webadmin.exe in Novell Nsure Audit 1.0.1 allows remote attackers to cause a denial of service via malformed ASN.1 packets in corrupt client certificates to an SSL server, as demonstrated using an exploit for the OpenSSL ASN.1 parsing vulnerability. 20040115 OpenSSL ASN.1 parsing bugs PoC / brute forcer http://www.cirt.dk/advisories/cirt-31-advisory.pdf http://support.novell.com/cgi-bin/search/searchtid.cgi?/10097379.htm 20050424 [CIRT.DK - Advisory] Novell Nsure Audit 1.0.1 Denial of Service Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing .. (dot dot) sequences in a filename that ends with a ? (question mark) and an allowed file extension (e.g. .mp3), which bypasses the check for the file extension. realplayer-media-file-deletion(17551) 11308 http://www.ngssoftware.com/advisories/real-02full.txt http://service.real.com/help/faq/security/040928_player/EN/ 12672 20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f) 20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Format string vulnerability in the SetBaseURL function in AtHoc toolbar allows remote attackers to execute arbitrary code via format string specifiers in an invalid URL that is recorded in the debug log. athoc-toolbar-format-string(17628) 11341 http://www.ngssoftware.com/advisories/athoc-01full.txt 20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c) 20041006 Patch available for high risk flaws in the AtHoc Toolbar Stack-based buffer overflow in the HandleAction function in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to execute arbitrary code via a long ShowPreferences argument. VU#698390 12311 http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer 20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e) 20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Directory traversal vulnerability in the parsing of Skin file names in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in an RJS filename. realplayer-rjs-filenane-directory-traversal(18984) http://www.ngssoftware.com/advisories/real-03full.txt http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Buffer overflow in digestmd5.c CVS release 1.170 (also referred to as digestmda5.c), as used in the DIGEST-MD5 SASL plugin for Cyrus-SASL but not in any official releases, allows remote attackers to execute arbitrary code. cyrus-sasl-digestmda5-bo(17642) 11347 [openbsd-ports] 20040717 UPDATE: cyrus-sasl-2.1.19 SUSE-SR:2005:006 GLSA-200410-05 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c?rev=1.171&content-type=text/x-cvsweb-markup https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171 MDKSA-2005:054 The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 Multiple stack-based buffer overflows in Sybase Adaptive Server Enterprise (ASE) 12.x before 12.5.3 ESD#1 allow remote authenticated users to execute arbitrary code via the (1) attrib_valid function, (2) covert function, (3) declare statement, or (4) a crafted query plan, or remote authenticated users with database owner or "sa" role privileges to execute arbitrary code via (5) a crafted install java statement. sybase-ase-install-java-bo(19980) sybase-ase-abstract-bo(19979) sybase-ase-declare-bo(19978) sybase-ase-convert-bo(19976) sybase-ase-attribvalid-bo(19974) sybase-adaptive-server(19354) http://www.sybase.com/detail?id=1034752 http://www.sybase.com/detail?id=1034520 12080 20050321 Details of Sybase ASE bugs withheld 13632 20050405 Sybase ASE Multiple Security Issues (#NISR05042005) 20041222 Sybase ASE 12.5.2 vulnerabilities http://www.ngssoftware.com/advisories/sybase-ase.txt Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter. 20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution sugar-sales-index-xss(18719) 12113 Direct code injection vulnerability in FlatNuke 2.5.1 allows remote attackers to execute arbitrary PHP code by placing the code into the url_avatar field. flatnuke-indexphp-xss(18746) 12150 20050102 Multiple Vulnerabilities in FlatNuke Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php. reviewpost-php-sql-injection(18732) http://www.gulftech.org/?node=research&article_id=00062-01022005 13697 20050103 Serious Vulnerabilities In PhotoPost ReviewPost Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters. photopost-php-showgallery-xss(18744) 12156 http://www.gulftech.org/?node=research&article_id=00063-01032005 20050103 Multiple PhotoPost Pro Vulnerabilities 13680 Format string vulnerability in Soldner Secret Wars 30830 and earlier allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in a message. soldner-secret-wars-format-string(18752) 12162 13716 20050104 Socket termination, format string and XSS in Soldner Secret Wars Directory traversal vulnerability in index.php in QwikiWiki allows remote attackers to read arbitrary files via a .. (dot dot) and a %00 at the end of the filename in the page parameter. qwikiwiki-directory-traversal(18748) 12163 20050104 QWikiwiki directory traversal vulnerability http://www.qwikiwiki.com/index.php?page=QwikiVulnerability 12044 The mod_dosevasive module 1.9 and earlier for Apache creates temporary files with predictable filenames, which could allow remote attackers to overwrite arbitrary files via a symlink attack. moddosevasive-symlink(18765) 12181 http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01 20050111 Mod_dosevasive symlink and race vulnerability 13725 SQL injection vulnerability in addentry.php in Woltlab Burning Book 1.0 Gold, 1.1.1e, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the user-agent parameter. woltlab-book-addentry-sql-injection(18859) 20050110 Woltlab Burning Book addentry.php SQL Injection Bottomline Webseries Payment Application allows remote attackers to read arbitrary files on the network via a report template with modified ReportPath or ReportName values. webseries-report-execution(18862) 20050110 Portcullis Security Advisory 05-009 1012854 13821 The NTLM component in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via a malformed NTLM type 3 message that triggers a NULL dereference. 2005-0003 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 GLSA-200501-25 13789 12220 1012818 FLSA-2006:152809 Apache mod_auth_radius 1.5.4 and libpam-radius-auth allow remote malicious RADIUS servers to cause a denial of service (crash) via a RADIUS_REPLY_MESSAGE with a RADIUS attribute length of 1, which leads to a memcpy operation with a -1 length argument. modauthradius-dos(18841) DSA-659 http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02 20050111 Apache mod_auth_radius remote integer overflow 12217 1012829 14046 13773 Buffer overflow in XShisen before 1.36 allows local users to execute arbitrary code via a long GECOS field. http://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784 The change password functionality in Bottomline Webseries Payment Application does not require the old password when users enter a new password, which could allow remote authenticated users to change other users' passwords. webseries-pa-password-gain-access(18860) 12231 20050110 Portcullis Security Advisory 05-008 1012854 13821 PHP remote file inclusion vulnerability in SGallery 1.01 allows local and possibly remote attackers to execute arbitrary PHP code by modifying the DOCUMENT_ROOT parameter to reference a URL on a remote web server that contains (1) config.php or (2) sql_layer.php. sgallery-file-include(18878) http://www.waraxe.us/advisory-39.html 1012868 13824 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke Opera 7.54 and earlier does not properly validate base64 encoded binary data in a data: (RFC 2397) URL, which causes the URL to be obscured in a download dialog, which may allow remote attackers to trick users into executing arbitrary code. VU#882926 http://www.opera.com/linux/changelogs/754u2/ GLSA-200502-17 13818 opera-data-dialog-spoofing(18867) SUSE-SA:2005:031 The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local users to overwrite or create arbitrary files via a symlink attack on temporary files. vim-symlink(18870) RHSA-2005:122 RHSA-2005:036 13841 20050118 [USN-61-1] vim vulnerabilities FLSA:2343 1012938 Stack-based buffer overflow in the websql CGI program in MySQL MaxDB 7.5.00 allows remote attackers to execute arbitrary code via a long password parameter. 20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability 12265 20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability 1012893 Cross-site scripting (XSS) vulnerability in f.aspx in forumKIT 1.0 allows remote attackers to inject arbitrary web script or HTML via the members parameter. forumkit-members-xss(18880) 12256 1012895 20050113 XSS Vulnerability in ForumKIT The TCP stack (tcp_input.c) in OpenBSD 3.5 and 3.6 allows remote attackers to cause a denial of service (system panic) via crafted values in the TCP timestamp option, which causes invalid arguments to be used when calculating the retransmit timeout. 