Race condition in the page fault handler (fault.c) for Linux kernel 2.2.x to 2.2.7, 2.4 to 2.4.29, and 2.6 to 2.6.10, when running on multiprocessor machines, allows local users to execute arbitrary code via concurrent threads that share the same virtual memory space and simultaneously request stack expansion. FLSA:2336 linux-fault-handler-gain-privileges(18849) 2005-0001 12244 RHSA-2005:092 RHSA-2005:043 RHSA-2005:017 RHSA-2005:016 DSA-1082 DSA-1070 DSA-1069 DSA-1067 1012862 20338 20202 20163 13822 oval:org.mitre.oval:def:10322 20050114 [USN-60-0] Linux kernel vulnerabilities 20050112 Linux kernel i386 SMP page fault handler privilege escalation 20050112 Linux kernel i386 SMP page fault handler privilege escalation http://isec.pl/vulnerabilities/isec-0022-pagefault.txt CLA-2005:930 MDKSA-2005:022 poppassd_pam 1.0 and earlier, when changing a user password, does not verify that the user entered the old password correctly, which allows remote attackers to change passwords for arbitrary users. GLSA-200501-22 1012840 13865 The 64 bit ELF support in Linux kernel 2.6 before 2.6.10, on 64-bit architectures, does not properly check for overlapping VMA (virtual memory address) allocations, which allows local users to cause a denial of service (system crash) or execute arbitrary code via a crafted ELF or a.out file. 12261 RHSA-2005:043 linux-vma-gain-privileges(18886) 2005-0001 RHSA-2005:017 SUSE-SA:2005:018 DSA-1082 DSA-1070 DSA-1069 DSA-1067 1012885 20338 20202 20163 oval:org.mitre.oval:def:9512 http://linux.bkbits.net:8080/linux-2.6/cset@41a6721cce-LoPqkzKXudYby_3TUmg http://linux.bkbits.net:8080/linux-2.4/cset@41c36fb6q1Z68WUzKQFjJR-40Ev3tw MDKSA-2005:022 The mysqlaccess script in MySQL 4.0.23 and earlier, 4.1.x before 4.1.10, 5.0.x before 5.0.3, and other versions including 3.x, allows local users to overwrite arbitrary files or read temporary files via a symlink attack on temporary files. 12277 DSA-647 13867 mysql-mysqlaccess-symlink(18922) http://mysql.osuosl.org/doc/mysql/en/News-4.1.10.html 20050118 [USN-63-1] MySQL client vulnerability http://lists.mysql.com/internals/20600 CLA-2005:947 MDKSA-2005:036 101864 Heap-based buffer overflow in psd.c for ImageMagick 6.1.0, 6.1.7, and possibly earlier versions allows remote attackers to execute arbitrary code via a .PSD image file with a large number of layers. RHSA-2005:071 DSA-646 20050117 Multiple Vendor ImageMagick .psd Image File Decode Heap Overflow Vulnerability GLSA-200501-37 oval:org.mitre.oval:def:9925 20050118 [USN-62-1] imagemagick vulnerability RHSA-2005:070 The COPS dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (infinite loop). http://www.ethereal.com/appnotes/enpa-sa-00017.html 13946 ethereal-cops-dos(18999) RHSA-2005:037 GLSA-200501-27 P-106 oval:org.mitre.oval:def:10801 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the DLSw dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash from assertion). ethereal-dlsw-dos(19000) 13946 RHSA-2005:037 GLSA-200501-27 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:11381 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the DNP dissector in Ethereal 0.10.5 through 0.10.8 allows remote attackers to cause "memory corruption." http://www.ethereal.com/appnotes/enpa-sa-00017.html ethereal-dnp-memory-corruption(19001) RHSA-2005:037 GLSA-200501-27 P-106 13946 oval:org.mitre.oval:def:10689 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the Gnutella dissector in Ethereal 0.10.6 through 0.10.8 allows remote attackers to cause a denial of service (application crash). GLSA-200501-27 13946 ethereal-gnutella-dos(19002) RHSA-2005:037 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:10623 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Unknown vulnerability in the MMSE dissector in Ethereal 0.10.4 through 0.10.8 allows remote attackers to cause a denial of service by triggering a free of statically allocated memory. ethereal-mmse-free-memory(19003) 13946 RHSA-2005:037 GLSA-200501-27 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:9521 12326 RHSA-2005:011 FLSA-2006:152922 MDKSA-2005:013 Multiple vulnerabilities in fliccd, when installed setuid root as part of the kdeedu Kstars support for Instrument Neutral Distributed Interface (INDI) in KDE 3.3 to 3.3.2, allow local users and remote attackers to execute arbitrary code via stack-based buffer overflows. http://www.kde.org/info/security/advisory-20050215-1.txt 14306 FEDORA-2005-148 GLSA-200502-23 Format string vulnerability in the a_Interface_msg function in Dillo before 0.8.3-r4 allows remote attackers to execute arbitrary code via format string specifiers in a web page. 12203 dillo-capi-format-string(18807) GLSA-200501-11 13760 13764 nwclient.c in ncpfs before 2.2.6 does not drop root privileges before executing utilities using the NetWare client functions, which allows local users to gain privileges. DSA-665 GLSA-200501-44 ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6 12400 FLSA:152904 RHSA-2005:371 13297 MDKSA-2005:028 1013019 Buffer overflow in ncplogin in ncpfs before 2.2.6 allows remote malicious NetWare servers to execute arbitrary code on the NetWare client. GLSA-200501-44 ftp://platan.vc.cvut.cz/pub/linux/ncpfs/Changes-2.2.6 12400 FLSA:152904 13298 MDKSA-2005:028 1013019 diatheke.pl in Sword 1.5.7a allows remote attackers to execute arbitrary commands via shell metacharacters in a URL. DSA-650 sword-diatheke-command-execution(18997) 1012955 13897 12320 13941 Buffer overflow in the exported_display function in xatitv in gatos before 0.0.5 allows local users to execute arbitrary code. DSA-640 13884 gatos-xatitv-bo(18930) The f2c translator in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files. DSA-661 GLSA-200501-43 12380 1013028 14067 14052 14041 The f2 shell script in the f2c package 3.1 allows local users to read arbitrary files via a symlink attack on temporary files. 12380 DSA-661 1013028 14052 14041 Unknown vulnerability in hztty 2.0 and earlier allows local users to execute arbitrary commands. 12518 DSA-675 hztty-command-execution(19297) 1013154 14236 Buffer overflow in playmidi before 2.4 allows local users to execute arbitrary code. DSA-641 playmidi-bo(18933) 12274 13049 MDKSA-2005:010 1012957 13898 13890 13828 Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function. VU#132992 RHSA-2005:025 20050114 Exim dns_buld_reverse() Buffer Overflow Vulnerability 20050107 Exim host_aton() Buffer Overflow Vulnerability [exim] 20050104 2 smallish security issues DSA-637 DSA-635 GLSA-200501-23 oval:org.mitre.oval:def:10347 http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44 Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication. RHSA-2005:025 [exim] 20050104 2 smallish security issues 20050107 Exim auth_spa_server() Buffer Overflow Vulnerability GLSA-200501-23 oval:org.mitre.oval:def:11293 20050212 exim auth_spa_server() PoC exploit http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44 12188 gnome-pty-helper in GNOME libzvt2 and libvte4 allows local users to spoof the logon hostname via a modified DISPLAY environment variable. NOTE: the severity of this issue has been disputed. libzvt-gnomeptyhelper-spoof(22496) ADV-2005-1931 15004 17023 20051007 gnome-pty-helper writes arbitrary utmp records http://bugzilla.gnome.org/show_bug.cgi?id=317312 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=330907 Buffer overflow in the code for recursion and glue fetching in BIND 8.4.4 and 8.4.5 allows remote attackers to cause a denial of service (crash) via queries that trigger the overflow in the q_usedns array that tracks nameservers and addresses. VU#327633 http://www.uniras.gov.uk/niscc/docs/al-20050125-00059.html http://www.isc.org/index.pl?/sw/bind/bind8.php http://www.isc.org/index.pl?/sw/bind/bind-security.php bind-qusedns-bo(19063) 12364 1012996 18291 14009 SCOSA-2006.1 An "incorrect assumption" in the authvalidated validator function in BIND 9.3.0, when DNSSEC is enabled, allows remote attackers to cause a denial of service (named server exit) via crafted DNS packets that cause an internal consistency test (self-check) to fail. VU#938617 bind-named-dns-dos(19062) http://www.uniras.gov.uk/niscc/docs/al-20050125-00060.html http://www.isc.org/index.pl?/sw/bind/bind-security.php 2005-0003 12365 http://www.isc.org/index.pl?/sw/bind/bind9.php 1012995 14008 The Acrobat web control in Adobe Acrobat and Acrobat Reader 7.0 and earlier, when used with Internet Explorer, allows remote attackers to determine the existence of arbitrary files via the LoadFile ActiveX method. ADV-2005-0310 http://www.niscc.gov.uk/niscc/docs/re-20050401-00264.pdf http://www.hyperdose.com/advisories/H2005-06.txt http://www.adobe.com/support/techdocs/331465.html 12989 15242 14813 The DNS implementation in DeleGate 8.10.2 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. http://www.niscc.gov.uk/niscc/docs/re-20050524-00432.pdf?lang=en http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html 13729 25291 The DNS implementation of DNRD before 2.10 allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. This vulnerability is addressed in the following product release: dnrd, dnrd, 2.10 http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html 13729 25291 http://www.niscc.gov.uk/niscc/docs/re-20050524-00432.pdf?lang=en The DNS implementation of PowerDNS 2.9.16 and earlier allows remote attackers to cause a denial of service via a compressed DNS packet with a label length byte with an incorrect offset, which could trigger an infinite loop. http://www.niscc.gov.uk/niscc/docs/al-20050524-00433.html 13729 25291 http://www.niscc.gov.uk/niscc/docs/re-20050524-00432.pdf?lang=en Certain configurations of IPsec, when using Encapsulating Security Payload (ESP) in tunnel mode, integrity protection at a higher layer, or Authentication Header (AH), allow remote attackers to decrypt IPSec communications by modifying the outer packet in ways that cause plaintext data from the inner packet to be returned in ICMP messages, as demonstrated using bit-flipping attacks and (1) Destination Address Rewriting, (2) a modified header length that causes portions of the packet to be interpreted as IP Options, or (3) a modified protocol field and source address. VU#302220 ADV-2005-2806 ADV-2005-0507 SSRT5957 http://www.niscc.gov.uk/niscc/docs/al-20050509-00386.html?lang=en 13562 HPSBTU01217 1015320 17938 20050509 NISCC Vulnerability Advisory IPSEC - 004033 Multiple cross-site scripting (XSS) vulnerabilities in DotNetNuke before 3.0.12 allow remote attackers to inject arbitrary web script or HTML via the (1) register a new user page, (2) User-Agent, or (3) Username, which is not properly quoted before sending to the error log. http://www.woany.co.uk/advisories/dotnetnukexss.txt 15397 20050516 DotNetNuke (Multiple XSS) 13647 13646 13644 Buffer overflow in Apple iTunes 4.7 allows remote attackers to execute arbitrary code via a long URL in (1) .m3u or (2) .pls playlist files. VU#377368 20050113 Apple iTunes Playlist Parsing Buffer Overflow Vulnerability APPLE-SA-2005-01-11 itunes-m3u-pls-bo(18851) 12238 12833 1012839 13804 The OLE component in Windows 98, 2000, XP, and Server 2003, and Exchange Server 5.0 through 2003, does not properly validate the lengths of messages for certain OLE data, which allows remote attackers to execute arbitrary code, aka the "Input Validation Vulnerability." VU#927889 TA05-039A MS05-012 win-ole-code-execution(19109) oval:org.mitre.oval:def:4499 oval:org.mitre.oval:def:3568 oval:org.mitre.oval:def:2917 oval:org.mitre.oval:def:1180 The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the "Server Message Block Vulnerability," and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields. TA05-039A VU#652537 win-smb-code-execution(19089) MS05-011 20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability 20050309 Update: MS05-011 EEYE: Windows SMB Client Transaction Response Handling Vulnerability 20050209 EEYE: Windows SMB Client Transaction Response Handling Vulnerability 12484 oval:org.mitre.oval:def:4043 oval:org.mitre.oval:def:1889 oval:org.mitre.oval:def:1847 oval:org.mitre.oval:def:1606 Windows 2000, XP, and Server 2003 does not properly "validate the use of memory regions" for COM structured storage files, which allows attackers to execute arbitrary code, aka the "COM Structured Storage Vulnerability." TA05-039A VU#597889 MS05-012 win-com-gain-privileges(19105) http://www.argeniss.com/research/SSExploit.c 20050530 [Argeniss] MS05-012 Exploit oval:org.mitre.oval:def:901 oval:org.mitre.oval:def:2892 oval:org.mitre.oval:def:2351 oval:org.mitre.oval:def:1159 Microsoft Windows XP SP2 and earlier, 2000 SP3 and SP4, Server 2003, and older operating systems allows remote attackers to cause a denial of service and possibly execute arbitrary code via crafted IP packets with malformed options, aka the "IP Validation Vulnerability." TA05-102A VU#233754 MS05-019 20050412 Windows IP Options Remote Compromise oval:org.mitre.oval:def:4549 oval:org.mitre.oval:def:3824 oval:org.mitre.oval:def:1744 Windows SharePoint Services and SharePoint Team Services for Windows Server 2003 does not properly validate an HTTP redirection query, which allows remote attackers to inject arbitrary HTML and web script via a cross-site scripting (XSS) attack, or to spoof the web cache. TA05-039A VU#340409 MS05-006 win-sharepoint-services-xss(19091) The License Logging service for Windows NT Server, Windows 2000 Server, and Windows Server 2003 does not properly validate the length of messages, which leads to an "unchecked buffer" and allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code, aka the "License Logging Service Vulnerability." TA05-039A VU#130433 MS05-010 win-license-code-execution(19101) oval:org.mitre.oval:def:644 oval:org.mitre.oval:def:4786 oval:org.mitre.oval:def:3582 oval:org.mitre.oval:def:2568 The Server service (srvsvc.dll) in Windows XP SP1 and SP2 allows remote attackers to obtain sensitive information (users who are accessing resources) via an anonymous logon using a named pipe, which is not properly authenticated, aka the "Named Pipe Vulnerability." TA05-039A VU#939074 MS05-007 win-named-pipe-information-disclosure(19093) 12486 1013112 14189 oval:org.mitre.oval:def:3055 oval:org.mitre.oval:def:2292 Internet Explorer 5.01, 5.5, and 6 allows remote attackers to execute arbitrary code via drag and drop events, aka the "Drag-and-Drop Vulnerability." TA05-039A VU#698835 ie-dragdrop-gain-privileges(19117) 11466 MS05-014 MS05-008 oval:org.mitre.oval:def:4864 oval:org.mitre.oval:def:4726 oval:org.mitre.oval:def:3006 oval:org.mitre.oval:def:2953 oval:org.mitre.oval:def:2046 oval:org.mitre.oval:def:1334 oval:org.mitre.oval:def:1015 Internet Explorer 5.01, 5.5, and 6 allows remote attackers to spoof a less restrictive security zone and execute arbitrary code via an HTML page containing URLs that contain hostnames that have been double hex encoded, which are decoded twice to generate a malicious hostname, aka the "URL Decoding Zone Spoofing Vulnerability." TA05-039A VU#580299 MS05-014 20050209 Internet Explorer zone spoofing with encoded URLs ie-file-url-encode(19214) oval:org.mitre.oval:def:3586 oval:org.mitre.oval:def:3196 oval:org.mitre.oval:def:3060 oval:org.mitre.oval:def:1736 oval:org.mitre.oval:def:1308 Internet Explorer 5.01, 5.5, and 6 does not properly validate buffers when handling certain DHTML methods including the createControlRange Javascript function, which allows remote attackers to execute arbitrary code, aka the "DHTML Method Heap Memory Corruption Vulnerability." TA05-039A VU#843771 MS05-014 ie-cdf-execute-code(19137) 1013125 oval:org.mitre.oval:def:710 oval:org.mitre.oval:def:3910 oval:org.mitre.oval:def:3137 oval:org.mitre.oval:def:2692 oval:org.mitre.oval:def:1005 Internet Explorer 5.01, 5.5, and 6 does not properly validate certain URLs in Channel Definition Format (CDF) files, which allows remote attackers to obtain sensitive information or execute arbitrary code, aka the "Channel Definition Format (CDF) Cross Domain Vulnerability." TA05-039A VU#823971 12427 MS05-014 ie-cdf-execute-code(19137) 1013126 oval:org.mitre.oval:def:4947 oval:org.mitre.oval:def:4085 oval:org.mitre.oval:def:3318 oval:org.mitre.oval:def:2817 oval:org.mitre.oval:def:2385 The Hyperlink Object Library for Windows 98, 2000, XP, and Server 2003 allows remote attackers to execute arbitrary code via a crafted link that triggers an "unchecked buffer" in the library, possibly due to a buffer overflow. TA05-039A VU#820427 MS05-015 win-hyperlink-code-execution(19110) 12479 1013119 14195 oval:org.mitre.oval:def:713 oval:org.mitre.oval:def:3203 oval:org.mitre.oval:def:2570 Buffer overflow in the Telephony Application Programming Interface (TAPI) for Microsoft Windows 98, Windows 98 SE, Windows ME, Windows 2000, Windows XP, and Windows Server 2003 allows attackers elevate privileges or execute arbitrary code via a crafted message. MS05-040 16354 14518 1014639 oval:org.mitre.oval:def:1297 oval:org.mitre.oval:def:1213 oval:org.mitre.oval:def:1075 oval:org.mitre.oval:def:100088 oval:org.mitre.oval:def:100086 oval:org.mitre.oval:def:100085 oval:org.mitre.oval:def:100084 Buffer overflow in the Message Queuing component of Microsoft Windows 2000 and Windows XP SP1 allows remote attackers to execute arbitrary code via a crafted message. MS05-017 oval:org.mitre.oval:def:4988 oval:org.mitre.oval:def:4384 Buffer overflow in the font processing component of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via a