.52 allows remote attackers to obtain sensitive information via a GET request for a file that does not exist, which reveals the absolute path of the FTP server in the resulting FTP error message. goldenftp-information-disclosure(20674) 15175 20050504 Golden Ftp Server Pro - Directory Traversal Vuln Multiple cross-site scripting vulnerabilities in FishCart 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) trackingnum, (2) reqagree, or (3) m parameter to upstracking.php or (4) nlst parameter to display.php. NOTE: the vendor was not able to reproduce some of the reported vectors but believes that they have been addressed. The original researcher is known to be unreliable. fishcart-multiple-xss(20384) 13499 20070123 Re: Multiple SQL injections and XSS in FishCart 3.1 16281 16280 [fishcart] 20050521 Re: Concerned about security http://www.digitalparadox.org/advisories/fishc.txt 15232 20050504 Multiple SQL injections and XSS in FishCart 3.1 ** DISPUTED ** Multiple SQL injection vulnerabilities in FishCart 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) cartid parameter to upstnt.php or (2) psku parameter to display.php. NOTE: the vendor disputes this report, saying that they are forced SQL errors. The original researcher is known to be unreliable. fishcart-multiple-sql-injection(20386) 13499 20070123 Re: Multiple SQL injections and XSS in FishCart 3.1 16283 16282 http://www.digitalparadox.org/advisories/fishc.txt 15232 20050504 Multiple SQL injections and XSS in FishCart 3.1 Multiple cross-site scripting (XSS) vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allow remote authenticated users to inject arbitrary web script or HTML via (1) the E-mail address, Note, or Public Certificate fields to address.html, (2) addressaction.html, (3) the Signature field to settings.html, or (4) the Shared calendars to calendarsettings.html. merak-icewarp-script-xss(20467) 20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 Unknown vulnerability in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allows remote authenticated users to obtain the full path of the server via certain requests to (1) calendar_addevent.html, (2) calendar_event.html, or (3) calendar_task.html. 15249 merak-icewarp-script-path-disclosure(20469) 20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2, when the mailbox.dat file does not exist, allows remote authenticated users to determine if a file exists via the folder parameter to attachment.html. merak-icewarp-file-existence(20472) 15249 20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 allows remote authenticated users to (1) move their home directory via viewaction.html or (2) move arbitrary files via the importfile parameter to importaction.html. merak-icewarp-directory-relocation(20471) 15249 20050504 Multiple vulnerabilities in Merak Mail Server 8.0.3 with Icewarp Web Mail 5.4.2 Cross-site scripting (XSS) vulnerability in user.cgi in Gossamer Threads Links SQL 2.x and 3.0 allows remote attackers to inject arbitrary web script or HTML via the url parameter. 1013891 links-usercgi-addcgi-xss(20415) 13484 16189 http://www.gossamer-threads.com/forum/Gossamer_Links_3.0.1_Released_P280986/ 15253 20050504 Gossamer Threads Links SQL login XSS Vulnerability http://gossamer-threads.com/perl/gforum/gforum.cgi?post=281029; Directory traversal vulnerability in SimpleCam 1.2 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the URL. 1013888 13495 http://www.autistici.org/fdonato/advisory/SimpleCam1.2-adv.txt simplecam-dotdot-directory-traversal(20411) 20050504 directory traversal in SimpleCam 1.2 Multiple cross-site scripting (XSS) vulnerabilities in admin.cgi in MegaBook 2.0 and 2.1 allow remote attackers to inject arbitrary web script or HTML via the (1) entryid or (2) password parameter. megabook-admincgi-xss(20669) 13522 20050508 Re: MegaBook V2.0 - Cross Site Scripting Exploit 20050505 MegaBook V2.0 - Cross Site Scripting Exploit Oracle Database 9i and 10g disables Fine Grained Audit (FGA) after the SYS user executes a SELECT statement on an FGA object, which makes it easier for attackers to escape detection. Applying patchset 10.1.0.4 is fixing this issue for Oracle 10g. Oracle 9i is still vulnerable. VU#777773 oracle-audit-data-manipulation(20407) http://www.red-database-security.com/advisory/oracle-fine-grained-auditing-issue.html 20050505 Oracle 9i / 10g Fine Grained Auditing Issue The DBMS_Scheduler in Oracle 10g allows remote attackers with CREATE JOB privileges to gain additional privileges by changing SESSION_USER to the SYS user. Applying patchset 10.1.0.4 is fixing this issue. http://www.red-database-security.com/exploits/oracle_exploit_dbms_scheduler_select_user.html oracle10g-gain-privileges(20410) 13509 20050505 Oracle 10g DBMS_SCHEDULER SESSION_USER issue index.php in myBloggie 2.1.1 allows remote attackers to obtain sensitive information via an invalid post_id parameter, which reveals the path in an error message. mybloggie-postid-path-disclosure(20433) http://mywebland.com/forums/viewtopic.php?t=180 20050505 Multiple vulnerabilities in myBloggie 2.1.1 Multiple cross-site scripting (XSS) vulnerabilities in myBloggie 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) year parameter in viewmode.php, or the (2) cat_id, (3) month_no, or (4) post_id parameter in index.php, which are not properly sanitized before they are displayed in an error message. NOTE: issues 2, 3, and 4 may be due to a problem in associated products rather than myBloggie itself. Download newest myBloggie from http://mywebland.com/ mybloggie-script-injection(20436) mybloggie-viewmodephp-xss(20434) 13507 20050505 Multiple vulnerabilities in myBloggie 2.1.1 delcomment.php in myBloggie 2.1.1 allows remote attackers to delete arbitrary comments by modifying the comment_id parameter. mybloggie-delcomment-bypass-security(20437) 13507 14980 20050505 Multiple vulnerabilities in myBloggie 2.1.1 Multiple SQL injection vulnerabilities in myBloggie 2.1.1 allow remote attackers to execute arbitrary SQL commands via (1) the keyword parameter in search.php; or (2) the date_no parameter in viewdate mode, (3) the cat_id parameter in viewcat mode, the (4) month_no or (5) year parameter in viewmonth mode, or (6) post_id parameter in viewid mode to index.php. NOTE: item (1) was discovered to affect 2.1.3 as well. mybloggie-sql-injection(20439) 15017 13507 14980 20050527 SQL Injection Exploit for myBloggie 2.1.1 - 2.1.2 20050505 Multiple vulnerabilities in myBloggie 2.1.1 MidiCart PHP Shopping Cart allows remote attackers to obtain sensitive information via a direct request to (1) search_list.php, (2) item_list.php, or (3) item_show.php, which reveal the path in a PHP error message. midicart-path-disclosure(20425) 16172 http://www.hackgen.org/advisories/hackgen-2005-004.txt 20050505 [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart Cross-site scripting (XSS) vulnerability in MidiCart PHP Shopping Cart allows remote attackers to inject arbitrary web script or HTML via the (1) searchstring parameter to search_list.php or the (2) secondgroup or (3) maingroup parameters to item_list.php. midicart-xss(20427) 13518 13517 13516 16174 16173 http://www.hackgen.org/advisories/hackgen-2005-004.txt 15269 20050505 [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart Multiple SQL injection vulnerabilities in MidiCart PHP Shopping Cart allow remote attackers to execute arbitrary SQL commands via the (1) searchstring parameter to search_list.php, the (2) maingroup or (3) secondgroup parameters to item_list.php, or (4) code_no parameter to item_show.php. midicart-sql-injection(20428) 13515 13514 13513 13512 16177 16176 16175 http://www.hackgen.org/advisories/hackgen-2005-004.txt 15269 20050505 [hackgen-2005-#004] - Multiple bugs in MidiCart PHP Shopping Cart GameSpy SDK CD-Key Validation Toolkit, as used by many online games, allows remote attackers to bypass the CD key validation by sending a spoofed \disc\ command, which tells the server the CD key is no longer in use. gamespy-sdk-cdkey-gain-access(20422) 15254 http://aluigi.altervista.org/adv/gskeyinuse-adv.txt 20050504 Gamespy cd-key validation system: Cd-key never in use The new account wizard in Mail.app 2.0 in Mac OS 10.4, when configuring an IMAP mail account and checking the credentials, does not prompt the user to use SSL until after the password has already been sent, which causes the password to be sent in plaintext. mailapp-account-wizard-plaintext-password(20670) 20050504 Mac OS 10.4: new-account-wizzard in Mail 2.0 sends clear-text passwords SQL injection vulnerability in out.php in CJ Ultra (CJUltra) Plus 1.0.3 and 1.0.4 allows remote attackers to execute arbitrary SQL commands via the perm parameter. 15281 20050505 Sql Injection in CJ Ultra Plus v1.0.3-1.0.4 Buffer overflow in the Tomcat plugin in 4d WebSTAR 5.33 and 5.4 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long URL. 4d-webstar-plugin-bo(20478) 13538 16154 15278 20050506 4d WebSTAR 5.x Web Server Mac OS X Buffer Overflow Multiple cross-site scripting (XSS) vulnerabilities in PwsPHP 1.2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) month or (2) annee parameters to the news module, (3) nbractif or (4) annee parameters to the stats module, (5) id parameter to profil.php, (6) mb_lettre or (7) lettre parameter to memberlist.php, or (8) chaine_search, or (9) auteur_search parameter to the recherche module. pwsphp-mulitple-scripts-xss(20500) ADV-2005-0503 16232 16231 16230 16229 16228 15315 20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilities SQL injection vulnerability in profil.php in PwsPHP 1.2.2 allows remote attackers to execute arbitrary SQL commands via the id parameter. pwsphp-id-sql-injection(20501) 13563 16233 15315 20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilities PwsPHP 1.2.2 allows remote attackers to obtain sensitive information via a direct request to the admin directory, which reveals the path in an error message. 16234 15315 20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilities PwsPHP 1.2.2 allows remote attackers to bypass authentication and post arbitrary comments via the Pseudo cookie. pwsphp-cookie-spoof-identity(20503) 16235 15315 20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilities The Admin panel in PwsPHP 1.2.2 does not properly verify uploaded picture files, which allows remote attackers to upload and possibly execute arbitrary files. pwsphp-admin-panel-file-upload(20508) 16236 15315 20050507 PwsPHP v1.2.2 Final - Multiples vulnerabilities Integer overflow in the stralloc_readyplus function in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large SMTP request. http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html 1013911 20050506 64 bit qmail fun commands.c in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long SMTP command without a space character, which causes an array to be referenced with a negative index. http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html 1013911 20050506 64 bit qmail fun Integer signedness error in the qmail_put and substdio_put functions in qmail, when running on 64 bit platforms with a large amount of virtual memory, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a large number of SMTP RCPT TO commands. http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html 1013911 20050506 64 bit qmail fun DList (dlist.exe) in DMail 3.1a allows remote attackers to bypass authentication, read log files, and shutdown the system via a sendlog command with an incorrect password hash, which is not properly handled by the _cmd_sendlog function. dmail-dlist-bypass-authentication(20412) 13497 http://www.security.org.sg/vuln/dmail31a.html 15242 Unknown vulnerability in Cisco Firewall Services Module (FWSM) 2.3.1 and earlier, when using URL, FTP, or HTTPS filtering exceptions, allows certain TCP packets to bypass access control lists (ACLs). ADV-2005-0527 20050511 FWSM URL Filtering Solution TCP ACL Bypass Vulnerability Unknown vulnerability in Solaris 7 through 9, when using Federated Naming Services (FNS), autofs, and FNS X.500 configuration, allows local users to cause a denial of service (automountd crash) when "accessing" /xfn/_x500. 57786 ADV-2005-0517 Squid 2.5 STABLE9 and earlier, when the DNS client port is unfiltered and the environment does not prevent IP spoofing, allows remote attackers to spoof DNS lookups. http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-dns_query 15294 ADV-2005-0521 FEDORA-2005-373 oval:org.mitre.oval:def:9976 13592 RHSA-2005:489 DSA-751 FLSA-2006:152809 Buffer overflow in the header_get_field_name function in header.c for GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via a crafted e-mail. 13766 20050525 GNU Mailutils 0.6 mail header_get_field_name() Buffer Overflow Vulnerability DSA-732 1014052 15442 Integer overflow in the fetch_io function of the imap4d server in GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via a partial message request with a large value in the END parameter, which leads to a heap-based buffer overflow. 13763 20050525 GNU Mailutils 0.6 imap4d fetch_io Heap overflow Vulnerability DSA-732 1014052 15442 The imap4d server for GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows authenticated remote users to cause a denial of service (CPU consumption) via a large range value in the FETCH command. 13765 20050525 GNU Mailutils 0.6 imap4d FETCH Commad Resource Consumption DoS Vulnerability DSA-732 1014052 15442 Format string vulnerability in imap4d server in GNU Mailutils 0.5 and 0.6, and other versions before 0.6.90, allows remote attackers to execute arbitrary code via format string specifiers in the command tag for IMAP commands. 13764 20050525 GNU Mailutils 0.6 imap4d Format String Vulnerability DSA-732 1014052 15442 PHP file inclusion vulnerability in top_graph_header.php in Cacti 0.8.6d and possibly earlier versions allows remote attackers to execute arbitrary PHP code via the config[library_path] parameter. 20050622 Multiple Vendor Cacti Remote File Inclusion Vulnerability GLSA-200506-20 http://www.cacti.net/release_notes_0_8_6e.php cacti-topgraphheader-file-include(21118) 17426 DSA-764 1014252 16136 15931 15490 CLSA-2005:978 SQL injection vulnerability in config_settings.php for Cacti before 0.8.6e allows remote attackers to execute arbitrary SQL commands via the id parameter. 20050622 Multiple Vendor Cacti Multiple SQL Injection Vulnerabilities GLSA-200506-20 http://www.cacti.net/release_notes_0_8_6e.php cacti-configsettings-sql-injection(21120) 14027 17424 DSA-764 1014252 15931 15490 CLSA-2005:978 PHP remote file inclusion vulnerability in config_settings.php in Cacti before 0.8.6e allows remote attackers to execute arbitrary PHP code via the config[include_path] parameter. 20050622 Multiple Vendor Cacti config_settings.php Remote Code Execution Vulnerability GLSA-200506-20 http://www.cacti.net/release_notes_0_8_6e.php cacti-configsettings-file-include(21119) 14028 17425 DSA-764 1014252 15931 15490 CLSA-2005:978 Eval injection vulnerability in awstats.pl in AWStats 6.4 and earlier, when a URLPlugin is enabled, allows remote attackers to execute arbitrary Perl code via the HTTP Referrer, which is used in a $url parameter that is inserted into an eval function call. awstats-eval-execute-commands(21769) 18696 1014636 16412 USN-167-1 14525 http://www.securiteam.com/unixfocus/5DP0J00GKE.html SUSE-SR:2005:019 20050809 AWStats ShowInfoURL Remote Command Execution Vulnerability DSA-892 17463 Untrusted search path vulnerability in the crttrap command in QNX Neutrino RTOS 6.2.1 allows local users to load arbitrary libraries via a LD_LIBRARY_PATH environment variable that references a malicious library. ADV-2006-0474 20060207 QNX Neutrino RTOS crttrap Arbitrary Library Loading Vulnerability 18750 qnx-crttrap-privilege-elevation(24560) 16539 1015599 Sophos Anti-Virus 5.0.1, with "Scan inside archive files" enabled, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a Bzip2 archive with a large 'Extra field length' value. sophos-bzip2-dos(21373) 14270 20050714 Sophos Anti-Virus Zip File Handling DoS Vulnerability 1014488 Firefox before 1.0.4 and Mozilla Suite before 1.7.8 does not properly implement certain security checks for script injection, which allows remote attackers to execute script via "Wrapped" javascript: URLs, as demonstrated using (1) a javascript: URL in a view-source: URL, (2) a javascript: URL in a jar: URL, or (3) "a nested variant." http://www.mozilla.org/security/announce/mfsa2005-43.html ADV-2005-0530 1013963 1013962 oval:org.mitre.oval:def:10351 15495 13641 RHSA-2005:435 RHSA-2005:434 SCOSA-2005.49 oval:org.mitre.oval:def:100015 Firefox before 1.0.4 and Mozilla Suite before 1.7.8 do not properly limit privileges of Javascript eval and Script objects in the calling context, which allows remote attackers to conduct unauthorized activities via "non-DOM property overrides," a variant of CVE-2005-1160. ADV-2005-0530 15495 13645 RHSA-2005:601 RHSA-2005:435 RHSA-2005:434 SUSE-SA:2006:004 SUSE-SA:2006:022 http://www.mozilla.org/security/announce/mfsa2005-44.html 1013965 1013964 19823 oval:org.mitre.oval:def:10791 SCOSA-2005.49 oval:org.mitre.oval:def:100014 Multiple stack-based and heap-based buffer overflows in Remote Management authentication (zenrem32.exe) on Novell ZENworks 6.5 Desktop and Server Management, ZENworks for Desktops 4.x, ZENworks for Servers 3.x, and Remote Management allows remote attackers to execute arbitrary code via (1) unspecified vectors, (2) type 1 authentication requests, and (3) type 2 authentication requests. novell-zenwork-remote-management-2-bo(20645) novell-zenwork-remote-management-1-bo(20644) novell-zenwork-remote-management-bo(20639) ADV-2005-0571 13678 http://www.rem0te.com/public/images/zen.pdf http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097644.htm 1014005 15433 20050518 NOVELL ZENWORKS MULTIPLE =?utf-8?Q?REM=C3=98TE?= STACK & HEAP OVERFLOWS Stack-based buffer overflow in libTIFF before 3.7.2 allows remote attackers to execute arbitrary code via a TIFF file with a malformed BitsPerSample tag. libtiff-bitspersample-bo(20533) http://bugs.gentoo.org/show_bug.cgi?id=91584 GLSA-200505-07 15320 http://bugzilla.remotesensing.org/show_bug.cgi?id=843 USN-130-1 13585 16350 MDKSA-2006:042 DSA-755 1013944 18943 18289 16872 SCOSA-2005.34 SCOSA-2006.3 Integer overflow in the ELF parser in HT Editor before 0.8.0 allows remote attackers to execute arbitrary code via a crafted ELF file, which leads to a heap-based buffer overflow. GLSA-200505-08 DSA-743 Buffer overflow in the PE parser in HT Editor before 0.8.0 allows remote attackers to execute arbitrary code via a crafted PE file. GLSA-200505-08 DSA-743 Heap-based buffer overflow in the demo version of Bakbone Netvault, and possibly other versions, allows remote attackers to execute arbitrary commands via a large packet to port 20031. 20050512 Netvault Remote Heap Overflow (another one) SQL injection vulnerability in index.php in Advanced Guestbook 2.3.1 allows remote attackers to execute arbitrary SQL commands via the entry parameter. 13548 20050508 Advanced Guestbook 2.3.1 Directory traversal vulnerability in easymsgb.pl in Easy Message Board allows remote attackers to read arbitrary files via a .. (dot dot) in the print parameter. http://www.soulblack.com.ar/repo/papers/easymsgb_advisory.txt 13551 16162 20050508 Easy Message Board Directory Traversal and Remote Command easymsgb.pl in Easy Message Board allows remote attackers to execute arbitrary commands via shell metacharacters in the print parameter. http://www.soulblack.com.ar/repo/papers/easymsgb_advisory.txt 13555 16163 15295 20050508 Easy Message Board Directory Traversal and Remote Command Sophos Anti-Virus 3.93 does not check downloaded files for viruses when they have only been written, which creates a race condition and may allow remote attackers to bypass virus protection if the file is executed before the antivirus starts on system reboot. sophos-download-virus-undetected(20519) 20050509 Viruses can evade Sophos Anti-Virus GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0, when set to create JPEG images, does not properly protect an image even when a password and username is assigned, which may allow remote attackers to gain sensitive information via a direct request to the image. geovision-authentication(20537) 13571 16340 http://www.esqo.com/research/advisories/2005/100505-1.txt 15330 20050510 Esqo advisory: GeoVision Digital Video Surveillance System - Multiple authentication issues GeoVision Digital Video Surveillance System 6.04, 6.1 and 7.0 uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via sniffing. http://www.esqo.com/research/advisories/2005/100505-1.txt 20050510 Esqo advisory: GeoVision Digital Video Surveillance System - Multiple authentication issues geovision-authentication-plaintext(20538) 16341 SQL injection vulnerability in view_user.php in WowBB 1.6, 1.61, and 1.62 allows remote attackers to execute arbitrary SQL commands via the sort_by parameter. wowbb-viewuser-sql-injection(20565) 13569 16543 12843 20050510 WowBB view_user.php SQL Injection Vulnerability Cross-site scripting (XSS) vulnerability in the JRun Web Server in ColdFusion MX 7.0 allows remote attackers to inject arbitrary script or HTML via the URL, which is not properly quoted in the resulting default 404 error page. coldfusion-mx7-default-page-xss(20550) http://www.macromedia.com/devnet/security/security_zone/mpsb05-03.html 20050510 New Macromedia Security Zone Bulletin Posted Gamespy cd-key validation system allows remote attackers to cause a denial of service (cd-key already in use) by capturing and replaying a cd-key authorization session. gamespy-sdk-cdkey-mult-games-dos(20417) 15254 20050504 Gamespy cd-key validation system: "Cd-key in use" DoS versus many games http://aluigi.altervista.org/adv/gskeyinuse-adv.txt 20050510 Gamespy cd-key validation system: "Cd-key in use" DoS versus many games Multiple cross-site scripting (XSS) vulnerabilities in WebApp Guestbook PRO 3.2.1 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) title or (2) content of a message. webapp-php-guestbook-pro-xss(20544) http://www.soulblack.com.ar/repo/papers/guesbookpro_advisory.txt 13593 16349 1013940 15290 20050511 Guesbook Pro XSS & HTML Injection The web module in Neteyes Nexusway allows remote attackers to bypass authentication and gain administrator privileges by setting the cyclone500_auth cookie. 15150 nexusway-configuration-modification(20554) 16446 20050511 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability 20050510 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability The web module in Neteyes Nexusway allows remote attackers to execute arbitrary commands via hex-encoded shell metacharacters in the ip parameter for (1) nslookup.cgi or (2) ping.cgi. 15150 nexusway-web-command-execution(20557) 16449 16448 20050511 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability 20050510 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability The SSH module in Neteyes Nexusway allows remote attackers to execute arbitrary commands via shell metacharacters in arguments to certain commands, as demonstrated using ping and traceroute. 15150 nexusway-ssh-command-execution(20555) 16447 20050511 [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability 20050510 [Full-disclosure] [Scan Associates Advisory] Neteyes Nexusway multiple vulnerability Multiple cross-site scripting (XSS) vulnerabilities in post.asp in MaxWebPortal 1.3.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) mod, (2) M, or (3) type parameter. maxwebportal-postasp-xss(20560) 15329 20050511 [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS 13601 http://www.hackerscenter.com/archive/view.asp?id=2542 16501 Multiple SQL injection vulnerabilities in MaxWebPortal 1.3.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) fpassword parameter to inc_functions.asp, (2) txtAddress, (3) message, or (4) subject parameter to post_info.asp, (5) andor parameter to search.asp, (6) verkey parameter to pop_profile.asp, or (7) Remove or (8) Delete parameter to pm_delete2.asp. maxwebportal-postasp-sql-injection(20562) 15329 13601 16510 16506 16504 16503 16502 http://www.hackerscenter.com/archive/view.asp?id=2542 20050511 [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 displays a different error message depending on whether a product exists or not, which allows remote attackers to determine hidden products. https://bugzilla.mozilla.org/show_bug.cgi?id=287109 16425 http://www.bugzilla.org/security/2.16.8/ 15338 20050512 Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8 ADV-2005-0533 13606 CLSA-2005:1040 post_bug.cgi in Bugzilla 2.10 through 2.18, 2.19.1, and 2.19.2 allows remote authenticated users to "enter bugs into products that are closed for bug entry" by modifying the URL to specify the name of the product. https://bugzilla.mozilla.org/show_bug.cgi?id=287109 16426 http://www.bugzilla.org/security/2.16.8/ 15338 20050512 Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8 bugzilla-postbug-weak-security(42797) Bugzilla 2.17.1 through 2.18, 2.19.1, and 2.19.2, when a user is prompted to log in while attempting to view a chart, displays the password in the URL, which may allow local users to gain sensitive information from web logs or browser history. https://bugzilla.mozilla.org/show_bug.cgi?id=287436 16427 15338 ADV-2005-0533 20050512 Security Advisory for Bugzilla 2.18, 2.19.2, and 2.16.8 13605 CLSA-2005:1040 Acrowave AAP-3100AR wireless router allows remote attackers to bypass authentication by pressing CTRL-C at the username or password prompt in a telnet session, which causes the shell to crash and restart, then leave the user in the new shell. 16445 15343 20050512 Acrowave AAP-3100AR authetication bypass SQL injection vulnerability in topic.php in DirectTopics 2.1 and 2.2 allows remote attackers to execute arbitrary SQL commands via the topic parameter. 20050512 Directtopics Multiple Vulnerabilities (Security Advisory) topic.php in DirectTopics 2.1 and 2.2 allows remote attackers to obtain sensitive information via an invalid topic parameter, which reveals the path in an error message. 20050512 Directtopics Multiple Vulnerabilities (Security Advisory) Cross-site scripting (XSS) vulnerability in DirectTopics 2.1 and 2.2 allows remote attackers to inject arbitrary web script via a javascript: URL in (1) a thread or (2) an IMG tag. 20050512 Directtopics Multiple Vulnerabilities (Security Advisory) forum.asp in bttlxeForum 2.0 allows remote attackers to obtain full path information via a certain hex-encoded argument to the page parameter, possibly due to a SQL injection vulnerability. 1013934 Multiple directory traversal vulnerabilities in ShowOff! 1.5.4 allow remote attackers to read arbitrary files via ".." sequences in arguments to the (1) ShowAlbum, (2) ShowVideo, or (3) ShowGraphic scripts. 16332 15300 ShowOff! 1.5.4 allows remote attackers to cause a denial of service (server crash) via a malformed request to port 8083. 16333 15300 SQL injection vulnerability in admin_login.asp for ASP Virtual News Manager allows remote attackers to execute arbitrary SQL commands via the password parameter. http://www.under9round.com/avn13.txt 1013933 Windows Media Player 9 and 10, in certain cases, allows content protected by Windows Media Digital Rights Management (WMDRM) to redirect the user to a web site to obtain a license, even when the "Acquire licenses automatically for protected content" setting is not enabled. 892313 The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows allows remote attackers to hide the real file types of downloaded files via the Content-Type HTTP header and a filename containing whitespace, dots, or ASCII byte 160. 16431 http://secunia.com/secunia_research/2004-11/advisory/ 12979 The file download dialog in Mozilla Firefox 0.10.1 and 1.0 for Windows uses the Content-Type HTTP header to determine the file type, but saves the original file extension when "Save to Disk" is selected, which allows remote attackers to hide the real file types of downloaded files. http://secunia.com/secunia_research/2004-11/advisory/ 12979 16432 APG Technology ClassMaster does not properly restrict access to sensitive folders, which allows remote attackers to access folders via a network share. 13604 http://www.securiteam.com/windowsntfocus/5SP0D0AFPQ.html EnCase Forensic Edition 4.18a does not support Device Configuration Overlays (DCO), which allows attackers to hide information without detection. 15340 Apple QuickTime Player 7.0 on Mac OS X 10.4 allows remote attackers to obtain sensitive information via a .mov file with a Quartz Composer composition (.qtz) file that uses certain patches to read local information, then other patches to send the information to the attacker. 13603 15307 ADV-2005-0531 16376 1013961 http://remahl.se/david/vuln/018 APPLE-SA-2005-05-31 [quartzcomposer-dev] 20050511 Re: Quartz Quicktime embedded in remote webpages... [quartzcomposer-dev] 20050510 Quartz Quicktime embedded in remote webpages... 20050511 [DR018] Quartz Composer / QuickTime 7 information leakage http://docs.info.apple.com/article.html?artnum=301714 users.ini.php in BoastMachine 3.0 does not properly restrict the types of files that can be uploaded, which allows remote attackers to execute arbitrary code. 13600 16334 http://www.kernelpanik.org/docs/kernelpanik/bmachines.txt 15312 Cross-site scripting (XSS) vulnerability in Bug Report 1.0 allows remote attackers to inject arbitrary web script or HTML via various fields to bug_report.php, which are not filtered or quoted when processed by bug_list.php or admin/index.php. 1013957 Cross-site scripting (XSS) vulnerability in index.php for 1Two News 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) nom, (2) email, (3) siteweb, or (4) commentaire variables. 1013960 1Two News 1.0 allows remote attackers to (1) delete images for new stories via a direct request to admin/delete.php or (2) upload arbitrary images via a direct request to admin/upload.php. 1013960 Cross-site scripting (XSS) vulnerability in index.php for Quick.Forum 2.1.6 allows remote attackers to inject arbitrary web script or HTML via the topic field in a NewTopic action. 13602 16327 15200 http://lostmon.blogspot.com/2005/05/quickforum-topic-field-xss-and-page.html Multiple SQL injection vulnerabilities in Quick.Forum 2.1.6 allow remote attackers to execute arbitrary SQL commands via the (1) iCategory or (2) page parameter to index.php, or (3) iCategory parameter in the query string to the forum directory. 16326 15200 http://lostmon.blogspot.com/2005/05/quickforum-topic-field-xss-and-page.html Quick.Forum 2.1.6 stores potentially sensitive information such as usernames, banned IP addresses, censored words, and backups under the web document root, which allows remote attackers to obtain that information via a direct request to (1) db/users.txt, (2) db/banList.txt, (3) db/censureWords.txt, or (4) backup files. 16329 16328 15200 http://lostmon.blogspot.com/2005/05/quickforum-topic-field-xss-and-page.html Cross-site scripting (XSS) vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to inject arbitrary web script or HTML via the sWord parameter. 13599 16330 15297 http://lostmon.blogspot.com/2005/05/quickcart-sword-variable-xss-and.html http://opensolution.org/forum/?p=readTopic&nr=948 ** DISPUTED ** SQL injection vulnerability in index.php for Quick.cart 0.3.0 allows remote attackers to execute arbitrary SQL commands via the iCategory parameter. NOTE: the vendor has privately disputed this issue, saying that Quick.cart does not even use SQL and therefore can not be vulnerable to SQL injection. 16331 http://lostmon.blogspot.com/2005/05/quickcart-sword-variable-xss-and.html The pkt_ioctl function in the pktcdvd block device ioctl handler (pktcdvd.c) in Linux kernel 2.6.12-rc4 and earlier calls the wrong function before passing an ioctl to the block device, which crosses security boundaries by making kernel address space accessible from user space and allows local users to cause a denial of service and possibly execute arbitrary code, a similar vulnerability to CVE-2005-1264. [linux-kernel] 20050517 [PATCH] Fix root hole in pktcdvd 20050516 Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability ADV-2005-0557 MDKSA-2005:219 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.10 20050517 Linux kernel pktcdvd ioctl break user space limit vulnerability [corrected] 20050517 Re: Linux kernel pktcdvd and rawdevice ioctl break user space limit vulnerability 13651 MDKSA-2005:219 17826 The Altiris Client Service for Windows (ACLIENT.EXE) 6.0.88 allows local users to disable password protection and access the administrative interface by finding and showing the "Altiris Client Service" hidden window, disabling the password protection, disabling the "Hide client tray icon box" option, then opening the AClient tray icon and using the View Log File option, a different vulnerability than CVE-2004-2070. 15897 15159 20050427 Privilege escalation and password protection bypass in Altiris Client Service for Windows (Version 6.0.88) Unknown vulnerability in NIS+ on Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (rpc.nisd disabled and NIS+ unavailable) via unknown vectors. 57780 ADV-2005-0492 Multiple "javascript vulerabilities in BB code" in BirdBlog before 1.3.1 allow remote attackers to inject arbitrary Javascript. http://sourceforge.net/project/shownotes.php?release_id=324788 15206 Cross-site scripting (XSS) vulnerability in catalog.php for CodeThat ShoppingCart 1.3.1 allows remote attackers to inject arbitrary web script or HTML via the id parameter. 13560 16155 1013924 15251 http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html SQL injection vulnerability in catalog.php for CodeThat ShoppingCart 1.3.1 allows remote attackers to execute arbitrary SQL commands via the id parameter. 15251 13560 16156 1013924 http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html CodeThat ShoppingCart 1.3.1 stores config.ini under the web root, which allows remote attackers to obtain sensitive information via a direct request. 15251 13560 16157 1013924 http://lostmon.blogspot.com/2005/05/codethat-shoppingcart-critical.html index.php in Fusion SBX 1.2 and earlier does not properly use the extract function, which allows remote attackers to bypass authentication by setting the is_logged parameter or execute arbitrary code via the maxname2 parameter. 15257 fusion-islogged-authentication-bypass(20531) ADV-2005-0508 http://www.securiteam.com/exploits/5OP042KFPU.html 16217 16216 http://www.exploits.co.in/Article1134.html Cross-site scripting (XSS) vulnerability in (1) search.php and (2) topics.php for Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the highlite parameter. http://www.gulftech.org/?node=research&article_id=00073-05052005 http://forums.invisionpower.com/index.php?showtopic=168016 ADV-2005-0487 invision-powerboard-highlite-xss(20445) 13534 16298 1013907 15265 20050506 Multiple Vulnerabilities In Invision Power Board SQL injection vulnerability in Invision Power Board (IPB) 2.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via a crafted cookie password hash (pass_hash) that modifies the internal $pid variable. http://www.gulftech.org/?node=research&article_id=00073-05052005 http://forums.invisionpower.com/index.php?showtopic=168016 13529 invision-powerboard-login-sql-injection(20446) http://www.securiteam.com/exploits/5GP0E2KFQQ.html 16297 1014499 1013907 15265 1013 20050526 Invision Power Board 1.* and 2.* Exploit (BID 13529) 20050506 Multiple Vulnerabilities In Invision Power Board Cross-site scripting (XSS) vulnerability in Kryloff Technologies Subject Search Server (SSServer) 1.1 allows remote attackers to inject arbitrary web script or HTML via the "Search For" field. ssserver-searchfor-xss(20558) 13574 1013938 15288 A "mathematical flaw" in the implementation of the El Gamal signature algorithm for LibTomCrypt 1.0 to 1.0.2 allows attackers to generate valid signatures without having the private key. libtomcrypt-signature-security-bypass(20455) 20050503 Secure Science Corporation Advisory CSA-056 13473 http://www.securiteam.com/unixfocus/5JP092AFPG.html 16188 15233 MRO Maximo Self Service 4 and 5 stores certain information under the web document root using file extensions that are not processed by Tomcat, which allows remote attackers to obtain sensitive information via a direct request for the file, such as MXServer.properties. maximo-information-disclosure(20452) 13508 20050505 MRO Maximo v4 & v5 16161 15176 SQL injection vulnerability in login.asp for Net56 Browser Based File Manager 1.0 allows remote attackers to execute arbitrary SQL commands and bypass authentication via the password field. browser-based-file-mgr-sql-injection(20504) 13547 16544 20050508 Browser Based File Manager Administration Vulnerability NiteEnterprises Remote File Manager 1.0 allows remote attackers to cause a denial of service (crash) via a crafted string to TCP port 7080. ADV-2005-0501 13550 16158 15299 20050508 Server Remote File Manager DOS Exploit PHP Advanced Transfer Manager (phpATM) 1.21 allows remote attackers to upload arbitrary files via filenames containing multiple file extensions, as demonstrated using a filename ending in "php.ns", which allows execution of arbitrary PHP code. 13542 20051029 uplod phpshell in PHP Advanced Transfer Manager 20051030 Re: uplod phpshell in PHP Advanced Transfer Manager 16160 15279 20050506 PHP Advanced Transfer Manager v1.21 Cross-site scripting (XSS) vulnerability in the guestbook for SiteStudio 1.6 allows remote attackers to inject arbitrary web script or HTML via the name field to (1) psoft.guestbook.GuestBookServ in Standalone Site Studio or (2) E-Guest_sign.pl in Integrated Site Studio with H-Sphere. sitestudio-guestbook-xss(20496) http://www.psoft.net/SS/ss_16_security_update_guestbook.html http://www.psoft.net/misc/hsphere_winbox_security_update_guestbook.html 20050509 SiteStudio 15286 http://exploitlabs.com/files/advisories/EXPL-A-2005-008-sitestudio.txt 13554 16240 H-Sphere Winbox 2.4.2 and 2.4.3 RC1 stores sensitive information such as username and password in plaintext in world-readable log files, which allows local users to gain privileges. hsphere-information-disclosure(20522) 13559 http://www.psoft.net/misc/hsphere_winbox_security_update_passwd.html 15287 http://exploitlabs.com/files/advisories/EXPL-A-2005-007-hsphere.txt 16239 Cross-site scripting (XSS) vulnerability in shop.cgi in Remote Cart allows remote attackers to inject arbitrary web script or HTML via the (1) merchant or (2) demo parameters. 16454 http://www.governmentsecurity.org/forum/lofiversion/index.php/t14715.html 1013903 Multiple unknown vulnerabilities in the Blocks module in Spidean AutoTheme 1.7 and AT-Lite for PostNuke have unknown impact. autotheme-pnadminphp-gain-access(20490) 13539 1013908 15289 http://news.postnuke.com/Article2687.html 16346 Unknown vulnerability in Sun StorEdge 6130 Arrays (SE6130) with serial numbers between 0451AWF00G and 0513AWF00J allows local users and remote attackers to delete data. VU#812438 storedge-6130-array-bypass-security(20542) ADV-2005-0491 13566 16325 57771 1013921 15306 Cross-site scripting (XSS) vulnerability in security.php for Tru-Zone NukeET 3.0 and 3.1 allows remote attackers to inject arbitrary web script or HTML via a base64 encoded Codigo parameter. 13570 16214 1013936 http://lostmon.blogspot.com/2005/05/nukeet-codigo-variable-cross-site.html nukeet-securityphp-xss(20540) 15332 Cross-site scripting (XSS) vulnerability in WebX in Web Crossing 5.x allows remote attackers to inject arbitrary web script or HTML via a URL with an "@" followed by the desired script. web-crossing-webx-xss(20381) 13482 16070 15218 http://osvdb.org/ref/16/16070-webcrossing.txt SQL injection vulnerability in read.php in Open Bulletin Board (OpenBB) 1.0.8 allows remote attackers to execute arbitrary SQL commands via the TID parameter. 13624 20050513 OpenBB SQL Injection & Cross-site Scripting Vulnerability Cross-site scripting (XSS) vulnerability in member.php in Open Bulletin Board (OpenBB) 1.0.8 allows remote attackers to inject arbitrary web script or HTML via the reverse parameter in a list action. 13625 20050513 OpenBB SQL Injection & Cross-site Scripting Vulnerability Cross-site scripting (XSS) vulnerability in viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 allows remote attackers to inject arbitrary web script or HTML via the postorder parameter. 13621 20050513 Ultimate PHP Board (UPB) Security Advisory viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 may allow remote attackers to read sensitive data via the postorder parameter, which is not properly handled by textdb.inc.php, possibly due to a SQL injection vulnerability. 13622 20050513 Ultimate PHP Board (UPB) Security Advisory viewforum.php in Ultimate PHP Board (UPB) 1.8 through 1.9.6 allows remote attackers to obtain sensitive information via an invalid (1) id or possibly (2) postorder parameter, which reveals the path in an error message when a file can not be opened. 20050513 Ultimate PHP Board (UPB) Security Advisory Willings WebCam and WebCam Lite 2.8 and earlier stores the password in memory in plaintext, which allows local users to gain sensitive information. 20050513 Willings WebCam - Password Disclosure Issue The YMSGR URL handler in Yahoo! Messenger 5.x through 6.0 allows remote attackers to cause a denial of service (disconnect) via a room login or a room join request packet with a third : (colon) and an & (ampersand), which causes Messenger to send a corrupted packet to the server, which triggers a disconnect from the server. 20050513 Yahoo! Messenger URL Handler Remote DoS Vulnerability 13626 16816 Multiple cross-site scripting (XSS) vulnerabilities in (1) start_page.css.php3 (aka start-page.css.php3) or (2) style.css.php3 in PHPMyChat 0.14.5 allow remote attackers to inject arbitrary web script or HTML commands via the FontName parameter. NOTE: it was later reported that 0.14.5 is also affected. 13628 13627 20071204 RFI and Multiple XSS in PhpMyChat 20050513 PHPHeaven PHPMyChat Cross-site Scripting Vulnerablitiy Cross-site scripting (XSS) vulnerability in Skull-Splitter Guestbook 1.0, 2.0 and 2.2 allows remote attackers to inject arbitrary web script or HTML via the (1) title or (2) content of a message. 20050514 Skull-Splitter's Guestbook Multiple XXS/HTML injection Directory traversal vulnerability in the pnModFunc function in pnMod.php for PostNuke 0.750 through 0.760rc4 allows remote attackers to read arbitrary files via a .. (dot dot) in the func parameter to index.php. 20050516 Postnuke 0.750 - 0.760rc4 local file inclusion http://cvs.postnuke.com/viewcvs.cgi/Historic_PostNuke_Library/postnuke-devel/html/includes/pnMod.php.diff?r1=1.47&r2=1.48 ADV-2005-0553 http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2691 http://news.postnuke.com/Article2690.html Cross-site scripting (XSS) vulnerability in productsByCategory.asp in MetaCart e-Shop allows remote attackers to inject arbitrary web script or HTML via the strCatalog_NAME parameter. 