12250 20050111 027: RELIABILITY FIX: January 11, 2005 1012861 13819 Internet Explorer 6 on Windows XP SP2 allows remote attackers to bypass the file download warning dialog and possibly trick an unknowledgeable user into executing arbitrary code via a web page with a body element containing an onclick tag, as demonstrated using the createElement function. 20050114 Internet Explorer (SP2) - Remote File Download inpview in SGI IRIX allows local users to execute arbitrary commands via the SUN_TTSESSION_CMD environment variable, which is executed by inpview without dropping privileges. irix-inpview-gain-privileges(18894) 20050113 SGI IRIX inpview Design Error Vulnerability 13858 12259 12915 1012894 Buffer overflow in the gopherToHTML function in the Gopher reply parser for Squid 2.5.STABLE7 and earlier allows remote malicious Gopher servers to cause a denial of service (crash) via crafted responses. RHSA-2005:061 RHSA-2005:060 DSA-651 GLSA-200501-25 13825 2005-0003 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch http://www.squid-cache.org/Advisories/SQUID-2005_1.txt SUSE-SA:2005:006 CLA-2005:923 12276 MDKSA-2005:014 FLSA-2006:152809 The WCCP message parsing code in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via malformed WCCP messages with source addresses that are spoofed to reference Squid's home router and invalid WCCP_I_SEE_YOU cache numbers. 2005-0003 http://www.squid-cache.org/Advisories/SQUID-2005_2.txt RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-651 GLSA-200501-25 13825 CLA-2005:923 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch 12275 12886 MDKSA-2005:014 1012882 FLSA-2006:152809 minis.php in Minis 0.2.1 allows remote attackers to cause a denial of service (infinite loop) via an HTTP request for a file that the web server does not have permission to read, as demonstrated using the month parameter. minis-month-dos(18929) 20050116 Minis directory traversal vulnerability 20050116 Minis directory traversal vulnerability 1012911 13866 Cross-site scripting (XSS) vulnerability in login.php in Gallery 2.0 Alpha allows remote attackers to inject arbitrary web script or HTML via the g2_form[subject] field. gallery-multiple-xss(18938) http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 http://theinsider.deep-ice.com/texts/advisory69.txt 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability 20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability gallery-g2formsubject-xss(43472) NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to bypass the filters using hex encoded URLs, as demonstrated using a hex encoded file extension. netgear-fvs318-filter-bypass(18920) 12278 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 1012913 13787 Cross-site scripting (XSS) vulnerability in the log viewer in NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via a blocked URL phrase. netgear-fvs318-log-xss(18921) 12278 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 13012 1012913 13787 Multiple SQL injection vulnerabilities in index.php in PHP Gift Registry (phpGiftReg) 1.4.0, and possibly other versions before 1.5.0b1, allow remote attackers to execute arbitrary SQL commands via the (1) messageid, (2) shopper, (3) shopfor, or (4) itemid parameters. 12289 20050307 Re: phpGiftReq SQL Injection phpgiftregistry-sql-injection(18925) 13873 20050116 phpGiftReq SQL Injection 20050116 phpGiftReq SQL Injection 1012910 npptnt2.sys in nProtect Gameguard provides unrestricted I/O to any process that calls it, which allows local users to gain privileges. nprotect-npptnt2-gain-access(18952) 12280 20050116 Unrestricted I/O access vulnerability in INCA Gameguard 13928 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. The error module in Novell GroupWise WebAccess allows remote attackers who have not authenticated to read potentially sensitive information, such as the version, via an incorrect login and a modified (1) error or (2) modify parameter that returns template files or the "about" information page. NOTE: the vendor has disputed this issue. groupwise-error-auth-bypass(18954) 12285 20050127 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report) 20050121 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report) http://support.novell.com/servlet/tidfinder/10096251 20050117 Novell GroupWise WebAccess error modules loading 13135 AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl. VU#272296 20050117 AWStats Remote Command Execution Vulnerability 13893 http://awstats.sourceforge.net/docs/awstats_changelog.txt 12298 13002 http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf SQL injection vulnerability in Oracle Database 9i and 10g allows remote attackers to execute arbitrary SQL commands and gain privileges. 20050118 Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port. cisco-ios-sccp-dos(18956) 20050119 Vulnerability in Cisco IOS Embedded Call Processing Solutions oval:org.mitre.oval:def:4849 1012945 13913 Off-by-one buffer overflow in the processing of tags in Real Metadata Package (RMP) files in RealPlayer 10.5 (6.0.12.1040) and earlier could allow remote attackers to execute arbitrary code via a long tag. realplayer-long-filename-offbyone-bo(18982) http://www.ngssoftware.com/advisories/real-03full.txt http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Directory traversal vulnerability in session.php in JSBoard 2.0.9 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the table parameter. jsboard-session-file-include(18990) 12319 20050120 STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure 1012949 13920 Multiple directory traversal vulnerabilities in YaMT before 0.5_2 allow attackers to overwrite arbitrary files via the (1) rename or (2) sort options. http://www.vuxml.org/freebsd/99b5cfa5-d3d2-11d9-8ffb-00061bc2ad93.html http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html Multiple buffer overflows in YaMT before 0.5_2 allow attackers to execute arbitrary code via the (1) rename or (2) sort options. http://www.vuxml.org/freebsd/99b5cfa5-d3d2-11d9-8ffb-00061bc2ad93.html http://rpmfind.net/linux/RPM/suse/updates/8.2/i386/rpm/i586/yamt-0.5-1277.i586.html Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync 1.5 in Mac OS X 10.3.7 and earlier allows local users to execute arbitrary code. isync-mrouter-bo(19011) 20050122 Mac OS X 10.3 iSync Privilege Escalation APPLE-SA-2005-04-19 12334 1012974 13965 Buffer overflow in Golden FTP Server Pro (goldenftpd) 2.x allows remote attackers to execute arbitrary code via a long RNTO command. VU#620862 golden-ftp-rnto-bo(19015) 12333 http://www.goldenftpserver.com 13966 1012973 20050122 several BO's in goldenftpd zhcon before 0.2 does not drop privileges before reading a user configuration file, which allows local users to read arbitrary files. DSA-655 zhcon-information-disclosure(19045) 12343 MDKSA-2005:012 1012977 13987 13982 13977 Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature. https://bugzilla.mozilla.org/show_bug.cgi?id=265176 mozilla-script-click-event-bypass(19170) http://www.mozilla.org/security/announce/mfsa2005-07.html 12407 oval:org.mitre.oval:def:100051 Stack-based buffer overflow in DataRescue Interactive Disassembler (IDA) Pro 4.7 allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name. database-ida-portable-executable-bo(19042) http://www.datarescue.com/ubb/ultimatebb.php?/topic/2/146.html 20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability 12353 1012975 13980 Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow. evolution-camellockhelper-bo(19031) 12354 RHSA-2005:397 DSA-673 GLSA-200501-35 CLA-2005:925 RHSA-2005:238 USN-69-1 MDKSA-2005:024 1012981 13830 PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code. http://www.squirrelmail.org/security/issue/2005-01-19?PHPSESSID=8af117822fb1ca3aa966a64248b5d223 RHSA-2005:135 RHSA-2005:099 13962 APPLE-SA-2005-03-21 GLSA-200501-39 20050129 SquirrelMail Security Advisory squirrelmail-frame-file-include(19037) zhcon before 0.2 does not drop privileges before reading a user configuration file, which allows local users to read arbitrary files. DSA-655 zhcon-information-disclosure(19045) 12343 MDKSA-2005:012 1012977 13987 13982 13977 Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (memory consumption). http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth RHSA-2005:061 RHSA-2005:060 GLSA-200501-25 CLA-2005:923 2005-0003 SUSE-SA:2005:006 12324 1012818 FLSA-2006:152809 Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php or (2) mod.php in Exponent 0.95 allow remote attackers to inject arbitrary web script or HTML via the module parameter. exponent-module-xss(19061) 12358 20050125 Vulnerabilities in eXponent 0.95 13190 13188 MercuryBoard 1.1.1 allows remote attackers to gain sensitive information via an HTTP request with the n parameter set to 0, which causes a divide-by-zero error and reveals the path in the resulting error message. mercuryboard-multiple-script-path-disclosure(19048) 12359 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 Multiple cross-site scripting (XSS) vulnerabilities in index.php in MercuryBoard 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) s, (2) l, (3) a, (4) t, (5) to, or (6) re parameters. mercuryboard-multiple-scripts-xss(19050) 12359 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 Stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code. openswan-xauth-pam-bo(19078) http://www.openswan.org/support/vuln/IDEF0785/ 20050126 Openswan XAUTH/PAM Buffer Overflow Vulnerability 12377 FEDORA-2005-082 13195 1013014 14062 14038 WarFTPD 1.82 RC9, when running as an NT service, allows remote authenticated users to cause a denial of service (access violation) via a CWD command with a crafted pathname, as demonstrated using a large string of "%s" sequences, possibly indicating a format string vulnerability. 