specially-designed application. MS05-018 http://www.ngssoftware.com/advisories/ms-01.txt 20050413 Windows kernel overflow fixed oval:org.mitre.oval:def:4797 oval:org.mitre.oval:def:3941 oval:org.mitre.oval:def:2731 oval:org.mitre.oval:def:2562 The kernel of Microsoft Windows 2000, Windows XP SP1 and SP2, and Windows Server 2003 allows local users to gain privileges via certain access requests. MS05-018 oval:org.mitre.oval:def:4593 oval:org.mitre.oval:def:3994 oval:org.mitre.oval:def:1761 oval:org.mitre.oval:def:1656 The document processing application used by the Windows Shell in Microsoft Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by modifying the CLSID stored in a file so that it is processed by HTML Application Host (MSHTA), as demonstrated using a Microsoft Word document. MS05-016 20050412 Microsoft MSHTA Script Execution Vulnerability ADV-2005-0335 http://www.securiteam.com/exploits/5YP0T0AFFW.html 13132 20050529 Spam exploiting MS05-016 oval:org.mitre.oval:def:587 oval:org.mitre.oval:def:573 oval:org.mitre.oval:def:4710 oval:org.mitre.oval:def:407 oval:org.mitre.oval:def:3456 oval:org.mitre.oval:def:2184 Buffer overflow in the Decrypt::makeFileKey2 function in Decrypt.cc for xpdf 3.00 and earlier allows remote attackers to execute arbitrary code via a PDF file with a large /Encrypt /Length keyLength value. FLSA:2353 FLSA:2352 2005-0003 RHSA-2005:066 RHSA-2005:059 RHSA-2005:057 RHSA-2005:053 RHSA-2005:034 20050118 Multiple Unix/Linux Vendor Xpdf makeFileKey2 Stack Overflow GLSA-200502-10 DSA-648 DSA-645 20050119 [USN-64-1] xpdf, CUPS vulnerabilities CLA-2005:921 ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl3.patch RHSA-2005:026 17277 oval:org.mitre.oval:def:11781 SCOSA-2005.42 MDKSA-2005:021 MDKSA-2005:020 MDKSA-2005:019 MDKSA-2005:018 MDKSA-2005:017 MDKSA-2005:016 The original design of TCP does not check that the TCP sequence number in an ICMP error message is within the range of sequence numbers for data that has been sent but not acknowledged (aka "TCP sequence number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of TCP does not check that the TCP Acknowledgement number in an ICMP error message generated by an intermediate router is within the range of possible values for data that has already been acknowledged (aka "TCP acknowledgement number checking"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of TCP does not require that port numbers be assigned randomly (aka "Port randomization"), which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The original design of ICMP does not require authentication for host-generated ICMP error messages, which makes it easier for attackers to forge ICMP error messages for specific TCP connections and cause a denial of service, as demonstrated using (1) blind connection-reset attacks with forged "Destination Unreachable" messages, (2) blind throughput-reduction attacks with forged "Source Quench" messages, or (3) blind throughput-reduction attacks with forged ICMP messages that cause the Path MTU to be reduced. NOTE: CVE-2004-0790, CVE-2004-0791, and CVE-2004-1060 have been SPLIT based on different attacks; CVE-2005-0065, CVE-2005-0066, CVE-2005-0067, and CVE-2005-0068 are related identifiers that are SPLIT based on the underlying vulnerability. While CVE normally SPLITs based on vulnerability, the attack-based identifiers exist due to the variety and number of affected implementations and solutions that address the attacks instead of the underlying vulnerabilities. http://www.gont.com.ar/drafts/icmp-attacks-against-tcp.html 13124 The (1) tcltags or (2) vimspell.sh scripts in vim 6.3 allow local users to overwrite or create arbitrary files via a symlink attack on temporary files. vim-symlink(18870) RHSA-2005:122 RHSA-2005:036 13841 20050118 [USN-61-1] vim vulnerabilities FLSA:2343 oval:org.mitre.oval:def:9402 1012938 Synaesthesia 2.1 and earlier, and possibly other versions, when installed setuid root, does not drop privileges before processing configuration and mixer files, which allows local users to read arbitrary files. DSA-681 12546 1013206 14300 vdr before 1.2.6 does not securely create files, which allows attackers to overwrite arbitrary files. vdr-dvdapi-file-overwrite(19066) GLSA-200501-42 DSA-656 12356 14066 13995 13930 zhcon before 0.2 does not drop privileges before reading a user configuration file, which allows local users to read arbitrary files. DSA-655 zhcon-information-disclosure(19045) 12343 MDKSA-2005:012 1012977 13987 13982 13977 Buffer overflow in queue.c in a support script for sympa 3.3.3, when running setuid, allows local users to execute arbitrary code. DSA-677 1013163 14224 14217 Buffer overflow in pcdsvgaview in xpcd 2.08 allows local users to execute arbitrary code. DSA-676 12523 1013162 14250 14248 prefs.php in SquirrelMail before 1.4.4, with register_globals enabled, allows remote attackers to inject local code into the SquirrelMail code via custom preference handlers. http://www.squirrelmail.org/security/issue/2005-01-14 RHSA-2005:135 RHSA-2005:099 13962 APPLE-SA-2005-03-21 oval:org.mitre.oval:def:9587 20050129 SquirrelMail Security Advisory GLSA-200501-39 Multiple buffer overflows in the XView library 3.2 may allow local users to execute arbitrary code via setuid applications that use the library. xview-xvparseone-bo(19271) DSA-672 The DBI library (libdbi-perl) for Perl allows local users to overwrite arbitrary files via a symlink attack on a temporary PID file. dbi-library-file-overwrite(19068) RHSA-2005:072 GLSA-200501-38 DSA-658 20050125 [USN-70-1] Perl DBI module vulnerability oval:org.mitre.oval:def:10552 12360 FLSA-2006:178989 MDKSA-2005:030 1013007 14050 14015 The KDE screen saver in KDE before 3.0.5 does not properly check the return value from a certain function call, which allows attackers with physical access to cause a crash and access the desktop session. kdebase-screensaver-security-bypass(19084) RHSA-2005:009 DSA-660 oval:org.mitre.oval:def:9260 Buffer overflow in xtrlock 2.0 allows local users to cause a denial of service (application crash) and hijack the desktop session. DSA-649 xtrlock-screen-lock-bypass(18991) 12316 13938 The 55_options_traceback.dpatch patch for mailman 2.1.5 in Ubuntu 4.10 displays a different error message depending on whether the e-mail address is subscribed to a private list, which allows remote attackers to determine the list membership for a given e-mail address. 20050110 [USN-59-1] mailman vulnerabilities http://qa.debian.org/bts-security.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=285839 MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via an HTTP request with invalid headers. 20050119 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities The sapdbwa_GetUserData function in MySQL MaxDB 7.5.0.0, and other versions before 7.5.0.21, allows remote attackers to cause a denial of service (crash) via invalid parameters to the WebDAV handler code, which triggers a null dereference that causes the SAP DB Web Agent to crash. 20050119 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities MySQL MaxDB 7.5.00 for Windows, and possibly earlier versions and other platforms, allows remote attackers to cause a denial of service (application crash) via invalid parameters to the (1) DBMCli_String::ReallocString, (2) DBMCli_String::operator, (3) DBMCli_Buffer::ForceResize, (4) DBMCli_Wizard::InstallDatabase, (5) DBMCli_Devspaces::Complete, (6) DBMWeb_TemplateWizard::askForWriteCountStep5, or (7) DBMWeb_DBMWeb::wizardDB functions, which triggers a null dereference. maxdb-null-pointer-dos(19687) 20050314 MySQL MaxDB Web Agent Multiple Denial of Service Vulnerabilities Buffer overflow in the X11 dissector in Ethereal 0.8.10 through 0.10.8 allows remote attackers to execute arbitrary code via a crafted packet. GLSA-200501-27 DSA-653 13946 ethereal-x11-bo(19004) RHSA-2005:037 http://www.ethereal.com/appnotes/enpa-sa-00017.html P-106 oval:org.mitre.oval:def:9140 12326 FLSA-2006:152922 MDKSA-2005:013 Cross-site scripting (XSS) vulnerability in ht://dig (htdig) before 3.1.6-r7 allows remote attackers to execute arbitrary web script or HTML via the config parameter, which is not properly sanitized before it is displayed in an error message. 12442 DSA-680 htdig-config-xss(19223) RHSA-2005:073 GLSA-200502-16 1013078 oval:org.mitre.oval:def:10878 RHSA-2005:090 FLSA-2006:152907 MDKSA-2005:063 17415 17414 15007 14795 14303 14276 14255 SCOSA-2005.46 Heap-based buffer overflow in less in Red Hat Enterprise Linux 3 allows attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted file, as demonstrated using the UTF-8 locale. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=145527 FLSA:2404 less-file-bo(19131) RHSA-2005:068 oval:org.mitre.oval:def:11027 The alsa-lib package in Red Hat Linux 4 disables stack protection for the libasound.so library, which makes it easier for attackers to execute arbitrary code if there are other vulnerabilities in the library. RHSA-2005:033 oval:org.mitre.oval:def:10355 The publisher handler for mod_python 2.7.8 and earlier allows remote attackers to obtain access to restricted objects via a crafted URL. VU#356409 DSA-689 GLSA-200502-14 2005-0003 12519 FLSA:152896 RHSA-2005:104 RHSA-2005:100 1013156 oval:org.mitre.oval:def:10617 20050211 [USN-80-1] mod_python vulnerability CLA-2005:926 The SimpleXMLRPCServer library module in Python 2.2, 2.3 before 2.3.5, and 2.4, when used by XML-RPC servers that use the register_instance method to register an object without a _dispatch method, allows remote attackers to read or modify globals of the associated module, and possibly execute arbitrary code, via dotted attributes. http://www.python.org/security/PSF-2005-001/ DSA-666 http://python.org/security/PSF-2005-001/patch-2.2.txt 20050203 Python Security Advisory PSF-2005-001 - SimpleXMLRPCServer.py python-simplexmlrpcserver-bypass(19217) 2005-0003 RHSA-2005:108 oval:org.mitre.oval:def:9811 12437 MDKSA-2005:035 1013083 14128 A regression error in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch omits an "access check," which allows local users to cause a denial of service (crash). red-hat-regression-dos(20618) 12599 RHSA-2005:092 oval:org.mitre.oval:def:10425 Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when using the hugemem kernel, allows local users to read and write to arbitrary kernel memory and gain privileges via certain syscalls. red-hat-patch-gain-privileges(20619) 12599 RHSA-2005:092 oval:org.mitre.oval:def:11249 Unknown vulnerability in the Red Hat Enterprise Linux 4 kernel 4GB/4GB split patch, when running on x86 with the hugemem kernel, allows local users to cause a denial of service (crash). 12599 RHSA-2005:092 red-hat-patch-dos(20620) oval:org.mitre.oval:def:11647 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none. Buffer overflow in the gopherToHTML function in the Gopher reply parser for Squid 2.5.STABLE7 and earlier allows remote malicious Gopher servers to cause a denial of service (crash) via crafted responses. RHSA-2005:061 RHSA-2005:060 DSA-651 GLSA-200501-25 13825 2005-0003 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-gopher_html_parsing.patch http://www.squid-cache.org/Advisories/SQUID-2005_1.txt SUSE-SA:2005:006 oval:org.mitre.oval:def:11146 CLA-2005:923 12276 MDKSA-2005:014 FLSA-2006:152809 The WCCP message parsing code in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via malformed WCCP messages with source addresses that are spoofed to reference Squid's home router and invalid WCCP_I_SEE_YOU cache numbers. 2005-0003 http://www.squid-cache.org/Advisories/SQUID-2005_2.txt RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-651 GLSA-200501-25 13825 CLA-2005:923 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_denial_of_service.patch oval:org.mitre.oval:def:10269 12275 12886 MDKSA-2005:014 1012882 FLSA-2006:152809 Memory leak in the NTLM fakeauth_auth helper for Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (memory consumption). http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth RHSA-2005:061 RHSA-2005:060 GLSA-200501-25 CLA-2005:923 2005-0003 SUSE-SA:2005:006 oval:org.mitre.oval:def:10233 12324 1012818 FLSA-2006:152809 The NTLM component in Squid 2.5.STABLE7 and earlier allows remote attackers to cause a denial of service (crash) via a malformed NTLM type 3 message that triggers a NULL dereference. 2005-0003 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-fakeauth_auth RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 GLSA-200501-25 13789 oval:org.mitre.oval:def:11646 12220 1012818 FLSA-2006:152809 Multiple buffer overflows in the SDL port of abuse (abuse-SDL) before 2.00 allow local users to execute arbitrary code via the command line. DSA-691 14495 The SDL port of abuse (abuse-SDL) before 2.00 does not properly drop privileges before creating certain files, which allows local users to create or overwrite arbitrary files. DSA-691 14495 14610 Format string vulnerability in the movemail utility in (1) Emacs 20.x, 21.3, and possibly other versions, and (2) XEmacs 21.4 and earlier, allows remote malicious POP3 servers to execute arbitrary code via crafted packets. xemacs-movemail-format-string(19246) RHSA-2005:133 RHSA-2005:112 RHSA-2005:110 DSA-685 DSA-671 DSA-670 oval:org.mitre.oval:def:9408 20050207 [USN-76-1] Emacs vulnerability 12462 FLSA-2006:152898 MDKSA-2005:038 Buffer overflow in the socket_getline function in Newspost 2.1.1 and earlier allows remote malicious NNTP servers to execute arbitrary code via a long string without a newline character. GLSA-200502-05 newspost-socketgetline-bo(19178) http://www.vuxml.org/freebsd/7f13607b-6948-11d9-8937-00065be4b5b6.html 14092 http://people.freebsd.org/~niels/issues/newspost-20050114.txt 20050202 RE: SECURITEY.NNOV.RU NewsPost buffer overflow [EXPLOIT] 12418 1013056 14098 Integer overflow in camel-lock-helper in Evolution 2.0.2 and earlier allows local users or remote malicious POP3 servers to execute arbitrary code via a length value of -1, which leads to a zero byte memory allocation and a buffer overflow. evolution-camellockhelper-bo(19031) 12354 RHSA-2005:397 DSA-673 GLSA-200501-35 CLA-2005:925 RHSA-2005:238 oval:org.mitre.oval:def:9616 USN-69-1 MDKSA-2005:024 1012981 13830 PHP remote file inclusion vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to execute arbitrary PHP code by modifying a URL parameter to reference a URL on a remote web server that contains the code. http://www.squirrelmail.org/security/issue/2005-01-19?PHPSESSID=8af117822fb1ca3aa966a64248b5d223 RHSA-2005:135 RHSA-2005:099 13962 APPLE-SA-2005-03-21 squirrelmail-frame-file-include(19037) GLSA-200501-39 oval:org.mitre.oval:def:10670 20050129 SquirrelMail Security Advisory Cross-site scripting (XSS) vulnerability in webmail.php in SquirrelMail before 1.4.4 allows remote attackers to inject arbitrary web script or HTML via certain integer variables. http://www.squirrelmail.org/security/issue/2005-01-20 RHSA-2005:135 RHSA-2005:099 DSA-662 14096 13962 20050129 SquirrelMail Security Advisory APPLE-SA-2005-03-21 oval:org.mitre.oval:def:10568 squirrelmail-webmailphp-xss(19036) GLSA-200501-39 Unknown vulnerability in typespeed 0.4.1 and earlier allows local users to gain privileges. DSA-684 SSLeay.pm in libnet-ssleay-perl before 1.25 uses the /tmp/entropy file for entropy if a source is not set in the EGD_PATH variable, which allows local users to reduce the cryptographic strength of certain operations by modifying the file. USN-113-1 13471 MDKSA-2006:023 18639 bsmtpd 2.3 and earlier does not properly sanitize e-mail addresses, which allows remote attackers to execute arbitrary commands. DSA-690 Apache mod_auth_radius 1.5.4 and libpam-radius-auth allow remote malicious RADIUS servers to cause a denial of service (crash) via a RADIUS_REPLY_MESSAGE with a RADIUS attribute length of 1, which leads to a memcpy operation with a -1 length argument. modauthradius-dos(18841) DSA-659 http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-02 20050111 Apache mod_auth_radius remote integer overflow 12217 1012829 14046 13773 Hyper-Threading technology, as used in FreeBSD and other operating systems that are run on Intel Pentium and other processors, allows local users to use a malicious thread to create covert channels, monitor the execution of other threads, and obtain sensitive information such as cryptographic keys, via a timing attack on memory cache misses. VU#911878 12724 1013967 ADV-2005-3002 ADV-2005-0540 RHSA-2005:800 RHSA-2005:476 http://www.daemonology.net/papers/htt.pdf http://www.daemonology.net/hyperthreading-considered-harmful/ http://www-1.ibm.com/support/docview.wss?uid=isg1SSRVHMCHMC_C081516_754 101739 18165 15348 oval:org.mitre.oval:def:9747 [openbsd-misc] 20050304 Re: FreeBSD hiding security stuff [freebsd-security] 20050304 [Fwd: Re: FW:FreeBSD hiding security stuff] [freebsd-hackers] 20050304 Re: FW:FreeBSD hiding security stuff SCOSA-2005.24 Internet Explorer 6 on Windows XP SP2 allows remote attackers to bypass the file download warning dialog and possibly trick an unknowledgeable user into executing arbitrary code via a web page with a body element containing an onclick tag, as demonstrated using the createElement function. 20050114 Internet Explorer (SP2) - Remote File Download Stack-based buffer overflow in the websql CGI program in MySQL MaxDB 7.5.00 allows remote attackers to execute arbitrary code via a long password parameter. 