20050516 Multiple Vulnerabilities in MetaCart e-Shop http://echo.or.id/adv/adv13-theday-2005.txt Stack-based buffer overflow in the UnixAppOpenFilePerform function in Adobe Reader 5.0.9 and 5.0.10 for Unix allows remote attackers to execute arbitrary code via a PDF document with a long /Filespec tag. 20050705 iDEFENSE Security Advisory 07.05.05: Adobe Acrobat Reader UnixAppOpenFilePerform() Buffer Overflow Vulnerability http://www.adobe.com/support/techdocs/329083.html RHSA-2005:575 SUSE-SA:2005:042 Multiple buffer overflows in handlers.c for Pico Server (pServ) before 3.3 may allow attackers to execute arbitrary code. 13648 http://sourceforge.net/project/shownotes.php?release_id=327708 Unknown vulnerability in Viewglob before 2.0.1, related to "a potential security issue with the Viewglob display and ssh X forwarding," has unknown impact. http://sourceforge.net/project/shownotes.php?release_id=325574 1013937 15293 viewglob-connection-information-disclosure(20559) 16170 apage.cgi in WebAPP 0.9.9.2.1, and possibly earlier versions, allows remote attackers to execute arbitrary commands via shell metacharacters in the f parameter. ADV-2005-0554 http://www.soulblack.com.ar/repo/tools/sbwebapp.txt 13637 20061024 Re: Application orders Linux in WebAPP v0.9.9.2.1 20061023 Application orders Linux in WebAPP v0.9.9.2.1 http://www.defacers.com.mx/advisories/3.txt SQL injection vulnerability in member.php for Photopost PHP Pro allows remote attackers to execute arbitrary SQL commands via the verifykey parameter. 20050513 PhotoPost Arbitrary Data Exploit 13620 Unknown vulnerability in Attachment Mod before 2.3.13, related to a "serious issue with realnames," has unknown impact and attack vectors. http://sourceforge.net/project/shownotes.php?release_id=326408 15327 booby.php in Booby 1.0.0 and earlier allows remote attackers to view private bookmarks by guessing item IDs. 13623 http://sourceforge.net/project/shownotes.php?release_id=326826 15305 booby-bookmarks-information-disclosure(20605) Cheetah 0.9.15 and 0.9.16 searches the /tmp directory for modules before using the paths in the PYTHONPATH variable, which allows local users to execute arbitrary code via a malicious module in /tmp/. http://sourceforge.net/mailarchive/forum.php?thread_id=7070332&forum_id=1542 16622 15386 Multiple SQL injection vulnerabilities in JGS-XA JGS-Portal 3.0.2 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) anzahl_beitraege parameter to jgs_portal.php, 2) year parameter to (jgs_portal_statistik.php, 3) year parameter to (jgs_portal_beitraggraf.php, 4) tag parameter to (jgs_portal_viewsgraf.php, 5) year parameter to (jgs_portal_themengraf.php, 6) year parameter to (jgs_portal_mitgraf.php, 7) id parameter to jgs_portal_sponsor.php, or (8) the Accept-Language header to jgs_portal_log.php. 20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05) Multiple cross-site scripting (XSS) vulnerabilities in JGS-XA JGS-Portal 3.0.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) anzahl_beitraege parameter to jgs_portal.php, (2) year parameter to jgs_portal_statistik.php, (3) year parameter to jgs_portal_beitraggraf.php, (4) tag parameter to jgs_portal_viewsgraf.php, (5) year parameter to jgs_portal_themengraf.php, (6) year parameter to jgs_portal_mitgraf.php, (7) id parameter to jgs_portal_sponsor.php, or (8) the Accept-Language header to jgs_portal_log.php. NOTE: this issue may stem from the same core problem as CVE-2005-1633. 20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05) JGS-XA JGS-Portal 3.0.2 and earlier allows remote attackers to obtain the full server path via direct requests to (1) jgs_portal_ref.php, (2) jgs_portal_land.php, (3) jgs_portal_log.php, (4) jgs_portal_global_sponsor.php, (5) jgs_portal_global.php, (6) jgs_portal_system.php, (7) jgs_portal_views.php; or multiple files in the jgs_portal_include directory, including (8) jgs_portal_boardmenue.php, (9) jgs_portal_forenliste.php, (10) jgs_portal_geburtstag.php, (11) jgs_portal_guckloch.php, (12) jgs_portal_kalender.php, (13) jgs_portal_letztethemen.php, (14) jgs_portal_links.php, (15) jgs_portal_neustemember.php, (16) jgs_portal_newsboard.php, (17) jgs_portal_online.php, (18) jgs_portal_pn.php, (19) jgs_portal_portalmenue.php, (20) jgs_portal_styles.php, (21) jgs_portal_suchen.php, (22) jgs_portal_team.php, (23) jgs_portal_topforen.php, (24) jgs_portal_topposter.php, (25) jgs_portal_umfrage.php, (26) jgs_portal_useravatar.php, (27) jgs_portal_waronline.php, (28) jgs_portal_woonline.php, or (29) jgs_portal_zufallsavatar.php. 20050516 [SePro Bugtraq] WBB Portal - JGS-Portal <= 3.0.2 - Multiple Vulnerabilities (09.05.05) mysql_install_db in MySQL 4.1.x before 4.1.12 and 5.x up to 5.0.4 creates the mysql_install_db.X file with a predictable filename and insecure permissions, which allows local users to execute arbitrary SQL commands by modifying the file's contents. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158688 http://www.zataz.net/adviso/mysql-05172005.txt 13660 RHSA-2005:685 17080 15369 oval:org.mitre.oval:def:9504 20050517 MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp MDKSA-2006:045 Multiple SQL injection vulnerabilities in NPDS 4.8 and 5.0 allow remote attackers to execute arbitrary SQL commands via the thold parameter to (1) comments.php or (2) pollcomments.php. http://www.npds.org/article.php?sid=1258 1013973 The _writeAttrs function in SafeHTML before 1.3.2 does not properly handle quotes in attribute values, which could allow remote attackers to exploit cross-site scripting (XSS) vulnerabilities in applications that rely on SafeHTML for protection. http://pixel-apes.com/safehtml/feed 16612 15371 SQL injection vulnerability in Sigmaweb.DLL in Sigma ISP Manager 6.6 allows remote attackers to execute arbitrary SQL commands via the (1) username, (2) password, or (3) domain fields. http://www.under9round.com/sigma.txt 16620 15379 mod_channel.bas in The Ignition Project ignitionServer 0.3.0 to 0.3.6, and possibly earlier versions, does not properly verify whether a host has the owner privileges required to delete IRC channel access entries, which allows remote attackers to bypass intended restrictions. http://www.ignition-project.com/security/20050414-hosts-delete-owner-access-entries 15388 mod_channel in The Ignition Project ignitionServer 0.3.0 to 0.3.6, and possibly earlier versions, does not allow protected operators to access channels that have been locked out by a key, which allows IRC users to cause a denial of service. http://www.ignition-project.com/security/20050515-protected-opers-cannot-join-channel-with-key 15388 SQL injection vulnerability in the verify_email function in Woltlab Burning Board 2.x and earlier allows remote attackers to execute arbitrary SQL commands via the $email variable. ADV-2005-0558 16575 20050516 Re: Woltlab Burning Board SQL Injection Vulnerability (fwd) 15395 20050516 Woltlab Burning Board SQL Injection Vulnerability The ZCom_BitStream::Deserialize function in Zoidcom 1.0 beta 4 and earlier allows remote attackers to cause a denial of service via a crafted UDP packet with a large size value, which causes a memory allocation error or an out-of-bounds read. http://www.zoidcom.com/download/changelog.txt 1013939 zoidcom-deserialize-dos(20511) 16495 20050510 Crash in Zoidcom 1.0 beta 4 Cross-site scripting (XSS) vulnerability in guestbook.php for 1Two Livre d'Or 1.0 allows remote attackers to inject arbitrary web script or HTML via the (1) livreornom, (2) livreoremail, or (3) livreormessage parameters. 1013971 13631 1two-livere-dor-guestbook-xss(20589) 16717 Keyvan1 ImageGallery stores the image.mdb database under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information. imagegallery-information-disclosure(20592) 13630 1013970 15362 The default installation of Fastream NETFile FTP/Web Server 7.4.6, which supports FXP, does not require that the IP address in a PORT command be the same as the IP of the logged in user, which allows remote attackers to conduct FTP Bounce attacks to bypass firewall rules or cause a denial of service. http://www.security.org.sg/vuln/netfileftp746port.html ADV-2005-0556 15394 Gurgens (GASoft) Guest Book 2.1 stores the db/Genid.dat database file under the web document root with insufficient access control, which allows remote attackers to obtain and decrypt usernames and passwords. 1013976 15373 20050515 Gurgens Guest Book Password Database Vulnerability Gurgens (GASoft) Ultimate Forum 1.0 stores the db/Genid.dat database file under the web document root with insufficient access control, which allows remote attackers to obtain and decrypt usernames and passwords. 20050515 Ultimate Forum Password Database Vulnerability 1013974 15374 The IpV6 support in Windows XP SP2, 2003 Server SP1, and Longhorn, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, a variant of CVE-2005-0688 and a reoccurrence of the "Land" vulnerability (CVE-1999-0016). ADV-2005-0559 13658 20050516 Windows (XP, 2k3, Longhorn) is vulnerable to IpV6 Land attack. The web mail service in Woppoware PostMaster 4.2.2 (build 3.2.5) generates different error messages depending on whether a user exists or not, which allows remote attackers to determine valid usernames. 13597 15268 Directory traversal vulnerability in message.htm for Woppoware PostMaster 4.2.2 (build 3.2.5) allows remote attackers to determine the existence of arbitrary files via a .. (dot dot) in the wmm parameter. 13597 15268 message.htm for Woppoware PostMaster 4.2.2 (build 3.2.5) allows remote attackers to bypass authentication by modifying the email parameter. 13597 15268 Cross-site scripting (XSS) vulnerability in message.htm for Woppoware PostMaster 4.2.2 (build 3.2.5) allows remote attackers to inject arbitrary web script or HTML via the email parameter. 13597 15268 Hosting Controller 6.1 Hotfix 1.9 and earlier allows remote attackers to register arbitrary users via a direct request to addsubsite.asp with the loginname and password parameters set. http://isun.shabgard.org/hc3.txt 15271 AOL Instant Messenger 5.5.x and earlier allows remote attackers to cause a denial of service (client crash) via an invalid smiley icon location in the sml parameter of a font tag. 13553 Mercur Messaging 2005 SP2 allows remote attackers to read the source code of .ctml files via a URL with a trailing hex-encoded space ("%20"). 16218 15234 Multiple directory traversal vulnerabilities in Mercur Messaging 2005 SP2 allow remote attackers to perform unauthorized file operations via the Folder.Id parameter to (1) deletefolder.ctml, (2) deletemessage.ctml, (3) origmessage.ctml, or (4) readmessage.ctml, the Message.Id parameter to editmessage.ctml, or the (5) Message.Command parameter to messages.ctml. 16225 16224 16223 16222 16221 16220 15234 Directory traversal vulnerability in filemanager.cpp in MyServer 0.8 allows remote attackers to list the parent directory of the web root via a URL with a "..." (triple dot). 15274 http://cvs.sourceforge.net/viewcvs.py/myserverweb/myserverweb/source/filemanager.cpp?rev=1.116&view=log Cross-site scripting (XSS) vulnerability in filemanager.cpp in MyServer 0.8 allows remote attackers to inject arbitrary Javascript via a URL with a "..." (triple dot) followed by an onmouseover event. 15274 http://cvs.sourceforge.net/viewcvs.py/myserverweb/myserverweb/source/filemanager.cpp?rev=1.116&view=log HTMLJunction EZGuestbook stores the guestbook.mdb file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as the administrative password. htmljunction-database-disclosure(20487) 16444 1013912 Jeuce Personal Webserver 2.13 allows remote attackers to cause a denial of service (server crash) via a long GET request, possibly triggering a buffer overflow. 16453 http://users.pandora.be/bratax/advisories/b005.html 1013902 13732 Directory traversal vulnerability in Jeuce Personal Web Server 2.13 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. jeuce-dotdot-directory-traversal(18787) 12183 http://www.securiteam.com/windowsntfocus/5JP011PEKY.html 12718 1012791 13732 Jeuce Personal Web Server 2.13 allows remote attackers to cause a denial of service (server crash) via a GET request beginning with "://". jeuce-url-dos(18791) 12183 http://www.securiteam.com/windowsntfocus/5JP011PEKY.html 12719 1012791 13732 The __VIEWSTATE functionality in Microsoft ASP.NET 1.x allows remote attackers to conduct replay attacks to (1) apply a ViewState generated from one view to a different view, (2) reuse ViewState information after the application's state has changed, or (3) use the ViewState to conduct attacks or expose content to third parties. ms-aspnet-viewstate-replay(20409) 16196 15241 http://scottonwriting.net/sowblog/posts/3747.aspx 20050505 Re: ASP.NET __VIEWSTATE crypto validation prone to replay attacks 20050503 ASP.NET __VIEWSTATE crypto validation prone to replay attacks The __VIEWSTATE functionality in Microsoft ASP.NET 1.x, when not cryptographically signed, allows remote attackers to cause a denial of service (CPU consumption) via deeply nested markup. ms-aspnet-viewstate-dos(20408) 16195 15241 http://scottonwriting.net/sowblog/posts/3747.aspx 20050503 ASP.NET __VIEWSTATE crypto validation prone to replay attacks Multiple buffer overflows in Orenosv HTTP/FTP Server 0.8.1 allow remote authenticated users to cause a denial of service (server crash) and possibly execute arbitrary code via long arguments to FTP commands such as MKD, RMD, or DELE, which are processed by the (1) ftp_xlate_path, (2) ftp_is_canonical, or (3) os_fn_nativize functions, or (4) a long SSI command that is processed by the parse_cmd function in cgissi.exe. 13549 13546 1013923 http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html orenosv-http-ftp-cgissi-bo(20512) orenosv-http-ftp-commands-bo(20510) ADV-2005-0499 http://www.security.org.sg/vuln/orenosv081.html http://www.securiteam.com/windowsntfocus/5FP0H00FPS.html 16166 16165 15302 DataTrac Activity Console 1.1 allows remote attackers to cause a denial of service via a long HTTP GET request. 13558 http://www.securiteam.com/windowsntfocus/5FP052AFPA.html 16168 15291 983 YusASP Web Asset Manager 1.0 allows remote attackers to gain privileges via a direct request to assetmanager.asp. http://www.securiteam.com/windowsntfocus/5OP0115FPQ.html 13501 16198 Cross-site scripting (XSS) vulnerability in Opera 8.0 Final Build 1095 allows remote attackers to inject arbitrary web script or HTML via "javascript:" URLs when a new window or frame is opened, which allows remote attackers to bypass access restrictions and perform unauthorized actions on other domains. http://secunia.com/secunia_research/2005-5/advisory/ 15411 Unknown vulnerability in Extreme BlackDiamond 10808 and 8800 switches running ExtremeWare XOS 11.1 before 11.1.3.3, 11.0 before 11.0.2.4, and 10.x allows remote authenticated users to execute arbitrary commands. VU#937838 http://www.extremenetworks.com/services/documentation/FieldNotices_FN0215-Security_Alert_EXOS.asp ADV-2005-0572 15438 The Logfile feature in Yahoo! Messenger 5.x through 6.0 can be activated by a YMSGR: URL and writes all output to a single ypager.log file, even when there are multiple users, and does not properly warn later users that the feature has been enabled, which allows local users to obtain sensitive information from other users. 20050518 Yahoo! Messenger may be storing all session data 'Unencoded' on the local machine Multiple cross-site scripting (XSS) vulnerabilities in Help Center Live allow remote attackers to inject arbitrary web script or HTML via the (1) find parameter to index.php, (2) name or (3) message field of a chat request, or (4) the message body when opening a trouble ticket. 20050517 Help Center Live Vulnerabilities Multiple SQL injection vulnerabilities in Help Center Live allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to index.php, (2) tid parameter to view.php, fid parameter to (3) download.php or (4) chat_download.php, (5) status parameter to icon.php, TICKET_tid parameter to (6) index.php or (7) view.php. 20050517 Help Center Live Vulnerabilities Cross-Site Request Forgery (CSRF) vulnerability in Help Center Live allows remote attackers to perform actions as the administrator via a link or IMG tag to view.php. 20050517 Help Center Live Vulnerabilities Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 installs the client installation directories with insecure EVERYBODY permissions, which allows local users to gain sensitive information. http://www.kb.cert.org/vuls/id/JGEI-6BCRBX VU#443370 15421 Multiple cross-site scripting (XSS) vulnerabilities in Groove Mobile Workspace in Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 allow remote attackers to inject arbitrary web script or HTML via the (1) picture columns embedded within SharePoint lists or (2) drop-down menus in a SharePoint list. http://www.kb.cert.org/vuls/id/JGEI-6BCRCC VU#514386 VU#372618 15421 Unknown vulnerability in Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 allows remote attackers to bypass restrictions on COM objects. http://www.kb.cert.org/vuls/id/JGEI-6BCRCM VU#155610 15421 Groove Virtual Office before 3.1 build 2338, before 3.1a build 2364, and Groove Workspace before 2.5n build 1871 does not properly display file extensions on attached or embedded files in a compound document, which may allow remote attackers to trick users into executing malicious code. http://www.kb.cert.org/vuls/id/JGEI-6BCRD6 VU#232232 15421 Stack-based buffer overflow in the error directive in picasm 1.12b and earlier allows attackers to execute arbitrary code via a long error message. http://www.co.jyu.fi/~trossi/pic/ 20050520 picasm error handling stack overflow vulnerability 13698 D-Link DSL-502T, DSL-504T, DSL-562T, and DSL-G604T, when /cgi-bin/firmwarecfg is executed, allows remote attackers to bypass authentication (1) if their IP address already exists in /var/tmp/fw_ip or (2) if their request is the first, which causes /var/tmp/fw_ip to be created and contain their IP address. ADV-2005-0573 20050519 D-Link DSL routers authentication bypass PHP remote file inclusion vulnerability in common.php in phpATM 1.21, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code via a URL in the include_location parameter to index.php. 16692 1014008 15420 20050519 phpATM arbitrary PHP code inclusion ** DISPUTED ** JavaMail API, as used by Solstice Internet Mail Server POP3 2.0, does not properly validate the message number in the MimeMessage constructor in javax.mail.internet.InternetHeaders, which allows remote authenticated users to read other users' e-mail messages by modifying the msgno parameter. NOTE: Sun disputes this issue, stating "The report makes references to source code and files that do not exist in the mentioned products." ADV-2005-0574 20050519 JavaMail Information Disclosure (msgno) Buffer overflow in winword.exe 10.2627.6714 and earlier in Microsoft Word for the Macintosh, before SP3 for Word 2002, allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted mcw file. 13687 20050521 [UPDATE] UNICODE BUFFER OVERFLOW IN MS-WORD 20050519 UNICODE BUFFER OVERFLOW IN MS-WORD Cross-site scripting (XSS) vulnerability in default.asp for episodex guestbook allows remote attackers to inject arbitrary web script or HTML via the Name field and other fields. 20050520 episodex guestbook security bypass & html injection episodex guestbook allows remote attackers to bypass authentication and edit scripts via a direct request to admin.asp. 20050520 episodex guestbook security bypass & html injection Format string vulnerability in gedit 2.10.2 may allow attackers to cause a denial of service (application crash) via a bin file with format string specifiers in the filename. NOTE: while this issue is triggered on the command line by the gedit user, it has been reported that web browsers and email clients could be configured to provide a file name as an argument to gedit, so there is a valid attack that crosses security boundaries. USN-138-1 RHSA-2005:499 GLSA-200506-09 oval:org.mitre.oval:def:9845 20050520 pst.advisory: gedit fun. opensource is god .lol windows SUSE-SA:2005:036 DSA-753 oval:org.mitre.oval:def:1245 SQL injection vulnerability in wp-trackback.php in Wordpress 1.5 and earlier allows remote attackers to execute arbitrary SQL commands via the tb_id parameter. 20050520 [BuHa Security] Wordpress SQL-Injection GLSA-200506-04 http://bugs.gentoo.org/show_bug.cgi?id=88926 Wordpress 1.5 and earlier allows remote attackers to obtain sensitive information via a direct request to files in (1) wp-content/themes/, (2) wp-includes/, or (3) wp-admin/, which reveal the path in an error message. 20050520 [BuHa Security] Wordpress SQL-Injection Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions. VU#623332 GLSA-200507-11 DSA-757 kerberos-kdc-krb5recvauth-execute-code(21055) ADV-2006-3776 ADV-2005-1066 USN-224-1 TLSA-2005-78 2005-0036 14239 HPSBUX02152 HPSBUX02152 RHSA-2005:567 RHSA-2005:562 SUSE-SR:2005:017 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt 101810 1014461 22090 17899 17135 16041 oval:org.mitre.oval:def:9819 20050712 MITKRB5-SA-2005-003: double-free in krb5_recvauth APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 CLA-2005:993 20050703-01-U ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1250. Reason: This candidate is a duplicate of CVE-2005-1250. Notes: this duplicate occurred as a result of multiple independent discoveries and insufficient coordination by the vendor and CNA. All CVE users should reference CVE-2005-1250 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Directory traversal vulnerability in Internet Graphics Server in SAP before 6.40 Patch 11 allows remote attackers to read arbitrary files via ".." sequences in an HTTP GET request. http://www.corsaire.com/advisories/c050503-001.txt Format string vulnerability in gxine 0.4.1 through 0.4.4, and other versions down to 0.3, allows remote attackers to execute arbitrary code via a ram file with a URL whose hostname contains format string specifiers. ADV-2005-0626 13707 16747 http://www.0xbadexworm.org/adv/gxinefmt.txt GLSA-200505-19 15451 20050521 pst.advisory 2005-21: gxine remote exploitable . opensource is god .lol windows http://cvs.sourceforge.net/viewcvs.py/xine/gnome-xine/ChangeLog?rev=HEAD&content-type=text/vnd.viewcvs-markup Integer overflow in Computer Associates Vet Antivirus library, as used by CA InoculateIT 6.0, eTrust Antivirus r6.0 through 7.1, eTrust Antivirus for the Gateway r7.0 and r7.1, eTrust Secure Content Manager, eTrust Intrusion Detection, BrightStor ARCserve Backup (BAB) r11.1, Vet Antivirus, Zonelabs ZoneAlarm Security Suite, and ZoneAlarm Antivirus, allows remote attackers to gain privileges via a compressed VBA directory with a project name length of -1, which leads to a heap-based buffer overflow. http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=32896 http://crm.my-etrust.com/login.asp?username=guest&target=DOCUMENT&openparameter=1588 13710 http://www.rem0te.com/public/images/vet.pdf 1014050 15479 15470 20050523 Computer Associates Vet Antivirus Library Remote Heap Overflow Multiple SQL injection vulnerabilities in Xanthia.php in the Xanthia module in PostNuke 0.750 allow remote attackers to execute arbitrary SQL commands via the (1) name or (2) module parameter. http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2691 20050521 [SECURITYREASON.COM] PostNuke SQL Injection 0.750=>x Multiple cross-site scripting (XSS) vulnerabilities in the RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) rss_url parameter to magpie_slashbox.php, or the url parameter to (2) magpie_simple.php or (3) magpie_debug.php. http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2691 20050521 [SECURITYREASON.COM] PostNuke XSS and Full path disclosure 20050521 [SECURITYREASON.COM] PostNuke XSS 0.760{RC2,RC3} Multiple cross-site scripting (XSS) vulnerabilities in PostNuke 0.750 and 0.760RC3 allow remote attackers to inject arbitrary web script or HTML via the (1) skin or (2) paletteid parameter to demo.php in the Xanthia module, or (3) the serverName parameter to config.php in the Multisites (aka NS-Multisites) module. http://news.postnuke.com/modules.php?op=modload&name=News&file=article&sid=2691 20050521 [SECURITYREASON.COM] PostNuke XSS and Full path disclosure The RSS module in PostNuke 0.750 and 0.760RC2 and RC3 allows remote attackers to obtain sensitive information via a direct request to simple_smarty.php, which reveals the path in an error message. 20050521 [SECURITYREASON.COM] PostNuke XSS 0.760{RC2,RC3} PostNuke 0.750 and 0.760RC3 allows remote attackers to obtain sensitive information via a direct request to (1) theme.php or (2) Xanthia.php in the Xanthia module, (3) user.php, (4) thelang.php, (5) text.php, (6) html.php, (7) menu.php, (8) finclude.php, or (9) button.php in the pnblocks directory in the Blocks module, (10) config.php in the NS-Multisites (aka Multisites) module, or (11) xmlrpc.php, which reveals the path in an error message. 20050521 [SECURITYREASON.COM] PostNuke XSS and Full path disclosure Directory traversal vulnerability in pnadminapi.php in the Xanthia module in PostNuke 0.760-RC3 allows remote administrators to read arbitrary files via a .. (dot dot) in the skin parameter. 20050521 [SECURITYREASON.COM] PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10 SQL injection vulnerability in pnadmin.php in the Xanthia module in PostNuke 0.760-RC3 allows remote administrators to execute arbitrary SQL commands via the riga[0] parameter. 20050521 [SECURITYREASON.COM] PostNuke Non Critical SQL Injection and Include 0.760-RC3=>x cXIb8O3.10 SQL injection vulnerability in PortailPHP 1.3 allows remote attackers to execute arbitrary SQL commands via the id parameter to the (1) News, (2) File, (3) Liens, or (4) Faq modules. 13708 20050521 SQL injections in PortailPHP 1014036 Format string vulnerability in Warrior Kings: Battles 1.23 and earlier and Warrior Kings 1.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in a nickname. 13711 http://aluigi.altervista.org/adv/warkings-adv.txt 1014041 1014040 15482 20050523 Format string and crash in Warrior Kings 1.3 and Battles 1.23 Warrior Kings: Battles 1.23 and earlier allows remote attackers to cause a denial of service (server crash) via a partial join packet that triggers a NULL pointer dereference. 13712 http://aluigi.altervista.org/adv/warkings-adv.txt 1014041 1014040 15482 20050523 Format string and crash in Warrior Kings 1.3 and Battles 1.23 Integer overflow in the Binary File Descriptor (BFD) library for gdb before 6.3, binutils, elfutils, and possibly other packages, allows user-assisted attackers to execute arbitrary code via a crafted object file that specifies a large number of section headers, leading to a heap-based buffer overflow. ADV-2007-1267 http://www.vmware.com/support/vi3/doc/esx-55052-patch.html USN-136-1 2005-0025 13697 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates RHSA-2006:0368 RHSA-2006:0354 RHSA-2005:801 RHSA-2005:763 RHSA-2005:709 RHSA-2005:673 RHSA-2005:659 16757 MDKSA-2005:215 MDKSA-2005:095 GLSA-200506-01 http://support.avaya.com/elmodocs2/security/ASA-2006-178.htm 18506 http://support.avaya.com/elmodocs2/security/ASA-2005-222.pdf 1016544 GLSA-200505-15 24788 21717 21262 21122 17718 17356 17257 17135 17072 17001 15527 oval:org.mitre.oval:def:9071 CLA-2006:1060 http://bugs.gentoo.org/show_bug.cgi?id=91398 20060703-01-P gdb before 6.3 searches the current working directory to load the .gdbinit configuration file, which allows local users to execute arbitrary commands as the user running gdb. RHSA-2005:801 RHSA-2005:709 MDKSA-2005:095 17072 18506 GLSA-200505-15 17356 oval:org.mitre.oval:def:11072 http://bugs.gentoo.org/show_bug.cgi?id=88398 Unknown vulnerability in MailScanner 4.41.3 and earlier, related to "incomplete reporting of viruses in zip files," allows remote attackers to bypass virus detection. The vendor has released a fixed version (4.42.2) http://www.sng.ecs.soton.ac.uk/mailscanner/ChangeLog 1014024 The fn_show_postinst function in Gentoo webapp-config before 1.10-r14 allows local users to overwrite arbitrary files via a symlink attack on the postinst.txt temporary file. 1014027 http://www.zataz.net/adviso/webapp-config-05182005.txt ADV-2005-0809 13780 16746 GLSA-200506-13 15445 http://bugs.gentoo.org/show_bug.cgi?id=91785 templates.admin.users.user_form_processing in Blue Coat Reporter before 7.1.2 allows authenticated users to gain administrator privileges via an HTTP POST that sets volatile.user.administrator to true. http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html ADV-2005-0589 13723 16763 15452 20050524 Blue Coat Reporter multiple remote vulnerabilities Unknown vulnerability in Blue Coat Reporter before 7.1.2 allows remote unauthenticated attackers to add a license. http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html ADV-2005-0589 13725 16764 15452 Multiple cross-site scripting (XSS) vulnerabilities in Blue Coat Reporter before 7.1.2 allow remote attackers to inject arbitrary web script or HTML via (1) the username in an Add User window or (2) the license key (volatile.license_to_add parameter) in the Licensing page. http://www.bluecoat.com/support/knowledge/advisory_reporter_711_vulnerabilities.html ADV-2005-0589 16766 16765 15452 20050524 Blue Coat Reporter multiple remote vulnerabilities Gibraltar Firewall 2.2 and earlier, when using the ClamAV update to 0.81 for Squid, uses a defunct ClamAV method to scan memory for viruses, which does not return an error code and prevents viruses from being detected. 1014030 Unknown vulnerability in Serendipity 0.8, when used with multiple authors, allows unprivileged authors to upload arbitrary media files. http://sourceforge.net/project/shownotes.php?release_id=328092 15405 16659 Multiple cross-site scripting (XSS) vulnerabilities in Serendipity 0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) templatedropdown and (2) shoutbox plugins. 16660 15405 16661 http://sourceforge.net/project/shownotes.php?release_id=328092 Cross-site scripting (XSS) vulnerability in NetWin SurgeMail 3.0c2 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 15425 ADV-2005-0576 Cross-site scripting (XSS) vulnerability in index.php for TOPo 2.2 (2.2.178) allows remote attackers to inject arbitrary web script or HTML via the (1) m, (2) s, (3) ID, or (4) t parameters, or the (5) field name, (6) Your Web field, or (7) email field in the comments section. http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html 13701 13700 16699 1014016 15325 TOPo 2.2 (2.2.178) stores data files in the data directory under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as client IP addresses. 16700 1014016 15325 http://lostmon.blogspot.com/2005/05/topo-22-multiple-variable-fields-xss.html ZyXEL Prestige 650R-31 router running ZyNOS FW v3.40(KO.1) allows remote attackers to cause a denial of service (CPU consumption and network loss) via crafted fragmented IP packets. 13703 16779 http://www.infobyte.com.ar/adv/ISR-10.html 15463 Buffer overflow in LS Games War Times 1.03 and earlier allows remote attackers to cause a denial of service (server crash) via a long nickname. 16619 1013981 15363 http://aluigi.altervista.org/adv/wartimesboom-adv.txt Unknown vulnerability in ALWIL avast! antivirus 4 (4.6.6230) and earlier, when running on Windows NT 4.0, does not properly detect certain viruses. http://www.avast.com/eng/av4_revision_history.html 1013991 AFP Server for Mac OS X 10.4.1, when using an ACL enabled volume, does not properly remove an ACL when a file is copied to a directory that does not use ACLs, which will override the POSIX file permissions for that ACL. APPLE-SA-2005-06-08 Buffer overflow in the legacy client support for AFP Server for Mac OS X 10.4.1 allows attackers to execute arbitrary code. APPLE-SA-2005-06-08 1014138 Unknown vulnerability in the CoreGraphics Window Server for Mac OS X 10.4.x up to 10.4.1 allows local users to inject arbitrary commands into root sessions. APPLE-SA-2005-06-08 LaunchServices in Apple Mac OS X 10.4.x up to 10.4.1 does not properly mark file extensions and MIME types as unsafe if an Apple Uniform Type Identifier (UTI) is not created when the type is added to the database of unsafe types, which could allow attackers to bypass intended restrictions. APPLE-SA-2005-06-08 1014141 NFS on Apple Mac OS X 10.4.x up to 10.4.1 does not properly obey the -network or -mask flags for a filesystem and exports it to everyone, which allows remote attackers to bypass intended access restrictions. APPLE-SA-2005-06-08 1014142 launchd 106 in Apple Mac OS X 10.4.x up to 10.4.1 allows local users to overwrite arbitrary files via a symlink attack on the socket file in an insecure temporary directory. APPLE-SA-2005-06-08 http://www.suresec.org/advisories/adv3.pdf 20050608 [ Suresec Advisories ] - Mac OS X 10.4 - launchd local root vulnerability The CoreGraphics Window Server in Mac OS X 10.4.1 allows local users with console access to gain privileges by "launching commands into root sessions." APPLE-SA-2005-06-08 http://docs.info.apple.com/article.html?artnum=301742 Apple Mac OS X 10.4.x up to 10.4.1 sets insecure world- and group-writable permissions for the (1) system cache folder and (2) Dashboard system widgets, which allows local users to conduct unauthorized file operations via "file race conditions." APPLE-SA-2005-06-08 MCX Client for Apple Mac OS X 10.4.x up to 10.4.1 insecurely logs Portable Home Directory credentials, which allows local users to obtain the credentials. APPLE-SA-2005-06-08 1014148 Novell eDirectory 8.7.3 allows remote attackers to cause a denial of service (application crash) via a URL containing an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1. http://www.cirt.dk/advisories/cirt-33-advisory.pdf 20050612 [CIRT.DK - Advisory] Novell eDirectory 8.7.3 DOS Device name Denial of Service http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097766.htm 1014177 15676 Multiple vulnerabilities in the OpenSSL ASN.1 parser, as used in Novell iManager 2.0.2, allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted packets, as demonstrated by "OpenSSL ASN.1 brute forcer." NOTE: this issue might overlap CVE-2004-0079, CVE-2004-0081, or CVE-2004-0112. This vulnerability is addressed in the following product update: http://www.novell.com/products/consoles/ ADV-2005-0744 http://www.securityfocus.com/data/vulnerabilities/exploits/ASN.1-Brute.c http://www.cirt.dk/advisories/cirt-32-advisory.pdf 8732 Cookie Cart allows remote attackers to read the Order Notification list via the testmycgi and path parameters to testmy.cgi. http://www.soulblack.com.ar/repo/papers/cookiec_advisory.txt 1014026 20050521 Cookie Cart Default Installation Multiple Vulnerabilities 15448 Cookie Cart stores the password file under the web document root with insufficient access control, which allows remote attackers to obtain usernames and encrypted passwords via a direct request to passwd.txt. http://www.soulblack.com.ar/repo/papers/cookiec_advisory.txt 1014026 Multiple SQL injection vulnerabilities in PROMS before 0.11 allow remote attackers to execute arbitrary SQL commands via unknown vectors. 1013992 http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91 http://projects.electricmonk.nl//files/PROMS/proms-0.11.tar.gz Multiple cross-site scripting (XSS) vulnerabilities in PROMS before 0.11 allow remote attackers to inject arbitrary web script or HTML via unknown vectors. 1013992 http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91 http://projects.electricmonk.nl//files/PROMS/proms-0.11.tar.gz PROMS 0.11 does not properly handle "certain combinations of rights," which gives more rights to users than intended. http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91 http://projects.electricmonk.nl//files/PROMS/proms-0.11.tar.gz Multiple unknown vulnerabilities in PROMS 0.11 allow "non-authorized users" to (1) view or modify the project member list or (2) modify the todos list. 1013992 Format string vulnerability in the logPrintBadfile function in delbadfiles.c Iron Bars SHell (ibsh) before 0.3d allows users to "access files outside the home directory" and possibly execute arbitrary code via certain inputs that are not properly handled in a syslog call. Fixed in version 0.3 d 13720 http://sourceforge.net/project/shownotes.php?release_id=329340 15473 The XWD Decoder in ImageMagick before 6.2.2.3, and GraphicsMagick before 1.1.6-r1, allows remote attackers to cause a denial of service (infinite loop) via an image with a zero color mask. USN-132-1 13705 16775 16774 GLSA-200505-16 15446 15429 oval:org.mitre.oval:def:11667 http://bugs.gentoo.org/show_bug.cgi?id=90423 RHSA-2005:480 MDKSA-2005:107 15453 oval:org.mitre.oval:def:960 fixproc in Net-snmp 5.x before 5.2.1-r1 creates temporary files insecurely, which allows local users to modify the contents of those files to execute arbitrary commands, or overwrite arbitrary files via a symlink attack. http://www.zataz.net/adviso/net-snmp-05182005.txt ADV-2005-0598 16778 GLSA-200505-18 15471 oval:org.mitre.oval:def:11659 13715 RHSA-2005:395 RHSA-2005:373 MDKSA-2006:025 1014039 18635 17135 16999 Gearbox Software Halo: Combat Evolved 1.6 allows remote attackers to cause a denial of service (infinite loop) via malformed data. ADV-2005-0616 13728 1014067 15501 http://aluigi.altervista.org/adv/haloloop-adv.txt BEA WebLogic Server and WebLogic Express 8.1 SP2 and SP3 allows users with the Monitor security role to "shrink or reset JDBC connection pools." ADV-2005-0602 13717 1014049 15486 BEA05-75.00 BEA WebLogic Server and WebLogic Express 8.1 through Service Pack 3 and 7.0 through Service Pack 5 does not properly handle when a security provider throws an exception, which may cause WebLogic to use incorrect identity for the thread, or to fail to audit security exceptions. ADV-2005-0603 13717 1014049 15486 BEA05-76.00 BEA WebLogic Server and WebLogic Express 7.0 through Service Pack 5 does not log out users when an application is redeployed, which allows those users to continue to access the application without having to log in again, which may be in violation of newly changed security constraints or role mappings. ADV-2005-0604 13717 1014049 15486 BEA05-77.00 The UserLogin control in BEA WebLogic Portal 8.1 through Service Pack 3 prints the password to standard output when an incorrect login attempt is made, which could make it easier for attackers to guess the correct password. ADV-2005-0605 13717 1014049 15486 BEA05-78.00 The cluster cookie parsing code in BEA WebLogic Server 7.0 through Service Pack 5 attempts to contact any host or port specified in a cookie, even when it is not in the cluster, which allows remote attackers to cause a denial of service (cluster slowdown) via modified cookies. ADV-2005-0606 13717 1014049 15486 BEA05-79.00 Multiple cross-site scripting (XSS) vulnerabilities in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 6, allow remote attackers to inject arbitrary web script or HTML, and possibly gain administrative privileges, via the (1) j_username or (2) j_password parameters in the login page (LoginForm.jsp), (3) parameters to the error page in the Administration Console, (4) unknown vectors in the Server Console while the administrator has an active session to obtain the ADMINCONSOLESESSION cookie, or (5) an alternate vector in the Server Console that does not require an active session but also leaks the username and password. ADV-2005-0607 13717 http://www.appsecinc.com/resources/alerts/general/BEA-002.html http://www.appsecinc.com/resources/alerts/general/BEA-001.html http://www.acrossecurity.com/aspr/ASPR-2005-05-24-2-PUB.txt http://www.acrossecurity.com/aspr/ASPR-2005-05-24-1-PUB.txt 1014049 15486 BEA05-80.00 20050527 [AppSecInc Advisory BEA05-V0101] BEA WebLogic Administration Console login page cross-site scripting vulnerability 20050527 [AppSecInc Advisory BEA05-V0100] BEA WebLogic Administration Console error page cross-site scripting vulnerability 20050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (1) 20050524 ACROS Security: HTML Injection in BEA WebLogic Server Console (2) The embedded LDAP server in BEA WebLogic Server and Express 8.1 through Service Pack 4, and 7.0 through Service Pack 5, allows remote anonymous binds, which may allow remote attackers to view user entries or cause a denial of service. ADV-2005-0608 13717 1014049 15486 BEA05-81.00 Buffer overflow in BEA WebLogic Server and WebLogic Express 6.1 Service Pack 4 allows remote attackers to cause a denial of service (CPU consumption from thread looping). ADV-2005-0609 13717 15486 BEA05-82.00 SQL injection vulnerability in login.asp in ezdwc NewsletterEz 3.0 allows remote attackers to execute arbitrary SQL commands via the password parameter. http://www.under9round.com/nez.txt 13730 15469 1014038 Race condition in shtool 2.0.1 and earlier allows local users to create or modify arbitrary files via a symlink attack on the .shtool.$$ temporary file, a different vulnerability than CVE-2005-1759. http://www.zataz.net/adviso/shtool-05252005.txt GLSA-200506-08 1014059 15496 oval:org.mitre.oval:def:9639 http://bugs.gentoo.org/show_bug.cgi?id=93782 13767 RHSA-2005:564 DSA-789 15668 OpenPKG-SA-2005.011 oval:org.mitre.oval:def:345 viewFile.php in the scm component of Gforge before 4.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the file_name parameter. 13716 13845 20050524 Gforge - viewFile.php security flaw ** DISPUTED ** ReadMessage.jsp in JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to view other users' e-mail attachments via a direct request to /mailboxesdir/username@domainname. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products." http://tomcat.apache.org/security-5.html 20050524 Javamail Multiple Information Disclosure Vulnerabilities ** DISPUTED ** JavaMail API 1.1.3 through 1.3, as used by Apache Tomcat 5.0.16, allows remote attackers to read arbitrary files via a full pathname in the argument to the Download parameter. NOTE: Sun and Apache dispute this issue. Sun states: "The report makes references to source code and files that do not exist in the mentioned products." 13753 http://tomcat.apache.org/security-5.html 20050524 Javamail Multiple Information Disclosure Vulnerabilities PHP remote file inclusion vulnerability in poll_vote.php in PHP Poll Creator 1.01 allows remote attackers to execute arbitrary PHP code via the relativer_pfad parameter. 16846 1014061 15510 20050525 PHP Injection in PHP Poll Creator Cross-site scripting (XSS) vulnerability in the ModWeb agent for Novell NetMail 3.52 before 3.52C allows remote attackers to inject arbitrary web script or HTML via calendar display fields. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971591.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971590.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971588.htm 15644 ADV-2005-0727 13926 17240 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097957.htm Buffer overflow in the Modweb agent for Novell NetMail 3.52 before 3.52C, when renaming folders, may allow attackers to execute arbitrary code. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971591.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971590.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971588.htm 15644 ADV-2005-0727 13926 17241 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097957.htm Buffer overflow in the IMAP command continuation function in Novell NetMail 3.52 before 3.52C may allow remote attackers to execute arbitrary code. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971591.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971590.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2971588.htm 15644 ADV-2005-0727 14718 13926 17239 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097957.htm Race condition in shtool 2.0.1 and earlier allows local users to modify or create arbitrary files via a symlink attack on temporary files after they have been created, a different vulnerability than CVE-2005-1751. GLSA-200506-08 OpenPKG-SA-2005.011 http://bugs.gentoo.org/show_bug.cgi?id=93782 13767 15668 sysreport 1.3.15 and earlier includes contents of the up2date file in a report, which leaks the password for a proxy server in plaintext and allows local users to gain privileges. RHSA-2005:502 oval:org.mitre.oval:def:9522 13936 1014181 15675 oval:org.mitre.oval:def:623 Linux kernel 2.6 and 2.4 on the IA64 architecture allows local users to cause a denial of service (kernel crash) via ptrace and the restore_sigcontext function. SUSE-SA:2005:044 ADV-2005-1878 14051 FLSA:157459-3 RHSA-2005:663 RHSA-2005:551 RHSA-2005:514 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.1 DSA-1018 DSA-922 1014275 19369 18056 17073 17002 oval:org.mitre.oval:def:10487 http://kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=4ea78729b8dbfc400fe165a57b90a394a7275a54 The ptrace call in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform allows local users to cause a denial of service (kernel crash) via a "non-canonical" address. SUSE-SA:2005:029 15786 ADV-2005-1878 USN-143-1 oval:org.mitre.oval:def:10630 13904 FLSA:157459-2 FLSA:157459-3 RHSA-2005:663 RHSA-2005:514 DSA-922 DSA-921 18059 18056 17073 17002 Buffer overflow in ptrace in the Linux Kernel for 64-bit architectures allows local users to write bytes into kernel memory. SUSE-SA:2005:029 oval:org.mitre.oval:def:10182 13903 FLSA:157459-3 RHSA-2005:514 DSA-922 18056 17073 Linux 2.6.11 on 64-bit x86 (x86_64) platforms does not use a guard page for the 47-bit address page to protect against an AMD K8 bug, which allows local users to cause a denial of service. SUSE-SA:2005:029 MDKSA-2005:220 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=637716a3825e186555361574aa1fa3c0ebf8018b http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=637716a3825e186555361574aa1fa3c0ebf8018b linux-kernel-guardpage-dos(43324) 13904 MDKSA-2005:220 syscall in the Linux kernel 2.6.8.1 and 2.6.10 for the AMD64 platform, when running in 32-bit compatibility mode, allows local users to cause a denial of service (kernel hang) via crafted arguments. SUSE-SA:2005:029 USN-143-1 13904 DSA-922 18056 Heap-based buffer overflow in rtffplin.cpp in RealPlayer 10.5 6.0.12.1056 on Windows, and 10, 10.0.1.436, and other versions before 10.0.5 on Linux, allows remote attackers to execute arbitrary code via a RealMedia file with a long RealText string, such as an SMIL file. DSA-826 http://service.real.com/help/faq/security/050623_player/EN/ RHSA-2005:523 SUSE-SA:2005:037 20050623 RealNetworks RealPlayer RealText Parsing Heap Overflow Vulnerability oval:org.mitre.oval:def:9509 RHSA-2005:517 16981 traps.c in the Linux kernel 2.6.x and 2.4.x executes stack segment faults on an exception stack, which allows local users to cause a denial of service (oops and stack fault exception). SUSE-SA:2005:044 ADV-2005-1878 oval:org.mitre.oval:def:11101 MDKSA-2006:044 USN-187-1 14467 RHSA-2005:663 DSA-922 DSA-921 18977 18059 18056 17002 http://kernel.org/git/?p=linux/kernel/git/marcelo/linux-2.4.git;a=commit;h=51e31546a2fc46cb978da2ee0330a6a68f07541e Race condition in the ia32 compatibility code for the execve system call in Linux kernel 2.4 before 2.4.31 and 2.6 before 2.6.6 allows local users to cause a denial of service (kernel panic) and possibly execute arbitrary code via a concurrent thread that increments a pointer count after the nargs function has counted the pointers, but before the count is copied from user space to kernel space, which leads to a buffer overflow. ADV-2005-1878 http://www.suresec.org/advisories/adv4.pdf oval:org.mitre.oval:def:11117 20050711 [ Suresec Advisories ] - Linux kernel ia32 compatibility (ia64/x86-64) 14205 RHSA-2005:663 RHSA-2005:551 SUSE-SA:2005:044 DSA-921 1014442 19607 19185 18059 17002 15980 20060402-01-U Multiple cross-site scripting (XSS) vulnerabilities in SquirrelMail 1.4.0 through 1.4.4 allow remote attackers to inject arbitrary web script or HTML via unknown attack vectors in (1) the URL or (2) an e-mail message. http://www.squirrelmail.org/security/issue/2005-06-15 oval:org.mitre.oval:def:9852 20050616 [SM-ANNOUNCE] Patch fixes SquirrelMail cross site scripting vulnerabilities [CAN-2005-1769] FLSA:163047 RHSA-2005:595 SUSE-SR:2005:018 MDKSA-2005:108 DSA-756 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 Buffer overflow in the Aavmker4 device driver in Avast! Antivirus 4.6 and possibly other versions allows local users to cause a denial of service (system crash) and possibly execute arbitrary code via certain signals combined with crafted input. http://pb.specialised.info/all/adv/avast-adv.txt 20050526 Alwil Software Avast Antivirus Device Driver Memory Overwrite Vulnerability Unknown vulnerability in HP-UX trusted systems B.11.00 through B.11.23 allows remote attackers to gain unauthorized access, possibly involving remshd and/or telnet -t. SSRT5899 1014060 SSRT5899 Buffer overflow in the client cd-key hash in Terminator 3: War of the Machines 1.16 and earlier allows remote attackers to cause a denial of service (application crash) via a long client cd-key hash value, a different vulnerability than CVE-2005-1556. http://aluigi.altervista.org/adv/t3wmbof-adv.txt 15520 20050526 Buffer-overflow and crash in Terminator 3: War of the Machines 1.16 Multiple unknown vulnerabilities in L-Soft LISTSERV 14.3, 1.8e, and 1.8d allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: this candidate may be SPLIT in the future when more precise technical details become available. 13768 20050525 High Risk Vulnerability in L-Soft's LISTSERV Server 1014051 15498 WEB-DAV Linux File System (davfs2) 0.2.3 does not properly enforce Unix permissions, which allows local users to write arbitrary files on a davfs2 mounted filesystem. 15497 20050525 davfs2 does not honour Unix permissions http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=310757 Terminator 3: War of the Machines 1.16 and earlier allows remote attackers to cause a denial of service (application crash) via a large nickname. 20050526 Buffer-overflow and crash in Terminator 3: War of the Machines 1.16 15520 Buffer overflow in the READ_TCP_STRING function in game_message_functions.cpp in the network plugin for C'Nedra 0.4.0 and earlier allows remote attackers to execute arbitrary code via a long text string. http://aluigi.altervista.org/adv/cnedrabof-adv.txt 15519 20050526 Buffer-overflow in C'Nedra 0.4.0 SQL injection vulnerability in readpmsg.php in PostNuke 0.750 allows remote attackers to execute arbitrary SQL commands via the start parameter. http://news.postnuke.com/Article2691.html 1014066 20050527 PostNuke Critical SQL Injection and XSS 0.750=>x Cross-site scripting (XSS) vulnerability in readpmsg.php in PostNuke 0.750 allows remote attackers to inject arbitrary web script or HTML via the start parameter. http://news.postnuke.com/Article2691.html 20050527 PostNuke Critical SQL Injection and XSS 0.750=>x SQL injection vulnerability in password.asp in MaxWebPortal 1.35, 1.36, 2.0, and 20050418 Next allows remote attackers to execute arbitrary SQL commands via the memKey parameter. 1014048 15511 SQL injection vulnerability in admin/login.asp in Active News Manager allows remote attackers to execute arbitrary SQL commands via the password. http://www.under9round.com/anm.txt 1014057 15493 Unknown vulnerability in SMTP authentication for MailEnable allows remote attackers to cause a denial of service (crash). 15487 Multiple cross-site scripting (XSS) vulnerabilities in BookReview beta 1.0 allow remote attackers to inject arbitrary web script or HTML via the node parameter to (1) add_review.htm, (2) suggest_review.htm, (3) suggest_category.htm, (4) add_booklist.htm, or (5) add_url.htm, the isbn parameter to (6) add_review.htm, (7) add_contents.htm, (8) add_classification.htm, the (9) chapters parameter to the add_contents page in index.php (aka add_contents.htm), (10) the user parameter to contact.htm, or (11) the submit[string] parameter to search.htm. NOTE: it is not clear whether BookReview is available to the public. If not, then it should not be included in CVE. 13783 16879 16878 16877 16876 16875 16874 16873 16872 16871 1014058 http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html BookReview beta 1.0 allows remote attackers to obtain the path of the web server via certain parameters to search.htm, possibly due to a search[string] parameter with a missing value or an incorrect submit[type] value, which reveals the path in the resulting error message. NOTE: it is not clear whether BookReview is available to the public. If not, then it should not be included in CVE. 16881 http://lostmon.blogspot.com/2005/05/bookreview-10-multiple-variable-xss.html 16880 Hosting Controller 6.1 HotFix 2.0 and earlier allows remote attackers to steal passwords and gain privileges via a modified emailaddress parameter in an updateprofile action for UserProfile.asp. 1014062 SQL injection vulnerability in ad/login.asp in ZonGG 1.2 allows remote attackers to execute arbitrary SQL commands via the password parameter. ADV-2005-0636 http://www.under9round.com/zongg.txt 13787 1014063 15515 SQL injection vulnerability in admin.asp in FunkyASP AD System 1.1 allows remote attackers to execute arbitrary SQL commands and gain privileges via the password parameter. http://www.funkyasp.co.uk/product.asp?prod=1&currency=USD http://www.under9round.com/funky-asp.txt 1014056 15494 setup.php in phpStat 1.5 allows remote attackers to bypass authentication and gain administrator privileges by setting the $check variable. http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt 1014064 20050527 PHP Stat Administrative User Authentication Bypass 15516 SQL injection vulnerability in resellerresources.asp in Hosting Controller 6.1 Hotfix 2.0 allows remote attackers to execute arbitrary SQL commands via the jresourceid parameter. 1014071 15540 SQL injection vulnerability in SignIn.asp in India Software Solution shopping cart allows remote attackers to execute arbitrary SQL commands via the password. 1014074 http://ir-hackers.com/indsc.txt Microsoft Internet Explorer 6 SP2 6.0.2900.2180 and 6.0.2800.1106, and earlier versions, allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a Javascript BODY onload event that calls the window function, aka "Mismatched Document Object Model Objects Memory Corruption Vulnerability." TA05-347A VU#887861 http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=375420 ADV-2005-2909 ADV-2005-2867 ADV-2005-2509 13799 20051121 Computer Terrorism Security Advisory (Reclassification) - Microsoft Internet Explorer JavaScript Window() Vulnerability MS05-054 http://www.computerterrorism.com/research/ie/ct21-11-2005 http://support.avaya.com/elmodocs2/security/ASA-2005-234.pdf 1015251 18311 18064 15546 15368 20050530 Re: Microsoft Internet Explorer - Crash on JavaScript 20050528 Microsoft Internet Explorer - Crash on JavaScript oval:org.mitre.oval:def:722 oval:org.mitre.oval:def:1508 oval:org.mitre.oval:def:1489 oval:org.mitre.oval:def:1303 oval:org.mitre.oval:def:1299 oval:org.mitre.oval:def:1091 Microsoft Internet Explorer 6 SP2 (6.0.2900.2180) crashes when the user attempts to add a URI to the restricted zone, in which the full domain name of the URI begins with numeric sequences similar to an IP address. NOTE: if there is not an exploit scenario in which an attacker can trigger this behavior, then perhaps this issue should not be included in CVE. 13798 20050531 Microsoft Internet Explorer - Crash on adding sites to restricted zone (05/28/2005) Memory leak in Windows Management Instrumentation (WMI) service allows attackers to cause a denial of service (memory consumption and crash) by creating security contexts more quickly than they can be cleared from the RPC cache. 13801 http://www.networksecurity.fi/advisories/windows-wmi-rpc.html 890196 13020 User32.DLL in Microsoft Windows 98SE, and possibly other operating systems, allows local and remote attackers to cause a denial of service (crash) via an icon (.ico) bitmap file with large width and height values. Microsoft Terminal Server using Remote Desktop Protocol (RDP) 5.2 stores an RSA private key in mstlsapi.dll and uses it to sign a certificate, which allows remote attackers to spoof public keys of legitimate servers and conduct man-in-the-middle attacks. 13818 http://www.oxid.it/downloads/rdp-gbu.pdf 15605 oval:org.mitre.oval:def:12441 The filecopy function in misc.c in Clam AntiVirus (ClamAV) before 0.85, on Mac OS, allows remote attackers to execute arbitrary code via a virus in a a filename that contains shell metacharacters, which are not properly handled when HFS permissions prevent the file from being deleted and ditto is invoked. 1014070 http://www.sentinelchicken.com/advisories/clamav Format string vulnerability in the curses_msg function in the Ncurses interface (ec_curses.c) for Ettercap before 0.7.3 allows remote attackers to execute arbitrary code. 15535 http://ettercap.sourceforge.net/history.php ADV-2005-0670 13820 1014084 GLSA-200506-07 DSA-749 16000 15664 The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations. 13785 http://cr.yp.to/antiforgery/cachetiming-20050414.pdf Directory traversal vulnerability in ServersCheck Monitoring Software 5.9.0 to 5.10.0 allows remote attackers to read arbitrary files via .. (dot dot) sequences in an HTTP request. http://www.rgod.altervista.org/hacking/news/serverscheck.html 1014075 Cross-site scripting (XSS) vulnerability in FreeStyle Wiki 3.5.7 and WikiLite (FSWikiLite) .10 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 15538 13824 Cross-site scripting (XSS) vulnerability in Jaws Glossary gadget 0.4 to 0.5.1 allows remote attackers to inject arbitrary web script or HTML via the term parameter in a view or ViewTerm action to index.php. 20050529 XSS Bug in Jaws Glossary Action: ViewTerm ( v 0.4 - 0.5.1 (latest version)) 13796 The vCard viewer in Nokia 9500 allows attackers to cause a denial of service (crash) via a vCard with a long Name field, which causes the crash when the user views it. http://www.securityfocus.com/infocus/1836 13784 Nortel VPN Router (aka Contivity) allows remote attackers to cause a denial of service (crash) via an IPsec IKE packet with a malformed ISAKMP header. 13792 20050531 Nortel VPN Router Malformed Packet DoS Vulnerability http://www.nta-monitor.com/news/vpn-flaws/nortel/vpn-router-dos/ 1014068 Multiple cross-site scripting (XSS) vulnerabilities in Net Portal Dynamic System (NPDS) 5.0 allow remote attackers to inject arbitrary web script or HTML via the language parameter to (1) admin.php, or (2) powerpack_f.php, (3) the sitename parameter to sdv_infos.php, (4) the categories parameter to faq.php, (5) the lettre parameter to the glossaire module, (6) the title parameter to reviews.php, or (7) the image_subject parameter to reply.php. 1014073 http://www.npds.org/download.php?op=geninfo&did=115 16922 16464 Multiple SQL injection vulnerabilities in Net Portal Dynamic System (NPDS) 5.0 allow remote attackers to execute arbitrary SQL commands via the (1) terme parameter in the glossaire module (glossaire.php) or (2) query parameter to links.php. http://www.npds.org/download.php?op=geninfo&did=115 1014073 SQL injection vulnerability in login.asp in an unknown product by Online Solutions for Educators (OS4E) allows remote attackers to execute arbitrary SQL commands via the password. ADV-2005-0645 http://www.under9round.com/os4e.txt 13804 1014072 Format string vulnerability in PeerCast 0.1211 and earlier allows remote attackers to execute arbitrary code via format strings in the URL. http://www.peercast.org/forum/viewtopic.php?p=11596 http://www.gulftech.org/?node=research&article_id=00077-05282005 15536 20050528 Format String Vulnerability In Peercast 0.1211 And Earlier ADV-2005-0651 GLSA-200506-15 15753 The Data function in class.smtp.php in PHPMailer 1.7.2 and earlier allows remote attackers to cause a denial of service (infinite loop leading to memory and CPU consumption) via a long header field. ADV-2007-2242 ADV-2006-0448 http://www.cybsec.com/vuln/PHPMailer-DOS.pdf 1014069 13805 http://sourceforge.net/project/shownotes.php?release_id=341210&group_id=26031 25726 18732 15543 Firefly Studios Stronghold 2 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a packet with a large size value for the nickname, which causes a memory allocation failure and generates an exception. 15556 20050530 Crash in Stronghold 2 1.2 http://aluigi.altervista.org/adv/strong2boom-adv.txt Sony Ericsson P900 Beamer allows remote attackers to cause a denial of service (panic) via an obexftp session with a long filename in an OBEX File Transfer or OBEX Object Push. http://www.securityfocus.com/infocus/1836 13872 SQL injection vulnerability in template-functions-category.php in WordPress 1.5.1 allows remote attackers to execute arbitrary SQL commands via the $cat_ID variable, as demonstrated using the cat parameter to index.php. 15517 13809 16905 http://wordpress.org/development/2005/05/security-update/ GLSA-200506-04 http://bugs.gentoo.org/show_bug.cgi?id=94512 20050607 SQL Injection Exploit for WordPress <= 1.5.1.1 Cross-site scripting (XSS) vulnerability in usercp.php for MyBulletinBoard (MyBB) allows remote attackers to inject arbitrary web script or HTML via the website field in a user profile. 15552 13819 20050530 MyBB 1.0 RC4 XSS Bug 1014081 Multiple stack-based buffer overflows in FutureSoft TFTP Server Evaluation Version 1.0.0.1 allow remote attackers to execute arbitrary code via a long (1) filename or (2) transfer mode string in a Read Request (RRQ) or Write Request (WRQ) packet. 13821 http://www.security.org.sg/vuln/tftp2000-1001.html 1014079 15539 Directory traversal vulnerability in FutureSoft TFTP Server Evaluation Version 1.0.0.1 allows remote attackers to read arbitrary files via a TFTP GET request containing (1) "../" (dot dot slash) or (2) "..\" (dot dot backslash) sequences. 13821 http://www.security.org.sg/vuln/tftp2000-1001.html 1014079 15539 Stack-based buffer overflow in PicoWebServer 1.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long URL. 13807 20050528 PicoWebServer Remote Unicode Stack Overflow 15541 Multiple buffer overflows in Hummingbird Connectivity inetD 10.0.0.1 and 9.0.0.4 allows attackers to cause a denial of service and possibly execute arbitrary code via (1) an FTP command with a long argument to FTPD (ftpdw.exe) or (2) a large amount of data to LPD (Lpdw.exe). 13790 13788 15557 http://connectivity.hummingbird.com/support/nc/exceed/lpdw_advisory.html http://connectivity.hummingbird.com/support/nc/exceed/ftpd_advisory.html?cks=y Invision Power Board (IPB) 1.0 through 2.0.4 allows non-root admins to add themselves or other users to the root admin group via the "Move users in this group to" screen. 13797 15545 20050528 Invision Power Board 1.x and 2.x Privilege Escalation Vulnerability Invision Power Board (IPB) 1.0 through 1.3 allows remote attackers to edit arbitrary forum posts via a direct request to index.php with modified parameters. 13802 Multiple SQL injection vulnerabilities in NewLife Blogger before 3.3.1 allow remote attackers to execute arbitrary SQL commands via unknown attack vectors. http://www.sevengraff.com/index.php 13815 15523 Cross-site scripting (XSS) vulnerability in NikoSoft WebMail before 0.11.0 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. http://www.nikosoft.net/nswm/ 15518 zboard.php in Zeroboard version 4.1pl2 to 4.1pl5 allows remote attackers to execute arbitrary PHP code via improper quoting when using the preg_replace function. 13823 http://www.securiteam.com/exploits/5KP0V0AFPA.html http://pandora.sapzil.info/text/notify/20050123.zb41advisory.php PHP remote file inclusion vulnerability in pdl_header.inc.php in PowerDownload 3.0.2 and 3.0.3 allows remote attackers to execute arbitrary PHP code via the incdir parameter to downloads.php. http://www.soulblack.com.ar/repo/papers/advisory/powerdownload_advisory.txt 13822 1014078 15537 20050531 PowerDownload Remote File Inclusion Multiple SQL injection vulnerabilities in Qualiteam X-Cart 4.0.8 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) printable parameter to home.php, (3) productid or (4) mode parameter to product.php, (5) id parameter to error_message.php, (6) section parameter to help.php, (7) mode parameter to orders.php, (8) mode parameter to register.php, (9) mode parameter to search.php, or the (10) gcid or (11) gcindex parameter to giftcert.php. xcart-multiple-parameters-sql-injection(20773) 13817 1014077 15555 20050530 Multiple vulnerabilities in x-cart Gold Multiple cross-site scripting (XSS) vulnerabilities in Qualiteam X-Cart 4.0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) cat or (2) printable parameter to home.php, (3) productid or (4) mode parameter to product.php, (5) id parameter to error_message.php, (6) section parameter to help.php, (7) mode parameter to orders.php, (8) mode parameter to register.php, (9) mode parameter to search.php, or the (10) gcid or (11) gcindex parameter to giftcert.php. xcart-multiple-scripts-xss(20774) 13817 1014077 15555 20050530 Multiple vulnerabilities in x-cart Gold The sql_escape_string function in auth/sql.c for the mailutils SQL authentication module does not properly quote the "\" (backslash) character, which is used as an escape character and makes the module vulnerable to SQL injection attacks. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=308031 GLSA-200506-02 Multiple stack-based buffer overflows in the nvd_exec function in HP Radia Notify Daemon 3.1.2.0 (formerly by Novadigm), and other versions including 2.x, 3.x, and 4.x, allows remote attackers to execute arbitrary code via a command with crafted parameters to a RADEXECD process. ADV-2005-0681 http://www.grok.org.uk/advisories/radexecd.html SSRT5962 HPSBMA01143 20050601 HP Radia Notify Daemon: Multiple Buffer Overflow Vulnerabilities 1014089 15567 Buffer overflow in HP Radia Notify Daemon 3.1.0.0 (formerly by Novadigm), and other versions including 2.x, 3.x, and 4.x, allows remote attackers to execute arbitrary code via a long file extension. ADV-2005-0681 http://www.grok.org.uk/advisories/radexecd.html HPSBMA01143 HPSBMA01143 20050601 HP Radia Notify Daemon: Multiple Buffer Overflow Vulnerabilities 1014089 15567 D-Link DSL-504T allows remote attackers to bypass authentication and gain privileges, such as upgrade firmware, restart the router or restore a saved configuration, via a direct request to firmwarecfg. 20050526 DSL-504T (and maybe many other) remote access without password bug 13679 15422 D-Link DSL-504T stores usernames and passwords in cleartext in the router configuration file, which allows remote attackers to obtain sensitive information. 20050526 DSL-504T (and maybe many other) remote access without password bug Microsoft Internet Explorer 6 SP2 allows remote attackers to cause a denial of service (infinite loop and application crash) via two embedded files that call each other. 20050528 Microsoft Internet Explorer - Crash on processing embedded files with endless loop (05/28/2005) The DbgMsg.sys driver in Compuware SoftICE DriverStudio 3.1 and 3.2 allows remote attackers to cause a denial of service (application crash) via an invalid Debug Message pointer. 15522 http://pb.specialised.info/all/adv/sice-adv.txt 20050529 Compuware Softice (DbgMsg driver) Local Denial Of Service ** DISPUTED ** Sudo 1.6.8p7 on SuSE Linux 9.3, and possibly other Linux distributions, allows local users to gain privileges by using sudo to call su, then entering a blank password and hitting CTRL-C. NOTE: SuSE and multiple third-party researchers have not been able to replicate this issue, stating "Sudo catches SIGINT and returns an empty string for the password so I don't see how this could happen unless the user's actual password was empty." 20417 20050531 [XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.3 20050531 RE: [securitysuse.de] [XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.3 20050531 Re: [securitysuse.de] [XNUXER-SECURITY] Root Privilige Escalation in Sudo version 1.6.8p7 without Password, SuSE 9.3 Multiple cross-site scripting (XSS) vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 and earlier allow remote attackers to execute arbitrary web script or HTML via the (1) forums, (2) version, or (3) limit parameter to misc.php, (4) page or (5) datecut parameter to forumdisplay.php, (6) username, (7) email, or (8) email2 parameter to member.php, (9) page or (10) usersearch parameter to memberlist.php, (11) pid or (12) tid parameter to showthread.php, or (13) tid parameter to printthread.php. http://www.mybboard.com/community/showthread.php?tid=2559 15552 20050531 Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 Multiple SQL injection vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to calendar.php, (2) idsql parameter to online.php, (3) usersearch parameter to memberlist.php, (4) pid parameter to editpost.php, (5) fid parameter to forumdisplay.php, (6) tid parameter to newreply.php, (7) sid parameter to search.php, (8) tid or (9) pid parameter to showthread.php, (10) tid parameter to usercp2.php, (11) tid parameter to printthread.php, or (12) pid parameter to reputation.php. http://www.mybboard.com/community/showthread.php?tid=2559 15552 20050531 Multiple vulnerabilities in MyBulletinBoard (MyBB) 1.00 RC4 17024 SQL injection vulnerability in login.asp in NEXTWEB (i)Site allows remote attackers to execute arbitrary SQL commands and bypass authentication via the password field. 15560 20050601 [ZH2005-13SA] NEXTWEB (i)Site website management multiple 1014085 NEXTWEB (i)Site stores databases under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to databases/Users.mdb. 15560 20050601 [ZH2005-13SA] NEXTWEB (i)Site website management multiple 1014085 NEXTWEB (i)Site allows remote attackers to cause a denial of service (error 500) via a crafted HTTP request, possibly involving wildcard requests for .jsp files. 15560 20050601 [ZH2005-13SA] NEXTWEB (i)Site website management multiple Fortinet firewall running FortiOS 2.x contains a hardcoded username with the password set to the serial number, which allows local users with console access to gain privileges. 20050601 Backdoor in =?ISO-8859-1?Q?Fortinet=B4s_firewall_Fortigate?= Multiple cross-site scripting vulnerabilities in castnewPost.asp in Liberum Help Desk 0.97.3 allow remote attackers to inject arbitrary web script or HTML via the (1) Email, (2) Title, or (3) Description fields. 20050602 [ECHO_ADV_14$2005] Multiple Vulnerabilities in Liberum Help Desk http://echo.or.id/adv/adv14-theday-2005.txt Multiple SQL injection vulnerabilities in Doug Luxem Liberum Help Desk 0.97.3 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) view.asp or (2) print.asp or (3) edit parameter to register.asp. 15593 20050602 [ECHO_ADV_14$2005] Multiple Vulnerabilities in Liberum Help Desk http://echo.or.id/adv/adv14-theday-2005.txt Directory traversal vulnerability in class.layout_phpcms.php in phpCMS 1.2.x before 1.2.1pl2 allows remote attackers to read or include arbitrary files, as demonstrated using a .. (dot dot) in the language parameter to parser.php. http://www.phpcms.de/download/index.en.html 20050602 SEC-CONSULT SA20050602-1 :: Arbitrary File Inclusion in phpCMS 1.2.x http://cvs.sourceforge.net/viewcvs.py/phpcms/phpcms/parser/include/class.layout_phpcms.php?rev=1.12.2.37&view=markup 15586 The control for Adobe Reader 5.0.9 and 5.0.10 on Linux, Solaris, HP-UX, and AIX creates temporary files with the permissions as specified in a user's umask, which could allow local users to read PDF documents of that user if the umask allows it. http://www.adobe.com/support/techdocs/329121.html http://secunia.com/secunia_research/2005-6/advisory/ 14457 RHSA-2005:575 VCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suite 1.0 and 1.3, and when running on Mac OS X with Version Cue Workspace, creates temporary log files with predictable names, which allows local users to modify arbitrary files via a symlink attack. http://www.adobe.com/support/techdocs/327129.html 16541 14638 20050829 Adobe Version Cue VCNative Arbitrary File Overwrite Vulnerability 1014776 VCNative for Adobe Version Cue 1.0 and 1.0.1, as used in Creative Suite 1.0 and 1.3, and when running on Mac OS X with Version Cue Workspace, allows local users to load arbitrary libraries and execute arbitrary code via the -lib command line argument. http://www.adobe.com/support/techdocs/327129.html 16541 14638 20050829 Adobe Version Cue VCNative Arbitrary Library Loading Vulnerability 1014776 Multiple directory traversal vulnerabilities in YaMT before 0.5_2 allow attackers to overwrite arbitrary files via the (1) rename or (2) sort options. http://www.vuxml.org/freebsd/99b5cfa5-d3d2-11d9-8ffb-00061bc2ad93.html http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html Multiple buffer overflows in YaMT before 0.5_2 allow attackers to execute arbitrary code via the (1) rename or (2) sort options. http://www.vuxml.org/freebsd/99b5cfa5-d3d2-11d9-8ffb-00061bc2ad93.html http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html The dhcpcd DHCP client before 1.3.22 allows remote attackers to cause a denial of service (daemon crash) via unknown vectors that cause an out-of-bounds memory read. DSA-750 RHSA-2005:603 inftrees.h in zlib 1.2.2 allows remote attackers to cause a denial of service (application crash) via an invalid file that causes a large dynamic tree to be produced. DSA-763 FLSA:162680 zlib-codetable-dos(21456) ADV-2007-1267 http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html USN-151-3 14340 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates RHSA-2008:0629 RHSA-2005:584 18141 SUSE-SA:2005:043 MDKSA-2006:070 MDKSA-2005:196 GLSA-200603-18 GLSA-200509-18 DSA-1026 DSA-797 1014540 http://security.debian.org/pool/updates/main/z/zlib/zlib_1.2.2-4.sarge.2.diff.gz 31492 24788 19597 19550 19334 18377 17516 17326 16137 oval:org.mitre.oval:def:11402 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 SCOSA-2006.6 Certain contributed scripts for ekg Gadu Gadu client 1.5 and earlier create temporary files insecurely, with unknown impact and attack vectors, a different vulnerability than CVE-2005-1916. DSA-760 20050721 Multiple vulnerabilities in libgadu and ekg package A certain contributed script for ekg Gadu Gadu client 1.5 and earlier allows attackers to execute shell commands via unknown attack vectors. DSA-760 20050721 Multiple vulnerabilities in libgadu and ekg package Multiple integer overflows in libgadu, as used in Kopete in KDE 3.2.3 to 3.4.1, ekg before 1.6rc3, GNU Gadu, CenterICQ, Kadu, and other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an incoming message. 14345 http://www.kde.org/info/security/advisory-20050721-1.txt GLSA-200507-23 FEDORA-2005-624 RHSA-2005:639 SUSE-SR:2005:019 GLSA-200507-26 16242 16211 16155 16140 oval:org.mitre.oval:def:9532 20050721 Multiple vulnerabilities in libgadu and ekg package gopher.c in the Gopher client 3.0.5 does not properly create temporary files, which allows local users to gain privileges. 1014599 DSA-770 Unknown vulnerability in apt-cacher in Debian 3.1, related to "missing input sanitising," allows remote attackers to execute arbitrary commands on the caching server. aptcacher-command-execution(21664) 14459 DSA-772 16327 Backup Manager (backup-manager) before 0.5.8 creates backup files with world-readable default permissions, which allows local users to obtain sensitive information. http://www.sukria.net/packages/backup-manager/ 13892 DSA-787 1014124 15615 http://www.usenetlinux.com/archive/index.php/t-411815.html The CD-burning feature in backup-manager 0.5.8 and earlier uses a fixed filename in a world-writable directory for logging, which allows local users to overwrite files via a symlink attack. DSA-787 Format string vulnerability in simpleproxy before 3.4 allows remote malicious HTTP proxies to execute arbitrary code via format string specifiers in a reply. VU#139421 simpleproxy-reply-format-string(22016) 14666 DSA-786 http://sourceforge.net/project/shownotes.php?group_id=604&release_id=351847 16567 FUSE 2.x before 2.3.0 does not properly clear previously used memory from unfilled pages when the filesystem returns a short byte count to a read request, which may allow local users to obtain sensitive information. 15561 http://www.sven-tantau.de/public_files/fuse/fuse_20050603.txt 13857 17042 http://sourceforge.net/project/shownotes.php?release_id=331884 http://bugs.debian.org/311634 DSA-744 1014107 16024 Unknown vulnerability in arshell in the Array Service (arrayd) for SGI ProPack 3 with SP 5 and 6, and SGI ProPack 4, allows local users to execute arbitrary shells as root on other hosts in the cluster or array. 1014454 20050701-01-P PHP remote file inclusion vulnerability in cal_admintop.php in Calendarix Advanced 1.5 allows remote attackers to execute arbitrary PHP code via the calpath parameter. 1014083 20050531 multiple vulnerability Calendarix Advanced Multiple SQL injection vulnerabilities in Calendarix Advanced 1.5 allow remote attackers to execute arbitrary SQL commands via the catview parameter to (1) cal_week.php, (2) cal_cat.php, or (3) cal_day.php, or (4) id parameter to cal_pophols.php. 16975 16974 16972 16971 1014083 15569 20050531 multiple vulnerability Calendarix Advanced http://www.calendarix.com/download_basic.php http://www.calendarix.com/download_advanced.php Cross-site scripting (XSS) vulnerability in calendar.php in Calendarix Advanced 1.5 allows remote attackers to inject arbitrary web script or HTML via the year parameter. 16973 1014083 20050531 multiple vulnerability Calendarix Advanced Symantec Brightmail AntiSpam before 6.0.2 has a hard-coded database administrator password, which allows remote attackers to gain privileges. http://securityresponse.symantec.com/avcenter/security/Content/2005.05.31a.html 15562 brightmail-static-database-security-bypass(20804) ADV-2005-0671 1014088 I-Man 0.9, and possibly earlier versions, allows remote attackers to execute arbitrary PHP code by uploading a file attachment with a .php extension. http://sourceforge.net/project/shownotes.php?release_id=331422 15558 iman-file-upload(20857) PHP remote file inclusion vulnerability in start_lobby.php in MWChat 6.x allows remote attackers to execute arbitrary PHP code via the CONFIG[MWCHAT_Libs] parameter. 1014090 http://www.appindex.net 17087 http://www.defacers.com.mx/advisories/4.txt 15596 PHP remote file inclusion vulnerability in childwindow.inc.php in Popper 1.41-r2 and earlier allows remote attackers to execute arbitrary PHP code via the form parameter. 17085 1014116 http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-06-07 15584 20050605 Re: LSS.hr false positives. (correction) 20050606 Popper webmail remote code execution vulnerability - advisory fix 20050604 LSS.hr false positives. Unknown vulnerability in the privilege system in Drupal 4.4.0 through 4.6.0, when public registration is enabled, allows remote attackers to gain privileges, due to an "input check" that "is not implemented properly." 17028 15372 20050603 [DRUPAL-SA-2005-001] New Drupal release fixes critical security issue 20050603 [DRUPAL-SA-2005-001] New Drupal release fixes critical security issue Buffer overflow in the administrative console in IBM WebSphere Application Server 5.x, when the global security option is enabled, allows remote attackers to execute arbitrary code. http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24009775 15598 17041 http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html 20050607 [AppSecInc Advisory WEBSP05-V0098] Remote Buffer overflow in WebSphere Application Server Administrative Console Multiple buffer overflows in Crob FTP 3.6.1, and possibly earlier versions, allow remote attackers to execute arbitrary code via (1) an FTP command with a large string followed by the RMD command with a long string or (2) a globbing ("*") character followed by a long string. 20050606 Crob FTP Server remote buffer overflows http://security.lss.hr/index.php?page=details&ID=LSS-2005-06-06 15585 Directory traversal vulnerability in Dzip before 2.9 allows remote attackers to create arbitrary files via a filename containing a .. (dot dot) in a .dz archive. http://bugs.gentoo.org/show_bug.cgi?id=93079 ADV-2005-0692 GLSA-200506-03 15614 15599 Multiple SQL injection vulnerabilities in list.php in Exhibit Engine (EE) 1.22 allow remote attackers to execute arbitrary SQL commands via the (1) search_row, (2) sort_row, (3) order or (4) perpage parameter. 15583 20050602 SEC-CONSULT SA20050602-2 :: Exhibit Engine Blind SQL Injection 13844 17006 http://photography-on-the.net/forum/showthread.php?p=579692 Direct code injection vulnerability in CuteNews 1.3.6 and earlier allows remote attackers with administrative privileges to execute arbitrary PHP code via certain inputs that are injected into a template (.tpl) file. 17030 15594 20050602 PHP Execution Vulnerability in CuteNews Cross-site scripting (XSS) vulnerability in view_ticket.php in Lpanel 1.59 and earlier allows remote attackers to inject arbitrary web script or HTML and obtain sensitive information via the pid parameter. 13869 15589 20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to plain-text session credential leakage via script injection. GIPTables Firewall 1.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on the temp.ip.addresses temporary file. http://www.zataz.net/adviso/giptables-05222005.txt 15604 20050606 GIPTables Firewall <= v1.1 insecure temporary file creation 1014109 LutelWall 0.97 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file created by a system call to wget. http://www.zataz.net/adviso/lutelwall-05222005.txt 13863 1014112 GLSA-200506-10 20050606 LutelWall <= 0.97 insecure temporary file creation http://firewall.lutel.pl/download/0.98/ChangeLog 15665 15647 everybuddy 0.4.3 and earlier allows local users to overwrite arbitrary files via a symlink attack on a temporary file created by a system call to wget. http://www.zataz.net/adviso/everybuddy-06062005.txt 13865 1014110 20050606 everybuddy <= 0.4.3 insecure temporary file creation http://bugs.gentoo.org/show_bug.cgi?id=94473 upload.php in YaPiG 0.92b, 0.93u and 0.94u does not properly restrict the file extension for uploaded image files, which allows remote attackers to upload arbitrary files and execute arbitrary PHP code. 17115 http://secwatch.org/advisories/secwatch/20050530_yapig.txt 1014103 15600 PHP remote file inclusion vulnerability in last_gallery.php in YaPiG 0.93u and 0.94u allows remote attackers to execute arbitrary PHP code via the YAPIG_PATH parameter. 17117 http://secwatch.org/advisories/secwatch/20050530_yapig.txt 1014103 15600 global.php in YaPiG 0.92b allows remote attackers to include arbitrary local files via the BASE_DIR parameter. 17116 http://secwatch.org/advisories/secwatch/20050530_yapig.txt 1014103 15600 Directory traversal vulnerability in the (1) rmdir or (2) mkdir commands in upload.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to create or delete arbitrary directories via a .. (dot dot) in the dir parameter. 13877 17120 http://secwatch.org/advisories/secwatch/20050530_yapig.txt 1014103 15600 view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to obtain sensitive information via a phid parameter that is not an integer, which reveals the path in an error message. 17119 http://secwatch.org/advisories/secwatch/20050530_yapig.txt 1014103 15600 Cross-site scripting (XSS) vulnerability in view.php in YaPiG 0.92b, 0.93u and 0.94u allows remote attackers to inject arbitrary web script or HTML via (1) the phid parameter or (2) unknown parameters when posting a new comment. 13876 13875 17118 http://secwatch.org/advisories/secwatch/20050530_yapig.txt 1014103 15600 Unknown vulnerability in the Sun Solaris C library (libc and libproject) in Solaris 10 allows local users to gain privileges. solaris-clibrary-libproject-gain-privileges(20874) ADV-2005-0690 17099 101740 15613 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.5 allows remote attackers to inject arbitrary web script via HTML attributes in page templates. 13861 http://sourceforge.net/project/shownotes.php?release_id=332231 SUSE-SR:2005:019 Unknown vulnerability in Sun ONE Application Server 6.5 SP1 Maintenance Update 6 and earlier allows attackers to read files. 101690 ADV-2005-0695 Unknown vulnerability in Mortiforo before 0.9.1 allows users to access private forums via unknown attack vectors. 1014120 http://sourceforge.net/project/shownotes.php?release_id=332807 The GIF parser in ateimg32.dll in AOL Instant Messenger (AIM) 5.9.3797 and earlier allows remote attackers to cause a denial of service (crash) via a malformed buddy icon that causes an integer underflow in a loop counter variable. 