12384 20050127 WarFTPD 1.82 RC9 DoS warftpd-cwd-dos(19129) http://support.jgaa.com/index.php?cmd=ShowReport&ID=02643 Multiple directory traversal vulnerabilities in Magic Winmail Server 4.0 Build 1112 allow remote attackers to (1) upload arbitrary files via certain parameters to upload.php or (2) read arbitrary files via certain parameters to download.php, and remote authenticated users to read, create, or delete arbitrary directories and files via the IMAP commands (3) CREATE, (4) EXAMINE, (5) SELECT, or (6) DELETE. magic-winmail-command-directory-traversal(19114) magicwinmail-uploadphp-file-upload(19108) 12388 1013017 14053 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in user.php in Magic Winmail Server 4.0 Build 1112 allows remote attackers to inject arbitrary web script or HTML via the personal information fields. magic-winmail-userphp-xss(19113) 12388 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities 1013017 14053 The FTP service in Magic Winmail Server 4.0 Build 1112 does not verify that the IP address in a PORT command is the same as the IP address of the user of the FTP session, which allows remote authenticated users to use the server as an intermediary for port scanning. magicwinmail-ftp-obtain-information(19115) 12388 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities 1013017 14053 WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not properly drop CONNECT requests to the localhost from external systems, which could allow remote attackers to bypass intended access restrictions. 12394 14058 webwasher-classic-connect-gain-access(19144) http://www.oliverkarow.de/research/WebWasherCONNECT.txt 20050128 WebWasher Classic - HTTP CONNECT weakness 1013036 Cross-site scripting (XSS) vulnerability in useredit_account.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter. webadmin-usereditaccountwdm-xss(19161) 12395 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 1013038 14079 useredit_account.wdm in Alt-N WebAdmin 3.0.4 does not properly validate account edits by the logged in user, which allows remote authenticated users to edit other users' account information via a modified user parameter. 12395 1013038 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 Direct remote injection vulnerability in modalfram.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to load external webpages that appear to come from the WebAdmin server, which allows remote attackers to inject arbitrary HTML or web script to facilitate cross-site scripting (XSS) and phishing attacks. 12395 webadmin-html-injection(19162) 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 Multiple cross-site scripting vulnerabilities in MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to login.html, (2) accountid parameter to accountsettings_add.html, or the (3) note, (4) title, and (5) location fields to calendar.html. 12396 merak-icewarp-multiple-xss(19147) 20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables. http://www.squirrelmail.org/security/issue/2005-01-20 RHSA-2005:135 RHSA-2005:099 DSA-662 14096 13962 20050129 SquirrelMail Security Advisory APPLE-SA-2005-03-21 squirrelmail-webmailphp-xss(19036) GLSA-200501-39 prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers. http://www.squirrelmail.org/security/issue/2005-01-14 RHSA-2005:135 RHSA-2005:099 13962 APPLE-SA-2005-03-21 20050129 SquirrelMail Security Advisory GLSA-200501-39 Unknown vulnerability in HP-UX B.11.04 running Virtualvault 4.5 through 4.7, when running the TGA daemon, allows remote attackers to cause a denial of service via certain network traffic. 14082 SSRT5900 Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247. postgresql-cursor-bo(19188) RHSA-2005:150 RHSA-2005:138 12948 DSA-683 20050210 [USN-79-1] PostgreSQL vulnerabilities [pgsql-patches] 20050120 Re: WIP: pl/pgsql cleanup [pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser. [pgsql-committers] 20050121 pgsql: Prevent overrunning a heap-allocated buffer is more than 1024 12417 SUSE-SA:2005:036 MDKSA-2005:040 Buffer overflow in the socket_getline function in Newspost 2.1.1 and earlier allows remote malicious NNTP servers to execute arbitrary code via a long string without a newline character. GLSA-200502-05 newspost-socketgetline-bo(19178) http://www.vuxml.org/freebsd/7f13607b-6948-11d9-8937-00065be4b5b6.html 14092 http://people.freebsd.org/~niels/issues/newspost-20050114.txt 20050202 RE: SECURITEY.NNOV.RU NewsPost buffer overflow [EXPLOIT] 12418 1013056 14098 PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation." VU#203214 DSA-662 14096 Format string vulnerability in the Log_Resolver function in log.c for ngIRCd 0.8.2 and earlier, when compiled with IDENT, logging to SYSLOG, and with DEBUG enabled, allows remote attackers to execute arbitrary code. http://www.nosystem.com.ar/advisories/advisory-11.txt 14114 20050203 ngIRCd <= v0.8.2 Format String Vulnerability 12434 Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing." https://bugzilla.mozilla.org/show_bug.cgi?id=280056 mozilla-firefox-tab-gain-access(19264) SUSE-SA:2005:016 http://www.mozilla.org/security/announce/mfsa2005-26.html GLSA-200503-30 GLSA-200503-10 http://www.mikx.de/firetabbing/ 20050207 Firetabbing [Firefox 1.0] RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100032 Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree. perl-perliodebug-bo(19208) 2005-0003 12426 RHSA-2005:105 RHSA-2005:103 GLSA-200502-13 http://www.digitalmunition.com/DMA[2005-0131b].txt 20050207 DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG 20050202 [USN-72-1] Perl vulnerabilities MDKSA-2005:031 14120 FLSA-2006:152845 CLSA-2006:1056 Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3) header names containing whitespace characters. VU#768702 RHSA-2005:061 RHSA-2005:060 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing FEDORA-2005-373 SUSE-SA:2005:006 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:931 12412 MDKSA-2005:034 FLSA-2006:152809 Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack. VU#625878 RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-667 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:931 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting http://www.squid-cache.org/Advisories/SQUID-2005_5.txt FEDORA-2005-373 12433 MDKSA-2005:034 FLSA-2006:152809 Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote malicious POP3 servers to execute arbitrary code via crafted packets. xemacs-movemail-format-string(19246) RHSA-2005:133 RHSA-2005:112 RHSA-2005:110 DSA-685 DSA-671 DSA-670 20050207 [USN-76-1] Emacs vulnerability 12462 FLSA-2006:152898 MDKSA-2005:038 Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header. VU#107822 upx-engine-gain-control(18869) 20050208 Symantec AntiVirus Library Heap Overflow http://www.symantec.com/avcenter/security/Content/2005.02.08.html 1013133 The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) SUSE-SA:2005:016 http://www.mozilla.org/security/announce/mfsa2005-29.html GLSA-200503-30 GLSA-200503-10 http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 12461 RHSA-2005:384 RHSA-2005:176 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks oval:org.mitre.oval:def:100029 Multiple directory traversal vulnerabilities in ArGoSoft Mail Server 1.8.7.3 allow remote authenticated users to read, delete, or upload arbitrary files via a .. (dot dot) in (1) the filename of an e-mail attachment, (2) the _msgatt.rec file, (3) and the /msg, /delete, /folderadd, and /folderdelete operations for the Folder parameter. 20050209 [SIG^2 G-TEC] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities http://www.security.org.sg/vuln/argosoftmail1873.html awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode", (2) "loadplugin", or (3) "noloadplugin" parameters. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488 16089 Unknown vulnerability in BIND 9.2.0 in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to cause a denial of service. hpux-bind-dos(19276) 14220 HPSBUX01117 oval:org.mitre.oval:def:5690 lspath in AIX 5.2, 5.3, and possibly earlier versions, does not drop privileges before processing the -f option, which allows local users to read one line of arbitrary files. IY67655 IY67457 ibm-aix-ispath-information-disclosure(19281) 20050210 IBM AIX lspath Local File Access Vulnerability 12513 14232 Buffer overflow in pcdsvgaview in xpcd 2.08 allows local users to execute arbitrary code. DSA-676 12523 1013162 14250 14248 vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer. 20050211 ZoneAlarm 5.1 Invalid Pointer Dereference Vulnerability http://download.zonelabs.com/bin/free/securityAlert/19.html 12531 14256 The Quake 3 engine, as used in multiple game packages, allows remote attackers to cause a denial of service (shutdown game server) and possibly crash the server via a long infostring, possibly triggering a buffer overflow. http://aluigi.altervista.org/adv/q3infoboom-adv.txt 12534 20050212 Infostring crash and shutdown in the Quake 3 engine A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image. http://www.redteam-pentesting.de/advisories/rt-sa-2005-008.txt 20050214 Advisory: JPEG EXIF information disclosure CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable. http://www.redteam-pentesting.de/advisories/rt-sa-2005-002.txt 20050214 Advisory: Authentication bypass in CitrusDB CitrusDB 0.3.6 and earlier does not verify authorization for the (1) importcc.php and (2) uploadcc.php, which allows remote attackers to upload credit card data and obtain sensitive information such as the pathnames for temporary files that store credit card data, and facilitates the exploitation of other vulnerabilities. http://www.redteam-pentesting.de/advisories/rt-sa-2005-003.txt 20050214 Advisory: Upload Authorization bypass in CitrusDB SQL injection vulnerability in importcc.php for CitrusDB 0.3.6 and earlier allows remote attackers to inject data via the fields of a CSV file. http://www.redteam-pentesting.de/advisories/rt-sa-2005-004.txt 20050214 Advisory: SQL-Injection in CitrusDB Directory traversal vulnerability in index.php for CitrusDB 0.3.6 and earlier allows remote attackers and local users to include arbitrary PHP files via .. (dot dot) sequences in the load parameter. http://www.redteam-pentesting.de/advisories/rt-sa-2005-005.txt 20050214 Advisory: Directory traversal in CitrusDB VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries using a path that includes the rrdharan world-writable temporary directory, which allows local users to execute arbitrary code. GLSA-200502-18 Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (hang) via a flood of certain ARP packets. 14286 solaris-arp-dos(19331) 12553 57673 1013179 Php-Nuke 7.5 allows remote attackers to determine the full path of the web server via invalid or missing arguments to (1) db.php, (2) mainfile.php, (3) Downloads/index.php, or (4) Web_Links/index.php, which lists the path in a PHP error message. phpnuke-multiple-scripts-path-disclosure(19344) http://www.waraxe.us/advisory-40.html 12561 Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 7.5 allow remote attackers to inject arbitrary HTML or web script via (1) the newdownloadshowdays parameter in a NewDownloads operation or (2) the newlinkshowdays parameter in a NewLinks operation. phpnuke-downloads-weblinks-xss(19346) http://www.waraxe.us/advisory-40.html 12561 The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released. RHSA-2005:092 20050215 [USN-82-1] Linux kernel vulnerabilities CLA-2005:930 12598 RHSA-2005:472 19607 20060402-01-U oval:org.mitre.oval:def:1225 Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages. https://bugzilla.mozilla.org/show_bug.cgi?id=268107 mozilla-cookie-policy-bypass(19172) RHSA-2005:335 RHSA-2005:323 RHSA-2005:094 http://www.mozilla.org/security/announce/mfsa2005-11.html 12407 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100047 Unknown vulnerability in typespeed 0.4.1 and earlier allows local users to gain privileges. DSA-684 Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ASP.NET (.Net) 1.0 and 1.1 to SP1 allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<". 12574 14214 20050217 XSS vulnerabilty in ASP.Net [with details] http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension. GLSA-200502-21 14297 http://article.gmane.org/gmane.comp.web.lighttpd/1171 Cross-site scripting (XSS) vulnerability in MercuryBoard 1.0.x and 1.1.x allows remote attackers to inject arbitrary HTML and web script via the f parameter. 13937 http://lostmon.blogspot.com/2005/02/mercuryboard-forumphp-f-variable-xss.html Yahoo! Messenger 6.0.0.1750, and possibly other versions before 6.0.0.1921, does not properly display long filenames in file dialog boxes, which could allow remote attackers to trick users into downloading and executing programs via file names containing a large number of spaces and multiple file extensions. http://secunia.com/secunia_research/2005-2/advisory/ 13712 The Audio Setup Wizard (asw.dll) in Yahoo! Messenger 6.0.0.1750, and possibly other versions, allows attackers to arbitrary code by placing a malicious ping.exe program into the Messenger program directory, which is installed with weak default permissions. http://secunia.com/secunia_research/2004-6/advisory/ 11815 Directory traversal vulnerability in Xinkaa 1.0.3 and earlier allows remote attackers to read arbitrary files via (1) ../ and (2) ..\ characters in an HTTP request. xinkaa-web-directory-traversal(19404) 12606 ADV-2005-0189 14349 http://aluigi.altervista.org/adv/xinkaa-adv.txt ArGoSoft FTP Server before 1.4.2.7 allows remote attackers to read arbitrary files by uploading a ZIP file containing a shortcut (.LNK) file, using SITE UNZIP to extract the .LNK file onto the server, then accessing the file, a different vulnerability than CVE-2005-0520. http://www.argosoft.com/ftpserver/changelist.aspx 14172 argosoft-ink-file-upload(17939) 12487 13614 PHP remote file inclusion vulnerability in mail_autocheck.php in the Email This Entry add-on for pMachine Pro 2.4, and possibly other versions including pMachine Free, allows remote attackers to execute arbitrary PHP code by directly requesting mail_autocheck.php and modifying the pm_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2003-1086. 12597 15473 20050219 pMachine Pro / pMachine Free Remote Code Execution Cross-site scripting (XSS) vulnerability in ZeroBoard allows remote attackers to inject arbitrary web script or HTML via the (1) sn1, (2) year, or (3) page parameter to zboard.php or (4) filename to view_image.php. zeroboard-xss(19420) 1013243 20050219 Multiples vulnerability in ZeroBoard, Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when running on x86 with the hugemem kernel, allows local users to cause a denial of service (crash). 12599 RHSA-2005:092 red-hat-patch-dos(20620) Gigafast router (aka CompUSA router) with the DNS proxy option enabled allows remote attackers to cause a denial of service via malformed DNS queries. gigafast-dns-queries-dos(19426) 20050220 Gigafast/CompUSA router (model EE400-R) vulnerabilities misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter. 14326 http://www.vbulletin.com/forum/showthread.php?postid=819562 12622 20050222 [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection PHP remote file inclusion vulnerability in Tar.php in Mambo 4.5.2 allows remote attackers to execute arbitrary PHP code by modifying the mosConfig_absolute_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2004-1693. 14337 http://mamboforge.net/frs/download.php/4043/Patch_4.5.2_to_4.5.2.1.zip uim before 0.4.5.1 trusts certain environment variables when libUIM is used in setuid or setgid applications, which allows local users to gain privileges. 12604 13981 [uim] 20050220 uim 0.4.5.1 released MDKSA-2005:046 Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands. arkeia-backup-client-gain-access(20667) 1013256 http://metasploit.com/research/arkeia_agent/ 20050220 Arkeia Network Backup Client Remote Access Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients for PuTTY 0.56, and possibly earlier versions, allow remote malicious web sites to execute arbitrary code via SFTP responses that corrupt the heap after insufficient memory has been allocated. 20050221 Multiple PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerabilities GLSA-200502-28 14333 putty-sftppktgetstring-bo(19403) http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002416 http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002414 17214 The RgSecurity form in the HTTP server for the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not properly validate the password before performing changes, which allows remote attackers on the LAN to gain access via a direct POST request. thomson-tcw690-gain-access(19387) 14353 20050219 Thomson TCW690 POST Password Validation Vulnerability Multiple SQL injection vulnerabilities in page.php for iGeneric (iG) Shop 1.2 may allow remote attackers to execute arbitrary SQL statements via the (1) cats, (2) l_price, or (3) u_price parameters. 1013268 14369 20050221 [NOBYTES.COM: #5] iGeneric eShop 1.2 - Information Disclosure & Possible SQL Injection Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to perform unauthorized actions as authenticated MediaWiki users. 