20050113 MySQL MaxDB WebAgent websql logon Buffer Overflow Vulnerability 12265 1012893 The web-based administrative interface for 3Com OfficeConnect Wireless 11g Access Point (AP) 1.00.08, and possibly earlier versions before 1.03.07A, allows remote attackers to bypass authentication and obtain sensitive information by directly accessing the (1) config.bin (2) profile.wlp?PN=ggg or (3) event.logs URLs. 3com-officeconnect-information-disclosure(18994) 12322 20050120 3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability 1012958 13942 inpview in SGI IRIX allows local users to execute arbitrary commands via the SUN_TTSESSION_CMD environment variable, which is executed by inpview without dropping privileges. irix-inpview-gain-privileges(18894) 20050113 SGI IRIX inpview Design Error Vulnerability 13858 12259 12915 1012894 vsdatant.sys in Zone Lab ZoneAlarm before 5.5.062.011, ZoneAlarm Wireless before 5.5.080.000, Check Point Integrity Client 4.x before 4.5.122.000 and 5.x before 5.1.556.166 do not properly verify that the ServerPortName argument to the NtConnectPort function is a valid memory address, which allows local users to cause a denial of service (system crash) when ZoneAlarm attempts to dereference an invalid pointer. 20050211 ZoneAlarm 5.1 Invalid Pointer Dereference Vulnerability http://download.zonelabs.com/bin/free/securityAlert/19.html 12531 14256 Stack-based buffer overflow in DataRescue Interactive Disassembler (IDA) Pro 4.7 allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name. database-ida-portable-executable-bo(19042) http://www.datarescue.com/ubb/ultimatebb.php?/topic/2/146.html 20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability 12353 1012975 13980 AWStats 6.1, and other versions before 6.3, allows remote attackers to execute arbitrary commands via shell metacharacters in the configdir parameter to aswtats.pl. VU#272296 20050117 AWStats Remote Command Execution Vulnerability 13893 http://awstats.sourceforge.net/docs/awstats_changelog.txt 12298 13002 http://packetstormsecurity.org/0501-exploits/AWStatsVulnAnalysis.pdf Buffer overflow in XShisen before 1.36 allows local users to execute arbitrary code via a long GECOS field. http://www.vuxml.org/freebsd/56971fa6-641c-11d9-a097-000854d03344.html http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289784 helvis 1.8h2_1 and earlier stores recovery files in world readable directories with world readable permissions, which allows local users to read the recovered files of other users. http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.html helvis 1.8h2_1 and earlier allows local users to recover and read the files of other users via the elvrec setuid program. http://www.vuxml.org/freebsd/bb99f803-5fde-11d9-b721-00065be4b5b6.html helvis 1.8h2_1 and earlier allows local users to delete arbitrary files via the elvprsv setuid program. http://people.freebsd.org/~niels/ports/korean/helvis/issues.txt Multiple buffer overflows in golddig 2.0 and earlier allow local users to execute arbitrary code via (1) a long map name command line argument or (2) a long username as recorded in the USER environment variable. http://www.vuxml.org/freebsd/949c470e-528f-11d9-ac20-00065be4b5b6.html golddig-long-username-bo(19040) golddig-long-mapname-bo(19039) ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0975. Reason: This candidate is a duplicate of CVE-2005-0975. Notes: All CVE users should reference CVE-2005-0975 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. The coda_pioctl function in the coda functionality (pioctl.c) for Linux kernel 2.6.9 and 2.4.x before 2.4.29 may allow local users to cause a denial of service (crash) or execute arbitrary code via negative vi.in_size or vi.out_size values, which may trigger a buffer overflow. ADV-2005-1878 [linux-kernel] 20050107 [PATCH 2.6.10-mm2] fs/coda Re: [Coverity] Untrusted user data in kernel [linux-kernel] 20050107 [PATCH 2.4.29-pre3-bk4] fs/coda Re: [Coverity] Untrusted user data in kernel [linux-kernel] 20050105 Re: [Coverity] Untrusted user data in kernel [linux-kernel] 20041216 [Coverity] Untrusted user data in kernel oval:org.mitre.oval:def:11690 14967 FLSA:157459-1 RHSA-2006:0191 RHSA-2005:663 DSA-1082 DSA-1070 DSA-1069 DSA-1067 DSA-1017 1013018 20338 20202 20163 19374 18684 17002 The "at" commands on Mac OS X 10.3.7 and earlier do not properly drop privileges, which allows local users to (1) delete arbitrary files via atrm, (2) execute arbitrary programs via the -f argument to batch, or (3) read arbitrary files via the -f argument to batch, which generates a job file that is readable by the local user. VU#678150 APPLE-SA-2005-01-25 macos-at-gain-privileges(18981) http://www.digitalmunition.com/DMA[2005-0127a].txt 20050127 DMA[2005-0127a] - 'Apple OSX batch family poor use of setuid' ColorSync on Mac OS X 10.3.7 and 10.3.8 allows attackers to execute arbitrary code via malformed ICC color profiles that modify the heap. VU#980078 macos-icc-profile-bo(19083) APPLE-SA-2005-01-25 12367 1013000 Mail in Mac OS X 10.3.7, when generating a Message-ID header, generates a GUUID that includes information that identifies the Ethernet hardware being used, which allows remote attackers to link mail messages to a particular machine. VU#464662 macos-ethernet-address-disclosure(19085) 14005 APPLE-SA-2005-01-25 1013001 The Quick Buttons feature in Konversation 0.15 allows remote attackers to execute certain IRC commands via a channel name containing "%" variables, which are recursively expanded by the Server::parseWildcards function when the Part Button is selected. 20050119 Multiple vulnerabilities in Konversation konversation-expansion-execute-code(19025) 20050119 Multiple vulnerabilities in Konversation 12312 http://www.kde.org/info/security/advisory-20050121-1.txt GLSA-200501-34 1012972 13989 13919 Certain Perl scripts in Konversation 0.15 allow remote attackers to execute arbitrary commands via shell metacharacters in (1) channel names or (2) song names that are not properly quoted when the user runs IRC sripts. 20050119 Multiple vulnerabilities in Konversation konversation-perlscript-execute-code(19008) 20050119 Multiple vulnerabilities in Konversation 12312 http://www.kde.org/info/security/advisory-20050121-1.txt GLSA-200501-34 1012972 13989 13919 The Quick Connection dialog in Konversation 0.15 inadvertently uses the user-provided password as the nickname instead of the user-provided nickname when connecting to the IRC server, which could leak the password to other users. 20050119 Multiple vulnerabilities in Konversation konversation-nick-password-information-disclosure(19038) 20050119 Multiple vulnerabilities in Konversation 12312 http://www.kde.org/info/security/advisory-20050121-1.txt GLSA-200501-34 1012972 13989 13919 ClamAV 0.80 and earlier allows remote attackers to cause a denial of service (clamd daemon crash) via a ZIP file with malformed headers. 2005-0003 GLSA-200501-46 http://sourceforge.net/project/shownotes.php?release_id=300116 CLA-2005:928 MDKSA-2005:025 The X server in SCO UnixWare 7.1.1, 7.1.3, and 7.1.4 does not properly create socket directories in /tmp, which could allow attackers to hijack local sockets. SCOSA-2005.8 ADV-2005-0077 The unw_unwind_to_user function in unwind.c on Itanium (ia64) architectures in Linux kernel 2.6 allows local users to cause a denial of service (system crash). https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148868 RHSA-2005:366 RHSA-2005:284 15019 oval:org.mitre.oval:def:9040 http://linux.bkbits.net:8080/linux-2.6/cset@41f2beablXVnAs_6fznhhITh1j5hZg 13266 RHSA-2005:293 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 The Linux kernel before 2.6.11 on the Itanium IA64 platform has certain "ptrace corner cases" that allow local users to cause a denial of service (crash) via crafted syscalls, possibly related to MCA/INIT, a different vulnerability than CVE-2005-1761. https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=155283 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=148862 RHSA-2005:663 RHSA-2005:420 http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11 [linux-ia64] 20040916 Re: [Patch] Per CPU MCA/INIT data save areas 17002 http://openvz.org/news/updates/kernel-022stab045.1-released ADV-2005-1878 oval:org.mitre.oval:def:11628 [kernel-svn-changes] 20050816 r3920 - in branches/dist/sarge-security: . kernel kernel/i386 kernel/source kernel/source/kernel-source-2.6.8-2.6.8/debian Linux kernel 2.6 on Itanium (ia64) architectures allows local users to cause a denial of service via a "missing Itanium syscall table entry." RHSA-2005:293 RHSA-2005:284 oval:org.mitre.oval:def:11039 rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not correctly allow access to anonymous clients that connect from a system whose hostname can not be determined. NOTE: while this issue occurs in a security mechanism, there is no apparent attacker role and probably does not satisfy the CVE definition of a vulnerability. P-214 ADV-2005-0702 15619 Unknown vulnerability in rpc.mountd in SGI IRIX 6.5.25, 6.5.26, and 6.5.27 does not sufficiently restrict access rights for read-mostly exports, which allows attackers to conduct unauthorized activities. P-214 ADV-2005-0702 15619 Buffer overflow in PeID allows attackers to execute arbitrary code via a PE file with an Import Address Table containing a long import library name. database-ida-portable-executable-bo(19042) 20050124 DataRescue Interactive Disassembler Pro Buffer Overflow Vulnerability 12355 13984 Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to load local files via links "with a custom getter and toString method" that are middle-clicked by the user to be opened in a new tab. mozilla-firefox-file-upload(19168) RHSA-2005:335 RHSA-2005:323 https://bugzilla.mozilla.org/show_bug.cgi?id=249332 http://www.mozilla.org/security/announce/mfsa2005-01.html oval:org.mitre.oval:def:10756 12407 oval:org.mitre.oval:def:100057 Firefox 0.9, Thunderbird 0.6 and other versions before 0.9, and Mozilla 1.7 before 1.7.5 save temporary files with world-readable permissions, which allows local users to read certain web content or attachments that belong to other users, e.g. content that is managed by helper applications such as PDF. mozilla-world-readable(17832) RHSA-2005:335 https://bugzilla.mozilla.org/show_bug.cgi?id=251297 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-02.html oval:org.mitre.oval:def:9543 RHSA-2005:384 SUSE-SA:2006:022 19823 oval:org.mitre.oval:def:100056 Firefox before 1.0 and Mozilla before 1.7.5 display the SSL lock icon when an insecure page loads a binary file from a trusted site, which could facilitate phishing attacks. https://bugzilla.mozilla.org/show_bug.cgi?id=257308 mozilla-ssl-spoofing(19166) RHSA-2005:335 http://www.mozilla.org/security/announce/mfsa2005-03.html oval:org.mitre.oval:def:11297 12407 RHSA-2005:384 oval:org.mitre.oval:def:100055 Firefox before 1.0 and Mozilla before 1.7.5 display the secure site lock icon when a view-source: URL references a secure SSL site while an insecure page is being loaded, which could facilitate phishing attacks. mozilla-ssl-view-source-spoofing(19169) RHSA-2005:335 RHSA-2005:323 https://bugzilla.mozilla.org/show_bug.cgi?id=262689 http://www.mozilla.org/security/announce/mfsa2005-04.html oval:org.mitre.oval:def:11016 12407 oval:org.mitre.oval:def:100054 Firefox before 1.0 does not properly distinguish between user-generated and synthetic click events, which allows remote attackers to use Javascript to bypass the file download prompt when the user uses the Alt-click feature. https://bugzilla.mozilla.org/show_bug.cgi?id=265176 mozilla-script-click-event-bypass(19170) http://www.mozilla.org/security/announce/mfsa2005-07.html 12407 oval:org.mitre.oval:def:100051 Firefox before 1.0 and Mozilla before 1.7.5 allow remote attackers to obtain sensitive data from the clipboard via Javascript that generates a middle-click event on systems for which a middle-click performs a paste operation. RHSA-2005:335 https://bugzilla.mozilla.org/show_bug.cgi?id=265728 mozilla-middle-click-information-disclosure(19171) http://www.mozilla.org/security/announce/mfsa2005-08.html oval:org.mitre.oval:def:10362 12407 RHSA-2005:384 Firefox before 1.0 and Mozilla before 1.7.5, when configured to use a proxy, respond to 407 proxy auth requests from arbitrary servers, which allows remote attackers to steal NTLM or SPNEGO credentials. mozilla-407-proxy-obtain-information(19174) RHSA-2005:323 https://bugzilla.mozilla.org/show_bug.cgi?id=267263 http://www.mozilla.org/security/announce/mfsa2005-09.html oval:org.mitre.oval:def:9578 12407 oval:org.mitre.oval:def:100049 Thunderbird before 0.9, when running on Windows systems, uses the default handler when processing javascript: links, which invokes Internet Explorer and may expose the Thunderbird user to vulnerabilities in the version of Internet Explorer that is installed on the user's system. NOTE: since the invocation between multiple products is a common practice, and the vulnerabilities inherent in multi-product interactions are not easily enumerable, this issue might be REJECTED in the future. thunderbird-javascript-handler-launch(19173) https://bugzilla.mozilla.org/show_bug.cgi?id=263546 http://www.mozilla.org/security/announce/mfsa2005-10.html 12407 oval:org.mitre.oval:def:100048 Thunderbird 0.6 through 0.9 and Mozilla 1.7 through 1.7.3 does not obey the network.cookie.disableCookieForMailNews preference, which could allow remote attackers bypass the user's intended privacy and security policy by using cookies in e-mail messages. https://bugzilla.mozilla.org/show_bug.cgi?id=268107 mozilla-cookie-policy-bypass(19172) RHSA-2005:335 RHSA-2005:323 RHSA-2005:094 http://www.mozilla.org/security/announce/mfsa2005-11.html SUSE-SA:2006:004 oval:org.mitre.oval:def:11407 12407 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100047 Firefox before 1.0 allows the user to store a (1) javascript: or (2) data: URLs as a Livefeed bookmark, then executes it in the security context of the currently loaded page when the user later accesses the bookmark, which could allow remote attackers to execute arbitrary code. https://bugzilla.mozilla.org/show_bug.cgi?id=265668 mozilla-firefox-livefeed-xss(19187) http://www.mozilla.org/security/announce/mfsa2005-12.html 12407 oval:org.mitre.oval:def:100046 Unknown vulnerability in the installation of Adobe License Management Service, as used in Adobe Photoshop CS, Adobe Creative Suite 1.0, and Adobe Premiere Pro 1.5, allows attackers to gain administrator privileges. http://www.adobe.com/support/techdocs/331688.html 1014170 1014169 1014168 PHP remote file inclusion vulnerability in Squirrelmail 1.2.6 allows remote attackers to execute arbitrary code via "URL manipulation." VU#203214 DSA-662 14096 The PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to create arbitrary files via the PERLIO_DEBUG variable. perl-perliodebug-file-overwrite(19207) 2005-0003 12426 RHSA-2005:105 RHSA-2005:103 GLSA-200502-13 20050207 DMA[2005-0131a] - 'Setuid Perl PERLIO_DEBUG root owned file creation' 20050202 [USN-72-1] Perl vulnerabilities http://www.digitalmunition.com/DMA[2005-0131a].txt oval:org.mitre.oval:def:10404 MDKSA-2005:031 http://support.avaya.com/elmodocs2/security/ASA-2006-163.htm 21646 14120 FLSA-2006:152845 CLSA-2006:1056 Buffer overflow in the PerlIO implementation in Perl 5.8.0, when installed with setuid support (sperl), allows local users to execute arbitrary code by setting the PERLIO_DEBUG variable and executing a Perl script whose full pathname contains a long directory tree. perl-perliodebug-bo(19208) 2005-0003 12426 RHSA-2005:105 RHSA-2005:103 GLSA-200502-13 http://www.digitalmunition.com/DMA[2005-0131b].txt oval:org.mitre.oval:def:10803 20050207 DMA[2005-0131b] - 'Setuid Perl PERLIO_DEBUG 20050202 [USN-72-1] Perl vulnerabilities MDKSA-2005:031 14120 FLSA-2006:152845 CLSA-2006:1056 The confirm add-on in SmartList 3.15 and earlier allows attackers to subscribe arbitrary e-mail addresses by using a valid cookie that specifies an address other than the address for which the cookie was assigned. DSA-720 Format string vulnerability in bidwatcher before 1.3.17 allows remote malicious web servers from eBay, or a spoofed eBay server, to cause a denial of service and possibly execute arbitrary code via certain responses. GLSA-200503-06 DSA-687 The tpkg-* scripts in the toolchain-source 3.0.4 package on Debian GNU/Linux 3.0 allow local users to overwrite arbitrary files via a symlink attack on temporary files. 12540 DSA-679 toolchain-source-symlink(19317) 14277 Multiple buffer overflows in unace 1.2b allow attackers to execute arbitrary code via (1) 2 overflows in ACE archives, (2) a long command line argument, or (3) certain "Ready for next volume" messages. VU#215006 SUSE-SR:2005:016 14359 20050222 unace-1.2b multiple buffer overflows and directory traversal bugs 12630 Multiple directory traversal vulnerabilities in unace 1.2b allow attackers to overwrite arbitrary files via an ACE archive containing (1) ../ sequences or (2) absolute pathnames. SUSE-SR:2005:016 14359 20050222 unace-1.2b multiple buffer overflows and directory traversal bugs 12628 Stack-based buffer overflow in the get_internal_addresses function in the pluto application for Openswan 1.x before 1.0.9, and Openswan 2.x before 2.3.0, when compiled with XAUTH and PAM enabled, allows remote authenticated attackers to execute arbitrary code. openswan-xauth-pam-bo(19078) http://www.openswan.org/support/vuln/IDEF0785/ 20050126 Openswan XAUTH/PAM Buffer Overflow Vulnerability 12377 FEDORA-2005-082 13195 1013014 14062 14038 squid_ldap_auth in Squid 2.5 and earlier allows remote authenticated users to bypass username-based Access Control Lists (ACLs) via a username with a space at the beginning or end, which is ignored by the LDAP server. VU#924198 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-ldap_spaces.