13880 20050607 Re: AOL AIM Instant Messenger Buddy Icon "ateimg32.dll" DoS 20050607 AOL AIM Instant Messenger Buddy Icon "ateimg32.dll" DoS 1014145 FlatNuke 2.5.3 allows remote attackers to cause a denial of service or obtain sensitive information via (1) a direct request to foot_news.php, which triggers an infinite loop, or (2) direct requests to unknown scripts, which reveals the web document root in an error message. http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt ADV-2005-0697 1014114 15603 http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256 FlatNuke 2.5.3 allows remote attackers to obtain sensitive information via invalid parameters to certain scripts, which leaks the web document root in an error message. http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt 1014114 15603 ADV-2005-0697 http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256 Direct code injection vulnerability in FlatNuke 2.5.3 allows remote attackers to execute arbitrary PHP code by placing the code into the Referer header of an HTTP request, which causes the code to be injected into referer.php, which can then be accessed by the attacker. http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt 1014114 15603 http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256 ADV-2005-0697 Cross-site scripting (XSS) vulnerability in FlatNuke 2.5.3 allows remote attackers to inject arbitrary web script or HTML via the border or back parameters to (1) help.php or (2) footer.php. 1014114 15603 ADV-2005-0697 http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256 Directory traversal vulnerability in thumb.php in FlatNuke 2.5.3 allows remote attackers to read arbitrary images or obtain the installation path via the image parameter. http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt 1014114 15603 http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256 ADV-2005-0697 Unknown vulnerability in FlexCast Audio Video Streaming Server before 2.0 has unknown impact and attack vectors. 15441 The passthrough functionality in phpThumb.php in phpThumb() before 1.5.4 allows remote attackers to read files that are not images. 15534 13842 http://sourceforge.net/project/shownotes.php?release_id=330469 Rakkarsoft RakNet network library 2.33 and earlier, when released before 30 May 2005, and as used in multiple products including nFusion Elite Warriors: Vietnam, allows remote attackers to cause a denial of service (infinite loop) via a zero-byte UDP packet. 13862 http://aluigi.altervista.org/adv/rakzero-adv.txt 1014111 15597 20050605 Server termination in Raknet 2.33 (before 30 May 2005) Sawmill before 7.1.6 allows remote attackers to bypass authentication and (1) gain administrative privileges or (2) add a license. 15499 sawmill-unknown-add-license(20880) sawmill-unknown-gain-access(20879) http://www.sawmill.net/version_history7.html 17101 17100 http://www.networksecurity.fi/advisories/sawmill-admin.html 1014106 Multiple cross-site scripting (XSS) vulnerabilities in Sawmill before 7.1.6 allow remote attackers to inject arbitrary web script or HTML via (1) the username in the Add User window or (2) the license key in the Licensing page. 15499 sawmill-add-user-xss(20881) http://www.sawmill.net/version_history7.html 17103 17102 http://www.networksecurity.fi/advisories/sawmill-admin.html 1014106 Directory traversal vulnerability in the IMAP service for SPA-PRO Mail @Solomon 4.00 allows remote authenticated users to read other users' mail and perform operations on arbitrary directories via .. sequences in the (1) SELECT, (2) CREATE, (3) DELETE, and (4) RENAME commands. spa-pro-imap-diectory-traversal(20860) http://www.security.org.sg/vuln/spa-promail4.html 15573 ADV-2005-0680 16989 1014095 Buffer overflow in the IMAP service for SPA-PRO Mail @Solomon 4.00 allows remote authenticated users to execute arbitrary code via a long CREATE command. spa-pro-create-bo(20862) http://www.security.org.sg/vuln/spa-promail4.html 16990 15573 ADV-2005-0680 1014095 SQL injection vulnerability in login.asp in JiRo's Upload System (JUS) 1 allows remote attackers to execute arbitrary SQL commands via the password parameter. http://www.under9round.com/jus.txt 16969 1014086 15564 The klif.sys driver in Kaspersky Labs Anti-Virus 5.0.227, 5.0.228, and 5.0.335 on Windows 2000 allows local users to gain privileges by modifying certain critical code addresses that are later accessed by privileged programs. 13878 20050607 Kaspersky AntiVirus "klif.sys" Privilege Escalation Vulnerability SQL injection vulnerability in login.asp in livingmailing 1.3 allows remote attackers to execute arbitrary SQL commands via the password. NOTE: there is little public information about this product and its vendor, and the original researcher announcement is no longer available. ADV-2005-0678 1014087 The ISA Firewall service in Microsoft Internet Security and Acceleration (ISA) Server 2000 allows remote attackers to cause a denial of service (Wspsrv.exe crash) via a large amount of SecureNAT network traffic. 13846 17031 http://www.niscc.gov.uk/niscc/docs/br-20050602-00456.html?lang=en http://www.networksecurity.fi/advisories/windows-isa-firewall.html 894864 1014113 Perception LiteWeb allows remote attackers to bypass access controls for files via an extra leading / (slash) or leading \ (backslash) in the URL. 17084 1014096 15592 The web server control panel in 602LAN SUITE 2004 allows remote attackers to make it more difficult for the administrator to read portions of log files via a "</pre><!-" sequence in an HTTP GET request in the logon, possibly due to a cross-site scripting (XSS) vulnerability. 1014105 http://rgod.altervista.org/602_en.html SQL injection vulnerability in login.asp for WWWeb Concepts Events System 1.0 allows remote attackers to execute arbitrary SQL commands via the password. http://www.under9round.com/wecs.txt 1014104 15595 The fetchnews NNTP client in leafnode 1.11.2 and earlier can hang while waiting for input that never arrives, which allows remote NNTP servers to cause a denial of service (news loss). http://leafnode.sourceforge.net/leafnode-SA-2005-02.txt ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1841. Reason: This candidate is a duplicate of CVE-2005-1841. Notes: this duplicate occurred as a result of separate assignments by multiple CNAs, one to the researcher and one to the vendor. All CVE users should reference CVE-2005-1841 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The Linux kernel 2.6 before 2.6.12.1 allows local users to cause a denial of service (kernel panic) via a non group-leader thread executing a different program than was pending in itimer, which causes the signal to be delivered to the old group-leader task, which does not exist. kernel-subthread-dos(21138) 14054 15786 USN-178-1 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.1 CenterICQ 4.20.0 and earlier creates temporary files with predictable file names, which allows local users to overwrite arbitrary files via a symlink attack on the gg.token.PID temporary file. DSA-754 http://www.zataz.net/adviso/centericq-06152005.txt 14144 The log4sh_readProperties function in log4sh 1.2.5 and earlier allows local users to overwrite arbitrary files via a symlink attack on predictable log4sh.$$ filenames. 14140 http://www.zataz.net/adviso/log4sh-06092005.txt ADV-2005-0957 15899 http://bugs.gentoo.org/show_bug.cgi?id=94069 20050704 log4sh insecure temporary file creation 20050705 log4sh insecure temporary file creation linki.py in ekg 2005-06-05 and earlier allows local users to overwrite or create arbitrary files via a symlink attack on temporary files. http://www.zataz.net/adviso/ekg-06062005.txt 20050705 ekg insecure temporary file creation and arbitrary code execution DSA-760 20050721 Multiple vulnerabilities in libgadu and ekg package kpopper 1.0 and earlier allows local users to create and overwrite arbitrary files via a symlink attack on the .popper-new temporary file. http://www.zataz.net/adviso/kpopper-06152005.txt The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/". 5834 FLSA:183571-1 RHSA-2006:0195 1015655 19183 18988 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140589 SUSE-SR:2006:005 http://support.avaya.com/elmodocs2/security/ASA-2006-110.htm 20397 19130 oval:org.mitre.oval:def:9946 20060301-01-U ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. The (1) Kate and (2) Kwrite applications in KDE KDE 3.2.x through 3.4.0 do not properly set the same permissions on the backup file as were set on the original file, which could allow local users and possibly remote attackers to obtain sensitive information. http://www.kde.org/info/security/advisory-20050718-1.txt 20050718 [KDE Security Advisory]: Kate backup file permission leak oval:org.mitre.oval:def:9434 14297 FLSA:178606 RHSA-2005:612 SUSE-SR:2005:018 DSA-804 1014512 GLSA-200611-21 23099 16099 Eval injection vulnerability in PEAR XML_RPC 1.3.0 and earlier (aka XML-RPC or xmlrpc) and PHPXMLRPC (aka XML-RPC For PHP or php-xmlrpc) 1.1 and earlier, as used in products such as (1) WordPress, (2) Serendipity, (3) Drupal, (4) egroupware, (5) MailWatch, (6) TikiWiki, (7) phpWebSite, (8) Ampache, and others, allows remote attackers to execute arbitrary PHP code via an XML file, which is not properly sanitized before being used in an eval statement. MDKSA-2005:109 http://www.gulftech.org/?node=research&article_id=00087-07012005 http://pear.php.net/package/XML_RPC/download/1.3.1 20050629 Advisory 02/2005: Remote code execution in Serendipity ADV-2005-2827 HPSBTU02083 http://www.hardened-php.net/advisory-022005.php oval:org.mitre.oval:def:11294 14088 HPSBTU02083 RHSA-2005:564 SUSE-SA:2005:049 SUSE-SA:2005:041 SUSE-SR:2005:018 http://www.drupal.org/security/drupal-sa-2005-003/advisory.txt DSA-789 DSA-747 DSA-746 DSA-745 http://www.ampache.org/announce/3_3_1_2.php http://sourceforge.net/project/shownotes.php?release_id=338803 http://sourceforge.net/project/showfiles.php?group_id=87163 1015336 GLSA-200507-07 GLSA-200507-06 GLSA-200507-01 18003 17674 17440 16693 16339 16001 15957 15947 15944 15922 15917 15916 15904 15903 15895 15884 15883 15872 15861 15855 15852 15810 SUSE-SA:2005:051 20050629 [DRUPAL-SA-2005-003] Drupal 4.6.2 / 4.5.4 fixes critical XML-RPC issue oval:org.mitre.oval:def:350 The MS-Expand file handling in Clam AntiVirus (ClamAV) before 0.86 allows remote attackers to cause a denial of service (file descriptor and memory consumption) via a crafted file that causes repeated errors in the cli_msexpand function. 20050629 Clam AntiVirus ClamAV MS-Expand File Handling DoS Vulnerability http://sourceforge.net/project/shownotes.php?release_id=336462 DSA-737 The ENSURE_BITS macro in mszipd.c for Clam AntiVirus (ClamAV) 0.83, and other versions vefore 0.86, allows remote attackers to cause a denial of service (CPU consumption by infinite loop) via a cabinet (CAB) file with the cffile_FolderOffset field set to 0xff, which causes a zero-length read. 20050629 Clam AntiVirus ClamAV Cabinet File Handling DoS Vulnerability DSA-737 The G/PGP (GPG) Plugin 2.1 and earlier for Squirrelmail allow remote authenticated users to execute arbitrary commands via shell metacharacters in (1) the fpr parameter to the deleteKey function in gpg_keyring.php, as called by (a) import_key_file.php, (b) import_key_text.php, and (c) keyring_main.php; and (2) the keyserver parameter to the gpg_recv_key function in gpg_key_functions.php, as called by gpg_options.php. NOTE: this issue may overlap CVE-2007-3636. ADV-2007-2513 24874 20070711 SquirrelMail G/PGP Encryption Plug-in Remote Command Execution Vulnerability 20070711 True: SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln 26035 4173 20070711 SquirrelMail G/PGP Plugin gpg_recv_key() Command Injection Vulnerability 20070711 SquirrelMail G/PGP Plugin deleteKey() Command Injection Vulnerability squirrelmail-gpgp-keyfunc-command-execution(35364) squirrelmail-gpgp-keyring-command-execution(35355) GLSA-200708-08 26424 Multiple directory traversal vulnerabilities in Tikiwiki before 1.9.1 allow remote attackers to read arbitrary files and execute commands via (1) the suck_url parameter to tiki-editpage.php or (2) language parameter to tiki-user_preferences.php. 20051110 Tikiwiki tiki-editpage Arbitrary File Exposure Vulnerability 20051110 Tikiwiki tiki-user_preferences Command Injection Vulnerability tikiwiki-tikiuserpreferences-dir-traversal(23099) tikiwiki-tikieditpage-directory-traversal(23095) 15392 15390 1015190 Trend Micro ServerProtect EarthAgent for Windows Management Console 5.58 and possibly earlier versions, when running with Trend Micro Control Manager 2.5 and 3.0, and Damage Cleanup Server 1.1, allows remote attackers to cause a denial of service (CPU consumption) via a flood of crafted packets with a certain "magic value" to port 5005, which also leads to a memory leak. ADV-2005-2907 15868 21773 20051214 Trend Micro ServerProtect EarthAgent Remote DoS Vulnerability http://solutionfile.trendmicro.com/SolutionFile/25254/en/Hotfix_Readme_SPNT5_58_B1137.txt 1015358 259 18038 http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=25254 Multiple heap-based buffer overflows in (1) isaNVWRequest.dll and (2) relay.dll in Trend Micro ServerProtect Management Console 5.58 and earlier, as used in Control Manager 2.5 and 3.0 and Damage Cleanup Server 1.1, allow remote attackers to execute arbitrary code via "wrapped" length values in Chunked transfer requests. NOTE: the original report suggests that the relay.dll issue is related to a problem in which a Microsoft Foundation Classes (MFC) static library returns invalid values under heavy load. As such, this might not be a vulnerability in Trend Micro's product. ADV-2005-2907 15866 15865 21772 21771 20051214 Trend Micro ServerProtect isaNVWRequest.dll Chunked Overflow 1015358 257 256 18038 20051214 Re: iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability 20051214 Re: iDefense Security Advisory 12.14.05: Trend Micro ServerProtect relay.dll Chunked Overflow Vulnerability Directory traversal vulnerability in the Crystal Report component (rptserver.asp) in Trend Micro ServerProtect Management Console 5.58, as used in Control Manager 2.5 and 3.0 and Damage Cleanup Server 1.1, and possibly earlier versions, allows remote attackers to read arbitrary files via the IMAGE parameter. ADV-2005-2907 20051214 Trend Micro ServerProtect Crystal Reports ReportServer File Disclosure 15867 21770 1015358 258 18038 GoodTech SMTP Server 5.14 allows remote attackers to cause a denial of service (application crash) via a RCPT TO command with an invalid argument, as demonstrated using an "A" character. 15623 20050607 Denial of Service vulnerability in GoodTech SMTP Server for Windows NT/2000/XP version 5.14 Lpanel 1.59 and earlier, and other versions before 1.597, allows remote authenticated users to modify certain critical variables and (1) modify DNS settings for arbitrary domains via the domain parameter to diagnose.php, (2) close, open, or respond to arbitrary support tickets via the close, open, or pid parameter to view_ticket.php, (3) obtain sensitive information on arbitrary invoices via the inv parameter to viewreceipt.php, or (4) modify domain information for arbitrary domains via the editdomain parameter to domains.php. 13869 http://www.lpanel.net/changelog.php 15589 20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to reset the DNS information of any domain name managed by the system. 20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to respond to any support ticket on the system. 20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to the unauthorized viewing of client invoice information. 20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable to unauthorized domain management access. 20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to open any support ticket within the system. 20050606 Lpanel.NET's Lpanel (all versions up to and including 1.59) is vulnerable in that it allows an attacker to close any support ticket within the system. Dashboard in Apple Mac OS X Tiger 10.4 allows attackers to execute arbitrary commands by overriding the behavior of system widgets via a user widget with the same bundle identifier (CFBundleIdentifier), a different vulnerability than CVE-2005-1474. VU#983429 http://www1.cs.columbia.edu/~aaron/files/widgets/ Gaim before 1.3.1 allows remote attackers to cause a denial of service (crash) via a malformed MSN message that leads to a memory allocation of a large size, possibly due to an integer signedness error. http://sourceforge.net/tracker/index.php?func=detail&aid=1205290&group_id=235&atid=100235 GLSA-200506-11 oval:org.mitre.oval:def:10368 13932 FLSA:158543 RHSA-2005:518 SUSE-SA:2005:036 MDKSA-2005:099 DSA-734 oval:org.mitre.oval:def:263 Heap-based buffer overflow in the BERDecBitString function in Microsoft ASN.1 library (MSASN1.DLL) allows remote attackers to execute arbitrary code via nested constructed bit strings, which leads to a realloc of a non-null pointer and causes the function to overwrite previously freed memory, as demonstrated using a SPNEGO token with a constructed bit string during HTTP authentication, and a different vulnerability than CVE-2003-0818. NOTE: the researcher has claimed that MS:MS04-007 fixes this issue. asn1-constructed-heap-overflow(20870) http://www.phreedom.org/solar/exploits/msasn1-bitstring/ Unknown vulnerability in the web server for the ESS/ Network Controller for Xerox Document Centre 240 through 555 running System Software 27.18.017 and earlier allows attackers to "gain unauthorized access." xerox-document-security-bypass(19661) http://www.xerox.com/downloads/usa/en/c/cert_XRX05_003.pdf 12783 14556 ADV-2005-0255 14659 A regression error in Firefox 1.0.3 and Mozilla 1.7.7 allows remote attackers to inject arbitrary Javascript from one page into the frameset of another site, aka the frame injection spoofing vulnerability, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2004-0718. https://bugzilla.mozilla.org/show_bug.cgi?id=296850 ADV-2005-1075 http://secunia.com/multiple_browsers_frame_injection_vulnerability_test/ oval:org.mitre.oval:def:10633 FLSA:160202 14242 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2005:045 SUSE-SR:2005:018 http://www.mozilla.org/security/announce/mfsa2005-51.html DSA-810 DSA-777 101952 15601 oval:org.mitre.oval:def:759 oval:org.mitre.oval:def:637 oval:org.mitre.oval:def:100007 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1250. Reason: This candidate is a duplicate of CVE-2005-1250. Notes: this duplicate occurred as a result of multiple independent discoveries and insufficient coordination by the vendor and CNA. All CVE users should reference CVE-2005-1250 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Directory traversal vulnerability in Ipswitch WhatsUp Small Business 2004 allows remote attackers to read arbitrary files via ".." (dot dot) sequences in a request to the Report service (TCP 8022). whatsup-smallbusiness-dotdot-traversal(22969) 15291 1015141 http://secunia.com/secunia_research/2005-14/advisory/ 15500 http://cirt.dk/advisories/cirt-40-advisory.pdf SilverCity before 0.9.5-r1 installs (1) cgi-styler-form.py, (2) cgi-styler.py, and (3) source2html.py with read and write world permissions, which allows local users to execute arbitrary code. GLSA-200506-05 http://bugs.gentoo.org/show_bug.cgi?id=93558 1014153 15632 Cisco switches that support 802.1x security allow remote attackers to bypass port security and gain access to the VLAN via spoofed Cisco Discovery Protocol (CDP) messages. cisco-callmanager-voice-gain-access(20939) 1014135 http://www.fishnetsecurity.com/csirt/disclosure/cisco/Cisco+802.1x+Advisory.pdf 20050608 Cisco 802.1x Voice-Enabled Interfaces Allow Anonymous Voice VLAN Access 20050610 Voice VLAN Access/Abuse Possible on Cisco voice-enabled, 802.1x-secured Interfaces Vulnerability Discovery: FishNet Security Multiple SQL injection vulnerabilities in Loki download manager 2.0 allow remote attackers to execute arbitrary SQL commands via the (1) password field to default.asp or (2) cat parameter to catinfo.asp. 13900 13898 20050608 2 SQL injection in Loki download manager v2.0 1014147 15633 xmysqladmin 1.0 and earlier allows local users to delete arbitrary files via a symlink attack on a database backup file in /tmp. 15635 20050609 xmysqladmin insecure temporary file creation http://bugs.gentoo.org/show_bug.cgi?id=93792 http://www.zataz.net/adviso/xmysqladmin-05292005.txt 1014172 Cross-site scripting (XSS) vulnerability in the convert_highlite_words function in Invision Blog before 1.1.2 Final allows remote attackers to inject arbitrary web script or HTML via double hex encoded highlight data. http://www.gulftech.org/?node=research&article_id=00078-06072005 20050609 Invision Community Blog Vulnerabilities 15626 Multiple SQL injection vulnerabilities in Invision Blog before 1.1.2 Final allow remote attackers to execute arbitrary SQL commands via the (1) eid parameter to an editentry, replyentry, or editcomment action, or (2) the mid parameter to an aboutme action. http://www.gulftech.org/?node=research&article_id=00078-06072005 20050609 Invision Community Blog Vulnerabilities 15626 Cross-site request forgery (CSRF) vulnerability in Invision Gallery before 1.3.1 allows remote attackers to delete albums and images as another user via a link or IMG tag to the (1) albums or (2) delimg actions. http://www.gulftech.org/?node=research&article_id=00079-06092005 20050609 Invision Gallery Vulnerabilities Multiple SQL injection vulnerabilities in Invision Gallery before 1.3.1 allow remote attackers to execute arbitrary SQL commands via (1) the comment parameter in an editcomment action or (2) the rating parameter when voting on a photo. http://www.gulftech.org/?node=research&article_id=00079-06092005 20050609 Invision Gallery Vulnerabilities 13907 The eping_validaddr function in functions.php for the ePing plugin for e107 portal allows remote attackers to execute arbitrary commands via shell metacharacters after a valid argument to the eping_host parameter. 20050610 Re: Arbitrary code execution in eping plugin 20050609 Arbitrary code execution in eping plugin 15678 http://e107plugins.co.uk/news.php hints.pl in Webhints 1.03 allows remote attackers to execute arbitrary commands via shell metacharacters in the argument. 13930 20050609 Webhints v1.03 Remote Command Execution 1014173 15652 Multiple HTTP Response Splitting vulnerabilities in osCommerce 2.2 Milestone 2 and earlier allow remote attackers to spoof web content and poison web caches via hex-encoded CRLF ("%0d%0a") sequences in the (1) products_id or (2) pid parameter to index.php or (3) goto parameter to banner.php. 13979 20050610 osCommere HTTP Response Splitting 15670 20050616 RE: osCommere HTTP Response Splitting (Solution) Directory traversal vulnerability in Pico Server (pServ) 3.3 allows remote attackers to read arbitrary files and execute arbitrary commands via a /./ (slash dot slash) before each .. (dot dot) sequence in the URL, which results in an incorrect directory depth count. http://sourceforge.net/project/shownotes.php?group_id=59378&release_id=334036 15663 20050611 Multiple vulnerabilities in Pico Server (pServ) v3.3 Heap-based buffer overflow in the CGI extension for Pico Server (pServ) 3.3 allows remote attackers to execute arbitrary code via a long HTTP request. http://sourceforge.net/project/shownotes.php?group_id=59378&release_id=334036 20050611 Multiple vulnerabilities in Pico Server (pServ) v3.3 15663 singapore 0.9.11 allows remote attackers to obtain sensitive information via a direct request to (1) admin.class.php, (2) any .tpl.php file in templates/admin_default/, or (3) any .tpl.php file in templates/default/, which reveal the path in an error message. 20050612 singapore v0.9.11 cross site scripting and path disclosure 1014186 Cross-site scripting (XSS) vulnerability in index.php in singapore 0.9.11 allows remote attackers to inject arbitrary web script or HTML via the gallery parameter. 13938 20050612 singapore v0.9.11 cross site scripting and path disclosure 1014186 File Upload Manager allows remote attackers to upload arbitrary files by modifying the test variable to contain a value of '~~~~~~' (six tildes), which bypasses the file extension checks. 20050612 File Upload Manager Sploits 20257 mtnpeak.net File Upload Manager does not properly check user authentication for certain actions, which allows remote attackers to provide a modified base64-encoded file parameter and (1) read arbitrary files via the "view" action or (2) delete arbitrary files via the del action. 20258 17435 20050612 File Upload Manager Sploits 20050615 Re: File Upload Manager Sploits ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1855. Reason: This candidate is a duplicate of CVE-2005-1855. Notes: All CVE users should reference CVE-2005-1855 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. jammail.pl in jamchen JamMail 1.8 allows remote attackers to execute arbitrary commands via shell metacharacters in the mail parameter. 1014175 13937 The getemails function in C.J. Steele Tattle allows remote attackers to execute arbitrary commands via shell metacharacters in certain log entries, as demonstrated using shell metacharacters in an FTP username. 15582 20050607 remote command execution in 'tattle' Unknown vulnerability in ObjectWeb Consortium C-JDBC before 1.3.1 allows local users to bypass intended access restrictions and obtain the cache results from another user. 1014118 15627 Cross-site scripting (XSS) vulnerability in Cerberus Helpdesk 0.97.3 allows remote attackers to inject arbitrary web script or HTML via the (1) errorcode parameter to index.php or (2) certain fields to clients.php. http://forum.cerberusweb.com/showthread.php?threadid=5162&goto=newpost http://echo.or.id/adv/adv15-theday-2005.txt 1014128 15641 Cerberus Helpdesk 0.97.3 allows remote attackers to obtain sensitive information via certain requests to (1) reports.php, (2) knowledgebase.php, or (3) configuration.php, which leaks the information in a PHP error message. http://forum.cerberusweb.com/showthread.php?threadid=5162&goto=newpost http://echo.or.id/adv/adv15-theday-2005.txt http://www.wgmdev.com/jira/browse/CERB-170 1014128 15641 PHP remote file inclusion vulnerability in utilit.php for Ovidentia Portal allows remote attackers to execute arbitrary PHP code via the babInstallPath parameter. 1014149 15658 PHP remote file inclusion vulnerability in siteframe.php for Broadpool Siteframe allows remote attackers to execute arbitrary code via a URL in the LOCAL_PATH parameter. siteframe-localpath-file-include(20973) 13928 17246 1014150 15657 [Siteframe-Announce] 20060621 WARNING: Security Vulnerability identified in Siteframe 3.x The eTrace_validaddr function in eTrace plugin for e107 portal allows remote attackers to execute arbitrary commands via shell metacharacters after a valid argument to the etrace_host parameter. 13934 20050610 Re: Arbitrary code execution in eping plugin Multiple SQL injection vulnerabilities in ProductCart Ecommerce before 2.7 allow remote attackers to execute arbitrary SQL commands via the (1) idcategory parameter to viewPrd.asp, (2) lid parameter to editCategories.asp, (3) icd parameter to modCustomCardPaymentOpt.asp, or (4) idccr parameter to OptionFieldsEdit.asp. 1014129 http://echo.or.id/adv/adv16-theday-2005.txt Cross-site scripting (XSS) vulnerability in ProductCart Ecommerce before 2.7 allows remote attackers to inject arbitrary web script or HTML via the error parameter to techErr.asp. 1014129 http://echo.or.id/adv/adv16-theday-2005.txt Cross-site scripting (XSS) vulnerability in Pragma Systems Telnetserver 6.0 allows remote attackers to inject arbitrary web script or HTML, and hide activities in log files, via a "<!--" (HTML comment) in a session. http://www.rgod.altervista.org/pragma.html 1014127 15642 Symantec pcAnywhere 10.5x and 11.x before 11.5, with "Launch with Windows" enabled, allows local users with physical access to execute arbitrary commands via the Caller Properties feature. 13933 http://securityresponse.symantec.com/avcenter/security/Content/2005.06.10.html 1014178 15673 Directory traversal vulnerability in InteractivePHP FusionBB .11 Beta and earlier allows remote attackers to include arbitrary local files via ".." sequences in the language parameter. http://www.interactivephp.com/misc/CHANGELOG.html http://www.gulftech.org/?node=research&article_id=00081-06132005 Multiple SQL injection vulnerabilities in InteractivePHP FusionBB .11 Beta and earlier allow remote attackers to execute arbitrary SQL commands via (1) the username, which is not properly handled by the insertUser function, or (2) the bb_session_id value in a cookie. http://www.interactivephp.com/misc/CHANGELOG.html http://www.gulftech.org/?node=research&article_id=00081-06132005 Java Web Start in Java 2 Platform Standard Edition (J2SE) 5.0 and 5.0 Update 1 allows applications to assign permissions to themselves and gain privileges. 101748 HPSBUX01214 13958 13945 61 SSRT051003 Unspecified vulnerability in Java 2 Platform, Standard Edition (J2SE) 5.0 and 5.0 Update 1 and J2SE 1.4.2 up to 1.4.2_07, as used in multiple products and platforms including (1) HP-UX and (2) APC PowerChute, allows applications to assign permissions to themselves and gain privileges. ADV-2005-2150 13958 SUSE-SA:2005:032 101799 101749 1015643 56 17272 http://rpmfind.net/linux/RPM/suse/updates/9.3/i386/rpm/i586/java-1_4_2-sun-src-1.4.2.08-0.1.i586.html http://nam-en.apc.com/cgi-bin/nam_en.cfg/php/enduser/std_adp.php?p_faqid=7638 HPSBMA01234 SSRT051052 HPSBUX01215 HPSBUX01215 Multiple cross-site scripting (XSS) vulnerabilities in Annuaire 1Two 1.1 and earlier allow remote attackers to inject arbitrary web script or HTML via (1) the id parameter to index.php, or the (2) site_id, (3) nom, (4) email, or (5) commentaire parameters in commentaires.php. 13960 http://www.hackisknowledge.org/Advisories/Annuaire%201Two%20v1.0/Annuaire%201Two%20v1.0.html 1014187 13961 13612 15708 Novell NetMail 3.5.2a, 3.5.2b, and 3.5.2c, when running on Linux, sets the owner and group ID to 500 for certain files, which could allow users or groups with that ID to execute arbitrary code or cause a denial of service by modifying those files. 14005 17456 http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098022.htm 15763 1014251 COM+ in Microsoft Windows does not properly "create and use memory structures," which allows local users or remote attackers to execute arbitrary code. TA05-284A VU#950516 MS05-051 15057 http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 17509 17223 17172 17161 oval:org.mitre.oval:def:816 oval:org.mitre.oval:def:576 oval:org.mitre.oval:def:1499 oval:org.mitre.oval:def:1466 oval:org.mitre.oval:def:1269 oval:org.mitre.oval:def:1261 Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service exception and exit) via an "unexpected protocol command during the reconnection request," which is not properly handled by the Transaction Internet Protocol (TIP) functionality. MS05-051 20051011 Microsoft Distributed Transaction Controller TIP DoS Vulnerability 15058 http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 1015037 17509 17223 17172 17161 oval:org.mitre.oval:def:686 oval:org.mitre.oval:def:1550 oval:org.mitre.oval:def:1513 oval:org.mitre.oval:def:1338 oval:org.mitre.oval:def:1283 oval:org.mitre.oval:def:1134 Distributed Transaction Controller in Microsoft Windows allows remote servers to cause a denial of service (MSDTC service hang) via a crafted Transaction Internet Protocol (TIP) message that causes DTC to repeatedly connect to a target IP and port number after an error occurs, aka the "Distributed TIP Vulnerability." MS05-051 20051011 Microsoft Distributed Transaction Controller Packet Relay DoS Vulnerability 15059 http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 1015037 17509 17223 17172 17161 oval:org.mitre.oval:def:1413 oval:org.mitre.oval:def:1325 oval:org.mitre.oval:def:1253 oval:org.mitre.oval:def:1203 oval:org.mitre.oval:def:1182 oval:org.mitre.oval:def:1136 Unknown vulnerability in Microsoft Windows 2000 Server and Windows Server 2003 domain controllers allows remote authenticated users to cause a denial of service (system crash) via a crafted Kerberos message. VU#610133 MS05-042 16368 1014642 oval:org.mitre.oval:def:100105 oval:org.mitre.oval:def:100103 oval:org.mitre.oval:def:100101 oval:org.mitre.oval:def:100099 oval:org.mitre.oval:def:100097 oval:org.mitre.oval:def:100095 Unknown vulnerability in the PKINIT Protocol for Microsoft Windows 2000, Windows XP, and Windows Server 2003 could allow a local user to obtain information and spoof a server via a man-in-the-middle (MITM) attack between a client and a domain controller when PKINIT smart card authentication is being used. VU#477341 MS05-042 16368 14520 1014642 oval:org.mitre.oval:def:100106 oval:org.mitre.oval:def:100104 oval:org.mitre.oval:def:100102 oval:org.mitre.oval:def:100100 oval:org.mitre.oval:def:100098 oval:org.mitre.oval:def:100096 Stack-based buffer overflow in the Plug and Play (PnP) service for Microsoft Windows 2000 and Windows XP Service Pack 1 allows remote attackers to execute arbitrary code via a crafted packet, and local users to gain privileges via a malicious application, as exploited by the Zotob (aka Mytob) worm. TA05-221A VU#998653 MS05-039 ADV-2005-1354 win-plugandplay-bo(21602) 20050809 Windows Plug and Play Remote Compromise 14513 http://www.securiteam.com/windowsntfocus/5YP0E00GKW.html 18605 http://www.hsc.fr/ressources/presentations/null_sessions/ http://www.frsirt.com/english/alerts/20050814.ZotobA.php P-266 1014640 16372 20050811 Windows 2000 universal exploit for MS05-039 oval:org.mitre.oval:def:783 oval:org.mitre.oval:def:497 oval:org.mitre.oval:def:474 oval:org.mitre.oval:def:267 oval:org.mitre.oval:def:160 oval:org.mitre.oval:def:100073 Buffer overflow in the Print Spooler service (Spoolsv.exe) for Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code via a malicious message. TA05-221A VU#220821 MS05-043 16356 14514 1014638 oval:org.mitre.oval:def:256 oval:org.mitre.oval:def:1405 oval:org.mitre.oval:def:1045 oval:org.mitre.oval:def:100077 The Client Service for NetWare (CSNW) on Microsoft Windows 2000 SP4, XP SP1 and Sp2, and Server 2003 SP1 and earlier, allows remote attackers to execute arbitrary code due to an "unchecked buffer" when processing certain crafted network messages. MS05-046 win-csnw-bo(21700) 15066 19922 1015041 17165 oval:org.mitre.oval:def:910 oval:org.mitre.oval:def:1544 oval:org.mitre.oval:def:1536 oval:org.mitre.oval:def:1210 oval:org.mitre.oval:def:1106 Buffer overflow in Collaboration Data Objects (CDO), as used in Microsoft Windows and Microsoft Exchange Server, allows remote attackers to execute arbitrary code when CDOSYS or CDOEX processes an e-mail message with a large header name, as demonstrated using the "Content-Type" string. TA05-284A VU#883460 MS05-048 Q907245 20051012 [SEC-1 Advisory] Collaboration Data Objects Buffer Overflow Vulnerability win-cdo-bo(22495) 15067 19905 1015039 1015038 17167 20051012 [SEC-1 Advisory] Collaboration Data Objects Buffer Overflow Vulnerability oval:org.mitre.oval:def:848 oval:org.mitre.oval:def:581 oval:org.mitre.oval:def:1515 oval:org.mitre.oval:def:1420 oval:org.mitre.oval:def:1406 oval:org.mitre.oval:def:1201 oval:org.mitre.oval:def:1130 Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to execute arbitrary code via a web site or an HTML e-mail containing a crafted JPEG image that causes memory corruption, aka "JPEG Image Rendering Memory Corruption Vulnerability". TA05-221A VU#965206 MS05-038 16373 ADV-2005-1353 oval:org.mitre.oval:def:390 oval:org.mitre.oval:def:1335 oval:org.mitre.oval:def:1216 oval:org.mitre.oval:def:1140 Unknown vulnerability in Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to obtain information and possibly execute code when browsing from a web site to a web folder view using WebDAV, aka "Web Folder Behaviors Cross-Domain Vulnerability". MS05-038 16373 ADV-2005-1353 14512 oval:org.mitre.oval:def:888 oval:org.mitre.oval:def:790 oval:org.mitre.oval:def:697 oval:org.mitre.oval:def:1319 oval:org.mitre.oval:def:100082 oval:org.mitre.oval:def:100081 Internet Explorer 5.0, 5.5, and 6.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, including (1) devenum.dll, (2) diactfrm.dll, (3) wmm2filt.dll, (4) fsusd.dll, (5) dmdskmgr.dll, (6) browsewm.dll, (7) browseui.dll, (8) shell32.dll, (9) mshtml.dll, (10) inetcfg.dll, (11) infosoft.dll, (12) query.dll, (13) syncui.dll, (14) clbcatex.dll, (15) clbcatq.dll, (16) comsvcs.dll, and (17) msconf.dll, which causes memory corruption, aka "COM Object Instantiation Memory Corruption Vulnerability," a different vulnerability than CVE-2005-2087. TA05-221A VU#959049 MS05-038 16373 ADV-2005-1353 14511 1014643 oval:org.mitre.oval:def:1337 oval:org.mitre.oval:def:1235 oval:org.mitre.oval:def:1221 oval:org.mitre.oval:def:1061 oval:org.mitre.oval:def:100082 The XMLRPC server in utils.rb for the ruby library (libruby) 1.8 sets an invalid default value that prevents "security protection" using handlers, which allows remote attackers to execute arbitrary commands. VU#684913 http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-core/5237 http://www2.ruby-lang.org/en/20050701.html 14016 oval:org.mitre.oval:def:10819 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=315064 RHSA-2005:543 SUSE-SR:2005:018 DSA-748 P-312 ESB-2005.0732 16920 APPLE-SA-2005-09-22 Race condition in sudo 1.3.1 up to 1.6.8p8, when the ALL pseudo-command is used after a user entry in the sudoers file, allows local users to gain privileges via a symlink attack. 20050620 Sudo version 1.6.8p9 now available, fixes security issue. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161116 ADV-2005-2659 ADV-2005-0821 13993 oval:org.mitre.oval:def:11341 sudo-pathname-race-condition(21080) http://www.sudo.ws/sudo/alerts/path_race.html 15647 FLSA:162750 RHSA-2005:535 17396 SUSE-SA:2005:036 DSA-735 17813 15744 APPLE-SA-2005-11-29 oval:org.mitre.oval:def:1242 Finjan SurfinGate 7.0SP2 and SP3 allows remote attackers to download blocked files via hex-encoded characters in a filename, as demonstrated using "%2e". finjan-surfingate-security-bypass(21010) ADV-2005-0778 17324 15711 20050614 URL-Encoding Problem in Finjan SurfinGate Bitrix Site Manager 4.0.x allows remote attackers to obtain sensitive information via direct request to (1) subscr_form.php or (2) dbquery_error.php, which reveals the path in an error message. 17376 17348 bitrix-site-path-disclosure(21019) 20050615 Vulnerability: Bitrix Web Server Paths PHP remote file inclusion vulnerability in start.php in Bitrix Site Manager 4.0.x allows remote attackers to execute arbitrary PHP code via the _SERVER[DOCUMENT_ROOT] parameter. 17341 http://www.bitrixsoft.com/support/forum/read.php?FID=10&TID=1872 http://www.bitrixsoft.com/sitemanager/versions.php?module=main 15726 bitrix-serverdocumentroot-file-include(21018) ADV-2005-0779 13965 20050615 Vulnerability: Bitrix Php inclusion show.php in McGallery 1.1 allows remote attackers to connect to arbitrary databases, or gain sensitive information by triggering an error, via a modified host parameter. 17344 15727 20050615 Vulnerability: McGallery v 1.1 Mysql DB including 1014215 Directory traversal vulnerability in admin.php in McGallery 1.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter. 17343 15727 20050615 Vulnerability: McGallery v 1.1 files reading on disk 13963 1014215 Multiple cross-site scripting (XSS) vulnerabilities in pafiledb.php in paFileDB 3.1 allow remote attackers to inject arbitrary web script or HTML via the (1) sortby or (2) filelist parameters to the category action (category.php), or (3) pages parameter in the viewall action (viewall.php). http://www.phparena.net/pafiledb_patch/ http://www.phparena.net/ http://www.gulftech.org/?node=research&article_id=00082-06142005 20050615 Multiple paFileDB Vulnerabilities Multiple SQL injection vulnerabilities in paFileDB 3.1 and earlier allow remote attackers to execute arbitrary SQL commands via the formname parameter (1) in the login form, (2) in the team login form, or (3) to auth.php, (4) select, (5) id, or (6) query parameter to pafiledb.php, or (7) string parameter to search.php. http://www.phparena.net/pafiledb_patch/ http://www.phparena.net/ http://www.gulftech.org/?node=research&article_id=00082-06142005 20050615 Multiple paFileDB Vulnerabilities Directory traversal vulnerability in pafiledb.php in paFileDB 3.1 and earlier allows remote attackers to include arbitrary files via a .. (dot dot) in the action parameter. http://www.phparena.net/pafiledb_patch/ http://www.phparena.net/ http://www.gulftech.org/?node=research&article_id=00082-06142005 20050615 Multiple paFileDB Vulnerabilities SQL injection vulnerability in content.php in Mambo 4.5.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user_rating parameter. 15710 13966 17323 20050615 Mambo 4.5.2.2 SQL Injection in UPDATE statement http://mamboforge.net/frs/download.php/6153/CHANGELOG 1014222 Ultimate PHP Board (UPB) 1.9.6 GOLD allows remote attackers to obtain sensitive information via an invalid (zero) id parameter to (1) viewtopic.php, (2) profile.php, or (3) newpost.php, which reveals the path in an error message. 