1013260 14360 GLSA-200502-33 GLSA-200502-33 Cross-site scripting (XSS) vulnerability in Verity Ultraseek before 5.3.3 allows remote attackers to inject arbitrary HTML and web script via search parameters. VU#716144 http://www.mikx.de/index.php?p=6 14367 20041223 Cross-Site Scripting - an industry-wide problem Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) 2 overflows in ACE archives, (2) a long command line argument, or (3) certain "Ready for next volume" messages. VU#215006 SUSE-SR:2005:016 14359 20050222 unace-1.2b multiple buffer overflows and directory traversal bugs 12630 Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames. SUSE-SR:2005:016 14359 20050222 unace-1.2b multiple buffer overflows and directory traversal bugs 12628 Some futex functions in futex.c for Linux kernel 2.6.x perform get_user calls while holding the mmap_sem semaphore, which could allow local users to cause a deadlock condition in do_page_fault by triggering get_user faults while another thread is executing mmap or other functions. http://lkml.org/lkml/2005/2/22/123 http://linux.bkbits.net:8080/linux-2.6/cset@421cfc11zFsK9gxvSJ2t__FCmuUd3Q FLSA:157459-3 RHSA-2005:420 The ImageGalleryPlugin (ImageGalleryPlugin.pm) in Twiki allows remote attackers to execute arbitrary commands via certain commands that generate thumbnails. 14384 http://www.enyo.de/fw/security/notes/twiki-robustness.html http://static.enyo.de/fw/patches/twiki/imagegallery-robustness-20041128.diff 20050223 Robustness patch for TWiki, vulnerability in ImageGalleryPlugin PeerFTP_5 stores sensitive information such as passwords in plaintext in the PeerFTP.ini files, which allows local users to gain privileges. 1013263 eXeem 0.21 stores sensitive information such as passwords in plaintext in the Exeem registry key, which allows local users to gain privileges via the proxy_user and proxy_password values. 1013266 ArGoSoft FTP Server before 1.4.2.8 allows remote attackers to read arbitrary files via shortcut (.LNK) files in the SITE COPY command, a different vulnerability than CVE-2005-0519. http://www.argosoft.com/ftpserver/changelist.aspx 14372 argosoft-site-copy-files(19442) 12632 14061 SendLink 1.5 stores sensitive information, possibly including passwords, in plaintext in the data.eat file, which allows local users to gain privileges. 1013269 Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in display_tbl_links.lib.php, the left_font_family parameter in theme_left.css.php, or the right_font_family parameter in theme_right.css.php. phpmyadmin-multiple-php-xss(19462) 12644 GLSA-200503-07 14382 20050224 [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4 Unknown vulnerability in ftpd on HP-UX B.11.00, B.11.04, B.11.11, B.11.22, and B.11.23 allows remote authenticated users to gain "unauthorized access to files." 12651 hp-ux-ftpd-gain-access(19467) oval:org.mitre.oval:def:5464 SSRT4694 The RealServer RealSubscriber on Cisco devices running Application and Content Networking System (ACNS) 5.1 allow remote attackers to cause a denial of service (CPU consumption) via malformed packets. VU#579240 cisco-realserver-realsubscriber-dos(19469) 12648 20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities 14395 Cisco devices running Application and Content Networking System (ACNS) 5.0, 5.1 before 5.1.13.7, or 5.2 before 5.2.3.9 allow remote attackers to cause a denial of service (bandwidth consumption) via "crafted IP packets" that are continuously forwarded. cisco-acns-dos(19470) 12648 20050224 ACNS Denial of Service and Default Admin Password Vulnerabilities 14395 nxagent in FreeNX before 0.2.8 does not properly handle when the XAUTHORITY environment variable is not set, which allows local users to access the X server without X authentication. SUSE-SR:2005:006 [FreeNX-kNX] 20050217 Security: Serious bug in authority handling found and fixed cmd5checkpw, when running setuid, does not properly drop privileges before calling the execvp function, which allows local users to read the poppasswd file. GLSA-200502-30 bsmtpd 2.3 and earlier does not properly sanitize e-mail addresses, which allows remote attackers to execute arbitrary commands. DSA-690 viewtopic.php in phpBB 2.0.12 and earlier allows remote attackers to obtain sensitive information via a highlight parameter containing invalid regular expression syntax, which reveals the path in a PHP error message. http://www.phpbb.com/phpBB/viewtopic.php?t=267563 14413 20050225 -==phpBB 2.0.12 Full path disclosure==- Heap-based buffer overflow in server.cpp for WebMod 0.47 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via a POST request with a Content-Length that is less than the amount of data that is actually sent. 14302 http://djeyl.net/forum/index.php?showtopic=41440 Unknown vulnerability in FCKeditor 2.0 RC2, when used with PHP-Nuke, allows remote attackers to upload arbitrary files. 12676 Multiple cross-site scripting (XSS) vulnerabilities in the Download module for PostNuke 0.750 and 0.760-RC2 allow remote attackers to inject arbitrary web script or HTML via the (1) Program name, (2) File link, (3) Author name (4) Author e-mail address, (5) File size, (6) Version, or (7) Home page variables. 1013324 http://news.postnuke.com/Article2669.html 20050228 [SECURITYREASON.COM] PostNuke Critical XSS 0.760-RC2=>x cXIb8O3.2 Einstein 1.0.1 stores sensitive information such as usernames and passwords in plaintext in the registry, which allows local users to gain privileges. 14212 1013316 14455 846 reportbug before 2.62 creates the .reportbugrc configuration file with world-readable permissions, which allows local users to obtain email smarthost passwords. reportbug-file-world-readable(19504) 14422 https://bugzilla.ubuntu.com/show_bug.cgi?id=6600 20050228 [USN-88-1] reportbug information disclosure http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295407 reportbug 3.2 includes settings from .reportbugrc in bug reports, which exposes sensitive information such as smtpuser and smtppasswd. reportbug-smtppasswd-information-disclosure(19520) 14422 https://bugzilla.ubuntu.com/show_bug.cgi?id=6717 https://bugzilla.ubuntu.com/show_bug.cgi?id=6600 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=295407 20050228 [USN-88-1] reportbug information disclosure RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to view the PHP source code via an HTTP GET request for a filename with a trailing (1) . (dot) or (2) space. http://www.security.org.sg/vuln/raidenhttpd1132.html 14453 20050301 [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities Buffer overflow in RaidenHTTPD 1.1.32, and possibly other versions before 1.1.34, allows remote attackers to execute arbitrary code via a long URL. http://www.security.org.sg/vuln/raidenhttpd1132.html 14453 20050301 [SIG^2 G-TEC] RaidenHTTPD Server Buffer Overflow and CGI Source Disclosure Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in Forumwa 1.0 allow remote attackers to inject arbitrary web script or HTML via (1) the keyword parameter in search.php or the (2) body or (3) subject of a forum message. 12689 14418 20050301 Forumwa search.php xss vulnerability Multiple cross-site scripting (XSS) vulnerabilities in profile.php in 427BB 2.2 allow remote attackers to inject arbitrary web script or HTML via the (1) user or (2) Avatar parameters. 427bb-profile-xss(19546) 12693 1013337 14434 20050301 427BB profile.php XSS vulnerability. 20050301 427BB profile.php XSS vulnerability. sendpm.php in PBLang 4.63 allows remote authenticated users to read arbitrary files via a full pathname in the orig parameter. pblang-sendpm-obtain-information(19544) 12690 20050301 Software PBLang 4.63 sendpm.php reply file read vulnerability http://pblforum.drmartinus.de/post.php?cat=2&fid=2&pid=40&page=1 delpm.php in PBLang 4.63 allows remote authenticated users to delete arbitrary PM files by modifying the "id" and "a" parameters. pblang-delpm-delete-messages(19552) 12694 20050301 Software PBLang 4.63 delpm.php authentication vulnerability http://pblforum.drmartinus.de/post.php?cat=2&fid=2&pid=42&page=1 PHP remote file inclusion vulnerability in auth.php in PHPNews 1.2.4 and possibly 1.2.3, allows remote attackers to execute arbitrary PHP code via the path parameter. 1013345 14449 12696 20050303 PHP News <= 1.2.4 - Remote File Inclusion Exploit 20050301 PHP News <= 1.2.4 - Remote File Inclusion (VXSfx) Buffer overflow in Trillian 3.0 and Pro 3.0 allows remote attackers to execute arbitrary code via a crafted PNG image file. 12703 http://www.securiteam.com/exploits/5KP030KF5E.html ADV-2005-0221 20050306 See-security advisory: Trillian Basic 3.0 PNG Processing Buffer overflow Einstein 1.0 stores credit card information in plaintext in the world-readable wallets.dat file, which allows local users to steal the information. 14455 scan.c for LibXPM may allow attackers to execute arbitrary code via a negative bitmap_unit value that leads to a buffer overflow. 