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-ldap_spaces RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-667 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:923 http://www.squid-cache.org/bugs/show_bug.cgi?id=1187 oval:org.mitre.oval:def:10251 12431 MDKSA-2005:034 FLSA-2006:152809 Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache or conduct certain attacks via headers that do not follow the HTTP specification, including (1) multiple Content-Length headers, (2) carriage return (CR) characters that are not part of a CRLF pair, and (3) header names containing whitespace characters. VU#768702 RHSA-2005:061 RHSA-2005:060 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-header_parsing FEDORA-2005-373 SUSE-SA:2005:006 oval:org.mitre.oval:def:10656 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:931 12412 MDKSA-2005:034 FLSA-2006:152809 Squid 2.5 up to 2.5.STABLE7 allows remote attackers to poison the cache via an HTTP response splitting attack. VU#625878 RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-667 20050207 [USN-77-1] Squid vulnerabilities CLA-2005:931 http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-response_splitting http://www.squid-cache.org/Advisories/SQUID-2005_5.txt FEDORA-2005-373 oval:org.mitre.oval:def:11605 12433 MDKSA-2005:034 FLSA-2006:152809 The shmctl function in Linux 2.6.9 and earlier allows local users to unlock the memory of other processes, which could cause sensitive memory to be swapped to disk, which could allow it to be read by other users once it has been released. RHSA-2005:092 oval:org.mitre.oval:def:8778 20050215 [USN-82-1] Linux kernel vulnerabilities CLA-2005:930 12598 RHSA-2005:472 19607 20060402-01-U oval:org.mitre.oval:def:1225 nls_ascii.c in Linux before 2.6.8.1 uses an incorrect table size, which allows attackers to cause a denial of service (kernel crash) via a buffer overflow. RHSA-2005:092 http://linux.bkbits.net:8080/linux-2.6/cset@41e2bfbeOiXFga62XrBhzm7Kv9QDmQ CLA-2005:930 12598 oval:org.mitre.oval:def:10298 20050215 [USN-82-1] Linux kernel vulnerabilities Race condition in the setsid function in Linux before 2.6.8.1 allows local users to cause a denial of service (crash) and possibly access portions of kernel memory, related to TTY changes, locking, and semaphores. RHSA-2005:092 http://linux.bkbits.net:8080/linux-2.6/cset@41ddda70CWJb5nNL71T4MOlG2sMG8A 12598 oval:org.mitre.oval:def:10647 20050215 [USN-82-1] Linux kernel vulnerabilities CLA-2005:930 Linux kernel 2.4.x and 2.6.x allows local users to cause a denial of service (CPU and memory consumption) and bypass RLIM_MEMLOCK limits via the mlockall call. RHSA-2005:092 ADV-2005-1878 oval:org.mitre.oval:def:9890 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories CLA-2005:930 RHSA-2005:663 17002 Multiple integer signedness errors in the sg_scsi_ioctl function in scsi_ioctl.c for Linux 2.6.x allow local users to read or modify kernel memory via negative integers in arguments to the scsi ioctl, which bypass a maximum length check before calling the copy_from_user and copy_to_user functions. RHSA-2005:092 MDKSA-2005:219 oval:org.mitre.oval:def:10667 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories CLA-2005:930 12198 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories MDKSA-2005:219 MDKSA-2005:218 17826 The mod_dosevasive module 1.9 and earlier for Apache creates temporary files with predictable filenames, which could allow remote attackers to overwrite arbitrary files via a symlink attack. moddosevasive-symlink(18765) 12181 http://security.lss.hr/index.php?page=details&ID=LSS-2005-01-01 20050111 Mod_dosevasive symlink and race vulnerability 13725 ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to execute arbitrary commands via shell metacharacters in a command line argument. vacation-ftpfile-command-execution(18855) http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03 20050111 Squirrelmail vacation v0.15 local root exploit http://www.squirrelmail.org/plugin_view.php?id=51 12222 1012866 13791 Directory traversal vulnerability in ftpfile in the Vacation plugin 0.15 and earlier for Squirrelmail allows local users to read arbitrary files via a .. (dot dot) in a get request. vacation-ftpfile-directory-traversal(18856) http://security.lss.hr/en/index.php?page=details&ID=LSS-2005-01-03 20050111 Squirrelmail vacation v0.15 local root exploit http://www.squirrelmail.org/plugin_view.php?id=51 12222 1012866 13791 Stack-based buffer overflow in NodeManager Professional 2.00 allows remote attackers to execute arbitrary commands via a LinkDown-Trap packet that contains a long OCTET-STRING in the Trap variable-bindings field. nodemanager-linkdown-bo(18937) http://www.security.org.sg/vuln/nodemanager200.html 13881 20050117 [SIG^2 G-TEC] NodeManager Professional V2.00 Buffer Overflow Vulnerability 12283 1012915 Cisco IOS 12.1YD, 12.2T, 12.3 and 12.3T, when configured for the IOS Telephony Service (ITS), CallManager Express (CME) or Survivable Remote Site Telephony (SRST), allows remote attackers to cause a denial of service (device reboot) via a malformed packet to the SCCP port. cisco-ios-sccp-dos(18956) 20050119 Vulnerability in Cisco IOS Embedded Call Processing Solutions oval:org.mitre.oval:def:4849 1012945 13913 Stack-based buffer overflow in the SetSkin function in AtHoc toolbar allows remote attackers to execute arbitrary code via a long skin name. athoc-toolbar-bo(17627) 11341 http://www.ngssoftware.com/advisories/athoc-01full.txt 20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c) 20041006 Patch available for high risk flaws in the AtHoc Toolbar Format string vulnerability in the SetBaseURL function in AtHoc toolbar allows remote attackers to execute arbitrary code via format string specifiers in an invalid URL that is recorded in the debug log. athoc-toolbar-format-string(17628) 11341 http://www.ngssoftware.com/advisories/athoc-01full.txt 20050119 Multiple vulnerabilities in the AtHoc Toolbar (#NISR19012005c) 20041006 Patch available for high risk flaws in the AtHoc Toolbar Stack-based buffer overflow in the HandleAction function in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to execute arbitrary code via a long ShowPreferences argument. VU#698390 12311 http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e) 20050119 RealPlayer 'ShowPreferences' Buffer Overflow Vulnerability (#NISR19012005e) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Directory traversal vulnerability in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to delete arbitrary files via a Real Metadata Packages (RMP) file with a FILENAME tag containing .. (dot dot) sequences in a filename that ends with a ? (question mark) and an allowed file extension (e.g. .mp3), which bypasses the check for the file extension. realplayer-media-file-deletion(17551) 11308 http://www.ngssoftware.com/advisories/real-02full.txt http://service.real.com/help/faq/security/040928_player/EN/ 12672 20050119 RealPlayer Arbitrary File Deletion Vulnerability (#NISR19012005f) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Off-by-one buffer overflow in the processing of tags in Real Metadata Package (RMP) files in RealPlayer 10.5 (6.0.12.1040) and earlier could allow remote attackers to execute arbitrary code via a long tag. realplayer-long-filename-offbyone-bo(18982) http://www.ngssoftware.com/advisories/real-03full.txt http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Directory traversal vulnerability in the parsing of Skin file names in RealPlayer 10.5 (6.0.12.1040) and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in an RJS filename. realplayer-rjs-filenane-directory-traversal(18984) http://www.ngssoftware.com/advisories/real-03full.txt http://service.real.com/help/faq/security/040928_player/EN/ 20050119 RealPlayer Miscellaneous Vulnerabilities (#NISR19012005g) 20041006 Patch available for multiple high risk vulnerabilities in RealPlayer Buffer overflow in the (1) -v and (2) -a switches in mRouter in iSync 1.5 in Mac OS X 10.3.7 and earlier allows local users to execute arbitrary code. isync-mrouter-bo(19011) 20050122 Mac OS X 10.3 iSync Privilege Escalation APPLE-SA-2005-04-19 12334 1012974 13965 Squid 2.5, when processing the configuration file, parses empty Access Control Lists (ACLs), including proxy_auth ACLs without defined auth schemes, in a way that effectively removes arguments, which could allow remote attackers to bypass intended ACLs if the administrator ignores the parser warnings. VU#260421 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-empty_acls.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-empty_acls DSA-667 20050221 [USN-84-1] Squid vulnerabilities CLA-2005:923 http://www.squid-cache.org/bugs/show_bug.cgi?id=1166 FLSA-2006:152809 Cisco IOS 12.0S through 12.3YH allows remote attackers to cause a denial of service (device restart) via a crafted IPv6 packet. TA05-026A VU#472582 cisco-ios-ipv6-dos(19072) 20050126 Multiple Crafted IPv6 Packets Cause Reload oval:org.mitre.oval:def:5813 Cisco IOS 12.0 through 12.3YL, with BGP enabled and running the bgp log-neighbor-changes command, allows remote attackers to cause a denial of service (device reload) via a malformed BGP packet. TA05-026A VU#689326 cisco-ios-bgp-packetdos(19074) 20050126 Cisco IOS Misformed BGP Packet Causes Reload oval:org.mitre.oval:def:5652 1013013 14034 Cisco IOS 12.1T, 12.2, 12.2T, 12.3 and 12.3T, with Multi Protocol Label Switching (MPLS) installed but disabled, allows remote attackers to cause a denial of service (device reload) via a crafted packet sent to the disabled interface. TA05-026A VU#583638 cisco-ios-mpls-dos(19071) 20050126 Crafted Packet Causes Reload on Cisco Routers 12369 1013015 14031 oval:org.mitre.oval:def:5662 A logic error in the CRAM-MD5 code for the University of Washington IMAP (UW-IMAP) server, when Challenge-Response Authentication Mechanism with MD5 (CRAM-MD5) is enabled, does not properly enforce all the required conditions for successful authentication, which allows remote attackers to authenticate as arbitrary users. http://www.kb.cert.org/vuls/id/CRDY-68QSL5 VU#702777 RHSA-2005:128 GLSA-200502-02 oval:org.mitre.oval:def:11306 12391 MDKSA-2005:026 1013037 14097 14057 Integer underflow in the Lists_MakeMask() function in lists.c in ngIRCd before 0.8.2 allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a long MODE line that causes an incorrect length calculation, which leads to a buffer overflow. ngircd-listmakemask-bo(19143) 12397 GLSA-200501-40 [ngIRCd-ML] 20050126 ngIRCd 0.8.2 http://bugs.gentoo.org/show_bug.cgi?id=79705 1013047 14059 14056 TikiWiki before 1.8.5 does not properly validate files that have been uploaded to the temp directory, which could allow remote attackers to upload and execute arbitrary PHP scripts, a different vulnerability than CVE-2004-1386. GLSA-200501-41 http://tikiwiki.org/art102 13948 D-BUS (dbus) before 0.22 does not properly restrict access to a socket, if the socket address is known, which allows local users to listen or send arbitrary messages on another user's per-user session bus via that socket. RHSA-2005:102 MDKSA-2005:105 USN-144-1 ESB-2005.0435 oval:org.mitre.oval:def:10973 12435 1013075 15844 15833 15638 14119 Directory traversal vulnerability in the true_path function in private.py for Mailman 2.1.5 and earlier allows remote attackers to read arbitrary files via ".../....///" sequences, which are not properly cleansed by regular expressions that are intended to remove "../" and "./" sequences. RHSA-2005:137 RHSA-2005:136 GLSA-200502-11 20050209 [USN-78-1] Mailman vulnerability APPLE-SA-2005-03-21 DSA-674 oval:org.mitre.oval:def:10657 20050209 Administrivia: List Compromised due to Mailman Vulnerability SUSE-SA:2005:007 MDKSA-2005:037 1013145 14211 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none. Linux kernel before 2.6.9, when running on the AMD64 and Intel EM64T architectures, allows local users to write to privileged IO ports via the OUTS instruction. RHSA-2005:092 2006-0006 12598 RHSA-2005:293 18784 oval:org.mitre.oval:def:10320 KPPP 2.1.2 in KDE 3.1.5 and earlier, when setuid root without certain wrappers, does not properly close a privileged file descriptor for a domain socket, which allows local users to read and write to /etc/hosts and /etc/resolv.conf and gain control over DNS name resolution by opening a number of file descriptors before executing kppp. RHSA-2005:175 http://www.kde.org/info/security/advisory-20050228-1.txt 20050228 KPPP Privileged File Descriptor Leak Vulnerability DSA-692 CLA-2005:934 oval:org.mitre.oval:def:9596 The patch for integer overflow vulnerabilities in Xpdf 2.0 and 3.0 (CVE-2004-0888) is incomplete for 64-bit architectures on certain Linux distributions such as Red Hat, which could leave Xpdf users exposed to the original vulnerabilities. 11501 RHSA-2005:213 xpdf-pdf-bo(17818) RHSA-2005:132 RHSA-2005:057 RHSA-2005:053 RHSA-2005:034 oval:org.mitre.oval:def:11107 MDKSA-2005:056 MDKSA-2005:052 MDKSA-2005:044 MDKSA-2005:043 MDKSA-2005:042 MDKSA-2005:041 Unknown vulnerability in Linux kernel 2.4.x, 2.5.x, and 2.6.x allows NFS clients to cause a denial of service via O_DIRECT. 12330 SUSE-SA:2005:003 CLA-2005:930 oval:org.mitre.oval:def:11001 RHSA-2005:366 The HTML parsing functions in Gaim before 1.1.4 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0473. VU#795812 RHSA-2005:215 GLSA-200503-03 14386 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 oval:org.mitre.oval:def:10477 http://gaim.sourceforge.net/security/?id=12 12660 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 Netfilter in Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via crafted IP packet fragments. SUSE-SA:2005:018 20050315 [USN-95-1] Linux kernel vulnerabilities CLA-2005:945 12598 RHSA-2005:420 RHSA-2005:366 oval:org.mitre.oval:def:11855 Netfilter in the Linux kernel 2.6.8.1 allows local users to cause a denial of service (memory consumption) via certain packet fragments that are reassembled twice, which causes a data structure to be allocated twice. SUSE-SA:2005:018 20050315 [USN-95-1] Linux kernel vulnerabilities CLA-2005:945 ADV-2005-1878 12816 14966 MDKSA-2005:219 MDKSA-2005:219 MDKSA-2005:218 17826 17002 14295 RHSA-2005:663 RHSA-2005:366 oval:org.mitre.oval:def:10275 Buffer overflow in wccp.c in Squid 2.5 before 2.5.STABLE7 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long WCCP packet, which is processed by a recvfrom function call that uses an incorrect length parameter. VU#886006 http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-wccp_buffer_overflow.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-wccp_buffer_overflow RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 DSA-667 20050207 [USN-77-1] Squid vulnerabilities oval:org.mitre.oval:def:9573 12432 13319 MDKSA-2005:034 1013045 14076 FLSA-2006:152809 The Amp II engine as used by Gore: Ultimate Soldier 1.50 and earlier allows remote attackers to cause a denial of service (infinite loop) via a zero byte UDP packet. amp-3d-socket-dos(18789) 12192 http://aluigi.altervista.org/adv/amp2zero-adv.txt 13754 20050106 Socket unreacheable in Amp II engine Directory traversal vulnerability in WinHKI 1.4d allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a zip file. winhki-zip-directory-traversal(18798) 12176 20050106 WinAc AND WinHKI ZIP File Directory Transversal 1012798 13738 Directory traversal vulnerability in Simple PHP Blog (SPHPBlog) 0.3.7c allows remote attackers to read or create arbitrary files via a .. (dot dot) in the entry parameter. 12193 sphp-dotdot-directory-traversal(18802) 20050107 Simple PHP Blog directory traversal vulnerability 20050107 Simple PHP Blog directory traversal vulnerability Mozilla 1.6 and possibly other versions allows remote attackers to cause a denial of service (application crash) via a XBM (X BitMap) file with a large (1) height or (2) width value. 20050107 Mozilla XBM Image Vulnerability mozilla-xbm-dos(18803) Cross-site scripting (XSS) vulnerability in formmail.php in Woltlab Burning Board Lite 1.0.0, 1.0.1e, and possibly other versions, allows remote attackers to inject arbitrary web sript and HTML via the userid parameter. wbb-formmail-userid-xss(18814) 12199 20050108 Security Advisory: Woltlab Burning Board Lite formmail.php XSS 13782 SQL injection vulnerability in index.php in Invision Community Blog allows remote attackers to execute arbitrary SQL commands via the eid parameter. icb-sql-injection(18815) 12205 20050109 SQL Injection Vulnerability in Invision Community Blog 12817 1012831 13783 ClamAV 0.80 and earlier allows remote attackers to bypass virus scanning via a base64 encoded image in a data: (RFC 2397) URL. GLSA-200501-46 http://sourceforge.net/project/shownotes.php?release_id=300116 13900 MDKSA-2005:025 Multiple cross-site scripting (XSS) vulnerabilities in Gallery 1.3.4-pl1 allow remote attackers to inject arbitrary web script or HTML via (1) the index field in add_comment.php, (2) set_albumName, (3) slide_index, (4) slide_full, (5) slide_loop, (6) slide_pause, (7) slide_dir fields in slideshow_low.php, or (8) username field in search.php. http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 gallery-multiple-xss(18938) 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability gallery-multiple-scripts-xss(43473) Cross-site scripting vulnerability in login.php in Gallery 1.4.4-pl2 allows remote attackers to inject arbitrary web script or HTML via the username field. 