15732 20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD Multiple cross-site scripting vulnerabilities in Ultimate PHP Board (UPB) 1.9.6 GOLD and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) ref parameter to login.php, (2) id or (3) page parameter to viewtopic.php, id parameter to (4) profile.php, (5) newpost.php, (6) email.php, (7) icq.php, or (8) aol.php, (9) t_id parameter to newpost.php, (10) ref parameter to getpass.php, or (11) sText parameter to search.php. 15732 20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD Ultimate PHP Board (UPB) 1.9.6 GOLD and earlier stores the users.dat file under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information on registered users via a direct request to db/users.dat. 15732 20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD JBOSS 3.2.2 through 3.2.7 and 4.0.2 allows remote attackers to obtain sensitive information via a GET request (1) with a "%." (percent dot), which reveals the installation path or (2) with a % (percent) before a filename, which reveals the contents of the file. SSRT061108 ADV-2006-0497 ADV-2005-0815 15746 20050617 JBOSS 3.2.2-3.2.7 / 4.0.2 installation path disclosure / config disclosure / version fingerprinting SSRT061108 13985 20060720 Cisco MARS < 4.2.1 remote compromise 1015605 439 18789 17559 20060720 Cisco MARS < 4.2.1 remote compromise Directory traversal vulnerability in Edgewall Trac 0.8.3 and earlier allows remote attackers to read or write arbitrary files via a .. (dot dot) in the id parameter to the (1) upload or (2) attachment scripts. http://www.hardened-php.net/advisory-012005.php 15752 20050619 Advisory 01/2005: Fileupload/download vulnerability in Trac http://svn.edgewall.com/repos/trac/tags/trac-0.8.4/ChangeLog Yaws Webserver 1.55 and earlier allows remote attackers to obtain the source code for yaws scripts via a request to a yaw script with a trailing %00 (null). http://yaws.hyber.org/yaws-1.55_to_1.56.patch 15740 20050617 Source Code Disclosure in Yaws Webserver <1.56 17375 Multiple SQL injection vulnerabilities in Ublog Reload 1.0.5 allow remote attackers to execute arbitrary SQL commands via the (1) ci, (2) d, or (3) m parameter to index.asp, or the (4) bi parameter to blog_comment.asp. ADV-2005-0818 20050620 [ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5 http://echo.or.id/adv/adv18-theday-2005.txt Cross-site scripting (XSS) vulnerability in trackback.asp in Ublog Reload 1.0.5 allows remote attackers to inject arbitrary web script or HTML via the btitle parameter. ADV-2005-0818 13994 20050620 [ECHO_ADV_18$2005] Multiple SQL INJECTION in Ublog Reload 1.0.5 http://echo.or.id/adv/adv18-theday-2005.txt Multiple cross-site scripting (XSS) vulnerabilities in paFAQ 1.0 Beta 4 allow remote attackers to inject arbitrary web script or HTML, as demonstrated via the id parameter in a Question action. http://www.gulftech.org/?node=research&article_id=00083-06202005 20050620 paFaq Multiple Vulnerabilities Multiple SQL injection vulnerabilities in login in paFAQ 1.0 Beta 4 allow remote attackers to execute arbitrary SQL commands and bypass authentication via the (1) username or (2) id parameters. http://www.gulftech.org/?node=research&article_id=00083-06202005 20050620 paFaq Multiple Vulnerabilities paFAQ 1.0 Beta 4 allows remote attackers to obtain sensitive information via a direct request to admin/backup.php, which contains a backup of the database including usernames and passwords. http://www.gulftech.org/?node=research&article_id=00083-06202005 20050620 paFaq Multiple Vulnerabilities The "upload a language pack" feature in paFAQ 1.0 Beta 4 allows remote authenticated administrators to execute arbitrary PHP commands by uploading a malicious language pack. 20050620 paFaq Multiple Vulnerabilities Symantec AntiVirus 9 Corporate Edition allows local users to gain privileges via the "Scan for viruses" option, which launches a help window with raised privileges, a re-introduction of a vulnerability that was originally identified and addressed by CVE-2002-1540. http://www.symantec.com/avcenter/security/Content/2005.08.24.html 20050829 Symantec AntiVirus 9 Corporate Edition Local Privilege Escalation Vulnerability ipfw in FreeBSD 5.4, when running on Symmetric Multi-Processor (SMP) or Uni Processor (UP) systems with the PREEMPTION kernel option enabled, does not sufficiently lock certain resources while performing table lookups, which can cause the cache results to be corrupted during multiple concurrent lookups, allowing remote attackers to bypass intended access restrictions. FreeBSD-SA-05:13 Directory traversal vulnerability in the web server for 3Com Network Supervisor 5.0.2 allows remote attackers to read arbitrary files via ".." sequences in the URL to TCP port 21700. 20050902 3Com Network Supervisor Directory Traversal Vulnerability 1014836 16639 ADV-2005-1611 Cross-site scripting (XSS) vulnerability in cPanel 9.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the user parameter in the login page. 13996 Unknown vulnerability in Webmail in iPlanet Messaging Server 5.2 Patch 1 and Sun ONE Messaging Server 6.2 allows remote attackers to execute arbitrary Javascript, possibly due to a cross-site scripting (XSS) vulnerability. 101770 ADV-2005-0816 The send_pinentry_environment function in asshelp.c in gpg2 on SUSE Linux 9.3 does not properly handle certain options, which can prevent pinentry from being found and causes S/MIME signing to fail. SUSE-SR:2005:016 [gpa-dev] 20050603 Re: S/MIME signing fails on a SUSE 9.3 system [gpa-dev] 20050603 Re: S/MIME signing fails on a SUSE 9.3 system [gpa-dev] 20050603 Re: S/MIME signing fails on a SUSE 9.3 system Vipul Razor Agents (razor-agents) before 2.70 allows remote attackers to cause a denial of service via (1) certain "unusual HTML messages" or (2) "certain malformed headers" such as Content-Type. 13984 http://sourceforge.net/mailarchive/forum.php?thread_id=7520323&forum_id=4259 GLSA-200506-17 http://bugs.gentoo.org/show_bug.cgi?id=95492 SUSE-SA:2005:035 DSA-738 Cisco VPN 3000 Concentrator before 4.1.7.F allows remote attackers to determine valid groupnames by sending an IKE Aggressive Mode packet with the groupname in the ID field, which generates a response if the groupname is valid, but does not generate a response for an invalid groupname. 13992 http://www.nta-monitor.com/news/vpn-flaws/cisco/VPN-Concentrator/index.htm ADV-2005-0822 Enterasys Vertical Horizon VH-2402S before firmware 2.05.05.09 has a hard-coded account and password for debugging, which allows remote attackers to gain privileges. http://www.enterasys.com/support/relnotes/VH-4802-2050509-patch-rel.pdf 15757 Enterasys Vertical Horizon VH-2402S before firmware 2.05.05.09 does not properly restrict certain debugging commands to the ADMIN account, which could allow attackers to obtain sensitive information or modify the registry. http://www.enterasys.com/support/relnotes/VH-4802-2050509-patch-rel.pdf 15757 SQL injection vulnerability in index.php for MercuryBoard 1.1.4 and earlier allows remote attackers to execute arbitrary SQL commands via the User-Agent HTTP header. 14015 20050621 MercuryBoard 1.1.4 SQL Injection amaroK Web Frontend 1.3 stores the globals.inc file under the web root without a .php extension and insufficient access control, which allows remote attackers to obtain the database username and password via a direct request to the file. http://sourceforge.net/project/shownotes.php?release_id=335719 15736 Ultimate PHP Board (UPB) 1.9.6 GOLD uses weak encryption for passwords in the users.dat file, which allows attackers to easily decrypt the passwords and gain privileges, possibly after exploiting CVE-2005-2005 to obtain users.dat. 13975 20050616 M4DR007-06SA (security advisory): Multiple vulnerabilities in UPB 1.9.6 GOLD Multiple SQL injection vulnerabilities in socialMPN allow remote attackers to execute arbitrary SQL commands via (1) the sid parameter to article.php, (2) uname parameter to user.php, (3) siteid parameter to viewforum.php, (4) username parameter to newtopic.php, the (5) secid or (6) artid parameter to sections.php, (7) siteid parameter to index.php, or (8) sid parameter to friend.php. 1014214 Unknown vulnerability in lpadmin on Sun Solaris 7, 8, and 9 allows local users to overwrite arbitrary files. 101768 15723 13968 1014218 Directory traversal vulnerability in folderview.asp for Blue-Collar Productions i-Gallery 3.3 allows remote attackers to read arbitrary files and directories via the folder parameter. ADV-2005-0825 14000 20050620 [Hat-Squad] i-Gallery directory traversal Cross-site scripting (XSS) vulnerability in folderview.asp for BlueCollar iGallery 3.3 allows remote attackers to inject arbitrary web script or HTML via the folder parameter. ADV-2005-0825 20050620 [Hat-Squad] i-Gallery directory traversal SQL injection vulnerability in login.asp for Cool Cafe (Cool Café) Chat 1.2.1 allows remote attackers to execute arbitrary SQL commands via the password. 17349 1014221 20050616 CoolCafe Chat SQL injection http://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt modifyUser.asp in Cool Cafe (Cool Café) Chat 1.2.1 allows remote attackers to obtain the administrator password and email address via a modified nickname value. 17350 20050616 CoolCafe Chat SQL injection http://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt Multiple SQL injection vulnerabilities in Fortibus CMS 4.0.0 allow remote attackers to execute arbitrary SQL commands via (1) the username or password to logon.asp, (2) WeeklyNotesDisplay.asp, or (3) the Search page. ADV-2005-0827 1014242 15762 Fortibus CMS 4.0.0 allows remote attackers to modify information of other users, including Admin, via the "My info" page. 1014242 Unknown vulnerability in "various plugins" for NanoBlogger 3.2.1 and earlier allows remote attackers to execute arbitrary commands. 17392 15754 http://nanoblogger.sourceforge.net/downloads/nanoblogger-3.2.3.tar.gz Multiple buffer overflows in the getterminaltype function in telnetd for Heimdal before 0.6.5 may allow remote attackers to execute arbitrary code, a different vulnerability than CVE-2005-0468 and CVE-2005-0469. 15718 http://www.pdc.kth.se/heimdal/advisory/2005-06-20/ SUSE-SA:2005:040 GLSA-200506-24 DSA-758 Buffer overflow in addschup in HAURI ViRobot 2.0, and possibly other products, allows remote attackers to execute arbitrary code via a long ViRobot_ID cookie (HTTP_COOKIE). http://www.securiteam.com/exploits/5TP0C1FG1I.html http://www.digitalmunition.com/DMA%5B2005-0614a%5D.txt 15700 virobot-addschup-bo(21000) 12964 17320 http://www.globalhauri.com/html/download/down_unixpatch.html 20050615 DMA[2005-0614a] - 'Global Hauri ViRobot Server cookie overflow' Cross-site scripting (XSS) vulnerability in ajax-spell before 1.8 allows remote attackers to inject arbitrary web script or HTML via onmouseover or other events in HTML tags. 13986 http://www.broken-notebook.com/spell_checker/index.php http://sourceforge.net/project/shownotes.php?release_id=335556 15737 Directory traversal vulnerability in XAMPP before 1.4.14 allows remote attackers to inject arbitrary HTML and PHP code via lang.php. 13983 http://sourceforge.net/project/shownotes.php?release_id=335710 15735 Multiple cross-site scripting (XSS) vulnerabilities in ATutor 1.4.3 and 1.5 RC 1 allow remote attackers to inject arbitrary web script or HTML via the (1) show_course parameter to browse.php, (2) subject parameter to contact.php, (3) cid parameter to content.php, (4) l parameter to inbox/send_message.php, the (5) search, (6) words, (7) include, (8) find_in, (9) display_as, or (10) search parameter to search.php, the (11) submit, (12) query, or (13) field parameter to tile.php, the (14) us parameter to forum/subscribe_forum.php, or the (15) roles[], (16) status, (17) submit, or (18) reset_filter parameters to directory.php. 13972 http://lostmon.blogspot.com/2005/06/atutor-multiple-variable-cross-site.html 17359 17358 17357 17356 17355 17354 17353 17352 17351 1014216 Multiple SQL injection vulnerabilities in DUware DUportal PRO 3.4.3 allow remote attackers to execute arbitrary SQL commands via the (1) iChannel parameter to default.asp, (2) iData parameter to detail.asp, (3) iMem parameter to members.asp, (4) iCat parameter to cat.asp, (5) offset parameter to members_listing_approval.asp, or (6) iChannel parameter to channels_edit.asp. 20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Products http://echo.or.id/adv/adv19-theday-2005.txt 17599 17598 17597 Multiple SQL injection vulnerabilities in DUware DUamazon Pro 3.0 and 3.1 allow remote attackers to execute arbitrary SQL commands via the (1) iCat parameter to cat.asp, (2) iSub parameter to sub.asp, (3) iSub parameter to detail.asp, (4) iPro parameter to review.asp, iCat parameter to (5) catEdit.asp, (6) catDelete.asp, (7) productEdit.asp, or (8) productDelete.asp, or (9) iType parameter to type.asp. 20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Products http://echo.or.id/adv/adv19-theday-2005.txt Multiple SQL injection vulnerabilities in DUware DUpaypal Pro 3.0 allow remote attackers to execute arbitrary SQL commands via the (1) iCat parameter to cat.asp, (2) iPro parameter to detail.asp, (3) iSub parameter to sub.asp, (4) iCat parameter to catEdit.asp. 20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Products http://echo.or.id/adv/adv19-theday-2005.txt Multiple SQL injection vulnerabilities in DUware DUforum 3.1, and possibly other versions, allow remote attackers to execute arbitrary SQL commands via the (1) iMsg parameter to messages.asp, iFor parameter to (2) post.asp or (3) forums.asp, or (4) id parameter to userEdit.asp. NOTE: vectors 1 and 3 were later reported to affect version 3.0. duforum-messages-forums-sql-injection(30668) 20061202 [Aria-Security Team] DuWare DuForum SQL Injection Vuln 20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Products http://echo.or.id/adv/adv19-theday-2005.txt Multiple SQL injection vulnerabilities in DUware DUclassmate 1.2 allow remote attackers to execute arbitrary SQL commands via the (1) iState parameter to default.asp or (2) iPro parameter to edit.asp. 20050622 [ECHO_ADV_19$2005] Multiple SQL INJECTION in DUWARE Products http://echo.or.id/adv/adv19-theday-2005.txt 14036 Unknown vulnerability in Tor before 0.1.0.10 allows remote attackers to read arbitrary memory and possibly key information from the exit server's process space. tor-information-disclosure(21093) GLSA-200506-18 15764 http://bugs.gentoo.org/show_bug.cgi?id=96320 http://archives.seul.org/or/announce/Jun-2005/msg00001.html Buffer overflow in the VERITAS Backup Exec Web Administration Console (BEWAC) 9.0 4367 through 10.0 rev. 5484 allows remote attackers to execute arbitrary code. http://seer.support.veritas.com/docs/276606.htm 15789 20050623 Buffer overflow vulnerability in VERITAS Software Backup Exec Web Administration Console (BEWAC) 14025 P-232 Heap-based buffer overflow in vidplin.dll in RealPlayer 10 and 10.5 (6.0.12.1040 through 1069), RealOne Player v1 and v2, RealPlayer 8 and RealPlayer Enterprise allows remote attackers to execute arbitrary code via an .avi file with a modified strf structure value. http://service.real.com/help/faq/security/050623_player/EN/ 20050623 eEye Advisory - EEYEB-200505 - RealPlayer AVI Processing Overflow Just another flat file (JAF) CMS before 3.0 Final allows remote attackers to obtain sensitive information via (1) an * (asterisk) in the id parameter, (2) a blank id parameter, or (3) an * (asterisk) in the disp parameter to index.php, which reveals the path in an error message. NOTE: a followup suggests that this may be a directory traversal or file inclusion vulnerability. 20050626 Re: [ECHO_ADV_20$2005] Full path disclosure JAF CMS 20050623 [ECHO_ADV_20$2005] Full path disclosure JAF CMS http://echo.or.id/adv/adv20-theday-2005.txt Unknown vulnerability in RealPlayer 10 and 10.5 (6.0.12.1040-1069) and RealOne Player v1 and v2 allows remote attackers to overwrite arbitrary files or execute arbitrary ActiveX controls via a crafted MP3 file. http://service.real.com/help/faq/security/050623_player/EN/ RealPlayer 8, 10, 10.5 (6.0.12.1040-1069), and Enterprise and RealOne Player v1 and v2 allows remote malicious web server to create an arbitrary HTML file that executes an RM file via "default settings of earlier Internet Explorer browsers". http://service.real.com/help/faq/security/050623_player/EN/ The Quantum archive decompressor in Clam AntiVirus (ClamAV) before 0.86.1 allows remote attackers to cause a denial of service (application crash) via a crafted Quantum archive. GLSA-200506-23 http://sourceforge.net/project/shownotes.php?release_id=337279 14058 15811 SUSE-SA:2005:038 DSA-737 Multiple cross-site scripting (XSS) vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to inject arbitrary web script or HTML via the (1) Searchpage parameter to dosearch.php, (2) Number, (3) what, or (4) page parameter to newreply.php, (5) Number, (6) Board, or (7) what parameter to showprofile.php, (8) fpart or (9) page parameter to showflat.php, or (10) like parameter to showmembers.php. http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351 http://www.gulftech.org/?node=research&article_id=00084-06232005 20050624 Infopop UBB Threads Multiple Vulnerabilities Multiple SQL injection vulnerabilities in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to execute arbitrary SQL commands via the Number parameter to (1) download.php, (2) modifypost.php, (3) mailthread.php, or (4) notifymod.php, (5) month or (6) year parameter to calendar.php, (7) message parameter to viewmessage.php, (8) main parameter to addfav.php, or (9) posted parameter to grabnext.php. http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351 http://www.gulftech.org/?node=research&article_id=00084-06232005 20050624 Infopop UBB Threads Multiple Vulnerabilities Multiple cross-site request forgery (CSRF) vulnerabilities in (1) addaddress.php, (2) toggleignore.php, (3) removeignore.php, and (4) removeaddress.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to modify settings as another user via a link or IMG tag. http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351 http://www.gulftech.org/?node=research&article_id=00084-06232005 20050624 Infopop UBB Threads Multiple Vulnerabilities Multiple HTTP Response Splitting vulnerabilities in (1) toggleshow.php, (2) togglecats.php, and (3) showprofile.php in Infopop UBB.Threads before 6.5.2 Beta allow remote attackers to spoof web content and poison web caches via CRLF ("%0d%0a") sequences in the Cat parameter. http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351 http://www.gulftech.org/?node=research&article_id=00084-06232005 20050624 Infopop UBB Threads Multiple Vulnerabilities Infopop UBB.Threads before 6.5.2 Beta allows remote attackers to include arbitrary files via the language parameter in a cookie followed by a null (%00) byte. http://www.ubbcentral.com/boards/showflat.php/Cat/0/Number/42351/Main/42351/#Post42351 http://www.gulftech.org/?node=research&article_id=00084-06232005 20050624 Infopop UBB Threads Multiple Vulnerabilities Multiple SQL injection vulnerabilities in ActiveBuyAndSell 6.2 allow remote attackers to execute arbitrary SQL commands via the catid parameter to (1) default.asp or (2) buyersend.asp, (3) Administrator ID field in admin.asp, E-mail field in (4) advertiserstart.asp or (5) buyer.asp, or Keyword field in search.asp. ADV-2007-1096 20050624 [ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSell activebuyandsell-buyersend-sql-injection(33183) 23110 3550 Multiple cross-site scripting (XSS) vulnerabilities in ActiveBuyAndSell 6.2 allow remote attackers to inject arbitrary web script or HTML via the (1) Title parameter to sendpassword.asp or (2) Keyword field in search.asp. 20050624 [ECHO_ADV_21$2005] MUltiple Vulnarable In ActiveBuyAndSell Multiple cross-site scripting vulnerabilities in ASP Nuke 0.80 allow remote attackers to inject arbitrary web script or HTML via the (1) email parameter to forgot_password.asp, or the (2) FirstName, (3) LastName, (4) Username, (5) Password, (6) Address1, (7) Address2, (8) City, (9) ZipCode, (10) Email parameter to register.asp. 14062 20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80 HTTP response splitting vulnerability in language_select.asp in ASP Nuke 0.80 allows remote attackers to spoof web content and poison web caches via CRLF ("%0d%0a") sequences in the LangCode parameter. 14063 20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80 SQL injection vulnerability in comment_post.asp in ASP Nuke 0.80 allows remote attackers to execute arbitrary SQL statements via the TaskID parameter. 14064 20050626 M4DR007-07SA (security advisory): Multiple vulnerabilities in ASP Nuke 0.80 20050627 SQL Injection Exploit for ASPNuke <= 0.80 SQL injection vulnerability in article.asp in unknown versions of aspnuke allows remote attackers to execute arbitrary SQL commands via the articleid parameter. 20050627 aspnuke is vulnerable to sql injection 18215 http://downloads.securityfocus.com/vulnerabilities/exploits/ASPNuke-0601-sql.txt FreeBSD 4.x through 4.11 and 5.x through 5.4 allows remote attackers to modify certain TCP options via a TCP packet with the SYN flag set for an already established session. FreeBSD-SA-05:15 pam_ldap and nss_ldap, when used with OpenLDAP and connecting to a slave using TLS, does not use TLS for the subsequent connection if the client is referred to a master, which may cause a password to be sent in cleartext and allows remote attackers to sniff the password. http://www.openldap.org/its/index.cgi/Incoming?id=3791 http://bugzilla.padl.com/show_bug.cgi?id=210 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=161990 ldap-tls-information-disclosure(21245) MDKSA-2005:121 USN-152-1 14126 14125 RHSA-2005:767 RHSA-2005:751 17692 GLSA-2005-07-13 http://support.avaya.com/elmodocs2/security/ASA-2006-157.htm 21520 17845 17233 oval:org.mitre.oval:def:9445 http://bugzilla.padl.com/show_bug.cgi?id=211 http://bugs.gentoo.org/show_bug.cgi?id=96767 20050704 pam_ldap/nss_ldap password leak in a master+slave+start_tls LDAP setup The ClamAV Mail fILTER (clamav-milter) 0.84 through 0.85d, when used in Sendmail using long timeouts, allows remote attackers to cause a denial of service by keeping an open connection, which prevents ClamAV from reloading. 14047 20050623 long sendmail timeouts let attacker prevent milter quiesce SUSE-SA:2005:038 DSA-737 traceroute in Sun Solaris 10 on x86 systems allows local users to execute arbitrary code with PRIV_NET_RAWACCESS privileges via (1) a large number of -g arguments or (2) a malformed -s argument with a trailing . (dot). ADV-2005-2564 14049 102060 1015261 17708 20050624 Re: Solaris 10 /usr/sbin/traceroute vulnerabilities 20050624 Re: [Full-disclosure] Solaris 10 /usr/sbin/traceroute vulnerabilities 20050624 Solaris 10 /usr/sbin/traceroute vulnerabilities The runtime linker (ld.so) in Solaris 8, 9, and 10 trusts the LD_AUDIT environment variable in setuid or setgid programs, which allows local users to gain privileges by (1) modifying LD_AUDIT to reference malicious code and possibly (2) using a long value for LD_AUDIT. ADV-2005-0908 14074 http://www.opensolaris.org/jive/thread.jspa?messageID=3497 101794 1014537 15841 20050628 Solaris 9/10 ld.so fun 20050628 Solaris 9/10 ld.so fun 20050628 Solaris 9/10 ld.so fun Unknown vulnerability in IBM DB2 8.1.4 through 8.1.9 and 8.2.0 through 8.2.2 allows local users with SELECT privileges to conduct unauthorized activities and insert, update or delete table contents. IY73104 Cross-site scripting (XSS) vulnerability in PHP-Fusion 6.0.105 allows remote attackers to inject arbitrary web script or HTML via a news or article post, possibly involving the (1) news_body, (2) article_description, or (3) article_body parameters to submit.php. 15830 http://dark-assassins.com/forum/viewtopic.php?t=145 ADV-2005-0888 14066 PHP-Fusion 5.0 and 6.0 stores the database file with a predictable filename under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information via a direct request to the filename in the administration/db_backups directory in PHP-Fusion 6.0 or the fusion_admin/db_backups directory in 5.0. 15830 ADV-2005-0888 http://dark-assassins.com/forum/viewtopic.php?t=142 HP Version Control Repository Manager (VCRM) before 2.1.1.730 does not properly handle the "@" character in a proxy password, which could allow attackers with physical access to obtain portions of the password when it is displayed to the screen. 14032 SSRT5955 1014267 15790 SSRT5955 Cross-site scripting (XSS) vulnerability in error.asp for Hosting Controller allows remote attackers to inject arbitrary web script or HTML via the error parameter. 14080 20051215 Bug in HC 1016456 20050628 Cross-Site Scripting (CSS) in Hosting Controller All Version and hot fix it hehe ;) BisonFTP Server V4R1 allows remote authenticated users to cause a denial of service via an invalid command with a long argument. 14079 Heap-based buffer overflow in the Admin Plus Pack Option for VERITAS Backup Exec 9.0 through 10.0 for Windows Servers allows remote attackers to execute arbitrary code. TA05-180A VU#352625 http://seer.support.veritas.com/docs/277429.htm http://seer.support.veritas.com/docs/276607.htm 15789 14023 Unknown vulnerability in Remote Agent for Windows Servers (RAWS) in VERITAS Backup Exec 9.0 through 10.0 for Windows, and 9.0.4019 through 9.1.307 for NetWare, allows remote attackers to gain privileges by copying the handle for the server. http://seer.support.veritas.com/docs/277429.htm http://seer.support.veritas.com/docs/276608.htm 15789 14026 Stack-based buffer overflow in the function that parses commands in Asterisk 1.0.7, when the 'write = command' option is enabled, allows remote attackers to execute arbitrary code via a command that has two double quotes followed by a tab character. asterisk-manager-interface-bo(21115) http://www.portcullis-security.com/advisory/advisory-05-013.txt 20050622 Portcullis Security Advisory 05-013 - VoIP - Asterisk Stack Overflow im_trbbs.cgi in imTRSET 1.02 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in the df parameter. http://www.cgi-club.com/imTRBBS/ 20050629 Original imTRBBS(ver1.02) and prior remote command execution Format string vulnerability in IMAP4 in IA eMailServer Corporate Edition 5.2.2 build 1051 allows remote attackers to cause a denial of service (application crash) via a LIST command with format string specifiers as the second argument. emailserver-list-dos(21169) 1014301 20050627 Denial of Service Vulnerability in True North Software, Inc. IA eMailServer Corporate Edition Version: 5.2.2. Build: 1051 Cross-site scripting (XSS) vulnerability in SearchResults.aspx in Community Forum allows remote attackers to inject arbitrary web script or HTML via the q parameter. 20050627 XSS IN Community forum Buffer overflow in Inframail Advantage Server Edition 6.0 through 6.7 allows remote attackers to cause a denial of service (process crash) via a long (1) SMTP FROM field or possibly (2) FTP NLST command. 20050628 Multiple buffer overflows exist in Infradig Systems Inframail Advantage Server Edition 6.0 PHP remote file inclusion vulnerability in viewtopic.php in phpBB 2.0.15 and earlier allows remote attackers to execute arbitrary PHP code. http://www.phpbb.com/phpBB/viewtopic.php?f=14&t=302011 20050628 Security Advisory - phpBB 2.0.15 PHP-code injection bug Internet Explorer 5.01 SP4 up to 6 on various Windows operating systems, including IE 6.0.2900.2180 on Windows XP, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not ActiveX controls, as demonstrated using the JVIEW Profiler (Javaprxy.dll). NOTE: the researcher says that the vendor could not reproduce this problem. TA05-193A VU#959049 VU#939605 ie-javaprxydll-execute-code(21193) ADV-2005-0935 14087 20050702 Microsoft Internet Explorer 17680 MS05-037 http://www.microsoft.com/technet/security/advisory/903144.mspx ESB-2005.0489 1014329 15891 20050629 SEC-CONSULT SA-20050629-0 oval:org.mitre.oval:def:793 oval:org.mitre.oval:def:1518 oval:org.mitre.oval:def:1506 oval:org.mitre.oval:def:1326 The Apache HTTP server before 1.3.34, and 2.0.x before 2.0.55, when acting as an HTTP proxy, allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Apache to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." SSRT051128 SSRT051128 http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf ADV-2006-4680 ADV-2006-1018 ADV-2006-0789 ADV-2005-2659 ADV-2005-2140 USN-160-2 15647 14106 HPSBUX02074 HPSBUX02074 http://www.securiteam.com/securityreviews/5GP0220G0U.html RHSA-2005:582 DSA-805 DSA-803 http://www.apache.org/dist/httpd/CHANGES_2.0 http://www.apache.org/dist/httpd/CHANGES_1.3 PK16139 PK13959 http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm 102198 102197 SSA:2005-310-04 1014323 19317 19185 19073 19072 17813 17487 17319 14530 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling oval:org.mitre.oval:def:11452 [apache-httpd-announce] 20051014 Apache HTTP Server 2.0.55 Released TSLSA-2005-0059 APPLE-SA-2005-11-29 https://secure-support.novell.com/KanisaPlatform/Publishing/741/3222109_f.SAL_Public.html SUSE-SA:2005:046 SUSE-SR:2005:018 MDKSA-2005:130 604 23074 oval:org.mitre.oval:def:840 oval:org.mitre.oval:def:1629 oval:org.mitre.oval:def:1526 oval:org.mitre.oval:def:1237 Microsoft IIS 5.0 and 6.0 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes IIS to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf http://www.securiteam.com/securityreviews/5GP0220G0U.html 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling microsoft-iis-hrs(42899) Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf ADV-2009-0233 ADV-2008-1979 ADV-2008-0065 ADV-2007-3386 ADV-2007-3087 ADV-2007-2732 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities http://www.securiteam.com/securityreviews/5GP0220G0U.html http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 33668 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling oval:org.mitre.oval:def:10499 SSRT071447 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx 25159 13873 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 RHSA-2008:0261 RHSA-2007:0360 RHSA-2007:0327 http://www.fujitsu.com/global/support/software/security/products-f/interstage-200703e.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html http://tomcat.apache.org/security-4.html http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm 239312 1014365 30908 30899 29242 28365 27037 26660 26235 [Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 SUSE-SR:2008:005 APPLE-SA-2007-07-31 HPSBUX02262 http://docs.info.apple.com/article.html?artnum=306172 IBM WebSphere 5.1 and WebSphere 5.0 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebSphere to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf http://www.securiteam.com/securityreviews/5GP0220G0U.html 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling ibm-websphere-hrs(42898) 1014367 BEA Systems WebLogic 8.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes WebLogic to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf http://www.securiteam.com/securityreviews/5GP0220G0U.html 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling bea-weblogic-hrs(42901) 1014366 Oracle 9i Application Server (Oracle9iAS) 9.0.2 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Application Server to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf http://www.securiteam.com/securityreviews/5GP0220G0U.html 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling oracle-applicationserver-hrs(42902) Sun SunONE web server 6.1 SP1 allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes SunONE to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling." http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf http://www.securiteam.com/securityreviews/5GP0220G0U.html 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling sun-sunone-hrs(42903) 1014369 options_identities.php in SquirrelMail 1.4.4 and earlier uses the extract function to process the $_POST variable, which allows remote attackers to modify or read the preferences of other users, conduct cross-site scripting XSS) attacks, and write arbitrary files. DSA-756 FLSA:163047 squirrelmail-set-post-variable(21359) http://www.squirrelmail.org/security/issue/2005-07-13 14254 20050714 SquirrelMail Arbitrary Variable Overwriting Vulnerability 20050714 [SM-ANNOUNCE] Patch available for CAN-2005-2095 RHSA-2005:595 SUSE-SR:2005:018 http://www.gulftech.org/?node=research&article_id=00090-07142005 oval:org.mitre.oval:def:10500 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 zlib 1.2 and later versions allows remote attackers to cause a denial of service (crash) via a crafted compressed stream with an incomplete code description of a length greater than 1, which leads to a buffer overflow, as demonstrated using a crafted PNG file. VU#680620 14162 RHSA-2005:569 GLSA-200509-18 DSA-797 DSA-740 101989 GLSA-200507-05 15949 FLSA:162680 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162391 ADV-2007-1267 ADV-2006-0144 ADV-2005-0978 USN-148-1 HPSBUX02090 RHSA-2008:0629 http://support.apple.com/kb/HT3298 1014398 31492 oval:org.mitre.oval:def:11500 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 APPLE-SA-2008-11-13 FreeBSD-SA-05:16.zlib hpux-secure-shell-dos(24064) http://www.vmware.com/support/vi3/doc/esx-9916286-patch.html http://www.vmware.com/support/vi3/doc/esx-3616065-patch.html USN-151-3 20071029 Windows binary of "Virtual Floppy Drive 2.1" contains vulnerable zlib (CAN-2005-2096) 20071029 Re: Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096) 20071021 Re: Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096) 20071020 Re: Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096) 20071018 Official Windows binaries of "curl" contain vulnerable zlib 1.2.2 (CAN-2005-2096) 20071018 Windows binary of "GSview 4.8" contain vulnerable zlib (CAN-2005-2096) 20070404 VMSA-2007-0003 VMware ESX 3.0.1 and 3.0.0 server security updates HPSBUX02090 MDKSA-2006:070 MDKSA-2005:196 MDKSA-2005:112 DSA-1026 http://support.avaya.com/elmodocs2/security/ASA-2006-016.htm 24788 19597 19550 18507 18406 18377 17516 17326 17236 17225 17054 SCOSA-2006.6 oval:org.mitre.oval:def:1542 oval:org.mitre.oval:def:1262 xpdf and kpdf do not properly validate the "loca" table in PDF files, which allows local users to cause a denial of service (disk consumption and hang) via a PDF file with a "broken" loca table, which causes a large temporary file to be created when xpdf attempts to reconstruct the information. ADV-2007-2280 USN-163-1 14529 FLSA:175404 FLSA-2006:176751 RHSA-2005:708 RHSA-2005:706 RHSA-2005:671 RHSA-2005:670 SUSE-SR:2005:019 MDKSA-2005:138 DSA-936 DSA-1136 DSA-780 21339 18407 18398 17277 oval:org.mitre.oval:def:10280 SCOSA-2005.42 102972 25729 The KEYCTL_JOIN_SESSION_KEYRING operation in the Linux kernel before 2.6.12.5 contains an error path that does not properly release the session management semaphore, which allows local users or remote attackers to cause a denial of service (semaphore hang) via a new session keyring (1) with an empty name string, (2) with a long name string, (3) with the key quota reached, or (4) ENOMEM. 16355 USN-169-1 MDKSA-2005:220 oval:org.mitre.oval:def:9638 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 14521 FLSA:157459-3 RHSA-2005:514 MDKSA-2005:220 17073 The Linux kernel before 2.6.12.5 does not properly destroy a keyring that is not instantiated properly, which allows local users or remote attackers to cause a denial of service (kernel oops) via a keyring with a payload that is not empty, which causes the creation to fail, leading to a null dereference in the keyring destructor. 16355 USN-169-1 14517 FLSA:157459-3 RHSA-2005:514 MDKSA-2005:220 MDKSA-2005:220 1014644 17073 oval:org.mitre.oval:def:9079 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 The rw_vm function in usercopy.c in the 4GB split patch for the Linux kernel in Red Hat Enterprise Linux 4 does not perform proper bounds checking, which allows local users to cause a denial of service (crash). https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=165547 RHSA-2005:514 oval:org.mitre.oval:def:11556 17073 langen2kvtml in KDE 3.0 to 3.4.2 creates insecure temporary files in /tmp with predictable names, which allows local users to overwrite arbitrary files. http://www.kde.org/info/security/advisory-20050815-1.txt 14561 MDKSA-2005:159 DSA-818 1014675 16428 The AIM/ICQ module in Gaim before 1.5.0 allows remote attackers to cause a denial of service (application crash) via a filename that contains invalid UTF-8 characters. USN-168-1 oval:org.mitre.oval:def:9283 http://gaim.sourceforge.net/security/?id=21 14531 FLSA:158543 RHSA-2005:627 SUSE-SR:2005:019 Buffer overflow in the AIM and ICQ module in Gaim before 1.5.0 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via an away message with a large number of AIM substitution strings, such as %t or %n. USN-168-1 oval:org.mitre.oval:def:11477 http://gaim.sourceforge.net/security/?id=22 14531 FLSA:158543 RHSA-2005:627 RHSA-2005:589 SUSE-SR:2005:019 sysreport before 1.3.7 allows local users to obtain sensitive information via a symlink attack on a temporary directory. sysreport-race-condition(21770) RHSA-2005:598 1014653 16381 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=162978 15379 18682 oval:org.mitre.oval:def:9411 FEDORA-2005-1072 FEDORA-2005-1071 17539 Cisco IOS 12.2T through 12.4 allows remote attackers to bypass Authentication, Authorization, and Accounting (AAA) RADIUS authentication, if the fallback method is set to none, via a long username. radius-authentication-bypass(21190) 1014330 20050629 RADIUS Authentication Bypass oval:org.mitre.oval:def:5756 Unknown vulnerability in Drupal 4.5.0 through 4.5.3, 4.6.0, and 4.6.1 allows remote attackers to execute arbitrary PHP code via a public comment or posting. 15872 20050629 [DRUPAL-SA-2005-002] Drupal 4.6.2 / 4.5.4 fixes input validation issue 14110 http://www.drupal.org/security/drupal-sa-2005-002/advisory.txt DSA-745 Multiple cross-site scripting (XSS) vulnerabilities in post.php in WordPress 1.5.1.2 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) p or (2) comment parameter. 15831 http://www.gulftech.org/?node=research&article_id=00085-06282005 20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilities SQL injection vulnerability in XMLRPC server in WordPress 1.5.1.2 and earlier allows remote attackers to execute arbitrary SQL commands via input that is not filtered in the HTTP_RAW_POST_DATA variable, which stores the data in an XML file. 15831 http://www.gulftech.org/?node=research&article_id=00085-06282005 20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilities wp-login.php in WordPress 1.5.1.2 and earlier allows remote attackers to change the content of the forgotten password e-mail message via the message variable, which is not initialized before use. 15831 http://www.gulftech.org/?node=research&article_id=00085-06282005 20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilities WordPress 1.5.1.2 and earlier allows remote attackers to obtain sensitive information via (1) a direct request to menu-header.php or a "1" value in the feed parameter to (2) wp-atom.php, (3) wp-rss.php, or (4) wp-rss2.php, which reveal the path in an error message. NOTE: vector [1] was later reported to also affect WordPress 2.0.1. 15831 20060227 WordPress 2.0.1 Multiple Vulnerabilities http://www.gulftech.org/?node=research&article_id=00085-06282005 http://NeoSecurityTeam.net/advisories/Advisory-17.txt 20050629 WordPress 1.5.1.2 && Earlier Multiple Vulnerabilities login.cgi in Community Link Pro Web Editor allows remote attackers to execute arbitrary commands via the file parameter. http://www.badroot.org/advisories/SA0x05 15880 20050629 [badroot security] Community link pro web editor: Remote command 1014345 Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.11 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) order parameter to edit.php or (2) cid parameter to comment_edit.php. http://www.xoops.org/modules/news/article.php?storyid=2383 http://www.gulftech.org/?node=research&article_id=00086-06292005 20050629 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities 15843 SQL injection vulnerability in the loginUser function in the XMLRPC server in XOOPS 2.0.11 and earlier allows remote attackers to execute arbitrary SQL commands and bypass authentication via crafted values in an XML file, as demonstrated using the blogger.getPost method. http://www.xoops.org/modules/news/article.php?storyid=2383 http://www.gulftech.org/?node=research&article_id=00086-06292005 20050629 XOOPS 2.0.11 && Earlier Multiple Vulnerabilities 15843 Mozilla 1.7.8, Firefox 1.0.4, Camino 0.8.4, Netscape 8.0.2, and K-Meleon 0.9, and possibly other products that use the Gecko engine, allow remote attackers to cause a denial of service (application crash) via JavaScript that repeatedly calls an empty function. http://www.kurczaba.com/html/security/0506241.htm oval:org.mitre.oval:def:9628 20050629 Mozilla Multiple Product JavaScript Issue mozilla-mult-browsers-javascript-dos(21188) http://www.securiteam.com/securitynews/5OP0U00G1G.html RHSA-2005:587 RHSA-2005:586 1014372 1014349 1014294 1014293 1014292 Soldier of Fortune II 1.02x and 1.03 allows remote attackers to cause a denial of service (server crash) via a large ID value in the ignore command, which is used as an array index and causes an out-of-bounds operation. 