12714 RHSA-2005:331 GLSA-200503-15 DSA-723 1013339 GLSA-200503-08 http://bugs.gentoo.org/show_bug.cgi?id=83655 http://bugs.gentoo.org/show_bug.cgi?id=83598 https://bugs.freedesktop.org/attachment.cgi?id=1909 RHSA-2005:412 USN-97-1 USN-92-1 RHSA-2008:0261 RHSA-2005:473 RHSA-2005:198 RHSA-2005:044 FLSA-2006:152803 19624 18316 18049 14460 APPLE-SA-2005-08-15 APPLE-SA-2005-08-17 20060403-01-U SCOSA-2005.57 SCOSA-2006.5 xloadimage before 4.1-r2, and xli before 1.17, allows attackers to execute arbitrary commands via shell metacharacters in filenames for compressed images, which are not properly quoted when calling the gunzip command. 14459 DSA-695 GLSA-200503-05 14462 http://bugs.gentoo.org/show_bug.cgi?id=79762 12712 FLSA-2006:152923 RHSA-2005:332 14365 http://support.avaya.com/elmodocs2/security/ASA-2005-134_RHSA-2005-332.pdf Multiple vulnerabilities in xli before 1.17 may allow remote attackers to execute arbitrary code via "buffer management errors" from certain image properties, some of which may be related to integer overflows in PPM files. 14459 DSA-695 GLSA-200503-05 http://bugs.gentoo.org/show_bug.cgi?id=79762 Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 does not properly initialize the "Change Credentials for Database" window, which allows local users to recover the SQL Admin password via certain methods. http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323 14454 Cross-site scripting (XSS) vulnerability in the Reporter for Computer Associates (CA) Unicenter Asset Management (UAM) 4.0 allows remote attackers to inject arbitrary HTML or web script via the (1) name or (2) description in a report template. 14454 http://supportconnect.ca.com/sc/solcenter/solresults.jsp?aparno=Qo64323 Format string vulnerability in Foxmail Server 2.0 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via format strings in the USER command. 12711 20050302 Foxmail server "USER" command Multiple remote buffer overflow 1013356 14145 Format string vulnerability in Carsten's 3D Engine (Ca3DE), March 2004 version and earlier, allows remote attackers to execute arbitrary code via format string specifiers in a command. 12727 14483 1013361 http://aluigi.altervista.org/adv/ca3dex-adv.txt Cross-site scripting (XSS) vulnerability in the News module for paBox 1.6 allows remote attackers to inject arbitrary web script or HTML via the text hidden parameter in an HTTP POST request. 12719 1013363 14474 20050303 [XSS] paBox 1.6 Unknown vulnerability in HTTP Anti Virus Proxy (HAVP) before 0.51 prevents viruses from being properly detected in certain files such as (1) .CAB or (2) .ZIP files. http://www.bemberg.de/server-side/index.htm 1013370 Firefox before 1.0.1 and Mozilla before 1.7.6 allows remote attackers to spoof the SSL "secure site" lock icon via (1) a web site that does not finish loading, which shows the lock of the previous site, (2) a non-HTTP server that uses SSL, which causes the lock to be displayed when the SSL handshake is completed, or (3) a URL that generates an HTTP 204 error, which updates the icon and location information but does not change the display of the original site. GLSA-200503-10 https://bugzilla.mozilla.org/show_bug.cgi?id=277564 https://bugzilla.mozilla.org/show_bug.cgi?id=276720 https://bugzilla.mozilla.org/show_bug.cgi?id=268483 https://bugzilla.mozilla.org/show_bug.cgi?id=258048 http://www.mozilla.org/security/announce/mfsa2005-14.html GLSA-200503-30 12659 RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100044 Windows Server 2003 and XP SP2, with Windows Firewall turned off, allows remote attackers to cause a denial of service (CPU consumption) via a TCP packet with the SYN flag set and the same destination and source address and port, aka a reoccurrence of the "Land" vulnerability (CVE-1999-0016). MS05-019 20050305 Windows Server 2003 and XP SP2 LAND attack vulnerability HPSBST02161 MS06-064 ADV-2006-3983 22341 oval:org.mitre.oval:def:4978 oval:org.mitre.oval:def:482 oval:org.mitre.oval:def:1685 oval:org.mitre.oval:def:1288 Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. VU#911878 12724 ADV-2005-0540 1013967 RHSA-2005:800 RHSA-2005:476 ADV-2005-3002 http://www.daemonology.net/papers/htt.pdf http://www.daemonology.net/hyperthreading-considered-harmful/ http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754 101739 18165 15348 [openbsd-misc] 20050304 Re: FreeBSD hiding security stuff [freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff] [freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuff SCOSA-2005.24 PHP remote file inclusion vulnerability in article mode for modules.php in SocialMPN allows remote attackers to execute arbitrary PHP code by modifying the name parameter to reference a URL on a remote web server that contains the code. http://waraxe.us/ftopic-542-0-days0-orderasc-.html 20050307 Remote Testing SocialMPN Remote File Inclusion by y3dips Cross-site scripting (XSS) vulnerability in fusion_core.php for PHP-Fusion 5.x allows remote attackers to inject arbitrary web script or HTML via a message with IMG bbcode containing character-encoded Javascript. 14492 20050306 PHP-FUSION 5.* XSS VULNERABILITY http://www.php-fusion.co.uk/news.php?readmore=183 Nokia Symbian 60 allows remote attackers to cause a denial of service (phone restart) via a Bluetooth nickname. 1013380 nokia-symbian-dos(19594) 12743 http://www.securiteam.com/securitynews/5PP0V00G1S.html 14574 Format string vulnerability in Hashcash 1.16 allows remote attackers to cause a denial of service (memory consumption) and possibly execute arbitrary code via format string specifiers in a reply address, which is not properly handled when printing the header. GLSA-200503-12 14487 http://bugs.gentoo.org/show_bug.cgi?id=83541 Integer overflow in mlterm 2.5.0 through 2.9.1, with gdk-pixbuf support enabled, allows remote attackers to execute arbitrary code via a large image file that is used as a background. https://sourceforge.net/project/shownotes.php?release_id=310416 GLSA-200503-13 Buffer overflow in Sylpheed before 1.0.3 and other versions before 1.9.5 allows remote attackers to execute arbitrary code via an e-mail message with certain headers containing non-ASCII characters that are not properly handled when the user replies to the message. RHSA-2005:303 GLSA-200503-26 http://sylpheed.good-day.net/changelog.html.en http://sylpheed.good-day.net/changelog-devel.html.en 14491 1013376 PHP remote file inclusion vulnerability in download_center_lite.inc.php for Download Center Lite 1.6 allows remote attackers to execute arbitrary PHP code by modifying the script_root parameter to reference a URL on a remote web server that contains the code. http://www.stadtaus.com/forum/t-1579.html 14513 20050304 Download Center Lite (DCL) - Arbitrary File Inclusion (VXSfx) Buffer overflow in JoWood Chaser 1.50 and earlier allows remote attackers to cause a denial of service (client or server crash) and execute arbitrary code via a long nickname. 12733 http://aluigi.altervista.org/adv/chasercool-adv.txt Hosting Controller 6.1 Hotfix 1.7 and earlier stores log files under the web root, which allows remote attackers to obtain sensitive information via a direct request to HCDiskQuotaService.csv. 14522 20050307 Hosting Controller Multiple Unauthenticated information disclose http://isun.shabgard.org/hc2.txt The password recovery feature (forgotpassword.asp) in Hosting Controller 6.1 Hotfix 1.7 and earlier allows remote attackers to determine the owner's e-mail address by providing a portion of the domain name to the "login ID" field. 14522 20050307 Hosting Controller Multiple Unauthenticated information disclose http://isun.shabgard.org/hc2.txt includer.cgi in The Includer allows remote attackers to execute arbitrary commands via shell metacharacters in (1) the URL or (2) the template parameter. 12738 20050308 Re: Remote Command Execution 20050307 Remote Command Execution Gene6 FTP Server does not properly restrict access to the control console, which allows local users to modify the server configuration and gain privileges, as demonstrated by defining a SITE command. 12739 http://secway.org/Advisory/ad20050303.txt 14436 20050308 Re: Gene6 FTP Server Local Privilege Escalation Vulnerability 20050307 Gene6 FTP Server Local Privilege Escalation Vulnerability SQL injection vulnerability in the process_picture function xp_publish.php in CopperExport 0.2.1 allows remote attackers to execute arbitrary SQL commands, possibly via the (1) title, (2) caption, or (3) keywords parameters. http://www.zzamboni.org/copperexport/ 14401 PHP remote file inclusion vulnerability in PHPWebLog 0.5.3 and earlier allows remote attackers to execute arbitrary PHP code by modifying the (1) G_PATH parameter to init.inc.php or the (2) PATH parameter to index.php to reference a URL on a remote web server that contains the code. 12747 20050307 phpWebLog <= 0.5.3 arbitrary file inclusion (VXSfx) Cross-site scripting (XSS) vulnerability in Solaris AnswerBook2 Documentation 1.4.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the Search function. 