13887 http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 gallery-multiple-xss(18938) GLSA-200501-45 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability Cross-site scripting (XSS) vulnerability in login.php in Gallery 2.0 Alpha allows remote attackers to inject arbitrary web script or HTML via the g2_form[subject] field. gallery-multiple-xss(18938) http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 http://theinsider.deep-ice.com/texts/advisory69.txt 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability 20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability gallery-g2formsubject-xss(43472) main.php in Gallery 2.0 Alpha allows remote attackers to gain sensitive information by changing the value of g2_subView parameter, which reveals the path in an error message. gallery-mainphp-obtain-information(18940) http://theinsider.deep-ice.com/texts/advisory69.txt 20050117 Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability http://gallery.menalto.com/modules.php?op=modload&name=News&file=article&sid=147 20050117 [VulnWatch] Gallery v1.3.4-pl1, v1.4.4-pl2, 2.0 Alpha Cross Site Scripting Vulnerability The Software Development Kit (SDK) and Run Time Environment (RTE) 1.4.1 and 1.4.2 for Tru64 UNIX allows remote attackers to cause a denial of service (Java Virtual Machine hang) via object deserialization. SSRT4875 Unknown vulnerability in HP-UX B.11.04 running Virtualvault 4.5 through 4.7, when running the TGA daemon, allows remote attackers to cause a denial of service via certain network traffic. 14082 SSRT5900 firehol.sh in FireHOL before 1.224 creates temporary files with predictable file names, which could allow local users to overwrite arbitrary files via a symlink attack. GLSA-200502-01 http://cvs.sourceforge.net/viewcvs.py/firehol/firehol/firehol.sh firehol-symlink(19032) 12336 13137 1012969 14102 13970 Format string vulnerability in the Log_Resolver function in log.c for ngIRCd 0.8.2 and earlier, when compiled with IDENT, logging to SYSLOG, and with DEBUG enabled, allows remote attackers to execute arbitrary code. http://www.nosystem.com.ar/advisories/advisory-11.txt 14114 20050203 ngIRCd <= v0.8.2 Format String Vulnerability 12434 PostgreSQL (pgsql) 7.4.x, 7.2.x, and other versions allows local users to load arbitrary shared libraries and execute code via the LOAD extension. 2005-0003 RHSA-2005:150 RHSA-2005:138 DSA-668 200502-08 12948 20050201 [USN-71-1] PostgreSQL vulnerability [pgsql-announce] 20050201 PostgreSQL Security Release 12411 SUSE-SA:2005:036 MDKSA-2005:040 oval:org.mitre.oval:def:10234 [pgsql-bugs] 20050121 Privilege escalation via LOAD ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2004-1388. Reason: This candidate is a duplicate of CVE-2004-1388. Notes: All CVE users should reference CVE-2004-1388 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. CitrusDB 0.3.5 and earlier stores the newfile.txt temporary data file under the web root, which allows remote attackers to steal credit card information via a direct request to newfile.txt. 12402 20050212 Credit Card data disclosure in CitrusDB citrus-information-disclosure(19145) http://www.redteam-pentesting.de/advisories/rt-sa-2005-001.txt http://www.citrusdb.org/forums/viewtopic.php?t=49 1013040 Firefox 1.0 does not prevent the user from dragging an executable file to the desktop when it has an image/gif content type but has a dangerous extension such as .bat or .exe, which allows remote attackers to bypass the intended restriction and execute arbitrary commands via malformed GIF files that can still be parsed by the Windows batch file parser, aka "firedragging." http://www.mozilla.org/security/announce/mfsa2005-25.html GLSA-200503-30 GLSA-200503-10 https://bugzilla.mozilla.org/show_bug.cgi?id=279945 12468 SUSE-SA:2006:004 http://www.mikx.de/firedragging/ 20050207 Firedragging [Firefox 1.0] SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100033 Firefox 1.0 does not invoke the Javascript Security Manager when a user drags a javascript: or data: URL to a tab, which allows remote attackers to bypass the security model, aka "firetabbing." https://bugzilla.mozilla.org/show_bug.cgi?id=280056 mozilla-firefox-tab-gain-access(19264) SUSE-SA:2005:016 http://www.mozilla.org/security/announce/mfsa2005-26.html GLSA-200503-30 GLSA-200503-10 http://www.mikx.de/firetabbing/ oval:org.mitre.oval:def:10079 20050207 Firetabbing [Firefox 1.0] RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100032 Firefox 1.0 allows remote attackers to modify Boolean configuration parameters for the about:config site by using a plugin such as Flash, and the -moz-opacity filter, to display the about:config site then cause the user to double-click at a certain screen position, aka "Fireflashing." mozilla-firefox-aboutconfig-modify(19266) RHSA-2005:323 SUSE-SA:2005:016 GLSA-200503-30 GLSA-200503-10 https://bugzilla.mozilla.org/show_bug.cgi?id=280664 http://www.mozilla.org/security/announce/mfsa2005-27.html http://www.mikx.de/fireflashing/ oval:org.mitre.oval:def:10967 20050207 Fireflashing [Firefox 1.0] RHSA-2005:384 RHSA-2005:176 The International Domain Name (IDN) support in Firefox 1.0, Camino .8.5, and Mozilla before 1.7.6 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) SUSE-SA:2005:016 http://www.mozilla.org/security/announce/mfsa2005-29.html GLSA-200503-30 GLSA-200503-10 http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 12461 RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:11229 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks oval:org.mitre.oval:def:100029 The International Domain Name (IDN) support in Safari 1.2.5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks APPLE-SA-2005-03-21 12461 The International Domain Name (IDN) support in Opera 7.54 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks 12461 SUSE-SA:2005:031 The International Domain Name (IDN) support in Omniweb 5 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 12461 20050208 International Domain Name [IDN] support in modern browsers allows attackers to spoof domain name URLs + SSL certs. 20050206 state of homograph attacks The International Domain Name (IDN) support in Konqueror 3.2.1 on KDE 3.2.1 allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. multiple-browsers-idn-spoof(19236) http://www.kde.org/info/security/advisory-20050316-2.txt 14162 http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn oval:org.mitre.oval:def:10671 20050206 Re: state of homograph attacks 20050206 state of homograph attacks 12461 FLSA:178606 RHSA-2005:325 MDKSA-2005:058 The International Domain Name (IDN) support in Epiphany allows remote attackers to spoof domain names using punycode encoded domain names that are decoded in URLs and SSL certificates in a way that uses homograph characters from other character sets, which facilitates phishing attacks. https://bugzilla.redhat.com/beta/show_bug.cgi?id=147399 multiple-browsers-idn-spoof(19236) http://www.shmoo.com/idn/homograph.txt http://www.shmoo.com/idn 12461 20050206 state of homograph attacks viewcert.php in the S/MIME plugin 0.4 and 0.5 for Squirrelmail allows remote attackers to execute arbitrary commands via shell metacharacters in the cert parameter. VU#502328 squirrelmail-smime-command-execution(19242) http://www.squirrelmail.org/plugin_view.php?id=54 20050207 SquirrelMail S/MIME Plugin Command Injection Vulnerability Format string vulnerability in chdev on IBM AIX 5.2 allows local users to execute arbitrary code via format string specifiers in a command line argument, which is not properly handled when printing an error message. aix-chdev-format-string(19244) 20050207 IBM AIX chdev Local Format String Vulnerability IY67654 IY67455 The httpProcessReplyHeader function in http.c for Squid 2.5-STABLE7 and earlier does not properly set the debug context when it is handling "oversized" HTTP reply headers, which might allow remote attackers to poison the cache or bypass access controls based on header size. VU#823350 squid-http-cache-poisoning(19060) http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-oversize_reply_headers.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE7-oversize_reply_headers http://www.squid-cache.org/bugs/show_bug.cgi?id=1216 RHSA-2005:061 RHSA-2005:060 SUSE-SA:2005:006 CLA-2005:931 oval:org.mitre.oval:def:10998 12412 14091 FLSA-2006:152809 The Audio Setup Wizard (asw.dll) in Yahoo! Messenger 6.0.0.1750, and possibly other versions, allows attackers to arbitrary code by placing a malicious ping.exe program into the Messenger program directory, which is installed with weak default permissions. http://secunia.com/secunia_research/2004-6/advisory/ 11815 Yahoo! Messenger 6.0.0.1750, and possibly other versions before 6.0.0.1921, does not properly display long filenames in file dialog boxes, which could allow remote attackers to trick users into downloading and executing programs via file names containing a large number of spaces and multiple file extensions. http://secunia.com/secunia_research/2005-2/advisory/ 13712 PostgreSQL 8.0.0 and earlier allows local users to bypass the EXECUTE permission check for functions by using the CREATE AGGREGATE command. postgresql-security-bypass(19184) RHSA-2005:138 12948 20050210 [USN-79-1] PostgreSQL vulnerabilities 12417 SUSE-SA:2005:036 MDKSA-2005:040 oval:org.mitre.oval:def:10927 [pgsql-hackers] 20050127 Permissions on aggregate component functions Buffer overflow in gram.y for PostgreSQL 8.0.0 and earlier may allow attackers to execute arbitrary code via a large number of arguments to a refcursor function (gram.y), which leads to a heap-based buffer overflow, a different vulnerability than CVE-2005-0247. postgresql-cursor-bo(19188) RHSA-2005:150 RHSA-2005:138 12948 DSA-683 oval:org.mitre.oval:def:10175 20050210 [USN-79-1] PostgreSQL vulnerabilities [pgsql-patches] 20050120 Re: WIP: pl/pgsql cleanup [pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser. [pgsql-committers] 20050121 pgsql: Prevent overrunning a heap-allocated buffer is more than 1024 12417 SUSE-SA:2005:036 MDKSA-2005:040 The intagg contrib module for PostgreSQL 8.0.0 and earlier allows attackers to cause a denial of service (crash) via crafted arrays. postgresql-contribintagg-dos(19185) RHSA-2005:138 12948 20050210 [USN-79-1] PostgreSQL vulnerabilities [pgsql-committers] 20050127 pgsql: Fix security and 64-bit issues in contrib/intagg. oval:org.mitre.oval:def:10148 12417 SUSE-SA:2005:036 MDKSA-2005:040 Multiple buffer overflows in gram.y for PostgreSQL 8.0.1 and earlier may allow attackers to execute arbitrary code via (1) a large number of variables in a SQL statement being handled by the read_sql_construct function, (2) a large number of INTO variables in a SELECT statement being handled by the make_select_stmt function, (3) a large number of arbitrary variables in a SELECT statement being handled by the make_select_stmt function, and (4) a large number of INTO variables in a FETCH statement being handled by the make_fetch_stmt function, a different set of vulnerabilities than CVE-2005-0245. postgresql-fetch-makefetchstmt-bo(19378) postgresql-makeselectstmt-arbitrary-bo(19377) postgresql-makeselectstmt-input-bo(19376) postgresql-readsqlconstruct-bo(19375) RHSA-2005:150 RHSA-2005:138 SUSE-SA:2005:027 GLSA-200502-19 DSA-683 20050210 [USN-79-1] PostgreSQL vulnerabilities [pgsql-committers] 20050207 pgsql: Prevent 4 more buffer overruns in the PL/PgSQL parser. 12417 SUSE-SA:2005:036 MDKSA-2005:040 oval:org.mitre.oval:def:9345 The Solaris Management Console (SMC) GUI for Solaris 8 and 9, when creating user accounts that are configured for password aging, creates the accounts with a blank password, which allows remote or local attackers to break into those accounts. solaris-smc-blank-password(18868) 12260 57717 13803 P-096 1012860 Heap-based buffer overflow in the DEC2EXE module for Symantec AntiVirus Library allows remote attackers to execute arbitrary code via a UPX compressed file containing a negative virtual offset to a crafted PE header. VU#107822 upx-engine-gain-control(18869) 20050208 Symantec AntiVirus Library Heap Overflow http://www.symantec.com/avcenter/security/Content/2005.02.08.html 1013133 Format string vulnerability in auditselect on IBM AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via format string specifiers in a command line argument. VU#896729 12496 20050208 IBM AIX auditselect Local Format String Vulnerability aix-auditselect-format-string(19255) IY67802 IY67519 IY67472 14198 1013103 Cross-site scripting (XSS) vulnerability in bibindex.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to inject arbitrary HTML and web script via the search parameter. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB SQL injection vulnerability in BibORB 1.3.2, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the (1) Username or (2) Password. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB Directory traversal vulnerability in index.php for BibORB 1.3.2, and possibly earlier versions, allows remote attackers to delete arbitrary files via a Delete action and .. (dot dot) sequences in the database_name parameter. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB BibORB 1.3.2, and possibly earlier versions, does not properly enforce a restriction for uploading only PDF and PS files, which allows remote attackers to upload arbitrary files that are presented to other users with PDF or PS icons, which may trick some users into downloading and executing those files. 12583 20050217 Advisory: Multiple Vulnerabilities in BibORB 20050217 Advisory: Multiple Vulnerabilities in BibORB String handling functions in Mozilla 1.7.3, Firefox 1.0, and Thunderbird before 1.0.2, such as the nsTSubstring_CharT::Replace function, do not properly check the return values of other functions that resize the string, which allows remote attackers to cause a denial of service and possibly execute arbitrary code by forcing an out-of-memory state that causes a reallocation to fail and return a pointer to a fixed address, which leads to heap corruption. RHSA-2005:337 RHSA-2005:277 SUSE-SA:2005:016 20050228 Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design Error GLSA-200503-30 GLSA-200503-10 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-18.html oval:org.mitre.oval:def:9111 12659 RHSA-2005:176 SUSE-SA:2006:004 19823 oval:org.mitre.oval:def:100040 The wu_fnmatch function in wu_fnmatch.c in wu-ftpd 2.6.1 and 2.6.2 allows remote attackers to cause a denial of service (CPU exhaustion by recursion) via a glob pattern with a large number of * (wildcard) characters, as demonstrated using the dir command. DSA-705 ADV-2006-1271 ADV-2005-0588 14203 20050225 WU-FTPD File Globbing Denial of Service Vulnerability 57795 101699 19561 18210 14411 HPSBUX02110 SSRT061110 SCOSA-2005.63 oval:org.mitre.oval:def:1762 oval:org.mitre.oval:def:1333 oval:org.mitre.oval:def:1265 Directory traversal vulnerability in (1) usercp_register.php and (2) usercp_avatar.php for phpBB 2.0.11, and possibly other versions, with gallery avatars enabled, allows remote attackers to delete (unlink) arbitrary files via "/../" sequences in the avatarselect parameter. 20050222 phpBB Group phpBB2 Arbitrary File Unlink Vulnerability http://www.phpbb.com/support/documents.php?mode=changelog GLSA-200503-02 phpBB 2.0.11, and possibly other versions, with remote avatars and avatar uploading enabled, allows local users to read arbitrary files by providing both a local and remote location for an avatar, then modifying the "Upload Avatar from a URL:" field to reference the target file. VU#774686 20050222 phpBB Group phpBB Arbitrary File Disclosure Vulnerability http://www.phpbb.com/support/documents.php?mode=changelog GLSA-200503-02 14362 Stack-based buffer overflow in the Discovery Service for BrightStor ARCserve Backup 11.1 and earlier allows remote attackers to execute arbitrary code via a long packet to UDP port 41524, which is not properly handled in a recvfrom call. 20050209 Computer Associates BrightStor ARCserve Backup v11 Discovery Service Remote Buffer Overflow Vulnerability http://supportconnectw.ca.com/public/enews/BrightStor/brigcurrent.asp#news1 brightstor-discovery-bo(19251) 1013138 14183 lspath in AIX 5.2, 5.3, and possibly earlier versions, does not drop privileges before processing the -f option, which allows local users to read one line of arbitrary files. IY67655 IY67457 ibm-aix-ispath-information-disclosure(19281) 20050210 IBM AIX lspath Local File Access Vulnerability 12513 14232 Buffer overflow in ipl_varyon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -d argument. 20050210 IBM AIX ipl_varyon Local Buffer Overflow Vulnerability ibm-aix-iplvaryon-bo(19282) IY67812 IY67750 IY66933 12516 14231 Buffer overflow in netpmon on AIX 5.1, 5.2, and 5.3 allows local users to execute arbitrary code via a long -O argument. 20050210 IBM AIX netpmon Local Buffer Overflow Vulnerability ibm-aix-netpmon-bo(19278) IY67807 IY67136 IY67124 12517 14237 Multiple cross-site scripting (XSS) vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to inject arbitrary web script or HTML via the (1) expand or (2) order parameter. 