17649 15868 http://aluigi.altervista.org/adv/sof2ignore-adv.txt 20050629 In-game /ignore crash in Soldier of Fortune II 1.03 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1921. Reason: This candidate is a duplicate of CVE-2005-1921. Notes: All CVE users should reference CVE-2005-1921 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Web View in Windows Explorer on Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 does not properly handle certain HTML characters in preview fields, which allows remote user-assisted attackers to execute arbitrary code. TA05-284A 15064 MS05-049 http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 17223 17172 17168 oval:org.mitre.oval:def:1291 Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote user-assisted attackers to execute arbitrary commands via a crafted shortcut (.lnk) file with long font properties that lead to a buffer overflow when the user views the file's properties using Windows Explorer, a different vulnerability than CVE-2005-2122. TA05-284A MS05-049 15070 http://www.argeniss.com/research/MSBugPaper.pdf http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 1015040 17223 17172 17168 oval:org.mitre.oval:def:1192 oval:org.mitre.oval:def:1116 The MIDL_user_allocate function in the Microsoft Distributed Transaction Coordinator (MSDTC) proxy (MSDTCPRX.DLL) allocates a 4K page of memory regardless of the required size, which allows attackers to overwrite arbitrary memory locations using an incorrect size value that is provided to the NdrAllocate function, which writes management data to memory outside of the allocated buffer. TA05-284A VU#180868 MS05-051 18828 15056 AD20051011b http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 1015037 73 17509 17223 17172 17161 oval:org.mitre.oval:def:551 oval:org.mitre.oval:def:1452 oval:org.mitre.oval:def:1071 Stack-based buffer overflow in the Plug and Play (PnP) service (UMPNPMGR.DLL) in Microsoft Windows 2000 SP4, and XP SP1 and SP2, allows remote or local authenticated attackers to execute arbitrary code via a large number of "\" (backslash) characters in a registry key name, which triggers the overflow in a wsprintfW function call. TA05-284A VU#214572 15065 MS05-047 AD20051011c 1015042 17166 18830 http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 71 17223 17172 oval:org.mitre.oval:def:1519 oval:org.mitre.oval:def:1328 oval:org.mitre.oval:def:1244 Windows Shell for Microsoft Windows 2000 SP4, XP SP1 and SP2, and Server 2003 allows remote attackers to execute arbitrary commands via a shortcut (.lnk) file with long font properties that lead to a buffer overflow in the Client/Server Runtime Server Subsystem (CSRSS), a different vulnerability than CVE-2005-2118. TA05-284A VU#922708 MS05-049 15069 http://www.argeniss.com/research/MSBugPaper.pdf http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 1015040 17223 17172 17168 oval:org.mitre.oval:def:708 oval:org.mitre.oval:def:1551 oval:org.mitre.oval:def:1537 oval:org.mitre.oval:def:1517 oval:org.mitre.oval:def:1488 oval:org.mitre.oval:def:1329 Multiple integer overflows in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1 allow remote attackers to execute arbitrary code via crafted Windows Metafile (WMF) and Enhanced Metafile (EMF) format images that lead to heap-based buffer overflows, as demonstrated using MRBP16::bCheckRecord. VU#300549 TA05-312A MS05-053 http://www.eeye.com/html/research/advisories/AD20051108b.html ADV-2005-2348 15352 http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf 1015168 17498 17461 17223 oval:org.mitre.oval:def:701 oval:org.mitre.oval:def:1546 oval:org.mitre.oval:def:1263 oval:org.mitre.oval:def:1175 oval:org.mitre.oval:def:1063 Unspecified vulnerability in the Graphics Rendering Engine (GDI32.DLL) in Windows 2000 SP4, XP SP1 and SP2, and Server 2003 SP1, related to "An unchecked buffer" and possibly buffer overflows, allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) format image, aka "Windows Metafile Vulnerability." VU#433341 TA05-312A MS05-053 http://www.eeye.com/html/research/advisories/AD20051108b.html ADV-2005-2348 1015168 15356 http://www.eeye.com/html/research/advisories/AD20051108a.html http://support.avaya.com/elmodocs2/security/ASA-2005-228.pdf 161 17498 17461 17223 The FTP client in Windows XP SP1 and Server 2003, and Internet Explorer 6 SP1 on Windows 2000 SP4, when "Enable Folder View for FTP Sites" is enabled and the user manually initiates a file transfer, allows user-assisted, remote FTP servers to overwrite files in arbitrary locations via crafted filenames. VU#415828 http://www.securiteam.com/windowsntfocus/6M00I0KEAU.html MS05-044 17163 http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 1015036 17223 17172 oval:org.mitre.oval:def:1416 oval:org.mitre.oval:def:1284 oval:org.mitre.oval:def:1146 Microsoft Internet Explorer 5.01, 5.5, and 6 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a web page with embedded CLSIDs that reference certain COM objects that are not intended for use within Internet Explorer, as originally demonstrated using the (1) DDS Library Shape Control (Msdds.dll) COM object, and other objects including (2) Blnmgrps.dll, (3) Ciodm.dll, (4) Comsvcs.dll, (5) Danim.dll, (6) Htmlmarq.ocx, (7) Mdt2dd.dll (as demonstrated using a heap corruption attack with uninitialized memory), (8) Mdt2qd.dll, (9) Mpg4ds32.ax, (10) Msadds32.ax, (11) Msb1esen.dll, (12) Msb1fren.dll, (13) Msb1geen.dll, (14) Msdtctm.dll, (15) Mshtml.dll, (16) Msoeacct.dll, (17) Msosvfbr.dll, (18) Mswcrun.dll, (19) Netshell.dll, (20) Ole2disp.dll, (21) Outllib.dll, (22) Psisdecd.dll, (23) Qdvd.dll, (24) Repodbc.dll, (25) Shdocvw.dll, (26) Shell32.dll, (27) Soa.dll, (28) Srchui.dll, (29) Stobject.dll, (30) Vdt70.dll, (31) Vmhelper.dll, and (32) Wbemads.dll, aka a variant of the "COM Object Instantiation Memory Corruption vulnerability." TA05-284A VU#959049 VU#740372 TA06-220A TA05-347A VU#898241 14594 MS05-052 1014727 16480 Win-msdss-command-execution(21895) ADV-2005-1450 http://www.microsoft.com/technet/security/advisory/906267.mspx http://isc.sans.org/diary.php?date=2005-08-18 microsoft-ie-mshtml-dos(34754) 15061 20070606 IE 6/Microsoft Html Popup Window (mshtml.dll) DoS http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 72 17509 17223 17172 oval:org.mitre.oval:def:1538 oval:org.mitre.oval:def:1535 oval:org.mitre.oval:def:1468 oval:org.mitre.oval:def:1464 oval:org.mitre.oval:def:1454 oval:org.mitre.oval:def:1155 QUARTZ.DLL in Microsoft Windows Media Player 9 allows remote attackers to write a null byte to arbitrary memory via an AVI file with a crafted strn element with a modified length value. TA05-284A VU#995220 MS05-050 18822 15063 AD20051011a http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 17509 17172 17160 oval:org.mitre.oval:def:1434 oval:org.mitre.oval:def:1424 oval:org.mitre.oval:def:1267 oval:org.mitre.oval:def:1231 oval:org.mitre.oval:def:1149 RPC portmapper (rpcbind) in SCO UnixWare 7.1.1 m5, 7.1.3 mp5, and 7.1.4 mp2 allows remote attackers or local users to cause a denial of service (lack of response) via multiple invalid portmap requests. SCOSA-2005.31 14360 16228 20050727 [NILESA-20050701] UnixWare 7.x RPC portmapper Dos Vulnerability DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1915. Reason: This candidate is a duplicate of CVE-2005-1915. Notes: All CVE users should reference CVE-2005-1915 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The (1) clcs and (2) emuxki drivers in NetBSD 1.6 through 2.0.2 allow local users to cause a denial of service (kernel crash) by using the set-parameters ioctl on an audio device to change the block size and set the pause state to "unpaused" in the same ioctl, which causes a divide-by-zero error. NetBSD-SA2005-002 SQL injection vulnerability in verify.asp in EtoShop Dynamic Biz Website Builder (QuickWeb) 1.0 allows remote attackers to execute arbitrary SQL commands via the (1) T1 or (2) T2 parameters. 15818 Raritan Dominion SX (DSX) Console Servers DSX16, DSX32, DSX4, DSX8, and DSXA-48 set (1) world-readable permissions for /etc/shadow and (2) world-writable permissions for /bin/busybox, which allows local users to obtain hashed passwords or execute arbitrary code as other users. 15853 20050628 Access right escalation / severe permission problems on Raritan Console Servers 14084 Unknown vulnerability in NateOn Messenger 3.0 allows remote attackers to list arbitrary directories via unknown attack vectors. 14100 17619 15819 Cross-site scripting (XSS) vulnerability in index.php in Comdev eCommerce 3.0 and 3.1 allows remote attackers to inject arbitrary web script or HTML via Javascript in the onMouseOver event of an "A" tag in a review message. 15865 http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=64 PHP remote file inclusion vulnerability in user_check.php for Pavsta Auto Site allows remote attackers to execute arbitrary PHP code via the sitepath parameter. ADV-2005-0930 17631 1014321 15873 Directory traversal vulnerability in default.asp for FSboard 2.0 allows remote attackers to read arbitrary files via ".." sequences in the filename parameter. 14111 TCP Chat 1.0 allows remote attackers to cause a denial of service (crash) via a long string to the chat service, possibly triggering a buffer overflow. 1014371 http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=65 http://addict3d.org/index.php?page=viewarticle&type=security&ID=4377 Directory traversal vulnerability in Golden FTP Server 2.60 allows remote authenticated attackers to list arbitrary directories via a "\.." (backslash dot dot) in an LS (LIST) command. 15840 Microsoft Front Page allows attackers to cause a denial of service (crash) via a crafted style tag in a web page. http://www.freewebs.com/xxosfilexx/HungFPage.html 1014352 Prevx Pro 2005 1.0 allows local users to bypass file protection and modify files by using MapViewOfFile to perform memory mapping on the file. 1014346 15885 The kernel driver in Prevx Pro 2005 1.0 does not verify the source of certain messages, which allows local users to bypass protection by sending certain messages to the driver, as demonstrated by sending an "allow" message to bypass a warning message. 1014346 15885 SSH Tectia Server 4.3.1 and earlier, and SSH Secure Shell for Windows Servers, uses insecure permissions when generating the Secure Shell host identification key, which allows local users to access the key and spoof the server. http://www.ssh.com/company/newsroom/article/653/ 15894 Trac before 0.8.4 allows remote attackers to read or upload arbitrary files via a full pathname in the id parameter to the (1) upload or (2) attachment viewer scripts. 13990 http://www.hardened-php.net/advisory-012005.php 15752 DSA-739 Cacti 0.8.6e and earlier does not perform proper input validation to protect against common attacks, which allows remote attackers to execute arbitrary commands or SQL by sending a legitimate value in a POST request or cookie, then specifying the attack string in the URL, which causes the get_request_var function to return the wrong value in the $_REQUEST variable, which is cleansed while the original malicious $_GET value remains unmodified, as demonstrated in (1) graph_image.php and (2) graph.php. http://www.hardened-php.net/advisory-042005.php http://www.hardened-php.net/advisory-032005.php http://www.cacti.net/downloads/patches/0.8.6e/cacti-0.8.6f_security.patch [cacti-announce] 20050701 Cacti 0.8.6f Released ADV-2005-0951 20050702 Advisory 03/2005: Cacti Multiple SQL Injection Vulnerabilities [FIXED] 20050702 Advisory 04/2005: Cacti Remote Command Execution Vulnerability cacti-request-array-command-execution(21270) cacti-graph-post-cookie-sql-injection(21266) 14129 14128 DSA-764 1014361 15490 config.php in Cacti 0.8.6e and earlier allows remote attackers to set the no_http_headers switch, then modify session information to gain privileges and disable the use of addslashes to conduct SQL injection attacks. http://www.hardened-php.net/advisory-052005.php http://www.cacti.net/downloads/patches/0.8.6e/cacti-0.8.6f_security.patch [cacti-announce] 20050701 Cacti 0.8.6f Released ADV-2005-0951 20050702 Advisory 05/2005: Cacti Authentification/Addslashes Bypass Vulnerability 14130 DSA-764 1014361 Windows NT 4.0 and Windows 2000 before URP1 for Windows 2000 SP4 does not properly prevent NULL sessions from accessing certain alternate named pipes, which allows remote attackers to (1) list Windows services via svcctl or (2) read eventlogs via eventlog. http://www.hsc.fr/ressources/presentations/null_sessions/ 20050707 NULL sessions vulnerabilities using alternate named pipes win-pipe-null-eventlog-information-disclosure(21288) win-name-pipe-null-information-disclosure(21286) 14178 14177 1014417 14189 spf.c in Courier Mail Server does not properly handle DNS failures when looking up Sender Policy Framework (SPF) records, which could allow attackers to cause memory corruption. http://www.courier-mta.org/?changelog.html 15901 SQL injection vulnerability in Geeklog before 1.3.11 allows remote attackers to execute arbitrary SQL commands via user comments for an article. http://www.hardened-php.net/advisory-062005.php http://www.geeklog.net/article.php/geeklog-1.3.11sr1 1014381 15914 SQL injection vulnerability in class.ticket.php in osTicket 1.3.1 beta and earlier allows remote attackers to execute arbitrary SQL commands via the ticket variable. 14127 1014373 20050701 [SECURITY ALERT] osTicket bugs PHP local file inclusion vulnerability in (1) view.php and (2) open.php in osTicket 1.3.1 beta and earlier allows remote attackers to include and possibly execute arbitrary local files via the inc parameter. 14127 1014373 20050701 [SECURITY ALERT] osTicket bugs PHP remote file inclusion vulnerability in EasyPHPCalendar 6.1.5 and earlier allows remote attackers to execute arbitrary code via the serverPath parameter. 15893 SQL injection vulnerability in news.php in PHPNews 1.2.5 allows remote attackers to execute arbitrary SQL commands via the prevnext parameter. 14133 http://sourceforge.net/project/shownotes.php?group_id=66322&release_id=339317 PHP remote file inclusion vulnerability in survey.inc.php for nabopoll 1.2 allows remote attackers to execute arbitrary PHP code via the path parameter. ADV-2005-0954 1014355 15910 A regression error in the embedded HSQLDB in JBoss jBPM 2.0 allows remote attackers to execute arbitrary comands, a re-introduction of a vulnerability that was originally identified by CVE-2003-0845. http://www.illegalaccess.org/java/jboss.php 20050703 JBoss jBPM 2.0: Remote code execution and classloader covert channel mshftp.dll in PlanetDNS PlanetFileServer 2.0.1.3 allows remote attackers to cause a denial of service (application crash) via a long request. 14138 20050704 PlanetFileServer v2.0.1.3 - Denial Of Service IMail stores usernames and passwords in cleartext in a cookie, which allows remote attackers to obtain sensitive information. 20050705 Imail Cookie Vulnerability (unhashed) Cross-site scripting (XSS) vulnerability in phpBB 2.0.16 allows remote attackers to inject arbitrary web script or HTML via nested [url] tags. http://www.securitylab.ru/55612.html 20050705 XSS in nested tag in phpbb 2.0.16 DSA-768 PHP remote file inclusion vulnerability in form.inc.php3 in MyGuestbook 0.6.1 allows remote attackers to execute arbitrary PHP code via the lang parameter. http://www.soulblack.com.ar/repo/papers/advisory/myguestbook_advisory.txt 20050705 MyGuestbook Remote File Inclusion. 1014387 15927 Cross-site scripting (XSS) vulnerability in index.php in AutoIndex PHP Script 1.5.2 allows remote attackers to inject arbitrary web script or HTML via the search parameter. 15928 http://www.badroot.org/advisories/SA0x07 20050705 Re: [badroot security] AutoIndex PHP Script: XSS vulnerability SQL injection vulnerability in Covide Groupware-CRM allows remote attackers to execute arbitrary SQL commands via unknown attack vectors. http://sourceforge.net/project/shownotes.php?release_id=339047 20050705 [covide] possible sql injection read.cgi in GlobalNoteScript allows remote attackers to execute arbitrary commands via shell metacharacters in the file parameters. http://zone-h.org/advisories/read/id=7765 1014375 SQL injection vulnerability in index.php in Plague News System 0.6 and earlier allows remote attackers to execute arbitrary SQL commands via the cid parameter. 15902 http://dark-assassins.com/forum/viewtopic.php?t=90 Cross-site scripting (XSS) vulnerability in index.php in Plague News System 0.6 and earlier allows remote attackers to inject arbitrary web script or HTML via the cid parameter. 15902 http://dark-assassins.com/forum/viewtopic.php?t=90 delete.php in Plague News System 0.6 and earlier allows remote unauthenticated attackers to delete news, comments, and shoutbox posts by modifying the id parameter. 15902 http://dark-assassins.com/forum/viewtopic.php?t=90 Directory traversal vulnerability in source.php in Quick & Dirty PHPSource Printer 1.1 and earlier allows remote attackers to read arbitrary files via ".../...//" sequences in the file parameter, which are reduced to "../" when PHPSource Printer uses a regular expression to remove "../" sequences. 1014376 15900 http://guff.szub.net/2005/07/04/quick-and-dirty-security/ The LCF component (lcfd) in IBM Tivoli Management Framework Endpoint allows remote attackers to cause a denial of service (process exit and connection loss) by connecting to LCF and ending the connection without sending any data. 14194 http://www-1.ibm.com/support/entdocview.wss?uid=swg21210334 15953 ADV-2005-1018 http://www.corsaire.com/advisories/c041127-001.txt 1014424 The Flag::validate and Flag::modify functions in Bugzilla 2.17.1 to 2.18.1 and 2.19.1 to 2.19.3 do not verify that the flag ID is appropriate for the given bug or attachment ID, which allows users to change flags on arbitrary bugs and obtain a bug summary via process_bug.cgi. https://bugzilla.mozilla.org/show_bug.cgi?id=293159 http://www.bugzilla.org/security/2.18.1/ 1014428 Bugzilla 2.17.x, 2.18 before 2.18.2, 2.19.x, and 2.20 before 2.20rc1 inserts a bug into the database before it is marked private, which introduces a race condition and allows attackers to access information about the bug via buglist.cgi before MySQL replication is complete. https://bugzilla.mozilla.org/show_bug.cgi?id=293159 http://www.bugzilla.org/security/2.18.1/ 1014428 The web interface for Lotus Notes mail automatically processes HTML in an attachment without prompting the user to save or open it, which makes it easier for remote attackers to conduct web-based attacks and steal cookies. 1014440 20050706 Cross site scripting in Lotus Notes web mail Novell NetMail automatically processes HTML in an attachment without prompting the user to save or open it, which makes it easier for remote attackers to conduct web-based attacks and steal cookies. ADV-2005-0994 14171 15962 17821 http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972438.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972433.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972340.htm 1014439 Net-SNMP 5.0.x before 5.0.10.2, 5.2.x before 5.2.1.2, and 5.1.3, when net-snmp is using stream sockets such as TCP, allows remote attackers to cause a denial of service (daemon hang and CPU consumption) via a TCP packet of length 1, which triggers an infinite loop. 2005-0034 [net-snmp-announce] 20050701 Multiple new Net-SNMP releases to fix a security related bug ADV-2007-1883 ADV-2006-4677 ADV-2006-4502 http://www.vmware.com/download/esx/esx-254-200610-patch.html http://www.vmware.com/download/esx/esx-213-200610-patch.html http://www.vmware.com/download/esx/esx-202-200610-patch.html USN-190-1 21256 14168 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2 20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2 20061113 VMSA-2006-0006 - VMware ESX Server 2.5.3 Upgrade Patch 4 RHSA-2005:720 RHSA-2005:395 RHSA-2005:373 SUSE-SR:2007:013 SUSE-SR:2007:012 SUSE-SR:2005:024 http://www.net-snmp.org/about/ChangeLog.html MDKSA-2006:025 DSA-873 http://support.avaya.com/elmodocs2/security/ASA-2005-225.pdf 102725 1017273 25787 25432 25373 23058 22875 18635 17343 17282 17217 17135 17007 16999 15930 oval:org.mitre.oval:def:9986 probe.cgi allows remote attackers to execute arbitrary commands via shell metacharacters in the olddat parameter. NOTE: it is unclear which product or vendor this program is associated with, if any. http://www.badroot.org/advisories/SA0x06 1014393 20050705 [badroot security] probe.cgi: Remote Command Execution PHP remote file inclusion vulnerability in BlogModel.php in Jaws 0.5.2 and earlier allows remote attackers to execute arbitrary PHP code via the path parameter. http://www.hardened-php.net/advisory-072005.php 20050706 Advisory 07/2005: Jaws Multiple Remote Code Execution Vulnerabilities 1014395 gen-index in GNATS 4.0, 4.1.0, and possibly earlier versions, when installed setuid, does not properly check files passed to the -o argument and opens the file with write access, which allows local users to overwrite arbitrary files. 20050706 GNATS - gen-index http://www.pi3.int.pl/adv/gnats.txt 15963 Cisco 7940/7960 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the "Messages waiting" message. sip-notify-message-spoof(21260) 1014406 http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt 20050706 VoIP-Phones: Weakness in proccessing SIP-Notify-Messages Grandstream BudgeTone (BT) 100 Voice over IP (VoIP) phones do not properly check the Call-ID, branch, and tag values in a NOTIFY message to verify a subscription, which allows remote attackers to spoof messages such as the "Messages waiting" message. sip-notify-message-spoof(21260) 1014407 http://pentest.tele-consulting.com/advisories/05_07_06_voip-phones.txt 20050706 VoIP-Phones: Weakness in proccessing SIP-Notify-Messages class.xmail.php in PhpXmail 0.7 through 1.1 does not properly handle large passwords, which prevents an error message from being returned and allows remote attackers to bypass authentication and gain unauthorized access. 15951 20050706 PHPXMAIL - Authentication Bypass eRoom 6.x does not properly restrict files that can be attached, which allows remote attackers to execute arbitrary commands via a .lnk file. 20050706 eRoom Multiple Security Issues 15940 eRoom does not set an expiration for Cookies, which allows remote attackers to capture cookies and conduct replay attacks. 20050706 eRoom Multiple Security Issues Multiple cross-site scripting (XSS) vulnerabilities in McAfee IntruShield Security Management System allow remote authenticated users to inject arbitrary web script or HTML via the (1) thirdMenuName or (2) resourceName parameter to SystemEvent.jsp. 20050706 Re: Re: McAfee Intrushield IPS Abuse 20050706 McAfee Intrushield IPS Abuse 1014422 15961 McAfee IntruShield Security Management System allows remote authenticated users to access the "Generate Reports" feature and modify alerts by setting the Access option to true, as demonstrated using the (1) fullAccess or (2) fullAccessRight parameter in reports-column-center.jsp, or (3) fullAccess parameter to SystemEvent.jsp. 20050706 Re: Re: McAfee Intrushield IPS Abuse 20050706 McAfee Intrushield IPS Abuse 1014422 15961 McAfee IntruShield Security Management System obtains the user ID from the URL, which allows remote attackers to guess the Manager account and possibly gain privileges via a brute force attack. 20050706 Re: Re: McAfee Intrushield IPS Abuse 20050706 McAfee Intrushield IPS Abuse 1014422 Lantronix SecureLinx console server running firmware 2.0 and 3.0 stores /etc/ssh under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as SSH private keys. 20050707 Multiple vulnerabilities in Lantronix SLC console server 15979 Multiple SQL injection vulnerabilities in Comersus shopping cart allow remote attackers to execute arbitrary SQL commands via the (1) email parameter to comersus_optAffiliateRegistrationExec.asp or (2) idProduct parameter to comersus_optReviewReadExec.asp. 20050707 [Bday release] Comersus shopping cart has multiple Sql injection 1014419 Multiple cross-site scripting (XSS) vulnerabilities in Comersus shopping cart allow remote attackers to inject arbitrary web script or HTML via the (1) name parameter to comersus_backoffice_listAssignedPricesToCustomer.asp or (2) message parameter to comersus_backoffice_message.asp. 20050707 [Bday release] Comersus shopping cart has multiple Sql injection 15251 1014419 http://downloads.securityfocus.com/vulnerabilities/exploits/backoffice_mult_exp.pl SimplePHPBlog 0.4.0 stores password hashes in config/password.txt with insufficient access control, which allows remote attackers to obtain passwords via a brute force attack. 15954 20050707 SimplePHPBlog 0.4.0 <= Remote Password Disclosure SQL injection vulnerability in the user profile edit module in profile.php for PunBB 1.2.5 and earlier allows remote attackers to execute arbitrary SQL statements via the temp array, which is not initialized before it is used and prevents the attacker-supplied portions of the array from being properly escaped. http://www.hardened-php.net/advisory-082005.php 20050707 Advisory 08/2005: PunBB SQL Injection Vulnerability http://www.punbb.org/ Unspecified vulnerability in the Apple Mac OS X kernel before 10.4.2 allows remote attackers to cause a denial of service (kernel panic) via a crafted TCP packet, possibly related to source routing or loose source routing. APPLE-SA-2005-07-12 http://docs.info.apple.com/article.html?artnum=301948 Apple Darwin Streaming Server 5.5 and earlier allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name such as AUX, CON, PRN, COM1, or LPT1, a different vulnerability than CVE-2003-0421 and CVE-2003-0502. http://secway.org/Advisory/AD20050713.txt 1014474 16056 20050713 APPLE Darwin Streaming Server Web Admin Remote Denial of Serivce The Apple AirPort card uses a default WEP key when not connected to a known or trusted network, which can cause it to automatically connect to a malicious network. 14321 1014522 SQL injection vulnerability in sql.cls.php in Id Board 1.1.3 allows remote attackers to modify SQL queries, as demonstrated using the f parameter to index.php. 1014438 20050710 ID Board 1.1.3 SQL Injection Vulnerability 14204 15976 PHP remote file inclusion vulnerability in lang.php in SPiD before 1.3.1 allows remote attackers to execute arbitrary code via the lang_path parameter. http://spid.adnx.net/index_en.html#log 1014437 16022 14208 PHP remote file inclusion vulnerability in inc/functions.inc.php in PPA web photo gallery 0.5.6 allows remote attackers to execute arbitrary code via the config[ppa_root_path] variable. 14209 1014436 16011 Multiple unknown vulnerabilities in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allow attackers to bypass authentication. http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf 1014429 15970 Unknown vulnerability in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allow attackers to cause a denial of service or access files via crafted HTTP requests. http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf 1014429 15970 Cross-site scripting (XSS) vulnerability in the MicroServer Web Server for Xerox WorkCentre Pro Color 2128, 2636, and 3545, version 0.001.04.044 through 0.001.04.504, allows remote attackers to inject arbitrary web script or HTML via unknown vectors. http://www.xerox.com/downloads/usa/en/c/cert_XRX05_006.pdf 1014429 15970 login.php in phpWishlist before 0.1.15 allows remote attackers to bypass authentication via a direct request to admin.php. http://unix.freshmeat.net/projects/phpwishlist/?branch_id=53897&release_id=200925 1014432 Cross-site scripting (XSS) vulnerability in Computer Associates (CA) eTrust SiteMinder 5.5, when the "CSSChecking" parameter is set to "NO," allows remote attackers to inject arbitrary web script or HTML via the (1) PASSWORD or (2) BUFFER parameters to smpwservicescgi.exe, (3) the TARGET parameter to login.fcc, and possibly other vectors. ADV-2005-1040 1014433 20050711 Re: SiteMinder Multiple Vulnerabilities 20050708 SiteMinder Multiple Vulnerabilities ca-siteminder-smpwservicescgi-xss(21305) 17810 17809 15956 The ReadLog function in kaiseki.cgi in pngren allows remote attackers to execute arbitrary commands via shell metacharacters in the query string. 14182 17784 1014426 15981 20050705 PNG&#402;J&#402;E&#402;&#8220;&#402;^+&#8212;p&#402;&#402;O&#8240;&#402;X&#402;N&#402;&#352;&#402;v&#402;g remote commands execution vulnerability Multiple SQL injection vulnerabilities in CartWIZ allow remote attackers to modify SQL statements via the (1) idProduct parameter to tellAFriend.asp, (2) sortType parameter to viewSupportTickets.asp, or the id parameter to (3) updateCreditCards.asp or (4) deleteCreditCards.asp. 1014418 http://digitalparadox.org/viewadvisories.ah?view=42 Cross-site scripting (XSS) vulnerability in store/login.asp in CartWIZ allows remote attackers to inject arbitrary web script or HTML via the message parameter. 1014418 http://digitalparadox.org/viewadvisories.ah?view=42 PrivaShare 1.1b allows remote attackers to cause a denial of service (crash) via a malformed message. 15933 http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=66 1014412 Capturix ScanShare 1.06 build 50 stores sensitive information such as the password in cleartext in capturixss_cfg.ini, which is readable by local users. 1014409 15995 Stack-based buffer overflow in Internet Download Manager 4.05 allows remote attackers to execute arbitrary code via a long URL. http://www.ihsteam.com/download/ihsexpl/dlm.c 1014404 Backup Manager 0.5.8a creates temporary files insecurely, which allows local users to conduct unauthorized file operations when a user is burning a CDR. http://www.sukria.net/packages/backup-manager/ 15989 Backup Manager 0.5.8a creates an archive repository with world readable and writable permissions, which allows attackers to modify or read the repository. http://www.sukria.net/packages/backup-manager/ 15989 Buffer overflow in the mms_interp_header function in mms.c in MMS Ripper before 0.6.4 might allow remote attackers to execute arbitrary code via a file with more than 20 streams. 15987 http://nbenoit.tuxfamily.org/projects/mmsrip/ChangeLog apt-setup in Debian GNU/Linux installs the apt.conf file with insecure permissions, which allows local users to obtain sensitive information such as passwords. 15955 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=305142 14173 Cross-site scripting (XSS) vulnerability in MediaWiki before 1.4.x before 1.4.6 and 1.5 before 1.5beta3 allows remote attackers to inject arbitrary web script or HTML via a parameter in the page move template, a different vulnerability than CVE-2005-1888. 14181 http://sourceforge.net/project/shownotes.php?release_id=340290 15950 SUSE-SR:2005:019 PHP remote file inclusion vulnerability in gals.php in PhotoGal Photo Gallery 1.5 and earlier allows remote attackers to execute arbitrary code via the news_file parameter. 1014397 Dansie Shopping Cart stores the vars.dat file under the web root with insufficient access control, which might allow remote attackers to obtain sensitive information such as program variables. 1014396 The device file system (devfs) in FreeBSD 5.x does not properly check parameters of the node type when creating a device node, which makes hidden devices available to attackers, who can then bypass restrictions on a jailed process. FreeBSD-SA-05:17 freebsd-devfs-gain-privileges(21451) 14334 18123 1014536 16145 Hosting Controller 6.1 Hotfix 2.1 allows remote authenticated users to perform unauthorized actions, such as modifying the credit limit, via a direct request to AccountActions.asp and modifying the CreditLimit parameter in an UpdateCreditLimit action. 1014443 ** DISPUTED ** Dragonfly Commerce allows remote attackers to change a product price by modifying the x_DragonflyCartProductPrice hidden field to (1) dc_Categorieslist.asp, (2) dc_Categoriesview.asp, (3) dc_productslist.asp, and (4) dc_productslist_Clearance.asp. NOTE: the vendor has disputed this issue, saying that "Dragonfly Commerce does not allow for editing prices nor does it allow for viewing information about clients stored in the database except by the store owner and authorized staff as appointed in the store administration." However, SecurityTracker claims that they have been able to confirm the problem. http://www.digitalparadox.org/viewadvisories.ah?view=46 1014451 20050712 Dragonfly Shopping Cart Multiple vulnerabilities ** DISPUTED ** Multiple SQL injection vulnerabilities in Dragonfly Commerce allows remote attackers to modify SQL statements and possibly execute arbitrary SQL commands via the (1) key parameter to dc_Categoriesview.asp, (2) dc_productslist_Clearance.asp, (3) PID parameter to ratings.asp, (4) dc_Productsview.asp, (5) start, (6) key_mp, (7) searchtype, or (8) psearch parameters to dc_forum_Postslist.asp. NOTE: the vendor has disputed this issue, saying that the error messages arise from invalid category and product numbers. Assuming that this is the case, the issue still satisfies the CVE definition of "exposure." http://www.digitalparadox.org/viewadvisories.ah?view=46 20050712 Dragonfly Shopping Cart Multiple vulnerabilities Unknown vulnerability in the HTTPMail service in MailEnable Professional before 1.6 has unknown impact and attack vectors. 1014427 http://www.mailenable.com/professionalhistory.asp Unknown vulnerability in the SMTP service in MailEnable Standard before 1.9 and Professional before 1.6 allows remote attackers to cause a denial of service (crash) during authentication. 1014427 http://www.mailenable.com/standardhistory.asp http://www.mailenable.com/professionalhistory.asp aspnet_wp.exe in Microsoft ASP.NET web services allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a crafted SOAP message to an RPC/Encoded method. http://www.spidynamics.com/spilabs/advisories/aspRCP.html 16005 14217 Microsoft MSN Messenger allows remote attackers to cause a denial of service via a plaintext message containing the ".pif" string, which is interpreted as a malicious file extension and causes users to be kicked from a group conversation. NOTE: it has been reported that Gaim is also affected, so this may be an issue in the protocol or MSN servers. http://www.messenger-blog.com/?p=146 http://www.digitalparadox.org/viewadvisories.ah?view=45 1014444 Microsoft Outlook Express 6.0 leaks the default news server account when a user responds to a "watched" conversation thread, which could allow remote attackers to obtain sensitive information. 14225 900930 Softiacom wMailserver 1.0 stores passwords in plaintext in the Darsite\MAILSRV\Admin key, which allows local users to gain administrator privileges. 14212 1014450 20050712 SoftiaCom MailServer - Local Password Disclosure Vulnerability Web Wiz Forums 7.9 and 8.0 allows remote attackers to view message titles of a hidden forum. 14207 Blog Torrent 0.92 and earlier stores sensitive files under the web document root in the (1) data or (2) torrents directories with insufficient access control, which allows remote attackers to obtain sensitive information such as account names and password hashes, as demonstrated using data/newusers. 1014449 15983 20050711 blogtorrent remote/local user password disclosure Electronic Mail Operator (elmo) 1.3.2-r1 and earlier creates the elmostats temporary file insecurely, which allows local users to overwrite arbitrary files. 15977 http://www.zataz.net/adviso/elmo-06272005.txt 14235 High Availability Linux Project Heartbeat 1.2.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files. 16039 DSA-761 Buffer overflow in invscout in IBM AIX 5.1.0 through 5.3.0 might allow local users to execute arbitrary code via a long command line argument. 13909 15636 http://www.securityfocus.com/advisories/8816 http://www.caughq.org/advisories/CAU-2005-0002.txt 1014132 Buffer overflow in multiple "p" commands in IBM AIX 5.1, 5.2 and 5.3 might allow local users to execute arbitrary code via long command line arguments to (1) penable or other hard-linked files including (2) pdisable, (3) pstart, (4) phold, (5) pdelay, or (6) pshare. 13915 http://www.security-focus.com/advisories/8684 15636 http://www.caughq.org/advisories/CAU-2005-0006.txt 1014132 Buffer overflow in the getlvname command in IBM AIX 5.1, 5.2 and 5.3, might allow local users to execute arbitrary code via long command line arguments. 13914 http://www.security-focus.com/advisories/8684 15636 http://www.caughq.org/advisories/CAU-2005-0005.txt 1014132 Buffer overflow in the diagTasksWebSM command in IBM AIX 5.1, 5.2 and 5.3, might allow local users to execute arbitrary code via long command line arguments. 13912 http://www.security-focus.com/advisories/8819 15636 http://www.caughq.org/advisories/CAU-2005-0004.txt 1014132 Format string vulnerability in the paginit command in IBM AIX 5.3, and possibly other versions, might allow local users to execute arbitrary code via format strings in command line arguments. 13911 http://www.caughq.org/advisories/CAU-2005-0003.txt 1014132 Format string vulnerability in the swcons command in IBM AIX 5.3, and possibly other versions, might allow local users to execute arbitrary code via long command line arguments. 13921 http://www.caughq.org/advisories/CAU-2005-0007.txt 1014132 ftpd in IBM AIX 5.1, 5.2 and 5.3 allows remote authenticated users to cause a denial of service (port exhaustion and memory consumption) by using all ephemeral ports. 1014421 oftpd 0.3.7 allows remote attackers to cause a denial of service via a USER command with a large number of null (\0) characters. 1014413 xpvm.tcl in xpvm 1.2.5 allows local users to overwrite arbitrary files via a symlink attack on the xpvm.trace.$user temporary file. 16040 http://www.zataz.net/adviso/xpvm-06272005.txt 14228 DSA-1003 19251 Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1 does not quickly time out Realtime Information Server Data Collection (RISDC) sockets, which results in a "resource leak" that allows remote attackers to cause a denial of service (memory and connection consumption) in RisDC.exe. 20050712 Cisco CallManager Memory Handling Vulnerabilities 14250 Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1 allows remote attackers to cause a denial of service (memory consumption and restart) via crafted packets to (1) the CTI Manager (ctimgr.exe) or (2) the CallManager (ccm.exe). 20050712 Cisco CallManager Memory Handling Vulnerabilities 14252 14251 Memory leak in inetinfo.exe in Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1, when Multi Level Admin (MLA) is enabled, allows remote attackers to cause a denial of service (memory consumption) via a large number of Admin Service Tool (AST) logins that fail. 20050712 Cisco CallManager Memory Handling Vulnerabilities 14253 The aupair service (aupair.exe) in Cisco CallManager (CCM) 3.2 and earlier, 3.3 before 3.3(5), 4.0 before 4.0(2a)SR2b, and 4.1 4.1 before 4.1(3)SR1 allows remote attackers to execute arbitrary code or corrupt memory via crafted packets that trigger a memory allocation failure and lead to a buffer overflow. 20050712 Cisco CallManager Memory Handling Vulnerabilities malloc-return-value-dos(19053) 14255 Unknown vulnerability in F5 BIG-IP 9.0.2 through 9.1 allows attackers to "subvert the authentication of SSL transactions," via unknown attack vectors, possibly involving NATIVE ciphers. 1014452 16008 14215 Multiple PHP remote file inclusion vulnerabilities in iPhotoAlbum 1.1 allow remote attackers to execute arbitrary code via the (1) doc_path parameter to getpage.php or (2) set_menu parameter to lib/static/header.php. 1014448 23189 14229 3596 20070329 iPhotoAlbum v1.1(header.php)Remote File Include Vulnerability 16031 Multiple unknown vulnerabilities in Moodle before 1.5.1 have unknown impact and attack vectors. 16028 http://moodle.org/doc/?frame=release.html Directory traversal vulnerability in DownloadProtect before 1.0.3 allows remote attackers to read files above the download folder. 16003 14211 Multiple unknown vulnerabilities in Jinzora 2.0.1 have unknown impact and attack vectors, possibly involving a PHP file inclusion vulnerability. http://freshmeat.net/projects/jinzora/?branch_id=43140&release_id=200390 15952 Buffer overflow in Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary code via a long filename in an OBEX file share. 14230 http://affix.sourceforge.net/affix_212_sec.patch http://www.digitalmunition.com/DMA%5B2005-0712a%5D.txt DSA-762 PHP remote file inclusion vulnerability in secure.php in PHPSecurePages (phpSP) 0.28beta and earlier allows remote attackers to execute arbitrary code via the cfgProgDir parameter, a variant of CVE-2001-1468. 1014410 phpsecurepages-secure-file-include(29263) 14201 2452 15994 PhpAuction 2.5 allows remote attackers to bypass authentication and gain privileges as another user by setting the PHPAUCTION_RM_ID cookie to the user ID. 1014423 15967 SQL injection vulnerability in PhpAuction 2.5 allow remote attackers to modify SQL queries via the category parameter to adsearch.php. NOTE: there is evidence that viewnews.php may not be part of the PhpAuction product, so it is not included in this description. 1014423 15967 Multiple cross-site scripting (XSS) vulnerabilities in PhpAuction 2.5 allow remote attackers to inject arbitrary web script or HTML via the lan parameter to (1) index.php or (2) admin/index.php, or (3) the auction_id parameter to profile.php. NOTE: there is evidence that viewnews.php and login.php may not be part of the PhpAuction product, so they are not included in this description. 1014423 15967 Directory traversal vulnerability in PhpAuction 2.5 allows remote attackers to read arbitrary files, include local PHP files, or obtain sensitive path information via ".." sequences in the lan parameter to (1) index.php or (2) admin/index.php. 1014423 15967 Encoded directory traversal vulnerability in phpPgAdmin 3.1 to 3.5.3 allows remote attackers to access arbitrary files via "%2e%2e%2f" (encoded dot dot) sequences in the formLanguage parameter. http://www.vuxml.org/freebsd/88188a8c-eff6-11d9-8310-0001020eed82.html 14142 1014414 15941 DSA-759 http://sourceforge.net/project/shownotes.php?release_id=342261 16116 [Dailydave] 20050704 !!! pre-authenticated remote code inclusion vulnerability inside phppgadmin !!! The saveProfile function in PhpSlash 0.8.0 allows remote attackers to modify arbitrary profiles and gain privileges by modifying the author_id parameter. 15936 20050707 phpSlash account hijacking vulnerability 1014415 PHP remote file inclusion vulnerability in photolist.inc.php in Squito Gallery 1.33 allows remote attackers to execute arbitrary code via the photoroot parameter. 1014447 16009 14219 The dispallclosed2 function in dispallclosed.pl for multiple USANet Creations products, including (1) USANet Shopping Mall Software, (2) Domain Name Auction Software, (3) Standard Classified Ads Software, and (4) MakeBid Reverse Auction allows remote attackers to execute arbitrary code via shell metacharacters in the DISPCLOSED parameter. 