57737 20050328 Multiple XSS issues in Sun AnswerBook2 nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow. RHSA-2005:092 http://linux.bkbits.net:8080/linux-2.6/cset@41e2bfbeOiXFga62XrBhzm7Kv9QDmQ CLA-2005:930 12598 20050215 [USN-82-1] Linux kernel vulnerabilities Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores. RHSA-2005:092 http://linux.bkbits.net:8080/linux-2.6/cset@41ddda70CWJb5nNL71T4MOlG2sMG8A 12598 20050215 [USN-82-1] Linux kernel vulnerabilities CLA-2005:930 Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call. RHSA-2005:092 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories CLA-2005:930 RHSA-2005:663 ADV-2005-1878 17002 Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions. RHSA-2005:092 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories CLA-2005:930 12198 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories MDKSA-2005:219 MDKSA-2005:218 17826 MDKSA-2005:219 MDKSA-2005:218 The export_index action in myadmin.php for Aztek Forum 4.0 allows remote attackers to obtain database files, possibly by setting the ATK_ADMIN cookie. 12745 http://www.frsirt.com/exploits/20050307.aztek.c.php Directory traversal vulnerability in Oracle Database Server 8i and 9i allows remote attackers to read or rename arbitrary files via "\\.\\.." (modified dot dot backslash) sequences to UTL_FILE functions such as (1) UTL_FILE.FOPEN or (2) UTL_FILE.frename. http://www.argeniss.com/research/ARGENISS-ADV-030501.txt 20050307 - Argeniss - Oracle Database Server Directory transversal 20050307 - Argeniss - Oracle Database Server Directory transversal SQL injection vulnerability in phpMyFAQ 1.4 and 1.5 allows remote attackers to add FAQ records to the database via the username field in forum messages. http://www.phpmyfaq.de/advisory_2005-03-06.php 14516 Xerox MicroServer Web Server for various WorkCentre products including M35/M45/M55 2.028.11.000 through 2.97.20.032 and 4.84.16.000 through 4.97.20.032, Pro 35/45/55 3.028.11.000 through 3.97.20.032, Pro 65/75/90 1.001.00.060 through 1.001.02.084, and others, has an "unauthenticated account," which allows remote attackers to modify system configuration, a different vulnerability than CVE-2005-1179. http://www.xerox.com/downloads/usa/en/c/cert_XRX05_005.pdf 14507 eXPerience2 allows remote attackers to obtain the full path for the web root via a direct request to modules.php without any parameters, which leaks the path in a PHP error message. 20050307 Multiples Vulnerabilities Cross-site scripting (XSS) vulnerability in the jumpmenu function in functions.php for paFileDB 3.1 and earlier allows remote attackers to inject arbitrary web script or HTML via the URL parameters, which is not properly cleansed in the $pageurl variable, as demonstrated using pafiledb.php. 20050308 Multiple vulnerabilities in paFileDB PHP remote file inclusion vulnerability in admin/header.php in PHP mcNews 1.3 allows remote attackers to execute arbitrary PHP code by modifying the skinfile parameter to reference a URL on a remote web server that contains the code. mcnews-skinfile-file-include(19616) 12776 20070811 mcNews (skinfile) Remote File Include Vulnerability 14528 20050307 PHP mcNews <= 1.3 arbitrary file inclusion (VXSfx) Cross-site scripting (XSS) vulnerability in YaBB.pl for YaBB 2.0 RC1 allows remote attackers to inject arbitrary web script or HTML via the username parameter in a usersrecentposts action. 12756 1013420 SQL injection vulnerability in the getAllbyArticle function in wfsfiles.php for WF-Sections (wfsections) 1.07 allows remote attackers to execute arbitrary SQL commands via the articleid parameter to article.php. wfsections-wfsfiles-sql-injection(19660) 20050308 Wfsection 1.07 vulnerabilities ApplyYourself i-Class allows remote attackers to obtain sensitive information about their own applications by reusing the hidden ID field, as demonstrated using the id parameter to ApplicantDecision.asp. 1013400 Multiple buffer overflows in the SDL port of abuse (abuse-SDL) before 2.00 allow local users to execute arbitrary code via the command line. DSA-691 14495 The SDL port of abuse (abuse-SDL) before 2.00 does not properly drop privileges before creating certain files, which allows local users to create or overwrite arbitrary files. DSA-691 14495 14610 Multiple buffer overflows in the dissect_a11_radius function in the CDMA A11 (3G-A11) dissector (packet-3g-a11.c) for Ethereal 0.10.9 and earlier allow remote attackers to execute arbitrary code via RADIUS authentication packets with large length values. 12759 RHSA-2005:306 http://www.ethereal.com/appnotes/enpa-sa-00018.html GLSA-200503-16 20050308 Ethereal remote buffer overflow FLSA-2006:152922 MDKSA-2005:053 http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-03-04 20050314 Ethereal 0.10.9 and below remote root exploit 20050309 RE: Ethereal remote buffer overflow - addon Buffer overflow in ArGoSoft FTP Server 1.4.2.8 allows remote authenticated users to execute arbitrary code via a long DELE command. NOTE: this issue was later reported to also affect 1.4.3.5. 12755 14526 https://www.securinfos.info/english/security-advisories-alerts/20060225_ArGoSoft.FTP.Server_Heap.Overflow.html 20060225 ArGoSoft FTP server remote heap overflow 20050308 ArGoSoft FTP Server 1.4.2.8 Buffer Overflow 1015681 20060225 ArGoSoft FTP server remote heap overflow 494 Multiple access validation errors in OutStart Participate Enterprise (PE) allow remote attackers to (1) browse arbitrary directory trees by modifying the rootFolder parameter to displaynavigator.jsp, (2) rename arbitrary directory objects by modifying the selectedObject parameter to renamepopup.jsp, (3) delete arbitrary directory objects by modifying the selectedObjectsCSV parameter to displaydeletenavigator.jsp, and conduct other unauthorized activities via the (4) showDeleteView, (5) showWebFolderView, (6) showLibraryView, (7) showMyLibraryView, (8) singleSelectObject, (9) processRadioSelection, (10) processCheckboxSelection, (11) singleSelectObject, (12) addToSelectedObjects, or (13) removeFromSelectedObjects commands. pe-access-validation-dos(19632) 12752 http://security.honour.ca/outstartpsi.txt 14542 20050308 PE Multiple Remote Access Validation Vulnerabilities (Participate Systems Inc. / Outstart Inc.) Race condition in Squid 2.5.STABLE7 to 2.5.STABLE9, when using the Netscape Set-Cookie recommendations for handling cookies in caches, may cause Set-Cookie headers to be sent to other users, which allows attackers to steal the related cookies. squid-set-cookie-race-condition(19581) USN-93-1 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE9-setcookie RHSA-2005:415 12716 FLSA-2006:152809 UTStarcom iAN-02EX VoIP Analog Terminal Adaptor (ATA) allows local users to bypass ATA access restrictions by dialing "*#26845#" and causing a device reset. 14544 20050307 Re: Lingo VoIP ATA / UTStarcom iAN-02EX remote access vulnerability Unknown vulnerability in the systems message queue in HP Tru64 Unix 4.0F PK8 through 5.1B-2/PK4 allows local users to cause a denial of service (process crash) for processes such as nfsstat, pfstat, arp, ogated, rarpd, route, sendmail, srconfig, strsetup, trpt, netstat, and xntpd. tru64-system-message-dos(19642) 12768 14549 SSRT4891 Integer overflow in sys_epoll_wait in eventpoll.c for Linux kernel 2.6 to 2.6.11 allows local users to overwrite kernel memory via a large number of events. 12763 20050309 overwriting low kernel memory USN-95-1 SUSE-SA:2005:018 http://linux.bkbits.net:8080/linux-2.6/cset@422dd06a1p5PsyFhoGAJseinjEq3ew?nav=index.html|ChangeSet@-1d RHSA-2005:366 RHSA-2005:293 PY Software Active Webcam WebServer (webcam.exe) 5.5 allows remote attackers to cause a denial of service (CPU consumption) via a direct request to Filelist.html. active-webcam-filelist-dos(19650) http://secway.org/advisory/ad20050104.txt 14553 20050310 Multiple Vulnerabilities of PY Software Active Webcam WebServer PHP remote file inclusion vulnerability in initdb.php for WEBInsta Mailing list manager 1.3d allows remote attackers to execute arbitrary PHP code by modifying the absolute_path parameter to reference a URL on a remote web server that contains the code. 14550 webinsta-initdb-file-include(19651) 12773 ADV-2005-0248 1013409 SQL injection vulnerability in member.php and possibly other scripts in PhotoPost PHP 5.0 RC3 allows remote attackers to execute arbitrary SQL commands via the uid parameter. photopost-uid-sql-injection(19675) 14576 12779 20050311 PhotoPost PHP 5.0 RC3, and later, multiple vulnerabilities paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) auth.php, (2) login.php, (3) category.php, (4) file.php, (5) team.php, (6) license.php, (7) custom.php, (8) admins.php, or (9) backupdb.php, which reveal the path in a PHP error message. 