20050101 Various Vulnerabilities in OWL Intranet Engine owl-intranet-engine-xss(18705) 12114 13695 Multiple SQL injection vulnerabilities in browse.php in OWL 0.7 and 0.8 allow remote attackers to execute arbitrary SQL commands via the (1) parent or (2) sortposted parameter. 12114 owl-intranet-engine-sql-injection(18704) 20050101 Various Vulnerabilities in OWL Intranet Engine 13695 Cross-site scripting (XSS) vulnerability in index.php in SugarCRM 1.X allows remote attackers to inject arbitrary web script or HTML via the (1) return_module, (2) return_action, (3) name, (4) module, or (5) record parameter. 20050101 Cross Site Scripting Vulnerabilities and Possible Code Execution sugar-sales-index-xss(18719) 12113 index.php in FlatNuke 2.5.1 allows remote attackers to create an administrator account via carriage returns and #10 in the url_avatar field, which is interpreted as a sensitive directive. 12150 flatnuke-indexphp-gain-access(18741) 20050102 Multiple Vulnerabilities in FlatNuke Direct code injection vulnerability in FlatNuke 2.5.1 allows remote attackers to execute arbitrary PHP code by placing the code into the url_avatar field. flatnuke-indexphp-xss(18746) 12150 20050102 Multiple Vulnerabilities in FlatNuke The file extension check in GNUBoard 3.40 and earlier only verifies extensions that contain all lowercase letters, which allows remote attackers to upload arbitrary files via file extensions that include uppercase letters. gnuboard-gbupdate-file-upload(18729) 12149 13711 20050103 STG Security Advisory: [SSA-20041224-21] File extensions Multiple cross-site scripting (XSS) vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to inject arbitrary web script or HTML via the (1) si parameter to showcat.php, (2) cat or (3) page parameter to showproduct.php, or (4) report parameter to reportproduct.php. reviewpost-php-xss(18731) http://www.gulftech.org/?node=research&article_id=00062-01022005 13697 20050103 Serious Vulnerabilities In PhotoPost ReviewPost Multiple SQL injection vulnerabilities in ReviewPost PHP Pro before 2.84 allow remote attackers to execute arbitrary SQL commands via the (1) cat parameter to showcat.php or (2) product parameter to addfav.php. reviewpost-php-sql-injection(18732) http://www.gulftech.org/?node=research&article_id=00062-01022005 13697 20050103 Serious Vulnerabilities In PhotoPost ReviewPost ReviewPost PHP Pro before 2.84 allows remote attackers to upload and execute arbitrary PHP files by posting a review file with multiple extensions, which bypasses the intended restrictions. 13697 20050103 Serious Vulnerabilities In PhotoPost ReviewPost reviewpost-php-file-upload(18735) Multiple SQL injection vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to execute arbitrary SQL commands via the (1) cat or (2) ppuser parameter. photopost-php-showgallery-xss(18744) 12156 http://www.gulftech.org/?node=research&article_id=00063-01032005 13680 20050103 Multiple PhotoPost Pro Vulnerabilities Multiple cross-site scripting (XSS) vulnerabilities in showgallery.php in PhotoPost before 4.86 allow remote attackers to inject arbitrary web script or HTML via the (1) cat, (2) si, (3) page, or (4) ppuser parameters. photopost-php-showgallery-xss(18744) 12156 http://www.gulftech.org/?node=research&article_id=00063-01032005 20050103 Multiple PhotoPost Pro Vulnerabilities 13680 TFTP in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) via a GET request containing an MS-DOS device name. 3cdaemon-reserved-name-dos(18750) 20050104 3Com 3CDaemon Multiple Vulnerabilities Multiple format string vulnerabilities in the FTP service in 3Com 3CDaemon 2.0 revision 10 allow remote attackers to cause a denial of service (application crash) via format string specifiers in (1) the username, (2) cd, (3) delete, (4) rename, (5) rmdir, (6) literal, (7) stat, or (8) CWD commands. 3cdaemon-login-dos(18751) 12155 20050104 3Com 3CDaemon Multiple Vulnerabilities Buffer overflow in the FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to cause a denial of service (application crash) and execute arbitrary code via (1) a long username in the USER command or (2) an FTP command that contains a long argument, such as cd, send, or ls. 3cdaemon-long-command-dos(18754) 12155 20050218 3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow 20050104 3Com 3CDaemon Multiple Vulnerabilities The FTP service in 3Com 3CDaemon 2.0 revision 10 allows remote attackers to gain sensitive information via a cd command that contains an MS-DOS device name, which reveals the installation path in an error message. 3cdaemon-command-obtain-information(18756) 12155 20050104 3Com 3CDaemon Multiple Vulnerabilities Soldner Secret Wars 30830 and earlier does not properly handle the "message too long" socket error, which allows remote attackers to cause a denial of service (socket termination) via a long UDP packet. soldner-secret-wars-dos(18749) 12162 13716 20050104 Socket termination, format string and XSS in Soldner Secret Wars Format string vulnerability in Soldner Secret Wars 30830 and earlier allows remote attackers to cause a denial of service (server crash) and possibly execute arbitrary code via format string specifiers in a message. soldner-secret-wars-format-string(18752) 12162 13716 20050104 Socket termination, format string and XSS in Soldner Secret Wars Cross-site scripting (XSS) vulnerability in the web interface in Soldner Secret Wars 30830 allows remote attackers to inject arbitrary web script or HTML via a user message, which is not filtered or quoted when the administrator views the server logs. soldner-secret-wars-xss(18753) 12162 13716 20050104 Socket termination, format string and XSS in Soldner Secret Wars SQL injection vulnerability in member.php in MyBulletinBoard (MyBB) allows remote attackers to execute arbitrary SQL commands via the uid parameter. mybb-member-sql-injection(18755) 12161 20050104 MyBB SQL Injection Directory traversal vulnerability in index.php in QwikiWiki allows remote attackers to read arbitrary files via a .. (dot dot) and a %00 at the end of the filename in the page parameter. qwikiwiki-directory-traversal(18748) 12163 20050104 QWikiwiki directory traversal vulnerability http://www.qwikiwiki.com/index.php?page=QwikiVulnerability 12044 SQL injection vulnerability in addentry.php in Woltlab Burning Book 1.0 Gold, 1.1.1e, and possibly other versions, allows remote attackers to execute arbitrary SQL commands via the user-agent parameter. woltlab-book-addentry-sql-injection(18859) 20050110 Woltlab Burning Book addentry.php SQL Injection Webseries Payment Application does not properly restrict privileged operations, which allows remote authenticated users to gain privileges by directly accessing certain URLs. webseries-pa-url-security-bypass(18848) 12216 20050110 Portcullis Security Advisory 05-001 1012854 13821 eMotion MediaPartner Web Server 5.0 and 5.1 allows remote attackers to obtain sensitive information via an HTTP request for a .bhtml file that contains a (1) . (dot) or (2) + (plus sign) at the end, which returns the source code for that file. mediapartner-bhtml-source-disclosure(18861) 12236 20050110 Portcullis Security Advisory 05-004 1012855 13820 Bottomline Webseries Payment Application allows remote attackers to read arbitrary files on the network via a report template with modified ReportPath or ReportName values. webseries-report-execution(18862) 20050110 Portcullis Security Advisory 05-009 1012854 13821 The change password functionality in Bottomline Webseries Payment Application does not require the old password when users enter a new password, which could allow remote authenticated users to change other users' passwords. webseries-pa-password-gain-access(18860) 12231 20050110 Portcullis Security Advisory 05-008 1012854 13821 Apple AirPort Express prior to 6.1.1 and Extreme prior to 5.5.1, configured as a Wireless Data Service (WDS), allows remote attackers to cause a denial of service (device freeze) by connecting to UDP port 161 and before link-state change occurs. 20050115 Apple Airport WDS DoS apple-airport-dos(18865) 12152 13753 NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to bypass the filters using hex encoded URLs, as demonstrated using a hex encoded file extension. netgear-fvs318-filter-bypass(18920) 12278 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 1012913 13787 Cross-site scripting (XSS) vulnerability in the log viewer in NETGEAR FVS318 running firmware 2.4, and possibly other versions, allows remote attackers to inject arbitrary web script or HTML via a blocked URL phrase. netgear-fvs318-log-xss(18921) 12278 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 20050117 Multiple Vulnerabilities in Netgear FVS318 Router 13012 1012913 13787 Multiple SQL injection vulnerabilities in index.php in PHP Gift Registry (phpGiftReg) 1.4.0, and possibly other versions before 1.5.0b1, allow remote attackers to execute arbitrary SQL commands via the (1) messageid, (2) shopper, (3) shopfor, or (4) itemid parameters. 12289 20050307 Re: phpGiftReq SQL Injection phpgiftregistry-sql-injection(18925) 13873 20050116 phpGiftReq SQL Injection 20050116 phpGiftReq SQL Injection 1012910 Directory traversal vulnerability in minis.php in Minis 0.2.1 allows remote attackers to read arbitrary files via a .. (dot dot) in the month parameter. minis-month-directory-traversal(18928) 12279 20050116 Minis directory traversal vulnerability 1012911 13866 minis.php in Minis 0.2.1 allows remote attackers to cause a denial of service (infinite loop) via an HTTP request for a file that the web server does not have permission to read, as demonstrated using the month parameter. minis-month-dos(18929) 20050116 Minis directory traversal vulnerability 20050116 Minis directory traversal vulnerability 1012911 13866 npptnt2.sys in nProtect Gameguard provides unrestricted I/O to any process that calls it, which allows local users to gain privileges. nprotect-npptnt2-gain-access(18952) 12280 20050116 Unrestricted I/O access vulnerability in INCA Gameguard 13928 ** DISPUTED ** NOTE: this issue has been disputed by the vendor. The error module in Novell GroupWise WebAccess allows remote attackers who have not authenticated to read potentially sensitive information, such as the version, via an incorrect login and a modified (1) error or (2) modify parameter that returns template files or the "about" information page. NOTE: the vendor has disputed this issue. groupwise-error-auth-bypass(18954) 12285 20050127 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report) 20050121 NOVL-2005-10096251 GroupWise WebAccess error handling modules (report) http://support.novell.com/servlet/tidfinder/10096251 20050117 Novell GroupWise WebAccess error modules loading 13135 SQL injection vulnerability in Oracle Database 9i and 10g allows remote attackers to execute arbitrary SQL commands and gain privileges. 20050118 Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i The DIRECTORY objects in Oracle 8i through Oracle 10g contain the location of a specific operating system directory, which allows users with read privileges to a DIRECTORY object to obtain sensitive information. oracle-directory-lob-obtain-info(18947) http://www.petefinnigan.com/directory_traversal.pdf http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf 20050118 PeteFinnigan.com - Oracle security advisory Directory traversal vulnerability in GForge 3.3 and earlier allows remote attackers to list arbitrary directories via a .. (dot dot) in the (1) dir parameter to controller.php or (2) dir_name parameter to controlleroo.php. 12318 20050120 STG Security Advisory: [SSA-20050120-24] GForge 3.x directory gforge-dir-dirname-directory-traversal(18988) 1012950 Directory traversal vulnerability in session.php in JSBoard 2.0.9 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the table parameter. jsboard-session-file-include(18990) 12319 20050120 STG Security Advisory: [SSA-20050120-22] JSBoard file disclosure 1012949 13920 comersus_backoffice_install10.asp in BackOffice Lite 6.0 and 6.01 allows remote attackers to bypass authentication and gain privileges via a direct request to the program. backoffice-lite-administrative-bypass(19010) 20050121 bug report comersus Back Office Lite 6.0 and 6.0.1 http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.html http://www.comersus.org/forum/displayMessage.asp?mid=32753 SQL injection vulnerability in default.asp in BackOffice Lite 6.0 and 6.01 allows remote attackers to execute arbitrary SQL commands via the referer field in the HTTP header. backoffice-lite-sql-injection(19013) http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.html 20050121 bug report comersus Back Office Lite 6.0 and 6.0.1 Multiple cross-site scripting (XSS) vulnerabilities in (1) comersus_supportError.asp or (2) comersus_backofficelite_supportError.asp in BackOffice Lite 6.0 and 6.01 allow remote attackers to inject arbitrary web script or HTML via the error parameter. backoffice-lite-xss(19014) 20050121 bug report comersus Back Office Lite 6.0 and 6.0.1 http://www.securiteam.com/windowsntfocus/5TP0Q0UEKI.html Directory traversal vulnerability in DivX Player 2.6 and earlier allows remote attackers to overwrite arbitrary files via a .. (dot dot) in a filename in a ZIP file for a skin. divx-player-directory-traversal(19030) 12332 20050121 Arbitrary files overwriting through skins in DivX Player 2.6 13969 http://aluigi.altervista.org/adv/divxplayer-adv.txt CRLF injection vulnerability in users.php in Siteman 1.1.10 and earlier allows remote attackers to add arbitrary users and gain privileges via the line parameter in a docreate operation. siteman-gain-access(18998) 12304 20050122 Siteman User Database Line Insertion Vulnerability 20050120 God Admin Injection Vulnerability in Siteman 1.0.x, 13131 1012951 MercuryBoard 1.1.1 allows remote attackers to gain sensitive information via an HTTP request with the n parameter set to 0, which causes a divide-by-zero error and reveals the path in the resulting error message. mercuryboard-multiple-script-path-disclosure(19048) 12359 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 Multiple cross-site scripting (XSS) vulnerabilities in index.php in MercuryBoard 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) s, (2) l, (3) a, (4) t, (5) to, or (6) re parameters. mercuryboard-multiple-scripts-xss(19050) 12359 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 Buffer overflow in the wsprintf function in W32Dasm 8.93 and earlier allows remote attackers to execute arbitrary code via a large import or export function name. w32dasm-wsprintf-bo(19044) 12352 20050124 Local buffer-overflow in W32Dasm 8.93 1012997 13986 Multiple cross-site scripting (XSS) vulnerabilities in (1) index.php or (2) mod.php in Exponent 0.95 allow remote attackers to inject arbitrary web script or HTML via the module parameter. exponent-module-xss(19061) 12358 20050125 Vulnerabilities in eXponent 0.95 13190 13188 Exponent 0.95 allows remote attackers to obtain sensitive information via a direct HTTP request to (1) search.info.php, (2) permissions.info.php, (3) security.info.php, (4) formcontrol.php, or (5) file_modules.php, which reveals the path in an error message because the pathos_core_version variable is undefined. exponent-pathoscoreversion-path-disclosure(19064) 20050125 Vulnerabilities in eXponent 0.95 Ingate Firewall 4.1.3 and earlier does not terminate the PPTP session for an active user when the administrator disables that user from a resource, which could allow remote authenticated users to retain unauthorized access to resources. ingate-firewall-unath-access(19123) 12383 20050127 Ingate Firewall: Removed PPTP tunnels not deactivated http://www.ingate.com/relnote-422.php 1013022 14060 WarFTPD 1.82 RC9, when running as an NT service, allows remote authenticated users to cause a denial of service (access violation) via a CWD command with a crafted pathname, as demonstrated using a large string of "%s" sequences, possibly indicating a format string vulnerability. 12384 20050127 WarFTPD 1.82 RC9 DoS warftpd-cwd-dos(19129) http://support.jgaa.com/index.php?cmd=ShowReport&ID=02643 Multiple directory traversal vulnerabilities in Magic Winmail Server 4.0 Build 1112 allow remote attackers to (1) upload arbitrary files via certain parameters to upload.php or (2) read arbitrary files via certain parameters to download.php, and remote authenticated users to read, create, or delete arbitrary directories and files via the IMAP commands (3) CREATE, (4) EXAMINE, (5) SELECT, or (6) DELETE. magic-winmail-command-directory-traversal(19114) magicwinmail-uploadphp-file-upload(19108) 12388 1013017 14053 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities Cross-site scripting (XSS) vulnerability in user.php in Magic Winmail Server 4.0 Build 1112 allows remote attackers to inject arbitrary web script or HTML via the personal information fields. magic-winmail-userphp-xss(19113) 12388 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities 1013017 14053 The FTP service in Magic Winmail Server 4.0 Build 1112 does not verify that the IP address in a PORT command is the same as the IP address of the user of the FTP session, which allows remote authenticated users to use the server as an intermediary for port scanning. magicwinmail-ftp-obtain-information(19115) 12388 20050127 [SIG^2 G-TEC] Magic Winmail Server v4.0 Multiple Vulnerabilities 1013017 14053 WebWasher Classic 2.2.1 and 3.3, when running in server mode, does not properly drop CONNECT requests to the localhost from external systems, which could allow remote attackers to bypass intended access restrictions. 