14179 1014411 15985 The browser user interface in Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 does not properly distinguish between user-generated events and untrusted synthetic events, which makes it easier for remote attackers to perform dangerous actions that normally could only be performed manually by the user. http://www.mozilla.org/security/announce/mfsa2005-45.html ADV-2005-1075 oval:org.mitre.oval:def:10132 FLSA:160202 14242 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2005:045 SUSE-SR:2005:018 http://www.networksecurity.fi/advisories/netscape-multiple-issues.html DSA-810 P-252 16059 16044 16043 http://bugzilla.mozilla.org/show_bug.cgi?id=289940 oval:org.mitre.oval:def:742 oval:org.mitre.oval:def:1226 oval:org.mitre.oval:def:100013 Firefox before 1.0.5, Thunderbird before 1.0.5, Mozilla before 1.7.9, Netscape 8.0.2, and K-Meleon 0.9 runs XBL scripts even when Javascript has been disabled, which makes it easier for remote attackers to bypass such protection. http://www.mozilla.org/security/announce/mfsa2005-46.html https://bugzilla.mozilla.org/show_bug.cgi?id=292591 https://bugzilla.mozilla.org/show_bug.cgi?id=292589 ADV-2005-1075 SUSE-SA:2006:004 oval:org.mitre.oval:def:10947 FLSA:160202 14242 RHSA-2005:601 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2006:022 SUSE-SA:2005:045 SUSE-SR:2005:018 http://www.networksecurity.fi/advisories/netscape-multiple-issues.html DSA-810 P-252 19823 16059 16044 16043 oval:org.mitre.oval:def:808 oval:org.mitre.oval:def:1348 oval:org.mitre.oval:def:100012 Firefox 1.0.3 and 1.0.4, and Netscape 8.0.2, allows remote attackers to execute arbitrary code by tricking the user into using the "Set As Wallpaper" (in Firefox) or "Set as Background" (in Netscape) context menu on an image URL that is really a javascript: URL with an eval statement, aka "Firewalling." ADV-2005-1075 http://www.mozilla.org/security/announce/mfsa2005-47.html http://www.mikx.de/firewalling/ oval:org.mitre.oval:def:11097 14242 http://www.securiteam.com/securitynews/5ZP0E0UGAK.html RHSA-2005:586 SUSE-SA:2005:045 SUSE-SR:2005:018 http://www.networksecurity.fi/advisories/netscape-multiple-issues.html P-252 16044 16043 oval:org.mitre.oval:def:100011 The InstallTrigger.install method in Firefox before 1.0.5 and Mozilla before 1.7.9 allows remote attackers to execute a callback function in the context of another domain by forcing a page navigation after the install method has been called, which causes the callback to be run in the context of the new page and results in a same origin violation. http://www.mozilla.org/security/announce/mfsa2005-48.html https://bugzilla.mozilla.org/show_bug.cgi?id=293331 ADV-2005-1075 oval:org.mitre.oval:def:11629 FLSA:160202 14242 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2005:045 SUSE-SR:2005:018 DSA-810 P-252 16059 16043 oval:org.mitre.oval:def:1311 oval:org.mitre.oval:def:1281 oval:org.mitre.oval:def:100016 oval:org.mitre.oval:def:100010 Firefox before 1.0.5 allows remote attackers to steal sensitive information by opening a malicious link in the Firefox sidebar using the _search target, then injecting script into other pages via a data: URL. http://www.mozilla.org/security/announce/mfsa2005-49.html https://bugzilla.mozilla.org/show_bug.cgi?id=294074 ADV-2005-1075 oval:org.mitre.oval:def:9887 14242 RHSA-2005:586 SUSE-SA:2005:045 SUSE-SR:2005:018 P-252 16043 oval:org.mitre.oval:def:100009 Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 and 7.2 allows remote attackers to cause a denial of service (access violation and crash), and possibly execute arbitrary code, by calling InstallVersion.compareTo with an object instead of a string. http://www.mozilla.org/security/announce/mfsa2005-50.html https://bugzilla.mozilla.org/show_bug.cgi?id=295854 ADV-2005-1075 SUSE-SA:2006:004 oval:org.mitre.oval:def:10397 FLSA:160202 14242 RHSA-2005:601 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2006:004 SUSE-SA:2005:045 SUSE-SR:2005:018 http://www.networksecurity.fi/advisories/netscape-multiple-issues.html DSA-810 P-252 19823 16059 16044 16043 oval:org.mitre.oval:def:781 oval:org.mitre.oval:def:417 oval:org.mitre.oval:def:100008 Firefox before 1.0.5 and Mozilla before 1.7.9 allows a child frame to call top.focus and other methods in a parent frame, even when the parent is in a different domain, which violates the same origin policy and allows remote attackers to steal sensitive information such as cookies and passwords from web sites whose child frames do not verify that they are in the same domain as their parents. http://www.mozilla.org/security/announce/mfsa2005-52.html ADV-2005-1075 SUSE-SA:2006:004 15549 oval:org.mitre.oval:def:10712 FLSA:160202 mozilla-frame-topfocus-xss(21332) 14242 RHSA-2005:601 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2006:022 SUSE-SA:2005:045 SUSE-SR:2005:018 DSA-810 19823 15553 15551 oval:org.mitre.oval:def:773 oval:org.mitre.oval:def:1415 oval:org.mitre.oval:def:100107 Firefox before 1.0.5 allows remote attackers to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL, which is run in the context of the previous page, and may lead to code execution if the standalone application loads a privileged chrome: URL. https://bugzilla.mozilla.org/show_bug.cgi?id=298255 ADV-2005-1075 http://www.mozilla.org/security/announce/mfsa2005-53.html oval:org.mitre.oval:def:11334 FLSA:160202 14242 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2005:045 SUSE-SR:2005:018 P-252 1014469 16043 oval:org.mitre.oval:def:1172 oval:org.mitre.oval:def:1073 oval:org.mitre.oval:def:100006 Firefox before 1.0.5 and Mozilla before 1.7.9 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." http://www.mozilla.org/security/announce/mfsa2005-54.html 15489 ADV-2005-1075 http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ oval:org.mitre.oval:def:10517 FLSA:160202 14242 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2005:045 SUSE-SR:2005:018 DSA-810 oval:org.mitre.oval:def:1313 oval:org.mitre.oval:def:1268 oval:org.mitre.oval:def:100005 Firefox before 1.0.5, Mozilla before 1.7.9, and Netscape 8.0.2 does not properly verify the associated types of DOM node names within the context of their namespaces, which allows remote attackers to modify certain tag properties, possibly leading to execution of arbitrary script or code, as demonstrated using an XHTML document with IMG tags with custom properties ("XHTML node spoofing"). http://www.mozilla.org/security/announce/mfsa2005-55.html https://bugzilla.mozilla.org/show_bug.cgi?id=298892 ADV-2005-1075 SUSE-SA:2006:004 oval:org.mitre.oval:def:9777 FLSA:160202 14242 RHSA-2005:601 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2006:022 SUSE-SA:2005:045 SUSE-SR:2005:018 http://www.networksecurity.fi/advisories/netscape-multiple-issues.html DSA-810 P-252 19823 16059 16044 16043 oval:org.mitre.oval:def:729 oval:org.mitre.oval:def:1258 oval:org.mitre.oval:def:100011 oval:org.mitre.oval:def:100005 oval:org.mitre.oval:def:100004 Firefox before 1.0.5 and Mozilla before 1.7.9 does not properly clone base objects, which allows remote attackers to execute arbitrary code by navigating the prototype chain to reach a privileged object. VU#652366 http://www.mozilla.org/security/announce/mfsa2005-56.html https://bugzilla.mozilla.org/show_bug.cgi?id=296397 https://bugzilla.mozilla.org/show_bug.cgi?id=295011 https://bugzilla.mozilla.org/show_bug.cgi?id=294799 https://bugzilla.mozilla.org/show_bug.cgi?id=294795 ADV-2005-1075 SUSE-SA:2006:004 oval:org.mitre.oval:def:11751 FLSA:160202 14242 RHSA-2005:601 RHSA-2005:587 RHSA-2005:586 SUSE-SA:2006:022 SUSE-SA:2005:045 SUSE-SR:2005:018 DSA-810 P-252 1014470 19823 16059 16043 oval:org.mitre.oval:def:817 oval:org.mitre.oval:def:550 oval:org.mitre.oval:def:100003 iCab 2.9.8 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." 15477 http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ Safari version 2.0 (412) does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." ADV-2005-2659 http://secunia.com/secunia_research/2005-12/advisory/ http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ mozilla-javascript-dialog-box-spoofing(21070) 14011 17397 1015294 17813 15474 APPLE-SA-2005-11-29 Opera 7.x and 8 before 8.01 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ http://secunia.com/secunia_research/2005-8/ 15488 Microsoft Internet Explorer 6.0 does not clearly associate a Javascript dialog box with the web page that generated it, which allows remote attackers to spoof a dialog box from a trusted site and facilitates phishing attacks, aka the "Dialog Origin Spoofing Vulnerability." http://www.microsoft.com/technet/security/advisory/902333.mspx http://secunia.com/secunia_research/2005-9/advisory/ http://secunia.com/multiple_browsers_dialog_origin_vulnerability_test/ 15492 15491 Cross-site scripting (XSS) vulnerability in Novell Groupwise WebAccess 6.5 before July 11, 2005 allows remote attackers to inject arbitrary web script or HTML via an e-mail message with an encoded javascript URI (e.g. "j&#X41vascript" in an IMG tag. novell-groupwise-webaccess-xss(21421) http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098301.htm 16098 20050719 [ISR] - Novell Groupwise WebAccess Cross-Site Scripting 14310 18064 http://www.infobyte.com.ar/adv/ISR-11.html 1014515 Bluetooth FTP client (BTFTP) in Nokia Affix 2.1.2 and 3.2.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the filename argument of a PUT command. http://www.digitalmunition.com/DMA[2005-0712b].txt 14232 DSA-762 20050712 MA[2005-0712b] - 'Nokia Affix Bluetooth btsrv/btobex poor use of system() http://affix.sourceforge.net/affix_320_sec.patch http://affix.sourceforge.net/affix_212_sec.patch Stack-based buffer overflow in the IMAP daemon (imapd) in MailEnable Professional 1.54 allows remote authenticated users to execute arbitrary code via the status command with a long mailbox name. http://www.coresecurity.com/common/showdoc.php?idx=467&idxseccion=10 20050712 CORE-2005-0629: MailEnable Buffer Overflow Vulnerability Cisco ONS 15216 Optical Add/Drop Multiplexer (OADM) running firmware 2.2.2 and earlier allows remote attackers to cause a denial of service (management plane session loss) via crafted telnet data. 20050713 Cisco ONS 15216 OADM Telnet Denial-of-Service Vulnerability 14246 17863 1014475 16073 Cisco Security Agent (CSA) 4.5 allows remote attackers to cause a denial of service (system crash) via a crafted IP packet. csa-ip-dos(21344) 20050713 Cisco Security Agent Vulnerable to Crafted IP Attack WebEOC before 6.0.2 uses a weak encryption scheme for passwords, which makes it easier for attackers to crack passwords. VU#491770 http://www.kb.cert.org/vuls/id/JGEI-6BWQDQ Multiple cross-site scripting (XSS) vulnerabilities in WebEOC before 6.0.2 allow remote attackers to inject arbitrary web script and HTML via unknown vectors. VU#138538 http://www.kb.cert.org/vuls/id/JGEI-6BVST4 WebEOC before 6.0.2 does not properly restrict the size of an uploaded file, which allows remote authenticated users to cause a denial of service (system and database resource consumption) via a large file. VU#956762 http://www.kb.cert.org/vuls/id/JGEI-6BWLER Multiple SQL injection vulnerabilities in WebEOC before 6.0.2 allow remote attackers to modify SQL statements via unknown attack vectors. VU#372797 http://www.kb.cert.org/vuls/id/JGEI-6C8Q27 WebEOC before 6.0.2 stores sensitive information in locations such as URIs, web pages, and configuration files, which allows remote attackers to obtain information such as Usernames, Passwords, Emergency information, medical information, and system configuration. VU#165290 http://www.kb.cert.org/vuls/id/JGEI-6BWPXL WebEOC before 6.0.2 does not properly check user authorization, which allows remote attackers to gain privileges via a direct request to a resource. VU#258834 http://www.kb.cert.org/vuls/id/JGEI-6BWLWG SoftiaCom wMailServer 1.0 and 2.0 allows remote attackers to cause a denial of service (application crash) via a large TCP packet with a leading space, possibly triggering a buffer overflow. 20050712 SoftiaCom MailServer v2.0 - Denial Of Service Cross-site scripting (XSS) vulnerability in PHPCounter 7.2 allows remote attackers to inject arbitrary web script or HTML via the EpochPrefix parameter. 14256 1014478 15816 20050713 Path Disclosure and XSS problem in PHP Counter 7.2 PHPCounter 7.2 allows remote attackers to obtain sensitive information via a direct request to prelims.php, which reveals the path in an error message. 1014478 15816 20050713 Path Disclosure and XSS problem in PHP Counter 7.2 wps_shop.cgi in WPS Web Portal System 0.7.0 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) art and (2) cat variables. 14245 1014480 15780 20050713 WPS Web-Portal-System v.0.7.0 (wps_shop.cgi) remote commands Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 passes the cleartext password as a parameter when starting sqlplus, which allows local users to gain sensitive information. http://www.red-database-security.com/advisory/oracle_jdeveloper_passes_plaintext_password.html 20050713 Advisory: Oracle JDeveloper passes Plaintext Password Oracle JDeveloper 9.0.4, 9.0.5, and 10.1.2 stores cleartext passwords in (1) IDEConnections.xml, (2) XSQLConfig.xml and (3) settings.xml, which allows local users to obtain sensitive information. jdeveloper-config-plaintext-password(21342) http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html 15991 http://www.red-database-security.com/advisory/oracle_jdeveloper_plaintext_password.html 20050713 Advisory: Oracle JDeveloper Plaintext Passwords Oracle Formsbuilder 9.0.4 stores database usernames and passwords in a temporary file, which is not deleted after it is used, which allows local users to obtain sensitive information. formsbuilder-temp-file-plaintext-password(21343) http://www.red-database-security.com/advisory/oracle_formsbuilder_temp_file_issue.html http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html 15991 20050713 Advisory: Oracle Forms Builder Password in Temp Files Oracle Forms 4.5, 6.0, 6i, and 9i on Unix, when a large number of records are retrieved by an Oracle form, stores a copy of the database tables in a world-readable temporary file, which allows local users to gain sensitive information such as credit card numbers. formsbuilder-temp-file-info-disclosure(21347) http://www.red-database-security.com/advisory/oracle_forms_unsecure_temp_file_handling.html http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html 15991 20050713 Advisory: Oracle Forms Insecure Temporary File Handling NetPanzer 0.8 and earlier allows remote attackers to cause a denial of service (infinite loop) via a packet with a zero datablock size. netpanzer-datablock-dos(21361) http://aluigi.altervista.org/adv/panzone-adv.txt 14257 1014479 16055 20050713 Endless loop in NetPanzer 0.8 YabbSE 1.5.5c allows remote attackers to obtain sensitive information via a direct request to ssi_examples.php, which reveals the path. 20050714 YaBBSe 1.5.5c Path disclosure problem Stack-based buffer overflow in TreeAction.do in Sybase EAServer 4.2.5 through 5.2 allows remote authenticated users to execute arbitrary code via a large javascript parameter. http://www.sybase.com/detail?id=1036742 http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm 20050715 Stack-Based Buffer Overflow in Sybase EAServer 4.2.5 to 5.2 1014497 16108 BitDefender Engine 1.6.1 and earlier does not properly scan all attachments, which allows remote attackers to bypass virus scanning via begin and end commands in the body of the e-mail, which BitDefender treats as a uuencoded attachment and stops scanning afterwards. 20050714 05_07_14-bitdefender_malicious_content_bypass 1014495 Multiple cross-site scripting (XSS) vulnerabilities in Simple Message Board Version 2.0 Beta 1 allow remote attackers to inject arbitrary web script or HTML via the (1) FID parameter to forum.cfm, (2) UID parameter to user.cfm, (3) TID parameter to thread.cfm, or (4) PostDate parameter to search.cfm. 14266 1014494 20050714 XSS in forums Simple Message Board Version 2.0 Beta 1 14269 14268 14267 Skype 1.1.0.20 and earlier allows local users to overwrite arbitrary files via a symlink attack on the skype_profile.jpg temporary file. http://www.zone-h.org/advisories/read/id=7808 20050716 [ZH2005-16SA] Insecure temporary file creation in Skype for Linux 16105 PowerDNS before 2.9.18, when running with an LDAP backend, does not properly escape LDAP queries, which allows remote attackers to cause a denial of service (failure to answer ldap questions) and possibly conduct an LDAP injection attack. 20050716 PowerDNS 2.9.18 fixes two security issues affecting users of LDAP http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-18 14290 SUSE-SR:2005:019 1014504 PowerDNS before 2.9.18, when allowing recursion to a restricted range of IP addresses, does not properly handle questions from clients that are denied recursion, which could cause a "blank out" of answers to those clients that are allowed to use recursion. 20050716 PowerDNS 2.9.18 fixes two security issues affecting users of LDAP http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-18 SUSE-SR:2005:019 1014504 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-1218. Reason: This candidate is a duplicate of CVE-2005-1218. Notes: All CVE users should reference CVE-2005-1218 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Microsoft MSN Messenger 9.0 and Internet Explorer 6.0 allows remote attackers to cause a denial of service (crash) via an image with an ICC Profile with a large Tag Count. 14288 20050716 Internet Explorer / MSN ICC Profiles Crash PoC Exploit DG Remote Control Server 1.6.2 allows remote attackers to cause a denial of service (crash or CPU consumption) and possibly execute arbitrary code via a long message to TCP port 1071 or 1073, possibly due to a buffer overflow. 14263 http://k.domaindlx.com/shellcore/advisories.asp?bug_report=display&infamous_group=72 16070 Race condition in Macromedia JRun 4.0, ColdFusion MX 6.1 and 7.0, when under heavy load, causes JRun to assign a duplicate authentication token to multiple sessions, which could allow authenticated users to gain privileges as other users. http://www.macromedia.com/devnet/security/security_zone/mpsb05-05.html 16081 1014489 netman.dll in Microsoft Windows Connections Manager Library allows local users to cause a denial of service (Network Connections Service crash) via a large integer argument to a particular function, aka "Network Connection Manager Vulnerability." 14260 MS05-045 http://support.avaya.com/elmodocs2/security/ASA-2005-214.pdf 17223 17172 16065 oval:org.mitre.oval:def:786 oval:org.mitre.oval:def:1532 oval:org.mitre.oval:def:1289 oval:org.mitre.oval:def:1254 oval:org.mitre.oval:def:1250 The JPEG decoder in Microsoft Internet Explorer allows remote attackers to cause a denial of service (CPU consumption or crash) and possibly execute arbitrary code via certain crafted JPEG images, as demonstrated using (1) mov_fencepost.jpg, (2) cmp_fencepost.jpg, (3) oom_dos.jpg, or (4) random.jpg. 14286 14285 14284 20050715 Compromising pictures of Microsoft Internet Explorer! http://lcamtuf.coredump.cx/crash Opera 8.01 allows remote attackers to cause a denial of service (CPU consumption) via a crafted JPEG image, as demonstrated using random.jpg. 20050718 Re: Compromising pictures of Microsoft Internet Explorer! 20050715 Compromising pictures of Microsoft Internet Explorer! http://lcamtuf.coredump.cx/crash Buffer overflow in Winamp 5.03a, 5.09 and 5.091, and other versions before 5.094, allows remote attackers to execute arbitrary code via an MP3 file with a long ID3v2 tag such as (1) ARTIST or (2) TITLE. http://www.winamp.com/player/version_history.php ADV-2005-1106 14276 17897 1014483 http://security.lss.hr/index.php?page=details&ID=LSS-2005-07-14 16077 SMS 1.9.2m and earlier allows local users to overwrite arbitrary files via a symlink attack on the (1) request1 or (2) request2 temporary files. 16038 management.php in Realnode Emilda 1.2.2 and earlier allows remote attackers to perform actions as other users by modifying the user_id parameter. 14244 http://sourceforge.net/project/shownotes.php?release_id=338551 15857 Check Point SecuRemote NG with Application Intelligence R54 allows attackers to obtain credentials and gain privileges via unknown attack vectors. 14221 inc.login.php in PHPsFTPd 0.2 through 0.4 allows remote attackers to obtain the administrator's username and password by setting the do_login parameter and performing an edit action using user.php, which causes the login check to be bypassed and leaks the password in the response. 14222 ADV-2005-1101 15879 http://packetstorm.linuxsecurity.com/0507-exploits/phpsftpd.txt 1014481 20050713 PHPsFTPd - Admin password leak Buffer overflow in Domain Name Relay Daemon (DNRD) before 2.19.1 allows remote attackers to execute arbitrary code via a large number of large DNS packets with the Z and QR flags cleared. This vulnerability is addressed in the following product release: dnrd, dnrd, 2.19.1 This vulnerability affects all versions of dnrd prior to 2.19.1 http://sourceforge.net/forum/forum.php?forum_id=482568 16142 http://www.FreeBSD.org/ports/portaudit/e72fd82b-fa01-11d9-bc08-0001020eed82.html 1014557 Domain Name Relay Daemon (DNRD) before 2.19.1 allows remote attackers to cause a denial of service (infinite recursion) via a DNS packet that uses message compression in the QNAME and two pointers that point to each other (circular buffer). http://sourceforge.net/forum/forum.php?forum_id=482568 16142 http://www.FreeBSD.org/ports/portaudit/e72fd82b-fa01-11d9-bc08-0001020eed82.html 1014557 Shorewall 2.4.x before 2.4.1, 2.2.x before 2.2.5, and 2.0.x before 2.0.17, when MACLIST_TTL is greater than 0 or MACLIST_DISPOSITION is set to ACCEPT, allows remote attackers with an accepted MAC address to bypass other firewall rules or policies. http://shorewall.net/News.htm#20050717 16087 20050718 Shorewall MACLIST Problem USN-197-1 14292 GLSA-200507-20 DSA-849 17113 17110 Cross-site scripting (XSS) vulnerability in showerr.asp in DVBBS 7.1 SP2 allows remote attackers to inject arbitrary web script or HTML via the action parameter. 14223 PHP remote file include vulnerability in Yawp library 1.0.6 and earlier, as used in YaWiki and possibly other products, allows remote attackers to include arbitrary files via the _Yawp[conf_path] parameter. 14237 20050712 Advisory 10/2005: Yawp/YaWiki Remote URL Include Vulnerability http://www.hardened-php.net/advisory-102005.php http://phpyawp.com/yawiki/index.php?page=ChangeLog 16049 WebCalendar before 1.0.0 does not properly restrict access to assistant_edit.php, which allows remote attackers to gain privileges. 14072 PHP remote file inclusion vulnerability in CaLogic 1.2.2 allows remote attackers to execute arbitrary code via the CLPATH parameter to (1) cl_minical.php, (2) clmcpreload.php, (3) mcconfig.php, or (4) mcpi-demo.php. 16090 14296 http://www.calogic.de/modules/newbb/viewtopic.php?topic_id=333&forum=7 Cross-site scripting (XSS) vulnerability in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allows remote attackers to inject arbitrary web script or HTML via the (1) viewuser_id or (2) group parameter to users.php. 14261 1014486 1014485 16078 http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html Multiple SQL injection vulnerabilities in Class-1 Forum 0.24.4 and 0.23.2, and Clever Copy with forums installed, allow remote attackers to modify SQL statements via the (1) id parameter to viewattach.php, (2) viewuser_id parameter to users.php, or the (3) id or (4) forum parameter to viewforum.php. 1014486 1014485 16078 http://lostmon.blogspot.com/2005/07/class-1-forum-software-cross-site.html Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the searchtype or searchterm parameters to (1) results.php or (2) categorysearch.php. http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.html Clever Copy 2.0 and 2.0a allows remote attackers to obtain the full path of the web root via a direct request to (1) ticker.php, (2) menu.php, (3) banned.php, (4) endlayout.php, (5) randomhlinesblock.php, (6) showlast.php, (7) showlast5class1.php, (8) showlast5phorum.php, (9) showlast5phorumblock.php, (10) showlastforumbb2.php, or (11) showlastforumbb2block.php. http://lostmon.blogspot.com/2005/07/clever-copy-path-disclosure-and-xss.html Cross-site scripting (XSS) vulnerability in Clever Copy 2.0 and 2.0a allows remote attackers to inject arbitrary web script or HTML via the yr parameter to calendar.php. http://lostmon.blogspot.com/2005/07/clever-copy-calendarphp-yr-variable.html Cross-site scripting (XSS) vulnerability in e107 0.617 and earlier allows remote attackers to inject arbitrary web script or HTML via nested [url] BBCode tags. 1014513 1106 PHP remote file inclusion vulnerability in im.php in Laffer 0.3.2.6 and 0.3.2.7 allows remote attackers to execute arbitrary PHP code via the CFG_PATH variable. 14264 http://laffer.sourceforge.net/cgi-bin/index.pl?page=news&key=373747410 http://sourceforge.net/tracker/index.php?func=detail&aid=1235463&group_id=101249&atid=629313 MRV Communications In-Reach LX-8000S, LX-4000S, and LX-1000S 3.5.0, when using SSH public key authentication, does not properly restrict access to ports, which allows remote authenticated users to access the consoles of other users. 14300 20050718 MRV In-Reach console server: Port Access Control Bypass Vulnerability 1014517 Directory traversal vulnerability in extras/update.php in osCommerce 2.2 allows remote attackers to read arbitrary files via (1) .. sequences or (2) a full pathname in the readme_file parameter. oscommerce-extrasupdate-info-disclosure(25861) 14294 20060414 RE: osCommerce "extras/" information/source code disclosure 20060414 osCommerce "extras/" information/source code disclosure 18249 http://www.oscommerce.com/community/bugs,2835 http://sourceforge.net/mailarchive/message.php?msg_id=12318248 1015944 http://retrogod.altervista.org/oscommerce_22_adv.html PHP remote file inclusion vulnerability in display.php in MooseGallery allows remote attackers to execute arbitrary PHP code via the type parameter. moosegallery-display-file-include(21388) 14280 1014487 16093 Cross-site scripting (XSS) vulnerability in PHPPageProtect 1.0.0a allows remote attackers to inject arbitrary web script or HTML via the username parameter to (1) admin.php or (2) login.php. 1014510 16110 14318 14314 Cross-site scripting (XSS) vulnerability in smilies_popup.php in SEO-Board 1.0 allows remote attackers to inject arbitrary web script or HTML via the doc parameter. 1014509 14320 16051 Y.SAK allows remote attackers to execute arbitrary commands via shell metacharacters in the $no variable to (1) w_s3mbfm.cgi, (2) w_s3adix.cgi, or (3) w_s3sbfm.cgi. 1014502 14299 Buffer overflow in the POP3 client in Fetchmail before 6.2.5.2 allows remote POP3 servers to cause a denial of service and possibly execute arbitrary code via long UIDL responses. NOTE: a typo in an advisory accidentally used the wrong CVE identifier for the Fetchmail issue. This is the correct identifier. TA06-214A 14349 FEDORA-2005-614 http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt http://developer.berlios.de/project/shownotes.php?release_id=6617 ADV-2006-3101 ADV-2005-1171 19289 20060801 DMA[2006-0801a] - 'Apple OSX fetchmail buffer overflow' 20060526 rPSA-2006-0084-1 fetchmail RHSA-2005:640 http://www.redhat.com/archives/fedora-announce-list/2005-July/msg00104.html FEDORA-2005-613 18174 SUSE-SR:2005:018 DSA-774 21253 16176 oval:org.mitre.oval:def:8833 APPLE-SA-2006-08-01 oval:org.mitre.oval:def:1124 oval:org.mitre.oval:def:1038 Cross-site scripting (XSS) vulnerability in Hiki 0.8.0 to 0.8.2 allows remote attackers to inject arbitrary web script or HTML via "missing pages" in which the page name is not properly escaped, a different vulnerability than CVE-2005-2803. http://hikiwiki.org/en/advisory20050804.html JVN#38138980 15021 17075 Ruby 1.6.x up to 1.6.8, 1.8.x up to 1.8.2, and 1.9.0 development up to 2005-09-01 allows attackers to bypass safe level and taint flag protections and execute disallowed code when Ruby processes a program through standard input (stdin). TA06-132A VU#160012 http://www.ruby-lang.org/en/20051003.html 16904 ruby-eval-security-bypass(22360) ADV-2006-1779 USN-195-1 1014948 17951 14909 RHSA-2005:799 SUSE-SR:2006:005 MDKSA-2005:191 GLSA-200510-05 DSA-864 DSA-862 DSA-860 20077 19130 17285 17147 17129 17098 17094 oval:org.mitre.oval:def:10564 APPLE-SA-2006-05-11 http://jvn.jp/jp/JVN%2362914675/index.html 59 Multiple cross-site scripting (XSS) vulnerabilities in XOOPS 2.0.12 JP and earlier, XOOPS 2.0.13.1 and earlier, and 2.2.x up to 2.2.3 RC1 allow remote attackers to inject arbitrary web script or HTML via (1) modules that use "XOOPS Code" and (2) newbb in the forum module. http://www.lac.co.jp/business/sns/intelligence/SNSadvisory_e/85_e.html 17300 JVN#77105349 15195 20051025 [SNS Advisory No.85] XOOPS Multiple Cross-site Scripting Vulnerabilities Cross-site scripting (XSS) vulnerability in the Unicode version of msearch (unicode-msearch) 1.51(U1)-beta1, 1.51(U1), and 1.52(U1) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. http://jvn.jp/jp/JVN%2379925E6F/index.html Heap-based buffer overflow in Apple Quicktime before 7.0.4 allows remote attackers to execute arbitrary code via a crafted (1) QuickTime Image File (QTIF), (2) PICT, or (3) JPEG format image with a long data field. TA06-011A VU#687201 VU#629845 quicktime-qtif-bo(24054) 16202 22335 22334 22333 1015463 18370 APPLE-SA-2006-01-10 ADV-2006-0128 16212 20060111 [EEYEB-20051220] Apple QuickTime QTIF Stack Overflow 20060111 Updated Advisories - Incorrect CVE Information http://www.cirt.dk/advisories/cirt-41-advisory.pdf 332 20060111 Updated Advisories - Incorrect CVE Information 20060111 [EEYEB-20051220] Apple QuickTime QTIF Stack Overflow 20060111 [CIRT.DK] Apple QuickTime 7.0.3 and earlier - JPG/PICT Buffer Overflow Heap-based buffer overflow in Research in Motion (RIM) BlackBerry Attachment Service allows remote attackers to cause a denial of service (hang) via an e-mail attachment with a crafted TIFF file. VU#570768 1015426 18277 ADV-2006-0011 16098 Research in Motion (RIM) BlackBerry Router allows remote attackers to cause a denial of service (communication disruption) via crafted Server Routing Protocol (SRP) packets. VU#392920 ADV-2006-0011 16100 http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167898 1015427 18277 Research in Motion (RIM) BlackBerry Handheld web browser for BlackBerry Handheld before 4.0.2 allows remote attackers to cause a denial of service (hang) via a Java Application Description (JAD) file with a long application name and vendor string, which prevents a browser dialog from being properly dismissed. VU#829400 ADV-2006-0011 16099 http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/7925/8142/?nodeid=1167791 1015428 The BlackBerry Attachment Service in Research in Motion (RIM) BlackBerry Enterprise Server (BES) 4.0 to version 4.0 Service Pack 2 allows attackers to cause a denial of service via a malformed Portable Network Graphics (PNG) file that triggers a heap-based buffer overflow. VU#646976 18393 blackberry-attachment-png-bo(24063) ADV-2006-0127 16204 http://www.blackberry.com/knowledgecenterpublic/livelink.exe/fetch/2000/8021/728075/728850/728215/?nodeid=1167794 Buffer overflow in Novell GroupWise 6.5 Client allows remote attackers to execute arbitrary code via a GWVW02xx.INI language file with a long entry, as demonstrated using a long ES02TKS.VEW value in the Group Task section. http://support.novell.com/cgi-bin/search/searchtid.cgi?/10098314.htm 20050727 [ISR] - Novell GroupWise Client Remote Buffer Overflow run-mozilla.sh in Thunderbird, with debugging enabled, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. USN-157-1 14443 MDKSA-2005:174 MDKSA-2005:173 DSA-1051 DSA-1046 19941 19863 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2335, CVE-2005-2356. Reason: due to a typo in an advisory, this candidate was accidentally referenced. Notes: All CVE users should consult CVE-2005-2335 and CVE-2005-2356 to determine the appropriate identifier for the issue. Directory traversal vulnerability in EMC Navisphere Manager 6.4.1.0.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. emcnavispheremanager-directory-traversal(21726) 14487 20050805 EMC Navisphere Manager Directory Traversal Vulnerability 1014629 16344 EMC Navisphere Manager 6.4.1.0.0 allows remote attackers to list arbitrary directories via an HTTP request for a directory that ends in a "." (trailing dot). 14487 20050805 EMC Navisphere Manager Directory Traversal Vulnerability 1014629 16344 The AES-XCBC-MAC algorithm in IPsec in FreeBSD 5.3 and 5.4, when used for authentication without other encryption, uses a constant key instead of the one that was assigned by the system administrator, which can allow remote attackers to spoof packets to establish an IPsec session. freebsd-aesxcbcmac-security-bypass(21551) 16244 FreeBSD-SA-05:19 14394 1014586 Unknown vulnerability in the LDAP dissector in Ethereal 0.8.5 through 0.10.11 allows remote attackers to cause a denial of service (free static memory and application crash) via unknown attack vectors. GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html oval:org.mitre.oval:def:11254 14399 RHSA-2005:687 FLSA-2006:152922 SUSE-SR:2005:019 DSA-853 17102 16225 Unknown vulnerability in the (1) AgentX dissector, (2) PER dissector, (3) DOCSIS dissector, (4) SCTP graphs, (5) HTTP dissector, (6) DCERPC, (7) DHCP, (8) RADIUS dissector, (9) Telnet dissector, (10) IS-IS LSP dissector, or (11) NCP dissector in Ethereal 0.8.19 through 0.10.11 allows remote attackers to cause a denial of service (application crash or abort) via unknown attack vectors. GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html oval:org.mitre.oval:def:10225 14399 RHSA-2005:687 FLSA-2006:152922 SUSE-SR:2005:019 DSA-853 17102 16225 Unknown vulnerability several dissectors in Ethereal 0.9.0 through 0.10.11 allows remote attackers to cause a denial of service (application crash) by reassembling certain packets. GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html oval:org.mitre.oval:def:10059 14399 RHSA-2005:687 FLSA-2006:152922 SUSE-SR:2005:019 16225 Unknown vulnerability in the (1) SMPP dissector, (2) 802.3 dissector, (3) DHCP, (4) MEGACO dissector, or (5) H1 dissector in Ethereal 0.8.15 through 0.10.11 allows remote attackers to cause a denial of service (infinite loop) via unknown attack vectors. GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html oval:org.mitre.oval:def:11271 14399 RHSA-2005:687 FLSA-2006:152922 SUSE-SR:2005:019 SUSE-SR:2005:018 DSA-853 17102 16225 Unknown vulnerability in the (1) GIOP dissector, (2) WBXML, or (3) CAMEL dissector in Ethereal 0.8.20 through 0.10.11 allows remote attackers to cause a denial of service (application crash) via certain packets that cause a null pointer dereference. GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html oval:org.mitre.oval:def:10007 14399 RHSA-2005:687 FLSA-2006:152922 18386 SUSE-SR:2005:019 DSA-853 17102 16225 Unknown vulnerability in the SMB dissector in Ethereal 0.9.0 through 0.10.11 allows remote attackers to cause a buffer overflow or a denial of service (memory consumption) via unknown attack vectors. GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html oval:org.mitre.oval:def:9118 14399 RHSA-2005:687 FLSA-2006:152922 SUSE-SR:2005:019 DSA-853 17102 16225 Unknown vulnerability in the BER dissector in Ethereal 0.10.11 allows remote attackers to cause a denial of service (abort or infinite loop) via unknown attack vectors. GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html oval:org.mitre.oval:def:11239 14399 RHSA-2005:687 FLSA-2006:152922 SUSE-SR:2005:019 DSA-853 17102 16225 Format string vulnerability in the proto_item_set_text function in Ethereal 0.9.4 through 0.10.11, as used in multiple dissectors, allows remote attackers to write to arbitrary memory locations and gain privileges via a crafted AFP packet. MDKSA-2005:131 GLSA-200507-27 http://www.ethereal.com/appnotes/enpa-sa-00020.html 20050805 Multiple Vendor Ethereal AFP Protocol Dissector Format String Vulnerability oval:org.mitre.oval:def:10765 14399 RHSA-2005:687 FLSA-2006:152922 SUSE-SR:2005:019 SUSE-SR:2005:018 DSA-853 17102 16225 vim 6.3 before 6.3.082, with modelines enabled, allows external user-assisted attackers to execute arbitrary commands via shell metacharacters in the (1) glob or (2) expand commands of a foldexpr expression for calculating fold levels. http://www.guninski.com/where_do_you_want_billg_to_go_today_5.html 20050725 Help poor children in Uganda 14374 RHSA-2005:745 oval:org.mitre.oval:def:11302 Multiple integer signedness errors in libgadu, as used in ekg before 1.6rc2 and other packages, may allow remote attackers to cause a denial of service or execute arbitrary code. 20050721 Multiple vulnerabilities in libgadu and ekg package oval:org.mitre.oval:def:10281 14415 DSA-813 Multiple "memory alignment errors" in libgadu, as used in ekg before 1.6rc2, Gaim before 1.5.0, and other packages, allows remote attackers to cause a denial of service (bus error) on certain architectures such as SPARC via an incoming message. 20050721 Multiple vulnerabilities in libgadu and ekg package 24600 FLSA:158543 RHSA-2005:627 DSA-1318 DSA-813 16265 oval:org.mitre.oval:def:10456 http://gaim.sourceforge.net/security/index.php?id=20 Directory traversal vulnerability in Oracle Reports 6.0, 6i, 9i, and 10g allows remote attackers to overwrite arbitrary files via (1) "..", (2) Windows drive letter (C:), and (3) absolute path sequences in the desname parameter. NOTE: this issue was probably fixed by REP06 in CPU Jan 2006, in which case it overlaps CVE-2006-0289. oracle-january2006-update(24321) ADV-2006-0323 14309 20060117 Oracle Reports - Overwrite any application server file via desname (fixed after 889 days) http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html 1014524 18608 18493 20050719 Oracle Security Advisory: Overwrite any file via desname in Oracle Reports Oracle Forms 4.5 through 10g starts form executables from arbitrary directories and executes them as the Oracle or System user, which allows attackers to execute arbitrary code by uploading a malicious .fmx file and referencing it using an absolute pathname argument in the (1) form or (2) module parameters to f90servlet. http://www.red-database-security.com/advisory/oracle_forms_run_any_os_command.html 20050719 Oracle Security Advisory: Run any OS Command via unauthorized Oracle Forms Buffer overflow in SlimFTPd 3.15 and 3.16 allows remote authenticated users to execute arbitrary code via a long directory name to (1) LIST, (2) DELE or (3) RNFR commands. http://www.whitsoftdev.com/slimftpd/ 20050721 Arbitrary code execution in SlimFTPd v3.16 1014542 16177 Belkin 54g wireless routers do not properly set an administrative password, which allows remote attackers to gain access via the (1) Telnet or (2) weba dministration interfaces. belkin-router-default-password(21412) 1014493 20050715 several vulnerabilities present in Belkin wireless routers Format string vulnerability in Race Driver 1.20 and earlier allows remote attackers to cause a denial of service (application crash) via format string specifiers in a (1) nickname or (2) chat message. http://aluigi.altervista.org/adv/rdrum-adv.txt 20050718 Broadcast format string and buffer-overflow in Race Driver 1.20 Buffer overflow in Race Driver 1.20 and earlier allows remote attackers to cause a denial of service (application crash) via a long (1) nickname or (2) chat message. http://aluigi.altervista.org/adv/rdrum-adv.txt 20050718 Broadcast format string and buffer-overflow in Race Driver 1.20 nss_ldap 181 to versions before 213, as used in Mandrake Corporate Server and Mandrake 10.0, and other operating systems, does not properly handle a SIGPIPE signal when sending a search request to an LDAP directory server, which might allow remote attackers to cause a denial of service (crond and other application crash) if they can cause an LDAP server to become unavailable. NOTE: it is not clear whether this attack scenario is sufficient to include this item in CVE. MDKSA-2005:121 nssldap-sigpipe-dos(40501) http://qa.mandriva.com/show_bug.cgi?id=13271 Directory traversal vulnerability in Oracle Reports allows remote attackers to read arbitrary files via an absolute or relative path to the (1) CUSTOMIZE or (2) desformat parameters to rwservlet. NOTE: vector 2 is probably the same as CVE-2006-0289, and fixed in Jan 2006 CPU. oracle-january2006-update(24321) ADV-2006-0323 20060117 Oracle Reports - Read parts of files via desname (fixed after 874 days) http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html http://www.red-database-security.com/advisory/oracle_reports_read_any_file.html 1014527 1014525 18608 18493 20050719 Oracle Security Advisory: Read parts of any XML-file via customize parameter in Oracle Reports 20050719 Oracle Security Advisory: Read parts of any file via desformat in Oracle Reports Multiple cross-site scripting (XSS) vulnerabilities in Oracle Reports 9.0.2 allow remote attackers to inject arbitrary web script or HTML via the (1) debug parameter to showenv, (2) test parameter to parsequery, or (3) delimiter or (4) CELLWRAPPER parameter to rwservlet. http://www.red-database-security.com/advisory/oracle_reports_various_css.html 20050719 Oracle Security Advisory: Various Cross-Site-Scripting Oracle Reports Multiple cross-site scripting vulnerabilities in PHP Surveyor 0.98 allow remote attackers to inject arbitrary web script or HTML via the (1) sid, (2) start, and (3) id parameters to browse.php, or the sid parameter to (4) dataentry.php or (5) export.php. 20050720 Multiple Vulnerabilities in PHP Surveyor 16123 PHP Surveyor 0.98 allows remote attackers to obtain sensitive information via a direct request to (1) question.php, (2) survey.php, or (3) group.php in the root directory, a direct request to (4) database.php, (5) sessioncontrol.php, (6) html.php, (7) sessioncontrol.php, an invalid (8) qid parameter to dumpquestion.php, or an invalid lid parameter to (9) labels.php or (10) dumplabel.php, which reveal the path in an error message. 20050720 Multiple Vulnerabilities in PHP Surveyor 16123 Oray PeanutHull 3.0.1.0 and earlier does not properly drop SYSTEM privileges when launched from the system tray, which allows local users to gain privileges by accessing the Help functionality. http://secway.org/advisory/AD20050720EN.txt 20050720 PeanutHull Local Privilege Escalation Vulnerability 14330 16124 SQL injection vulnerability in auth.php in PHPNews 1.2.5 allows remote attackers to execute arbitrary SQL commands via the user parameter in an HTTP POST request. http://newsphp.sourceforge.net/changelog/changelog_1.30.txt 20050720 PHPNews SQL injection vulnerability 14333 16148 Directory traversal vulnerability in a third-party compression library (UNACEV2.DLL), as used in avast! Antivirus Home/Professional Edition 4.6.665 and Server Edition 4.6.460, allows remote attackers to write arbitrary files via an ACE archive containing filenames with (1) .. or (2) absolute pathnames. http://secunia.com/secunia_research/2005-20/advisory/ 15776 http://www.avast.com/eng/av4_revision_history.html 1014544 Buffer overflow in a third-party compression library (UNACEV2.DLL), as used in avast! Antivirus Home/Professional Edition 4.6.665 and Server Edition 4.6.460, allows remote attackers to execute arbitrary code via an ACE archive containing a long filename. http://secunia.com/secunia_research/2005-20/advisory/ 15776 http://www.avast.com/eng/av4_revision_history.html 1014544 Cross-site scripting (XSS) vulnerability in viewCart.asp in CartWIZ 1.20 allows remote attackers to inject arbitrary web script or HTML via the message parameter. 14386 http://www.hackerscenter.com/archive/view.asp?id=4008 Multiple stack-based buffer overflows in GoodTech SMTP server 5.16 allow remote attackers to execute arbitrary code via (1) a RCPT TO command with a long DNS name, or (2) a large number of RCPT TO commands with a long e-mail name arugment in the last command. 20050723 GoodTech SMTP server 5.16 RCPT TO command remote buffer overflow 14357 Buffer overflow in a certain USB driver, as used on Microsoft Windows, allows attackers to execute arbitrary code. 14376 http://www.eweek.com/article2/0,1759,1840131,00.asp windows-usb-device-bo(21539) 18493 1014566 16210 NDMP server in Veritas NetBackup 5.1 allows attackers to cause a denial of service via a CONFIG message with an out-of-range timestamp, which triggers a null dereference. http://www.hat-squad.com/en/000170.html 16187 Multiple format string vulnerabilities in ProFTPD before 1.3.0rc2 allow attackers to cause a denial of service or obtain sensitive information via (1) certain inputs to the shutdown message from ftpshut, or (2) the SQLShowInfo mod_sql directive. http://www.proftpd.org/docs/RELEASE_NOTES-1.3.0rc2 16181 14381 14380 DSA-795 OpenPKG-SA-2005.020 Unknown vulnerability in 3Com OfficeConnect Wireless 11g Access Point before 1.03.12 allows remote attackers to obtain sensitive information via the web interface. 16207 Cross-site scripting (XSS) vulnerability in index.php for CMSimple 2.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in the search function. 14346 http://www.cmsimple.dk/forum/viewtopic.php?t=2470 1014556 http://lostmon.blogspot.com/2005/07/cmsimple-search-variable-xss.html 20060803 CMSimple Cross Site Scripting 18128 http://www.aria-security.net/advisory/cmsimple.txt 16147 Cross-site scripting (XSS) vulnerability in CuteNews 1.3.6 allows remote attackers to inject arbitrary web script or HTML via (1) the lastusername parameter to index.php or (2) selected_search_arch parameter to search.php. 1014514 16129 show_news.php in CuteNews 1.3.6 allows remote attackers to obtain the full path of the server via an invalid archive parameter. 1014514 16129 Mozilla Firefox 1.0.4 and 1.0.5 does not choose the challenge with the strongest authentication scheme available as required by RFC2617, which might cause credentials to be sent in plaintext even if an encrypted channel is available. 14325 20050719 Mozilla cleartext credentials leak bug report to excuse myself (Re[2]: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein) https://bugzilla.mozilla.org/show_bug.cgi?id=281851 mozilla-authentication-weakness(22272) http://www.securiteam.com/securitynews/5PP0L00GUQ.html 19002 8 Cross-site scripting (XSS) vulnerability in MediaWiki 1.4.6 and earlier allows remote attackers to inject arbitrary web script or HTML via a parameter to the page move template. 