20050312 [SECURITYREASON.COM] Mass Full Path Disclosure in paFileDB Unknown vulnerability in the JXTA dissector in Ethereal 0.10.9 allows remote attackers to cause a denial of service (application crash). GLSA-200503-16 http://www.ethereal.com/appnotes/enpa-sa-00018.html 12762 MDKSA-2005:053 SQL injection vulnerability in gb_new.inc in SimpGB allows remote attackers to execute arbitrary SQL commands via the quote parameter to guestbook.php. 12801 14583 20050313 SimpGB SQL Injection Vulnerability simpgb-gbnew-sql-injection(19694) LimeWire 4.1.2 through 4.5.6 allows remote attackers to read arbitrary files by specifying the full pathname in a Gnutella GET request. limewire-client-information-disclosure(19693) GLSA-200503-37 14555 20050314 LimeWire Gnutella client two vulnerabilities Directory traversal vulnerability in LimeWire 3.9.6 through 4.6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in a magnet request. limewire-magnet-directory-traversal(19695) GLSA-200503-37 14555 20050314 LimeWire Gnutella client two vulnerabilities phpAdsNew 2.0.4 allows remote attackers to obtain sensitive information via a direct request to (1) lib-xmlrpcs.inc.php, (2) maintenance-activation.php, (3) maintenance-cleantables.php, (4) maintenance-autotargeting.php, (5) maintenance-reports.php, (6) phpads.php, (7) remotehtmlview.php, (8) click.php, (9) adcontent.php, which reveal the path in a PHP error message. http://securityreason.com/adv/%5BphpAdsNew%202.0.4-pr1%20Multiple%20vulnerabilities%20cXIb8O3.9%5D.asc 20050314 [SECURITYREASON.COM] phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9 1013429 Cross-site scripting (XSS) vulnerability in adframe.php in phpAdsNew 2.0.4-pr1, when register_globals is enabled, allows remote attackers to inject arbitrary web script or HTML via the refresh parameter. 12803 http://securityreason.com/adv/%5BphpAdsNew%202.0.4-pr1%20Multiple%20vulnerabilities%20cXIb8O3.9%5D.asc 14592 20050314 [SECURITYREASON.COM] phpAdsNew 2.0.4-pr1 Multiple vulnerabilities cXIb8O3.9 14787 1013429 HolaCMS 1.4.9 does not restrict file access to the holaDB/votes directory, which allows remote attackers to overwrite arbitrary files via a modified vote_filename parameter. http://www.holacms.de/?content=changelog 14566 20050315 Virginity Security Advisory 2005-001 : Hola CMS - File destruction and System access Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value. 12195 USN-508-1 RHSA-2005:663 RHSA-2005:551 RHSA-2005:529 ADV-2005-1878 DSA-1082 DSA-1070 DSA-1069 DSA-1067 1013273 30112 26651 20338 20202 20163 17002 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22 RHSA-2008:0237 Unknown vulnerability in Information Resource Manager (IRM) before 1.5.2.1 allows remote attackers has "potentially serious" impact, related to LDAP logins. irm-ldap-security-bypass(19419) http://sourceforge.net/project/shownotes.php?release_id=306629 14342 The Avaya IP Office Phone Manager, and other products such as the IP Softphone, stores sensitive data in cleartext in a registry key, which allows local and possibly remote users to steal usernames and passwords and impersonate other users via keys such as Avaya\IP400\Generic. http://support.avaya.com/elmodocs2/security/ASA-2005-041_Sensitive_Info_Leak.pdf 20050222 Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability 20050222 Avaya IP Office Phone Manager - Sensitive Information Cleartext Directory traversal vulnerability in SD Server 4.0.70 and earlier allows remote attackers to read arbitrary files via .. sequences in an HTTP request. 14365 20050221 SD Server 4.0.70 Directory Traversal Bug http://www.gdsoftware.dk/ 20050222 SD Server 4.0.70 Directory Traversal Bug Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue." 12619 14336 http://xml.apache.org/batik/#SecurityWarning Multiple cross-site scripting (XSS) vulnerabilities in the Mono 1.0.5 implementation of ASP.NET (.Net) allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<". 14325 20050217 XSS vulnerabilty in ASP.Net [with details] 20050217 XSS vulnerabilty in ASP.Net [with details] http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml The daemon for fallback-reboot before 0.995 allows attackers to cause a denial of service (daemon exit), possibly related to verbose debug messages when the daemon is not on a tty. 14328 http://dcs.nac.uci.edu/~strombrg/fallback-reboot/ Buffer overflow in wpa_supplicant before 0.2.7 allows remote attackers to cause a denial of service (segmentation fault) via invalid EAPOL-Key packet data. wpasupplicant-bo(19357) GLSA-200502-22 14313 1013226 [HostAP] 20050213 wpa_supplicant - new stable releases v0.3.8 and v0.2.7 Sun Java JRE 1.1.x through 1.4.x writes temporary files with long filenames that become predictable on a file system that uses 8.3 style short names, which allows remote attackers to write arbitrary files to known locations and facilitates the exploitation of vulnerabilities in applications that rely on unpredictable file names. VU#544392 sun-java-create-files(19285) http://secunia.com/secunia_research/2004-7/advisory/ 11070 Gaim before 1.1.3 allows remote attackers to cause a denial of service (infinite loop) via malformed SNAC packets from (1) AIM or (2) ICQ. VU#839280 gaim-snac-dos(19380) RHSA-2005:432 RHSA-2005:215 GLSA-200503-03 DSA-716 14322 http://gaim.sourceforge.net/security/index.php?id=10 12589 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 The HTML parsing functions in Gaim before 1.1.3 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0208. VU#523888 gaim-html-dos(19381) RHSA-2005:215 GLSA-200503-03 14322 http://gaim.sourceforge.net/security/index.php?id=11 12589 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 The KAME racoon daemon in ipsec-tools before 0.5 allows remote attackers to cause a denial of service (crash) via malformed ISAKMP packets. https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=109966&action=view racoon-isakmp-header-dos(19707) 12804 RHSA-2005:232 ADV-2005-0264 [ipsec-tools-devel] 20050312 potential remote crash in racoon 1013433 GLSA-200503-33 14584 MDKSA-2005:062 Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter. 20050222 phpBB Group phpBB2 Arbitrary File Unlink Vulnerability http://www.phpbb.com/support/documents.php?mode=changelog GLSA-200503-02 phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary files by providing both a local and remote location for an avatar, then modifying the "Upload Avatar from a URL:" field to reference the target file. VU#774686 20050222 phpBB Group phpBB Arbitrary File Disclosure Vulnerability http://www.phpbb.com/support/documents.php?mode=changelog GLSA-200503-02 14362 Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via a pppd client. FLSA:152532 USN-95-1 2005-0009 12810 RHSA-2005:366 RHSA-2005:293 RHSA-2005:284 RHSA-2005:283 SUSE-SA:2005:018 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 SQL injection vulnerability in ZPanel 2.0 allows remote attackers to execute arbitrary SQL commands via the (1) uname parameter to index.php or (2) page parameter to zpanel.php. 14602 zpanel-index-sql-injection(19709) 12809 20050320 Re: Few remote bugs in zPanel 20050315 Few remote bugs in zPanel PHP remote file inclusion vulnerability in zpanel.php in ZPanel allows remote attackers to (1) execute arbitrary PHP code in ZPanel 2.0 or (2) include local files in ZPanel 2.5 beta 10 and earlier by modifying the page parameter. 12809 20050320 Re: Few remote bugs in zPanel 20050315 Few remote bugs in zPanel ZPanel 2.0 and 2.5 beta 10 does not remove or protect installation scripts after they have been used, which allows remote attackers to reinstall the software and possibly cause a denial of service via a direct request to install.php. 14602 20050320 Re: Few remote bugs in zPanel 20050315 Few remote bugs in zPanel Novell iChain Mini FTP Server 2.3 displays different error messages if a user exists or not, which allows remote attackers to obtain sensitive information and facilitates brute force attacks. 12811 http://www.infobyte.com.ar/adv/ISR-04.html 14607 20050315 [ISR] - Novell iChain Mini FTP Server Valid User Disclosure Vulnerability Novell iChain Mini FTP Server 2.3, and possibly earlier versions, does not limit the number of incorrect logins, which makes it easier for remote attackers to conduct brute force login attacks. http://www.infobyte.com.ar/adv/ISR-05.html http://support.novell.com/cgi-bin/search/searchtid.cgi?/10096887.htm 14607 20050315 [ISR] - Novell iChain Mini FTP Server Bruteforce Problem 14648 1013408 MySQL 4.1.9, and possibly earlier versions, allows remote attackers with certain privileges to cause a denial of service (application crash) via a use command followed by an MS-DOS device name such as (1) LPT1 or (2) PRN. 14564 20050315 Denial of Service Vulnerability in MySQL Server for Windows http://bugs.mysql.com/bug.php?id=9148 Race condition in the Radeon DRI driver for Linux kernel 2.6.8.1 allows local users with DRI privileges to execute arbitrary code as root. USN-95-1 RHSA-2005:366 CLA-2005:945 Servers Alive 4.1 and 5.0, when running as a service, does not drop SYSTEM privileges before loading local manual under the help menu, which allows local users to gain privileges. serversalive-gain-privileges(19715) 12822 14616 20050316 Servers Alive: Local Privilege Escalation The Bluetooth Setup Assistant for Mac OS X before 10.3.8 can be launched without a keyboard or Bluetooth device, which allows local users to bypass access restrictions and gain privileges.