12394 14058 webwasher-classic-connect-gain-access(19144) http://www.oliverkarow.de/research/WebWasherCONNECT.txt 20050128 WebWasher Classic - HTTP CONNECT weakness 1013036 Cross-site scripting (XSS) vulnerability in useredit_account.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to inject arbitrary web script or HTML via the user parameter. webadmin-usereditaccountwdm-xss(19161) 12395 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 1013038 14079 useredit_account.wdm in Alt-N WebAdmin 3.0.4 does not properly validate account edits by the logged in user, which allows remote authenticated users to edit other users' account information via a modified user parameter. 12395 1013038 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 Direct remote injection vulnerability in modalfram.wdm in Alt-N WebAdmin 3.0.4 allows remote attackers to load external webpages that appear to come from the WebAdmin server, which allows remote attackers to inject arbitrary HTML or web script to facilitate cross-site scripting (XSS) and phishing attacks. 12395 webadmin-html-injection(19162) 20050128 Multiple vulnerabilities in Alt-N WebAdmin <= 3.0.2 Multiple cross-site scripting vulnerabilities in MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) username parameter to login.html, (2) accountid parameter to accountsettings_add.html, or the (3) note, (4) title, and (5) location fields to calendar.html. 12396 merak-icewarp-multiple-xss(19147) 20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 allows remote authenticated users to gain sensitive information via an HTTP request to (1) calendar_d.html, (2) calendar_m.html, (3) calendar_w.html, or (4) calendar_y.html, which reveal the installation path. merak-icewarp-user-path-disclosure(19152) 20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes MERAK Mail Server 7.6.0 with Icewarp Web Mail 5.3.0 and Mail Server 7.6.4r with Icewarp Mail Server 5.3.2 uses weak encryption in the (1) users.cfg, (2) settings.cfg, (3) users.dat or (4) user.dat files, which allows local users to extract the passwords. merak-icewarp-weak-password-encryption(19153) 20050128 Multiple vulnerabilities in Icewarp Web Mail 5.3.0: New holes Cross-site scripting (XSS) vulnerability in Infinite Mobile Delivery Webmail 2.6 allows remote attackers to inject arbitrary web script or HTML via the URL. infinite-mobile-delivery-xss(19151) 20050129 XSS in Infinite Mobile Delivery v2.6 Webmail 12399 http://www.lovebug.org/imd_advisory.txt 1013044 14075 Infinite Mobile Delivery Webmail 2.6 allows remote attackers to gain sensitive information via an HTTP request that contains invalid characters for a Windows foldername, which reveals the path in an error message. infinite-mobile-delivery-path-disclosure(19154) 20050129 XSS in Infinite Mobile Delivery v2.6 Webmail 12399 http://www.lovebug.org/imd_advisory.txt 1013044 14075 Xpand Rally 1.0.0.0 allows remote attackers or remote malicious game servers to cause a denial of service (application crash) via a packet with large values that are not properly handled in certain malloc or memcpy operations. xpand-rally-memory-dos(19150) 20050130 Broadcast crash in Xpand Rally 1.0.0.0 http://aluigi.altervista.org/adv/xprallyboom-adv.txt 12409 1013043 14073 20050130 Broadcast crash in Xpand Rally 1.0.0.0 pafiledb.php in PaFileDB 3.1 allows remote attackers to gain sensitive information via an invalid or missing action parameter, which reveals the path in an error message when it cannot include a login.php script. 20050131 [PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final pafiledb-login-path-disclosure(19175) pafiledb.php in Pafiledb 3.1 may allow remote attackers to execute arbitrary PHP code via a modified action parameter that is used in an include statement for login.php. pafiledb-login-file-include(19176) 20050131 [PersianHacker.net] Full Path Disclosure and PHP Injection In Pafiledb 3.1 Final Zyxel P310, P314, P324 and Netgear RT311, RT314 running the latest firmware, allows remote attackers on the WAN to obtain the IP address of the LAN side interface by pinging a valid LAN IP address, which generates an ARP reply from the WAN address side that maps the LAN IP address to the WAN's MAC address. zyxel-netgear-ping-information-disclosure(20609) 20050131 Zyxel / Netgear and probably other routers leaking information. Directory traversal vulnerability in ZipGenius 5.5 and earlier allows remote attackers to create and possibly modify arbitrary files via a ZIP file with a file whose name includes .. (dot dot) sequences. 12419 1013542 20050202 7a69Adv#19 - ZipGenius unpack path disclosure zipgenius-path-disclosure(19203) 14123 Buffer overflow in Painkiller 1.35 and earlier, and possibly other versions before 1.61, allows remote authenticated users to cause a denial of service and possibly execute arbitrary code via a long cd-key hash. painkiller-long-cdkey-bo(19205) 12423 14113 1013066 20050202 Limited buffer-overflow in Painkiller 1.35 Directory traversal vulnerability in WinRAR 3.42 and earlier, when the user clicks on the ZIP file to extract it, allows remote attackers to create arbitrary files via a ... (triple dot) in the filename of the ZIP file. winrar-dotdotdotdirectory-traversal(20585) 12422 20050202 7a69Adv#21 - WinRAR unpack one-folder path disclosure Directory traversal vulnerability in DeskNow Mail and Collaboration Server 2.5.12 allows remote attackers to (1) upload and possibly execute files outside the directory via the AttachmentsKey parameter to attachment.do, as demonstrated using JSP pages, or (2) delete arbitrary files via the select_file parameter to file.do. desknow-jsp-gain-access(19211) desknow-attachmentkey-file-upload(19206) 12421 desknow-filedo-file-deletion(19212) http://www.security.org.sg/vuln/desknow2512.html 1013060 14116 20050202 [SIG^2 G-TEC] DeskNow Mail and Collaboration Server Directory Traversal Vulnerabilities LANChat Pro Revival 1.666c allows remote attackers to cause a denial of service (application crash) via a malformed UDP packet. lanchatpro-udp-packet-dos(19213) 12439 http://www.autistici.org/fdonato/advisory/LANChatRevival1.666c-adv.txt 20050203 DoS in LANChat Pro Revival 1.666c Linksys PSUS4 running firmware 6032 allows remote attackers to cause a denial of service (device crash) via an HTTP POST request containing an unknown parameter without a value. linksys-psus4-dos(19222) 12443 14136 20050203 [ RSTACK Public Security Advisory ] Remote DOS against Linksys PSUS4 Directory traversal vulnerability in EMotion MediaPartner Web Server 5.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the URL. mediapartner-dotdot-directory-traversal(18842) 12236 1012838 20050110 Portcullis Security Advisory 05-010 13820 Cross-site scripting (XSS) vulnerability in EMotion MediaPartner Web Server 5.0 allows remote attackers to inject arbitrary HTML or web script, as demonstrated using a URL containing .. sequences and HTML, which results in a directory browsing page that does not properly filter the HTML. mediapartner-url-xss(18845) 12236 1012838 20050110 Portcullis Security Advisory 05-010 13820 Postfix 2.1.3, when /proc/net/if_inet6 is not available and permit_mx_backup is enabled in smtpd_recipient_restrictions, allows remote attackers to bypass e-mail restrictions and perform mail relaying by sending mail to an IPv6 hostname. postfix-ipv6-security-bypass(19218) 12445 14137 20050204 [USN-74-1] Postfix vulnerability oval:org.mitre.oval:def:11339 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=267837 RHSA-2005:152 Buffer overflow in Savant Web Server 3.1 allows remote attackers to execute arbitrary code via a long HTTP request. savant-bo(19177) 12429 20050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.1 20050201 Remotely exploitable buffer overflow vulnerability in Savant Web Server 3.1 20050204 Exploit For Savant Web Server 3.1 (tested on win2003) Buffer overflow in Foxmail 2.0 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a long MAIL FROM command. foxmail-mailfrom-bo(19229) 12454 20050205 Foxmail Server Remote Buffer Overflow Vulnerability Integer signedness error in Apple File Service (AFP Server) allows remote attackers to cause a denial of service (application crash) via a negative UAM string length in a FPLoginExt packet. APPLE-SA-2005-03-21 Applefileserver-fploginext-dos(19263) 20050208 AppleFileServer Denial of Service. 12478 Apple Safari 1.2.4 does not obey the Content-type field in the HTTP header and renders text as HTML, which allows remote attackers to inject arbitrary web script or HTML and perform cross-site scripting (XSS) attacks. safari-contenttype-xss(19227) http://tigger.uic.edu/~jrockw2/safari_20050204.txt 1013087 20050204 Input Validation Vulnerability in Apple Safari version 1.2.4 v125.12 The Finder in Mac OS X and earlier allows local users to overwrite arbitrary files and gain privileges by creating a hard link from the .DS_Store file to an arbitrary file. 14188 APPLE-SA-2005-05-03 finder-dsstore-file-overwrite(19253) 12458 20050207 [OSX Finder] DS_Store arbitrary file overwrite vulnerability. SQL injection vulnerability in PerlDesk 1.x allows remote attackers to inject arbitrary SQL commands via the view parameter. 12471 12512 perldesk-view-sql-injection(19245) http://www.security-project.org/projects/board/showthread.php?p=5172#post5172 20050207 [SePro Bugtraq] SQL-Injection in PerlDesk 1.x Directory traversal vulnerability in 602LAN SUITE 2004.0.04.1221 allows remote authenticated users to upload and execute arbitrary files via a .. (dot dot) in the filename parameter. http://www.security.org.sg/vuln/602lansuite1221.html 14169 20050208 [SIG^2 G-TEC] 602LAN SUITE Web Mail Vulnerability Allows File Upload to Arbitrary Directories 602lansuite-webmail-directory-traversal(19258) 1013106 viewthread.php in php-fusion 4.x does not check the (1) forum_id or (2) forum_cat parameters, which allows remote attackers to view protected forums via the thread_id parameter. phpfusion-viewthread-obtain-information(19257) 20050208 php-fusion 4.x vuln 12482 SafeNet SoftRemote VPN Client stores the VPN password (pre-shared key) in cleartext in memory of the IreIKE.exe process, which allows local users to gain sensitive information if they have access to that process. softremote-vpn-password-disclosure(19256) http://www.nta-monitor.com/news/vpn-flaws/safenet/index.htm 20050208 SafeNet SoftRemote VPN Client Issue: Clear-text password 1013134 Integer overflow in RealArcade 1.2.0.994 and earlier allows remote attackers to execute arbitrary code via an RGS file with an invalid size string for the GUID and game name, which leads to a buffer overflow. realarcade-rgs-bo(19259) 14187 20050208 Integer overflow and arbitrary files deletion in RealArcade 1013128 Directory traversal vulnerability in RealArcade 1.2.0.994 allows remote attackers to delete arbitrary files via an RGP file with a .. (dot dot) in the FILENAME tag. realarcade-rgp-file-deletion(19260) 12494 14187 20050208 Integer overflow and arbitrary files deletion in RealArcade 1013128 The production release of the UniversalAgent for UNIX in BrightStor ARCserve Backup 11.1 contains hard-coded credentials, which allows remote attackers to access the file system and possibly execute arbitrary commands. 20050210 Computer Associates BrightStor ARCserve Backup UniversalAgent Backdoor Vulnerability http://supportconnect.ca.com/sc/solcenter/sol_detail.jsp?aparno=QO63672&os=UNIX&returninput=0 ADV-2005-0145 12522 13706 1013144 14233 Heap-based buffer overflow in multiple F-Secure Anti-Virus and Internet Security products allows remote attackers to execute arbitrary code via a crafted ARJ archive. 20050210 F-Secure AntiVirus Library Heap Overflow http://www.f-secure.com/security/fsc-2005-1.shtml Buffer overflow in (1) termsh, (2) atcronsh, and (3) auditsh in SCO OpenServer 5.0.6 and 5.0.7 might allow local users to execute arbitrary code via a long HOME environment variable. SCOSA-2005.15 13062 Servers Alive 4.1 and 5.0, when running as a service, does not drop SYSTEM privileges before loading local manual under the help menu, which allows local users to gain privileges. serversalive-gain-privileges(19715) 12822 14616 20050316 Servers Alive: Local Privilege Escalation Buffer overflow in the Sentinel LM (Lservnt) service in the Sentinel License Manager 7.2.0.2 allows remote attackers to execute arbitrary code by sending a large amount of data to UDP port 5093. VU#108790 http://www.cirt.dk/advisories/cirt-30-advisory.pdf 14511 sentinel-license-manager-bo(19621) 12742 20050313 [HAT-SQUAD] SafeNet Sentinel LM, UDP License Manager Exploit 20050307 CIRT.DK Advisory - SafeNet Inc Sentinel License Manager 7.2.0.2 Buffer Overflow Multiple TCP implementations with Protection Against Wrapped Sequence Numbers (PAWS) with the timestamps option enabled allow remote attackers to cause a denial of service (connection loss) via a spoofed packet with a large timer value, which causes the host to discard later packets because they appear to be too old. VU#637934 15417 tcp-ip-timestamp-dos(20635) 13676 20050518 Vulnerability in a Variant of the TCP Timestamps Option 15393 http://support.avaya.com/elmodocs2/security/ASA-2006-032.htm 18662 18222 SCOSA-2005.64 FreeBSD-SA-05:15 EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 rely on AUTH_UNIX authentication, which relies on user ID for authentication and allows remote attackers to bypass authentication and gain privileges by spoofing a username or UID. VU#606857 legato-authunix-bypass-authentication(21887) 14582 http://www.legato.com/support/websupport/product_alerts/081605_NW_authentication.htm 101886 1014713 16464 18800 16470 EMC Legato NetWorker, Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 6.0 through 7.2 do not properly verify authentication tokens, which allows remote attackers to gain privileges by modifying an authentication token. VU#407641 legato-token-gain-privileges(21892) 14582 101886 1014713 16464 18801 http://www.legato.com/support/websupport/product_alerts/081605_NW_token_authentication.htm 16470 The Legato PortMapper in EMC Legato NetWorker, Sun Solstice Backup 6.0 and 6.1, and StorEdge Enterprise Backup 7.0 through 7.2 does not restrict access to the pmap_set and pmap_unset commands, which allows remote attackers to (1) cause a denial of service by using pmap_unset to un-register a NetWorker service, or (2) obtain sensitive information from NetWorker services by using pmap_set to register a new service. VU#801089 legato-portmapper-obtain-information(21893) 14582 http://www.legato.com/support/websupport/product_alerts/081605_NW_port_mapper.htm 101886 1014713 16464 18802 16470 The Microsoft Log Sink Class ActiveX control in pkmcore.dll is marked as "safe for scripting" for Internet Explorer, which allows remote attackers to create or append to arbitrary files. VU#165022 awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode", (2) "loadplugin", or (3) "noloadplugin" parameters. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488 16089 awstats.pl in AWStats 4.0 and 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the config parameter. DSA-682 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488 Unknown vulnerability in BIND 9.2.0 in HP-UX B.11.00, B.11.11, and B.11.23 allows remote attackers to cause a denial of service. hpux-bind-dos(19276) 14220 HPSBUX01117 oval:org.mitre.oval:def:5690 The dcopidlng script in KDE 3.2.x and 3.3.x creates temporary files with predictable filenames, which allows local users to overwrite arbitrary files via a symlink attack. http://www.kde.org/info/security/advisory-20050316-2.txt GLSA-200503-14 20050211 insecure temporary file creation in kdelibs 3.3.2 http://bugs.kde.org/show_bug.cgi?id=97608 oval:org.mitre.oval:def:10676 RHSA-2005:325 MDKSA-2005:058 MDKSA-2005:045 1013525 14254 FEDORA-2005-245 The integrity check feature in OpenPGP, when handling a message that was encrypted using cipher feedback (CFB) mode, allows remote attackers to recover part of the plaintext via a chosen-ciphertext attack when the first 2 bytes of a message block are known, and an oracle or other mechanism is available to determine whether an integrity check failed. VU#303094 http://www.pgp.com/library/ctocorner/openpgp.html GLSA-200503-29 http://eprint.iacr.org/2005/033.pdf 12529 13775 SUSE-SR:2005:007 MDKSA-2005:057 1013166 http://eprint.iacr.org/2005/033 Multiple directory traversal vulnerabilities in ArGoSoft Mail Server 1.8.7.3 allow remote authenticated users to read, delete, or upload arbitrary files via a .. (dot dot) in (1) the filename of an e-mail attachment, (2) the _msgatt.rec file, (3) and the /msg, /delete, /folderadd, and /folderdelete operations for the Folder parameter. 20050209 [SIG^2 G-TEC] ArGoSoft Mail Server Webmail Multiple Directory Traversal Vulnerabilities http://www.security.org.sg/vuln/argosoftmail1873.html Multiple SQL injection vulnerabilities in CMScore allow remote attackers to execute arbitrary SQL commands via the (1) EntryID or (2) searchterm parameter to index.php, or (3) username parameter to authenticate.php. cmscore-multiple-sql-injection(19235) 12457 14142 20050209 CMS Core SQL injection Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 earlier allows remote attackers to cause a denial of service (application crash) via a packet with a large (1) descriptor ID or (2) claim_id, which exceeds the boundaries of an array. 