14327 GLSA-200507-18 mediawiki-page-move-xss(21491) 17763 16130 15950 Cross-site scripting (XSS) vulnerability in guestbook.php in phpBook 1.46 allows remote attackers to inject arbitrary web script or HTML via the admin parameter. 1014573 phpbook-admin-xss(21538) 14390 18295 16192 Multiple SQL injection vulnerabilities in PHP Surveyor 0.98 allows remote attackers to execute arbitrary SQL commands via (1) the sid, start, and id parameters to browse.php, the sid parameter to (2) dataentry.php, (3) export.php, (4) admin.php, (5) conditions.php, (6) spss.php, (7) deletesurvey.php, (8) dumpsurvey.php, or (9) statistics.php, or the lid parameter to (10) labels.php or (11) dumplabel.php. 16123 20050720 Multiple Vulnerabilities in PHP Surveyor php-surveyor-sql-injection(21444) 14331 18108 18107 18106 18105 18104 18103 18102 18101 18100 18099 18098 1014538 PHP Surveyor 0.98 allows remote attackers to trigger SQL errors via missing parameters to (1) browse.php, (2) export.php, (3) conditions.php, or (4) spss.php. 16123 20050720 Multiple Vulnerabilities in PHP Surveyor 14331 1014538 The inc.login.php scripts in PHPFinance 0.3 allows remote attackers to bypass the login and gain privileges. http://sourceforge.net/project/shownotes.php?release_id=343135 ADV-2005-1133 http://cvs.sourceforge.net/viewcvs.py/phpfinance/phpfinance/inc.login.php?rev=1.2&view=log http://cvs.sourceforge.net/viewcvs.py/phpfinance/phpfinance/inc.conf.php?rev=1.2&view=log phpfinance-logon-bypass(21426) 14322 13276 PHP-Fusion allows remote attackers to inject arbitrary Cascading Style Sheets (CSS) via the BBCode color tag. 14332 16096 18111 Cross-site scripting (XSS) vulnerability in search.php in PHPSiteSearch 1.7.7d allows remote attackers to inject arbitrary web script or HTML via the query parameter. http://www.rgod.altervista.org/PHPSiteSearch177dpoc.txt 16156 phpsitesearch-query-xss(21463) 14344 18142 The login protocol in RealChat 3.5.1b does not use authentication, which allows remote attackers to log on as other users by sniffing the beginning of a chat session and replaying it via a modified username. 1014562 20050723 Realchat user impersonation - BSA 200506110001 realchat-account-login(21497) 14358 SQL injection vulnerability in sendcard.php in Sendcard 3.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter. ADV-2005-1169 16165 sendcard-id-sql-injection(21474) 14351 18153 Opera 8.01, when the "Arial Unicode MS" font (ARIALUNI.TTF) is installed, does not properly handle extended ASCII characters in the file download dialog box, which allows remote attackers to spoof file extensions and possibly trick users into executing arbitrary code. http://www.opera.com/linux/changelogs/802/ 15870 ADV-2005-1251 opera-content-disposition-extension-spoofing(21784) 14402 1014592 Opera 8.01 allows remote attackers to conduct cross-site scripting (XSS) attacks or modify which files are uploaded by tricking a user into dragging an image that is a "javascript:" URI. http://www.opera.com/linux/changelogs/802/ 15756 ADV-2005-1251 14410 1014593 A design error in Opera 8.01 and earlier allows user-assisted attackers to execute arbitrary code by overlaying a malicious new window above a file download dialog box, then tricking the user into double-clicking on the "Run" button, aka "link hijacking". http://www.opera.com/linux/changelogs/802/ 15781 ADV-2005-1251 15835 1015353 http://secunia.com/secunia_research/2005-19/advisory/ Format string vulnerability in util.c in nbsmtp 0.99 and earlier, while running in debug mode, allows remote attackers to execute arbitrary code via format string specifiers that are not properly handled in a syslog call. http://people.freebsd.org/~niels/issues/nbsmtp-20050726.txt http://www.vuxml.org/freebsd/debbb39c-fdb3-11d9-a30d-00b0d09acbfc.html nbsmtp-format-string(21674) 14441 16324 16279 Format string vulnerability in the nm_info_handler function in Network Manager may allow remote attackers to execute arbitrary code via format string specifiers in a Wireless Access Point identifier, which is not properly handled in a syslog call. [gnome-networkmanager-list] 20050729 Re: format string bug in nm_info_handler [gnome-networkmanager-list] 20050728 format string bug in nm_info_handler FEDORA-2005-680 Cross-Site Request Forgery (CSRF) vulnerability in tDiary 2.1.1, and tDiary 2.0.1 and earlier, allows remote attackers to conduct actions as another user, and execute commands on the server, via a URL that is activated by the user. tdiary-xs-request-forgery(21735) 14500 18604 DSA-808 http://sourceforge.net/forum/forum.php?forum_id=482743 16787 16329 PHP remote file inclusion vulnerability in block.php in PHP FirstPost allows remote attackers to execute arbitrary PHP code via the Include parameter. php-firstpost-block-file-include(21513) 14371 18394 1014563 20050724 PHP FirstPost remote file include vulnerability PHP remote file inclusion vulnerability in apa_phpinclude.inc.php in Atomic Photo Album (APA) allows remote attackers to execute arbitrary PHP code via the apa_module_basedir parameter. apa-apaphpinclude-file-include(21562) 14368 18265 1014569 16201 20050723 Atomic Photo Album (APA) apa_phpinclude.inc.php remote file include Race condition in the xpcom library, as used by web browsers such as Firefox, Mozilla, Netscape, and Galeon, allows remote attackers to cause a denial of service (application crash) via a large HTML file that loads a DOM call from within nested DIV tags, which causes part of the currently rendering page and referenced objects to be deleted. mozilla-xpcom-race-condition(21472) http://www.gulftech.org/?node=research&article_id=00091-07212005 1014550 1014548 20050721 Mozilla XPCOM Library Race Condition Multiple SQL injection vulnerabilities in Contrexx before 1.0.5 allow remote attackers to execute arbitrary SQL commands via the (1) value parameter to the poll module or (2) pId parameter to the gallery module. http://www.hardened-php.net/advisory_112005.59.html contrexx-votingoption-pld-sql-injection(21482) 14352 18167 18166 1014554 16169 20050722 Advisory 11/2005: Multiple vulnerabilities in Contrexx Multiple cross-site scripting (XSS) vulnerabilities in Contrexx before 1.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) term parameter to the search module or (2) title in the blog aggregation module. http://www.hardened-php.net/advisory_112005.59.html contrexx-blog-xss(21487) contrexx-search-xss(21484) 14352 18169 18168 1014554 16169 20050722 Advisory 11/2005: Multiple vulnerabilities in Contrexx Contrexx before 1.0.5 allows remote attackers to obtain sensitive information via a direct request to /config/version.xml. http://www.hardened-php.net/advisory_112005.59.html contrexx-version-disclosure(21488) 14352 18170 1014554 16169 20050722 Advisory 11/2005: Multiple vulnerabilities in Contrexx ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2403. Reason: This candidate is a duplicate of CVE-2005-2403. Notes: All CVE users should reference CVE-2005-2403 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. B-FOCuS Router 312+ allows remote attackers to bypass authentication and gain unauthorized access via a direct request to firmwarecfg. eci-router-login-security-bypass(21521) 14364 16205 20050724 ECI router login bypass flsearch.pl in FtpLocate 2.02 allows remote attackers to execute arbitrary commands via shell metacharacters in an HTTP GET request. ftplocate-fsite-command-execution(21540) 14367 18305 1014570 16218 20050725 Chroot Security Group Advisory 2005-07-25 -- ftplocate Multiple SQL injection vulnerabilities in index.php and other pages in Beehive Forum allow remote attackers to execute arbitrary SQL commands via the webtag parameter. beehiveforum-webtag-sql-injection(21535) 14361 16217 20050725 Beehive Forum Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in index.php in Beehive Forum allows remote attackers to inject arbitrary web script or HTML via the webtag parameter. 14363 16217 20050725 Beehive Forum Multiple Vulnerabilities Beehive Forum allows remote attackers to obtain sensitive information via (1) an invalid final_uri or sort_by parameter to index.php or a direct request to (2) admin.php, (3) attachments.inc.php, (4) banned.inc.php, (5) beehive.inc.php, (6) constants.inc.php, (7) db.inc.php, (8) dictionary.inc.php or (9) search_index.php, which reveal the path in an error message. beehive-path-disclosure(21536) 16217 20050725 Beehive Forum Multiple Vulnerabilities The management interface for Siemens SANTIS 50 running firmware 4.2.8.0, and possibly other products including Ericsson HN294dp and Dynalink RTA300W, allows remote attackers to access the Telnet port without authentication via certain packets to the web interface that cause the interface to freeze. http://www.securenetwork.it/advisories/ santis50-packet-gain-access(21552) 14372 18294 16215 20050725 Siemens SANTIS 50 Authentication Vulnerability Stack-based buffer overflow in Ares FileShare 1.1 allows remote attackers or local users to execute arbitrary code via a (1) long history parameter in the configuration file (ares.conf) or (2) long search string. aresfileshare-long-string-bo(21818) ares-longconfstring-bo(21557) 14377 1014576 20050725 Ares FileShare 1.1 'Long Searched String' Buffer Overflow FTPshell Server 3.38 allows remote authenticated users to cause a denial of service (application crash) by multiple connections and disconnections without using the QUIT command. ftpshell-port-dos(21531) 14382 1014580 16189 20050726 Denial of service vulnerability in FTPshell Server Version 3.38 Cross-site scripting (XSS) vulnerability in viewCart.asp in CartWIZ allows remote attackers to inject arbitrary web script or HTML via the message parameter. cartwiz-viewcart-xss(21554) 14386 18463 1014581 20050726 [HSC Security Group] XSS in CartWiz Lotus Domino R5 and R6 WebMail, with "Generate HTML for all fields" enabled, stores sensitive data from names.nsf in hidden form fields, which allows remote attackers to read the HTML source to obtain sensitive information such as (1) the password hash in the HTTPPassword field, (2) the password change date in the HTTPPasswordChangeDate field, (3) the client platform in the ClntPltfrm field, (4) the client machine name in the ClntMachine field, and (5) the client Lotus Domino release in the ClntBld field, a different vulnerability than CVE-2005-2696. lotus-domino-names-obtain-information(21556) http://www.cybsec.com/vuln/default_configuration_information_disclosure_lotus_domino.pdf http://www-1.ibm.com/support/docview.wss?uid=swg21212934 16231 14389 http://www.securiteam.com/securitynews/5FP0E15GLQ.html 18462 1014584 20050726 CYBSEC - Security Advisory: Default Configuration Information Firefox, when opening Microsoft Word documents, does not properly set the permissions on shared sections, which allows remote attackers to write arbitrary data to open applications in Microsoft Office. office-mso97shareddg-dos(24346) 18484 16256 20050727 Shared section vulnerability when opening microsoft office Multiple cross-site scripting (XSS) vulnerabilities in GForge 4.5 allow remote attackers to inject arbitrary web script or HTML via the (1) forum_id or (2) group_id parameter to forum.php, (3) project_task_id parameter to task.php, (4) id parameter to detail.php, (5) the text field on the search page, (6) group_id parameter to qrs.php, (7) form, (8) rows, (9) cols or (10) wrap parameter to notepad.php, or the login field on the login form. gforge-multiple-xss(21558) 16253 14405 18304 18303 18302 18301 18300 18299 DSA-1094 20622 20050727 Cross Site Scripting vulnerabilities in GForge The (1) lost password and (2) account pending features in GForge 4.5 do not properly set a limit on the number of e-mails sent to an e-mail address, which allows remote attackers to send a large number of messages to arbitrary e-mail addresses (aka mail bomb). 20050727 Cross Site Scripting vulnerabilities in GForge SQL injection vulnerability in PhpList allows remote attackers to modify SQL statements via the id argument to admin pages such as (1) members or (2) admin. phplist-id-sql-injection(21576) 14403 18316 1014607 16274 20050731 PHPList Vunerability 20050728 PhpList Sql Injection and Path Disclosure PhpList allows remote attackers to obtain sensitive information via a direct request to (1) about.php, (2) connect.php, (3) domainstats.php or (4) usercheck.php in public_html/lists/admin directory, (5) attributes.php, (6) dbcheck.php, (7) importcsv.php, (8) user.php, (9) usermgt.php, or (10) users.php in admin/commonlib/pages directory, (11) helloworld.php, or (12) sidebar.php in public_html/lists/admin/plugins directory, or (13) main.php in public_html/lists/admin/plugsins/defaultplugin directory, which reveal the path in an error message. phplist-multiple-scripts-path-disclosure(21579) 18329 18328 18327 18326 18325 18324 18323 18322 18321 18320 18319 18318 18317 20050728 PhpList Sql Injection and Path Disclosure Linksys WRT54G router uses the same private key and certificate for every router, which allows remote attackers to sniff the SSL connection and obtain sensitive information. linksys-wrt54g-session-decrypt(21635) 14407 1014596 16271 20050728 Vulnerability in Linksys Router access Cross-site scripting (XSS) vulnerability in browse.php in Website Baker Project allows remote attackers to inject arbitrary web script or HTML via the dir parameter. website-baker-browse-xss(21631) 14404 18342 16263 20050728 Website Baker Project Multiple Vulnerabilities browse.php in Website Baker Project allows remote attackers to obtain sensitive data via (1) a directory that does not exist in the dir parameter or (2) a direct request to certain php files, which reveal the path in an error message. website-baker-url-path-disclosure(21633) 18344 18343 16263 20050728 Website Baker Project Multiple Vulnerabilities Website Baker Project does not properly verify the file extensions of uploaded files, which allows remote attackers to upload and execute arbitrary PHP code. website-baker-adminmedia-file-upload(21634) 14406 18345 16263 20050728 Website Baker Project Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in UseBB 0.5.1 and earlier allows remote attackers to inject arbitrary Javascript via the BBCode color value. http://www.hardened-php.net/advisory_122005.60.html http://www.usebb.net/community/topic.php?id=605 usebb-colorbbcode-xss(21651) 14412 20050728 Advisory 12/2005: UseBB Multiple Vulnerabilities SQL injection vulnerability in UseBB 0.5.1 and earlier, when magic_quotes_gpc is disabled, allows remote attackers to execute arbitrary SQL commands via the search function. http://www.usebb.net/community/topic.php?id=605 http://www.hardened-php.net/advisory_122005.60.html usebb-search-sql-injection(21652) 14413 20050728 Advisory 12/2005: UseBB Multiple Vulnerabilities SQL injection vulnerability in login.asp in Thomson Web Skill Vantage Manager allows remote attackers to execute arbitrary SQL commands via the svmPassword parameter. webskill-login-sql-injection(21637) 14409 16268 18330 20050728 Thomson Web Skill Vantage Manager Multiple cross-site scripting (XSS) vulnerabilities in VBzoom allow remote attackers to inject arbitrary web script and HTML via the (1) UserName parameter to profile.php or (2) UserID parameter to login.php. vbzoom-profile-login-xss(21680) 14423 20060306 SQL injection & XSS IN vbzoom v1.11 18663 18662 1014614 16220 20050729 VBZoom Cross Site Scripting Vulnerabilities Cross-Application Scripting (XAS) vulnerability in SPI Dynamics WebInspect 5.0.196 allows remote attackers to inject Javascript from one application into another. spidynamics-webinspect-xas(21541) 14385 20050726 SPIDynamics WebInspect Cross-Application Scripting (XAS) 1014582 16191 20050728 SPIDynamics WebInspect Cross-ApplicationScripting (XAS) 20050726 SPIDynamics WebInspect Cross-Application Scripting (XAS) Kshout 2.x and 3.x stores settings.dat under the web document root with insufficient access control, which allows remote attackers to obtain sensitive information such as usernames and passwords. http://www.soulblack.com.ar/repo/papers/advisory/kshout_advisory.txt kshout-settings-information-disclosure(24352) 20050729 Kshout Data Disclosure Trillian Pro 3.1 build 121, when checking Yahoo e-mail, stores the password in plaintext in a world readable file and does not delete the file after login, which allows local users to obtain sensitive information. trillian-mail-plaintext-password(21667) 16289 20050730 Trillian Ver 3.1 saves password's in plain Text SQL injection vulnerability in viewPrd.asp in Product Cart 2.6 allows remote attackers to execute arbitrary SQL commands via the idcategory parameter. productcart-viewprd-sql-injection(21672) productcart-multiple-script-sql-injection(20956) 13881 18508 17329 1014129 14833 20050730 [HSC Security Group] SQL Injection in Product Cart 2.6 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2369. Reason: This candidate is a duplicate of CVE-2005-2369. Notes: All CVE users should reference CVE-2005-2369 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2370. Reason: This candidate is a duplicate of CVE-2005-2370. Notes: All CVE users should reference CVE-2005-2370 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Multiple "endianness errors" in libgadu in ekg before 1.6rc2 allow remote attackers to cause a denial of service (invalid behavior in applications) on big-endian systems. oval:org.mitre.oval:def:11263 24600 14415 DSA-1318 DSA-813 16363 16155 16140 20050721 Multiple vulnerabilities in libgadu and ekg package Race condition in sandbox before 1.2.11 allows local users to create or overwrite arbitrary files via symlink attack on sandboxpids.tmp. GLSA-200507-22 http://bugs.gentoo.org/show_bug.cgi?id=96782 sandbox-race-condition(21519) 14375 1014574 16214 Multiple integer overflows in the (1) TNEF, (2) CHM, or (3) FSG file format processors in libclamav for Clam AntiVirus (ClamAV) 0.86.1 and earlier allow remote attackers to gain privileges via a crafted e-mail message. clam-antivirus-file-format-gain-access(21555) http://sourceforge.net/project/shownotes.php?release_id=344514 14359 GLSA-200507-25 CLSA-2005:987 18259 18258 18257 SUSE-SR:2005:018 16458 16296 16250 16229 16180 20050725 ClamAV Multiple Rem0te Buffer Overflows Cisco IOS 12.0 through 12.4 and IOS XR before 3.2, with IPv6 enabled, allows remote attackers on a local network segment to cause a denial of service (device reload) and possibly execute arbitrary code via a crafted IPv6 packet. TA05-210A VU#930892 cisco-ios-ipv6-packet-command-execution(21591) 20050729 IPv6 Crafted Packet Vulnerability oval:org.mitre.oval:def:5445 14414 18332 1014598 16272 20050729 Cisco IOS Shellcode Presentation libtiff up to 3.7.0 allows remote attackers to cause a denial of service (application crash) via a TIFF image header with a zero "YCbCr subsampling" value, which causes a divide-by-zero error in (1) tif_strip.c and (2) tif_tile.c, a different vulnerability than CVE-2004-0804. USN-156-1 https://bugzilla.ubuntu.com/show_bug.cgi?id=12008 14417 MDKSA-2005:144 MDKSA-2005:143 MDKSA-2005:142 16486 16266 Cross-site scripting (XSS) vulnerability in NetworkActiv Web Server 1.0, 2.0.0.6, 3.0.1.1, and 3.5.13, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via the query string. http://secunia.com/secunia_research/2005-31/advisory/ 16301 networkactiv-xss(21696) 14473 18525 1014624 IBM Lotus Notes 6.5.4 and 6.5.5, and 7.0.0 and 7.0.1, uses insecure default permissions (Everyone/Full Control) for the "Notes" folder and all children, which allows local users to gain privileges and modify, add, or delete files in that folder. Update to version 7.0.2. VU#383092 lotusnotes-directory-insecure-permission(29660) ADV-2006-4093 20612 20061018 Secunia Research: IBM Lotus Notes Insecure Default FolderPermissions 29761 http://www-1.ibm.com/support/docview.wss?rs=463&uid=swg21246773 1017086 http://secunia.com/secunia_research/2005-29/advisory/ 27342 19537 Greasemonkey before 0.3.5 allows remote web servers to (1) read arbitrary files via a GET request to a file:// URL in the GM_xmlhttpRequest API function, (2) list installed scripts using GM_scripts, or obtain sensitive information via (3) GM_setValue and GM_getValue. mozilla-greasemonkey-information-disclosure(21453) 14336 http://www.securiteam.com/securitynews/5CP0P20GBK.html 1014529 16128 http://greasemonkey.mozdev.org/changes/0.3.5.html http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html ADV-2005-1147 18154 [Greasemonkey] 20050718 greasemonkey for secure data over insecure networks / sites [Greasemonkey] 20050718 greasemonkey for secure data over insecure networks / sites Array index overflow in the xfrm_sk_policy_insert function in xfrm_user.c in Linux kernel 2.6 allows local users to cause a denial of service (oops or deadlock) and possibly execute arbitrary code via a p->dir value that is larger than XFRM_POLICY_OUT, which is used as an index in the sock->sk_policy array. http://www.mail-archive.com/netdev@vger.kernel.org/msg00520.html http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=a4f1bac62564049ea4718c4624b0fadc9f597c84 http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=blobdiff;h=8da3e25b2c4c1f305fd85428d3a9eb62b543bfba;hp=ecade4893a139cc35d4fe345ce70242ede5358c4;hb=a4f1bac62564049ea4718c4624b0fadc9f597c84;f=net/xfrm/xfrm_user.c ADV-2005-1878 MDKSA-2005:220 MDKSA-2005:219 oval:org.mitre.oval:def:10858 linux-kernel-xfrm-dos(21710) USN-169-1 14477 FLSA:157459-3 RHSA-2005:663 RHSA-2005:514 SUSE-SA:2005:050 MDKSA-2005:220 MDKSA-2005:219 DSA-922 DSA-921 18059 18056 17826 17073 17002 16500 16298 The driver for compressed ISO file systems (zisofs) in the Linux kernel before 2.6.12.5 allows local users and remote attackers to cause a denial of service (kernel crash) via a crafted compressed ISO file system. USN-169-1 14614 MDKSA-2005:220 MDKSA-2005:219 16355 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 SUSE-SA:2005:068 SUSE-SA:2005:050 MDKSA-2005:220 MDKSA-2005:219 MDKSA-2005:218 DSA-1018 DSA-1017 19374 19369 17918 17826 16500 inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 allows remote attackers to cause a denial of service (kernel crash) via a compressed file with "improper tables". 16355 USN-169-1 MDKSA-2005:220 MDKSA-2005:219 [bug-gnu-utils] 19990625 Re: bug in gzip: segfault when doing "gzip -t" on a broken file oval:org.mitre.oval:def:10785 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 14719 FLSA:157459-2 FLSA:157459-1 FLSA:157459-3 SUSE-SA:2005:068 RHSA-2006:0191 RHSA-2006:0190 RHSA-2006:0144 RHSA-2006:0101 SUSE-SA:2005:050 MDKSA-2005:220 MDKSA-2005:219 DSA-922 DSA-921 19252 18684 18510 18059 18056 17918 17826 16500 The huft_build function in inflate.c in the zlib routines in the Linux kernel before 2.6.12.5 returns the wrong value, which allows remote attackers to cause a denial of service (kernel crash) via a certain compressed file that leads to a null pointer dereference, a different vulnerbility than CVE-2005-2458. 16355 USN-169-1 MDKSA-2005:220 MDKSA-2005:219 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.12.5 http://bugs.gentoo.org/show_bug.cgi?id=94584 14720 SUSE-SA:2005:068 SUSE-SA:2005:050 MDKSA-2005:220 MDKSA-2005:219 DSA-922 DSA-921 18059 18056 17918 17826 16500 Multiple cross-site scripting (XSS) vulnerabilities in Kayako liveResponse 2.x allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter or (2) name field when entering a session or sending a message. 14425 18397 18395 http://www.gulftech.org/?node=research&article_id=00092-07302005 16286 20050730 Kayako liveResponse Multiple Vulnerabilities Multiple SQL injection vulnerabilities in the calendar feature in Kayako liveResponse 2.x allow remote attackers to execute arbitrary SQL commands via the (1) year or (2) date parameter. 14425 18396 http://www.gulftech.org/?node=research&article_id=00092-07302005 16286 20050730 Kayako liveResponse Multiple Vulnerabilities Kayako liveResponse 2.x, when logging in a user, records the password in plaintext in the URL, which allows local users and possibly remote attackers to gain privileges. 14425 18398 http://www.gulftech.org/?node=research&article_id=00092-07302005 16286 20050730 Kayako liveResponse Multiple Vulnerabilities Kayako liveResponse 2.x allows remote attackers to obtain sensitive information via a direct request to addressbook.php and other include scripts, which reveals the path in an error message. 14425 18399 http://www.gulftech.org/?node=research&article_id=00092-07302005 16286 20050730 Kayako liveResponse Multiple Vulnerabilities login.php in PCXP/TOPPE CMS allows remote attackers to bypass authentication and gain privileges by modifying the cookie to match the target userid. 20050730 PC-EXPERIENCE/TOPPE CMS Security Advisory Cross-site scripting (XSS) vulnerability in pm.php in PCXP/TOPPE CMS allows remote attackers to inject arbitrary web script or HTML via the msg variable. 14428 18715 20050730 PC-EXPERIENCE/TOPPE CMS Security Advisory Multiple SQL injection vulnerabilities in the auth_user function in admin.php in OpenBook 1.2.2 allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password parameter. openbook-authuser-sql-injection(21643) ADV-2005-1301 14444 18475 1014606 20050730 [SVadvisory] - SQL injection in OpenBook 1.2.2 Multiple cross-site scripting (XSS) vulnerabilities in MySQL Eventum 1.5.5 and earlier allow remote attackers to inject arbitrary web script or HTML via the (1) id parameter to view.php, (2) release parameter to list.php, or (3) F parameter to get_jsrs_data.php. 1014603 16304 http://lists.mysql.com/eventum-users/2072 ADV-2005-1287 14436 18402 18401 18400 http://www.gulftech.org/?node=research&article_id=00093-07312005 20050731 MySQL Eventum Multiple Vulnerabilities Multiple SQL injection vulnerabilities in MySQL Eventum 1.5.5 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) isCorrectPassword or (2) userExist function in class.auth.php, getCustomFieldReport function in (4) custom_fields.php, (5) custom_fields_graph.php, or (6) class.report.php, or the insert function in (7) releases.php or (8) class.release.php. 18406 18405 18404 18403 1014603 16304 http://lists.mysql.com/eventum-users/2072 ADV-2005-1287 14437 http://www.gulftech.org/?node=research&article_id=00093-07312005 20050731 MySQL Eventum Multiple Vulnerabilities Stack-based buffer overflow in the NMAP Agent for Novell NetMail 3.52C and possibly earlier versions allows local users to execute arbitrary code via a long user name in the USER command. http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972438.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972433.htm http://support.novell.com/cgi-bin/search/searchtid.cgi?/2972340.htm http://secunia.com/secunia_research/2005-23/advisory/ 15925 netmail-nmap-user-bo(22727) 15080 19916 1015048 20051012 Secunia Research: Novell NetMail NMAP Agent "USER" Buffer Overflow Vulnerability Buffer overflow in a "core application plug-in" for Adobe Reader 5.1 through 7.0.2 and Acrobat 5.0 through 7.0.2 allows attackers to cause a denial of service (crash) and possibly execute arbitrary code via unknown vectors. VU#896220 http://www.adobe.com/support/techdocs/321644.html ADV-2005-1434 adobe-acrobat-reader-plugin-bo(21860) 14603 RHSA-2005:750 SUSE-SR:2005:019 GLSA-200508-11 1014712 16466 pstopnm in netpbm does not properly use the "-dSAFER" option when calling Ghostscript to convert a PostScript file into a (1) PBM, (2) PGM, or (3) PNM file, which allows external user-assisted attackers to execute arbitrary commands. netpbm-dsafer-command-execution(21500) 2005-0038 14379 RHSA-2005:743 18253 SUSE-SR:2005:019 DSA-1021 1014752 19436 18330 16184 oval:org.mitre.oval:def:11645 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319757 Multiple buffer overflows in BusinessMail 4.60.00 allow remote attackers to cause a denial of service (application crash) via a long string to SMTP (1) HELO or (2) MAIL FROM commands. http://reedarvin.thearvins.com/20050730-01.html 20050801 Buffer overflow in BusinessMail email server system 4.60.00 businessmail-smtp-dos(21636) 14434 16306 18407 1014602 20050801 Buffer overflow in BusinessMail email server system 4.60.00 Multiple SQL injection vulnerabilities in ChurchInfo allow remote attackers to execute arbitrary SQL commands via the PersonID parameter to (1) PersonView.php, (2) MemberRoleChange.php, (3) PropertyAssign.php, (4) WhyCameEditor.php, (5) GroupPropsEditor.php, (6) Reports/PDFLabel.php, or (7) UserDelete.php, (8) DepositSlipID parameter to DepositSlipEditor.php, (9) QueryID parameter to QueryView.php, GroupID parameter to (10) GroupView.php, (11) GroupMemberList.php, (12) MemberRoleChange.php, (13) GroupDelete.php, (14) /Reports/ClassAttendance.php, or (15) /Reports/GroupReport.php, (16) PropertyID parameter to PropertyEditor.php, FamilyID parameter to (17) Canvas05Editor.php, (18) CanvasEditor.php, or (19) FamilyView.php, or (20) PledgeID parameter to PledgeDetails.php. churchinfo-sql-injection(21647) 14438 18428 18427 18424 18423 18422 18421 18420 18419 18418 18417 18416 18415 18414 18413 18412 18411 18410 18409 18408 1014617 16292 20050801 ChurchInfo Multiple Vulnerabilities ChurchInfo allows remote attackers to execute obtain sensitive information via the PersonID parameter to (1) PersonView.php, (2) MemberRoleChange.php, (3) PropertyAssign.php, (4) WhyCameEditor.php, (5) GroupPropsEditor.php, (6) Reports/PDFLabel.php, or (7) UserDelete.php, an invalid Number parameter to (8) SelectList.php or (9) SelectDelete.php, GroupID parameter to (10) GroupView.php, (11) GroupMemberList.php, (12) MemberRoleChange.php, (13) GroupDelete.php, (14) /Reports/ClassAttendance.php, or (15) /Reports/GroupReport.php, (16) PropertyID parameter to PropertyEditor.php, FamilyID parameter to (17) Canvas05Editor.php, (18) CanvasEditor.php, or (19) FamilyView.php, or (20) PledgeID parameter to PledgeDetails.php, which reveal the path in an error message. churchinfo-path-disclosure(21648) 18450 18439 18438 18437 18436 18435 18434 18433 18432 18431 18430 18429 18426 18425 1014617 16292 20050801 ChurchInfo Multiple Vulnerabilities Race condition in Unzip 5.52 allows local users to modify permissions of arbitrary files via a hard link attack on a file while it is being decompressed, whose permissions are changed by Unzip after the decompression is complete. oval:org.mitre.oval:def:9975 USN-191-1 2005-0053 14450 RHSA-2007:0203 18530 MDKSA-2005:197 DSA-903 32 25098 17653 17342 17045 17006 16985 16309 20050801 unzip TOCTOU file-permissions vulnerability SCOSA-2005.39 Cross-site scripting (XSS) vulnerability in lost_passowrd.php in Naxtor Shopping Cart 1.0 allows remote attackers to inject arbitrary web script or HTML via the email parameter. 16262 naxtorshoppingcart-password-xss(21676) 14454 1014613 20050802 [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection shop_display_products.php in Naxtor Shopping Cart 1.0 allows remote attackers to obtain sensitive information via a cat_id with a "'" (single quote), which reveals the path in an error message, possibly due to an SQL injection vulnerability. 16262 naxtorshoppingcart-path-disclosure(21677) 14456 1014613 20050802 [NOBYTES.COM: #8] Naxtor Shopping Cart 1.0 - Information Disclosure & Possible SQL Injection SQL injection vulnerability in SilverNews 2.0.3 allows remote attackers to execute arbitrary SQL commands via the user field on the login page in the Admin control panel. 16315 14466 http://www.rgod.altervista.org/silvernews.html silvernews-username-sql-injection(21688) 18517 1014622 20050803 Silvernews 2.0.3 (possibly previous versions ) SQL Injection / Login Bypass / Remote commands execution / cross site scripting Quick 'n Easy FTP Server 3.0 allows remote attackers to cause a denial of service (application crash or CPU consumption) via a long USER command. quickneasy-user-command-dos(21679) 14451 20060325 Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow vulnerabilities) 1014615 20050803 Re: Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow 20050802 Re: Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow 20050802 Quick 'n Easy FTP Server 3.0 pro / lite (buffer overflow Cross-site scripting (XSS) vulnerability in ColdFusion Fusebox 4.1.0 allows remote attackers to inject arbitrary web script or HTML via the fuseaction parameter, which is not quoted in an error page, as demonstrated using index.cfm. 14460 16320 fusebox-fuseaction-xss(21697) 20050803 Coldfusion Fusebox V4.1.0 Vulnerability ColdFusion Fusebox 4.1.0 allows remote attackers to obtain sensitive information via an invalid fuseaction parameter, which leaks the full server path in an error message, as demonstrated using the "?" (question mark) character. 20050803 Coldfusion Fusebox V4.1.0 Vulnerability The StateToOptions function in msfweb in Metasploit Framework 2.4 and earlier, when running with the -D option (defanged mode), allows attackers to modify temporary environment variables before the "_Defanged" environment option is checked when processing the Exploit command. 16318 http://metasploit.com/archive/framework/msg00469.html metasploit-defanged-bypass-security(21705) 14455 18495 Eval injection vulnerability in Karrigell before 2.1.8 allows remote attackers to execute arbitrary Python code via modified arguments to a Karrigell services (.ks) script, which can reference functions from libraries that are used by that script. [karrigell-main] 20050802 Re: SECURITY: python namespace exposure 16319 karrigel-dos(21668) 14463 18506 [karrigell-main] 20050731 SECURITY: python namespace exposure Buffer overflow in the rdb_query function for Denora IRC Stats 1.0 might allow attackers to execute arbitrary code. denora-rdbquery-bo(21686) 14471 http://sourceforge.net/project/shownotes.php?release_id=346819 16281 http://denora.nomadirc.net/index.php ADV-2005-1319 Cross-site scripting (XSS) vulnerability in the Helpdesk in Logicampus before 1.1.1 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 14472 http://sourceforge.net/project/shownotes.php?release_id=346801 logicampus-helpdesk-xss(21687) 16297 SQL injection vulnerability in mod_forum/read_message.php in PortailPHP allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php with the affiche parameter set to "Forum-read_mess", a different vulnerability than CVE-2005-1701. 14474 20050804 SQL IN PortailPHP 18685 Unknown vulnerability in Sun McData switches and directors 4300, 4500, 6064, and 6140 before E/OS 6.0.0 may allow attackers to cause a denial of service (connectivity and array access loss) via a network broadcast storm. 101833 16295 mcdata-switch-director-dos(21706) 14475 Cross-site scripting (XSS) vulnerability in Web Content Management News System allows remote attackers to inject arbitrary web script or HTML via (1) the strRootpath parameter to validsession.php or (2) the strTable parameter to Admin/News/List.php. http://www.rgod.altervista.org/webc.html 1014616 16317 webcms-multiple-script-xss(21689) 14464 Web Content Management News System allows remote attackers to create arbitrary accounts and gain privileges via a direct request to Admin/Users/AddModifyInput.php. http://www.rgod.altervista.org/webc.html 1014616 16317 webcms-addmodifyinput-create-account(21694) 14465 18524 Stack-based buffer overflow in the sendmsg function call in the Linux kernel 2.6 before 2.6.13.1 allows local users execute arbitrary code by calling sendmsg and modifying the message contents in another thread. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166248 16747 kernel-sendmsg-bo(22217) ADV-2005-1878 USN-178-1 14785 MDKSA-2005:220 MDKSA-2005:219 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1 oval:org.mitre.oval:def:10481 FLSA:157459-2 FLSA:157459-1 FLSA:157459-3 SUSE-SA:2005:068 RHSA-2005:663 RHSA-2005:514 MDKSA-2005:235 MDKSA-2005:220 MDKSA-2005:219 DSA-1017 19374 17918 17826 17073 17002 2005-0049 Integer overflow in pcre_compile.c in Perl Compatible Regular Expressions (PCRE) before 6.2, as used in multiple products such as Python, Ethereal, and PHP, allows attackers to execute arbitrary code via quantifier values in regular expressions, which leads to a heap-based buffer overflow. 1014744 ADV-2006-4502 ADV-2006-4320 ADV-2006-0789 ADV-2005-2659 ADV-2005-1511 14620 SSRT051251 SSRT051251 oval:org.mitre.oval:def:11516 SSRT090208 HPSBOV02683 SSRT061238 15647 FLSA:168516 RHSA-2006:0197 RHSA-2005:761 RHSA-2005:358 http://www.php.net/release_4_4_1.php SUSE-SA:2005:052 SUSE-SA:2005:049 SUSE-SA:2005:048 GLSA-200509-19 GLSA-200509-12 GLSA-200509-02 GLSA-200509-08 http://www.ethereal.com/appnotes/enpa-sa-00021.html DSA-821 DSA-819 DSA-817 DSA-800 http://support.avaya.com/elmodocs2/security/ASA-2006-159.htm http://support.avaya.com/elmodocs2/security/ASA-2006-081.htm http://support.avaya.com/elmodocs2/security/ASA-2005-223.pdf http://support.avaya.com/elmodocs2/security/ASA-2005-216.pdf 102198 604 22875 22691 21522 19532 19193 19072 17813 17252 16679 16502 OpenPKG-SA-2005.018 SUSE-SA:2005:051 TSLSA-2005-0059 SSRT061238 APPLE-SA-2005-11-29 20060401-01-U SCOSA-2006.10 oval:org.mitre.oval:def:735 oval:org.mitre.oval:def:1659 oval:org.mitre.oval:def:1496 The raw_sendmsg function in the Linux kernel 2.6 before 2.6.13.1 allows local users to cause a denial of service (change hardware state) or read from arbitrary memory via crafted input. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=166830 kernel-rawsendmsg-obtain-information(22218) USN-178-1 14787 MDKSA-2005:220 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.13.1 16747 oval:org.mitre.oval:def:11031 FLSA:157459-3 SUSE-SA:2005:068 RHSA-2005:514 MDKSA-2005:235 MDKSA-2005:220 17918 17073 2005-0049 kcheckpass in KDE 3.2.0 up to 3.4.2 allows local users to gain root access via a symlink attack on lock files. http://www.kde.org/info/security/advisory-20050905-1.txt ftp://ftp.kde.org/pub/kde/security_patches/post-3.4.2-kdebase-kcheckpass.diff oval:org.mitre.oval:def:9388 USN-176-1 http://www.suresec.org/advisories/adv6.pdf 14736 RHSA-2006:0582 MDKSA-2005:160 DSA-815 21481 18139 16692 20050907 [ Suresec Advisories ] - Kcheckpass file creation vulnerability 20050905 [KDE Security Advisory] kcheckpass local root vulnerability Multiple integer overflows in XFree86 before 4.3.0 allow user-assisted attackers to execute arbitrary code via a crafted pixmap image. VU#102441 xorg-pixmap-bo(22244) ADV-2006-3140 14807 HPSBUX02137 HPSBUX02137 FLSA:168264-2 FEDORA-2005-894 FEDORA-2005-893 USN-182-1 RHSA-2005:501 RHSA-2005:396 RHSA-2005:329 19352 SUSE-SA:2005:056 SUSE-SR:2005:023 MDKSA-2005:164 GLSA-200509-07 DSA-816 http://support.avaya.com/elmodocs2/security/ASA-2005-226.pdf http://support.avaya.com/elmodocs2/security/ASA-2005-218.pdf 101953 101926 1014887 21318 19796 19624 17278 17258 17215 17044 16790 16777 oval:org.mitre.oval:def:9615 2005-0049 20060403-01-U SCOSA-2006.22 oval:org.mitre.oval:def:998 oval:org.mitre.oval:def:1044 The xntpd ntp (ntpd) daemon before 4.2.0b, when run with the -u option and using a string to specify the group, uses the group ID of the user instead of the group, which causes xntpd to run with different privileges than intended. ntp-incorrect-group-permissions(22035) ADV-2005-1561 FEDORA-2005-812 16602 oval:org.mitre.oval:def:9669 14673 RHSA-2006:0393 19055 MDKSA-2005:156 DSA-801 1016679 21464 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-2641. Reason: This candidate is a duplicate of CVE-2005-2641. Notes: All CVE users should reference CVE-2005-2641 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Eval injection vulnerability in PHPXMLRPC 1.1.1 and earlier (PEAR XML-RPC for PHP), as used in multiple products including (1) Drupal, (2) phpAdsNew, (3) phpPgAds, and (4) phpgroupware, allows remote attackers to execute arbitrary PHP code via certain nested XML tags in a PHP document that should not be nested, which are injected into an eval function call, a different vulnerability than CVE-2005-1921. http://www.hardened-php.net/advisory_152005.67.html 20050815 [DRUPAL-SA-2005-004] Drupal 4.6.3 / 4.5.5 fixes critical XML-RPC issue oval:org.mitre.oval:def:9569 14560 20050815 Advisory 15/2005: PHPXMLRPC Remote PHP Code Injection Vulnerability RHSA-2005:748 SUSE-SA:2005:049 GLSA-200509-19 FLSA:166943 DSA-842 DSA-840 DSA-798 DSA-789 17440 17066 17053 16976 16693 16635 16619 16563 16558 16550 16491 16469 16468 16465 16460 16441 16432 16431 SUSE-SA:2005:051 20050817 [PHPADSNEW-SA-2005-001] phpAdsNew and phpPgAds 2.0.6 fix multiple vulnerabilities slocate before 2.7 does not properly process very long paths, which allows local users to cause a denial of service (updatedb exit and incomplete slocate database) via a certain crafted directory structure. RHSA-2005:747 oval:org.mitre.oval:def:9538 slocate-directory-structure-dos(22316) 14640 RHSA-2005:346 RHSA-2005:345 19034 1014751 Buffer overflow in the xdr_xcode_array2 function in xdr.c in Linux kernel 2.6.12, as used in SuSE Linux Enterprise Server 9, might allow remote attackers to cause a denial of service and possibly execute arbitrary code via crafted XDR data for the nfsacl protocol. SUSE-SA:2005:044 http://lkml.org/lkml/2005/6/23/19 http://lkml.org/lkml/2005/6/23/126 kernel-xdrxcodearray-dos(21805) 14470 16406 http://linux.bkbits.net:8080/linux-2.6/cset@42b9c4fdYUuaq0joRUZi8W0Q-2hA1A Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2 allows external user-assisted attackers to execute arbitrary code via a crafted Rich Text Format (RTF) file. TA05-229A VU#435188 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 1014695 Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2, as used in applications such as TextEdit, allows external user-assisted attackers to execute arbitrary code via a crafted Microsoft Word file. TA05-229A VU#172948 1014695 APPLE-SA-2005-08-17 APPLE-SA-2005-08-15 AppKit for Mac OS X 10.3.9 and 10.4.2 allows attackers with physical access to create local accounts by forcing a particular error to occur at the login window. APPLE-SA-2005-08-17 1014696 APPLE-SA-2005-08-15 The System Profiler in Mac OS X 10.4.2 labels a Bluetooth device with "Requires Authentication: No" even when the user has selected the "Require pairing for security" option, which could confuse users about which setting is valid. APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 Buffer overflow in CoreFoundation in Mac OS X 10.3.9 allows attackers to execute arbitrary code via command line arguments to an application that uses CoreFoundation. APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 1014697 Algorithmic complexity vulnerability in CoreFoundation in Mac OS X 10.3.9 and 10.4.2 allows attackers to cause a denial of service (CPU consumption) via crafted Gregorian dates. APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 1014697 Buffer overflow in Directory Services in Mac OS X 10.3.9 and 10.4.2 allows