20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0 Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and earlier allow remote attackers to cause a denial of service (network disconnection) via an empty UDP packet, which is not properly distinguished from the "no new packets" state of the associated socket. 20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0 Armagetron 0.2.6.0 and earlier and Armagetron Advanced 0.2.7.0 and earlier allow remote attackers to cause a denial of service (freeze) via a large number of player connections that do not send any data. 20050210 Crashes and socket unreacheable in Armagetron Advanced 0.2.7.0 Directory traversal vulnerability in gftp before 2.0.18 for GTK+ allows remote malicious FTP servers to read arbitrary files via .. (dot dot) sequences in filenames returned from a LIST command. 12539 GLSA-200502-27 DSA-686 FEDORA-2005-310 FEDORA-2005-309 oval:org.mitre.oval:def:9923 CLSA-2005:957 RHSA-2005:410 MDKSA-2005:050 oval:org.mitre.oval:def:717 Buffer overflow in digestmd5.c CVS release 1.170 (also referred to as digestmda5.c), as used in the DIGEST-MD5 SASL plugin for Cyrus-SASL but not in any official releases, allows remote attackers to execute arbitrary code. cyrus-sasl-digestmda5-bo(17642) 11347 [openbsd-ports] 20040717 UPDATE: cyrus-sasl-2.1.19 SUSE-SR:2005:006 GLSA-200410-05 https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c?rev=1.171&content-type=text/x-cvsweb-markup https://bugzilla.andrew.cmu.edu/cgi-bin/cvsweb.cgi/src/sasl/plugins/digestmd5.c.diff?r1=1.170&r2=1.171 MDKSA-2005:054 Cross-site scripting (XSS) vulnerability in Bitboard 2.5 and earlier allows remote attackers to inject arbitrary web script or HTML via an [img] bbcode image tag with an event such as mouseover. bitshifters-bitboard-xss(18871) 12248 1012864 20050112 Security Advisory: BiTBOARD xss imageview.php in SGallery 1.01 allows remote attackers to obtain sensitive information via an HTTP request with (1) idalbum and (2) idimage unset, which reveals the installation path in an error message for the sql_fetch_row function. 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke sgallery-path-disclosure(18877) http://www.waraxe.us/advisory-39.html 1012868 PHP remote file inclusion vulnerability in SGallery 1.01 allows local and possibly remote attackers to execute arbitrary PHP code by modifying the DOCUMENT_ROOT parameter to reference a URL on a remote web server that contains (1) config.php or (2) sql_layer.php. sgallery-file-include(18878) http://www.waraxe.us/advisory-39.html 1012868 13824 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke SQL injection vulnerability in imageview.php for SGallery 1.01 allows remote attackers to execute arbitrary SQL commands via the (1) idalbum or (2) idimage parameters. sgallery-imageview-sql-injection(18876) http://www.waraxe.us/advisory-39.html 12249 1012868 13824 20050112 [waraxe-2005-SA#039] - Critical Sql Injection in Sgallery module for PhpNuke Multiple cross-site scripting (XSS) vulnerabilities in Horde 3.0 allow remote attackers to inject arbitrary web script or HTML via the (1) group parameter to prefs.php or (2) url parameter to index.php. 12255 20050113 Cross Site Scripting holes found in Horde 3.0 horde-prefs-index-xss(18881) http://www.hyperdose.com/advisories/H2005-01.txt 1012892 Multiple directory traversal vulnerabilities in ZeroBoard 4.1pl5 and earlier allow remote attackers to read arbitrary files via a .. (dot dot) in the _zb_path parameter to (1) _head.php or (2) outlogin.php, or the dir parameter to (3) write.php. zeroboard-file-disclosure(18891) 12257 1012884 20050113 STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities Multiple PHP remote file inclusion vulnerabilities in (1) print_category.php, (2) login.php, (3) setup.php, (4) ask_password.php, or (5) error.php in ZeroBoard 4.1pl5 and earlier allow remote attackers to execute arbitrary PHP code by modifying the dir parameter to reference a URL on a remote web server that contains the code. 13769 zeroboard-zero-vote-file-include(18893) zeroboard-printcategory-file-include(18892) 12258 12206 12932 12931 12930 12929 12928 1012884 20050113 STG Security Advisory: [SSA-20050113-25] ZeroBoard multiple vulnerabilities Cross-site scripting (XSS) vulnerability in f.aspx in forumKIT 1.0 allows remote attackers to inject arbitrary web script or HTML via the members parameter. forumkit-members-xss(18880) 12256 1012895 20050113 XSS Vulnerability in ForumKIT Breed patch 1 and earlier allows remote attackers to cause a denial of service (application crash) via an empty UDP packet, which triggers a null dereference. breed-udp-datagram-dos(18890) 12262 13211 20050113 Server crash in Breed patch #1 Trend Micro Control Manager 3.0 Enterprise Edition allows remote attackers to gain privileges via a replay attack of the encrypted username and password. http://www.cirt.dk/advisories/cirt-28-advisory.pdf 20050113 Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack control-manager-replay-attack(18887) 20050113 Trend Micro Control Manager - Enterprise Edition 3.0 Web application Replay attack Unknown vulnerability in the PPP driver for the Linux kernel 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) via a pppd client. FLSA:152532 USN-95-1 2005-0009 12810 RHSA-2005:366 RHSA-2005:293 RHSA-2005:284 RHSA-2005:283 SUSE-SA:2005:018 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20338 20202 20163 oval:org.mitre.oval:def:9562 Buffer overflow in luxman before 0.41, if used with certain insecure svgalib libraries, allows local users to execute arbitrary code via a long -f command line argument. 12797 luxman-bo-execute-commands(19680) 20050314 DMA[2005-0310a] - 'Frank McIngvale LuxMan buffer overflow' http://www.digitalmunition.com/DMA[2005-0310a].txt DSA-693 14582 Cross-site scripting (XSS) vulnerability in network.cgi in mailreader before 2.3.29 earlier allows remote attackers to inject arbitrary web script or HTML via MIME text/enriched or text/richtext messages. DSA-700 14777 remstats 1.0.13 and earlier, when processing uptime data, allows local users to create or overwrite arbitrary files via a symlink attack on temporary files. DSA-704 Unknown vulnerability in the remoteping service in remstats 1.0.13 and earlier allows remote attackers to execute arbitrary commands "due to missing input sanitising." DSA-704 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2005-0814. Reason: This candidate is a duplicate of CVE-2005-0814. Notes: All CVE users should reference CVE-2005-0814 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Buffer overflow in the HTTP redirection capability in conn.c for Axel before 1.0b may allow remote attackers to execute arbitrary code. 13059 DSA-706 GLSA-200504-09 14831 http://www.mail-archive.com/debian-devel-changes@lists.debian.org/msg118978.html geneweb 4.10 and earlier does not properly check file permissions and content during conversion, which allows attackers to modify arbitrary files. DSA-712 geneweb-insecure-file-permission(20176) ppxp does not drop root privileges before opening log files, which allows local users to execute arbitrary commands. 13681 DSA-725 The helper scripts for crip 3.5 do not properly use temporary files, which allows local users to have an unknown impact with unknown attack vectors. DSA-733 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate has been revoked by its Candidate Numbering Authority (CNA) because it was initially assigned to a problem that was not a security issue. Notes: none. Desktop Communication Protocol (DCOP) daemon, aka dcopserver, in KDE before 3.4 allows local users to cause a denial of service (dcopserver consumption) by "stalling the DCOP authentication process." http://www.kde.org/info/security/advisory-20050316-1.txt GLSA-200503-22 20050316 Multiple KDE Security Advisories (2005-03-16) oval:org.mitre.oval:def:10432 12820 FLSA:178606 RHSA-2005:325 RHSA-2005:307 MDKSA-2005:058 Format string vulnerability in the SetImageInfo function in image.c for ImageMagick before 6.0.2.5 may allow remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via format string specifiers in a filename argument to convert, which may be called by other web applications. imagemagick-filename-format-string(19586) RHSA-2005:320 SUSE-SA:2005:017 GLSA-200503-11 DSA-702 20050303 [USN-90-1] Imagemagick vulnerability http://bugs.gentoo.org/show_bug.cgi?id=83542 oval:org.mitre.oval:def:10302 RHSA-2005:070 The KAME racoon daemon in ipsec-tools before 0.5 allows remote attackers to cause a denial of service (crash) via malformed ISAKMP packets. https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=109966&action=view racoon-isakmp-header-dos(19707) 12804 RHSA-2005:232 [ipsec-tools-devel] 20050312 potential remote crash in racoon 1013433 GLSA-200503-33 14584 ADV-2005-0264 oval:org.mitre.oval:def:10028 MDKSA-2005:062 Heap-based buffer overflow in GIF2.cpp in Firefox before 1.0.2, Mozilla before to 1.7.6, and Thunderbird before 1.0.2, and possibly other applications that use the same library, allows remote attackers to execute arbitrary code via a GIF image with a crafted Netscape extension 2 block and buffer size. VU#557948 14654 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=150877 gif-extension-overflow(19269) 20050323 Mozilla Foundation GIF Overflow ADV-2005-0296 12881 RHSA-2005:337 RHSA-2005:336 RHSA-2005:335 RHSA-2005:323 SUSE-SA:2006:004 http://www.mozilla.org/security/announce/mfsa2005-30.html GLSA-200503-30 P-160 oval:org.mitre.oval:def:11377 15495 SUSE-SA:2006:004 19823 SCOSA-2005.49 oval:org.mitre.oval:def:100028 The ext2_make_empty function call in the Linux kernel before 2.6.11.6 does not properly initialize memory when creating a block for a new directory entry, which allows local users to obtain potentially sensitive information by reading the block. kernel-ext2-information-disclosure(19866) FLSA:152532 ADV-2005-1878 USN-103-1 14713 oval:org.mitre.oval:def:10336 http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.11.6 http://arkoon.net/advisories/ext2-make-empty-leak.txt 12932 RHSA-2006:0191 RHSA-2006:0190 RHSA-2005:663 RHSA-2005:366 18684 17002 20050401 Information leak in the Linux kernel ext2 implementation FireFox 1.0.1 and Mozilla before 1.7.6 do not sufficiently address all attack vectors for loading chrome files and hijacking drag and drop events, which allows remote attackers to execute arbitrary XUL code by tricking a user into dragging a scrollbar, a variant of CVE-2005-0527, aka "Firescrolling 2." 12885 ADV-2005-0296 RHSA-2005:336 RHSA-2005:335 http://www.mozilla.org/security/announce/mfsa2005-32.html GLSA-200503-30 14654 oval:org.mitre.oval:def:9650 http://mikx.de/firescrolling2/ 20050324 Firescrolling 2 [Firefox 1.0.1] RHSA-2005:384 oval:org.mitre.oval:def:100026 Firefox before 1.0.2 allows remote attackers to execute arbitrary code by tricking a user into saving a page as a Firefox sidebar panel, then using the sidebar panel to inject Javascript into a privileged page. https://bugzilla.mozilla.org/show_bug.cgi?id=284627 RHSA-2005:336 14654 ADV-2005-0296 http://www.mozilla.org/security/announce/mfsa2005-31.html oval:org.mitre.oval:def:11868 oval:org.mitre.oval:def:100027 init_dev in tty_io.c in the Red Hat backport of NPTL to Red Hat Enterprise Linux 3 does not properly clear controlling tty's in multi-threaded applications, which allows local users to cause a denial of service (crash) and possibly gain tty access via unknown attack vectors that trigger an access of a pointer to a freed structure. RHSA-2005:293 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=144059 oval:org.mitre.oval:def:9435 KMail 1.7.1 in KDE 3.3.2 allows remote attackers to spoof email information, such as whether the email has been digitally signed or encrypted, via HTML formatted email. http://www.securiteam.com/unixfocus/5GP0B0AFFE.html http://bugs.kde.org/show_bug.cgi?id=96020 14925 [kmail-devel] 20050215 [Bug 96020] HTML Allows Spoofing of Emails Content A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image. http://www.redteam-pentesting.de/advisories/rt-sa-2005-008.txt 20050214 Advisory: JPEG EXIF information disclosure Cross-site scripting (XSS) vulnerability in Openconf 1.04, and possibly other versions before 1.10, allows remote attackers to inject arbitrary HTML and web script via the paper title. 12554 http://www.redteam-pentesting.de/advisories/rt-sa-2005-007.txt 14294 20050214 Advisory: Cross Site Scripting Vulnerability in Openconf Conference Management Software CitrusDB 0.3.6 and earlier generates easily predictable MD5 hashes of the user name for the id_hash cookie, which allows remote attackers to bypass authentication and gain privileges by calculating the MD5 checksum of the user name combined with the "boogaadeeboo" string, which is hard-coded in the $hidden_hash variable. http://www.redteam-pentesting.de/advisories/rt-sa-2005-002.txt 20050214 Advisory: Authentication bypass in CitrusDB CitrusDB 0.3.6 and earlier does not verify authorization for the (1) importcc.php and (2) uploadcc.php, which allows remote attackers to upload credit card data and obtain sensitive information such as the pathnames for temporary files that store credit card data, and facilitates the exploitation of other vulnerabilities. http://www.redteam-pentesting.de/advisories/rt-sa-2005-003.txt 20050214 Advisory: Upload Authorization bypass in CitrusDB SQL injection vulnerability in importcc.php for CitrusDB 0.3.6 and earlier allows remote attackers to inject data via the fields of a CSV file. http://www.redteam-pentesting.de/advisories/rt-sa-2005-004.txt 20050214 Advisory: SQL-Injection in CitrusDB Directory traversal vulnerability in index.php for CitrusDB 0.3.6 and earlier allows remote attackers and local users to include arbitrary PHP files via .. (dot dot) sequences in the load parameter. http://www.redteam-pentesting.de/advisories/rt-sa-2005-005.txt 20050214 Advisory: Directory traversal in CitrusDB Cross-site scripting (XSS) vulnerability in Spidean PostWrap allows remote attackers to inject arbitrary HTML and web script via the page parameter. postwrap-xss(19261) 1013130 20050208 XSS VULNERABILITY AT MODULE PostWrap Multiple SQL injection vulnerabilities in MyPHP Forum 1.0 allow remote attackers to execute arbitrary SQL commands via (1) the fid in forum.php, (2) the member parameter in member.php, (3) the email parameter in forgot.php, or (4) the nbuser or nbpass parameters in include.php. NOTE: it was later reported that vector 2 exists in 3.0 and earlier. myphpforum-member-sql-injection(39348) myphpforum-multiple-sql-injection(19272) 27083 12501 4822 1013136 14205 20050209 Several SQL injection bugs in myPHP Forum v.1.0 SQL injection vulnerability in post.php for MercuryBoard 1.1.1 allows remote attackers to execute arbitrary SQL commands via a reply post action for index.php with (1) the t parameter or (2) the qu parameter. 1013137 20050124 Multiple vulnerabilities in MercuryBoard 1.1.1 mercuryboard-index-sql-injection(19051) 20050209 Mercuryboard =?iso-8859-1?Q?<=3D?= 1.1.1 Working Sql Injection http://cvs.sunsite.dk/viewcvs.cgi/mercury/func/post.php.diff?r1=1.68&r2=1.70 Multiple memory leaks in the MQL parser in Emdros before 1.1.22 allow remote attackers to cause a denial of service (memory consumption) via malformed MQL statements. emdros-mql-dos(19273) http://sourceforge.net/tracker/index.php?func=detail&aid=1116935&group_id=37219&atid=419458 http://sourceforge.net/project/shownotes.php?release_id=303465 The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to execute arbitrary code via the AnimationHeaderBlock length field, which leads to a stack-based buffer overflow. win-user32-aniheader-overflow(18879) 12233 MS05-002 http://eeye.com/html/research/advisories/AD20050111.html 20050112 Windows ANI File Parsing Proof Of Concept (MS05-002) 20050111 EEYE: Windows ANI File Parsing Buffer Overflow Unknown "high risk" vulnerability in DB2 Universal Database 8.1 and earlier has unknown impact and attack vectors. NOTE: due to the delayed disclosure of details for this issue, this candidate may be SPLIT in the future. In addition, this may be a duplicate of other issues as reported by the vendor. 12508 20050209 Patch available for high risk IBM DB2 Universal Database flaw http://www.ngssoftware.com/advisories/db2-09-05-05.htm Argument injection vulnerability in Java Web Start for J2SE 1.4.2 up to 1.4.2_06, on Mac OS X, allows untrusted applications to gain privileges via the value parameter of a property tag in a JNLP file. NOTE: it is highly likely that this item will be MERGED with CVE-2005-0836. APPLE-SA-2005-03-24 Multiple heap-based buffer overflows in 3Com 3CServer allow remote authenticated users to execute arbitrary code via long FTP commands, as demonstrated using the STAT command. 3cserver-multiple-command-bo(19250) 20050207 Vulnerability in 3Com 3CServer v1.1 Microsoft Outlook Web Access (OWA), when used with Exchange, allows remote attackers to redirect users to arbitrary URLs for login via a link to the owalogon.asp application. owa-owalogonasp-url-redirect(19225) ADV-2005-0105 12459 14144 20050206 Microsoft Outlook Web Access URL Injection Vulnerability DelphiTurk FTP 1.0 stores usernames and passwords in the profile.dat file, which allows local users to gain privileges. delphiturkcodebank-obtain-information(19248) 1013139 DelphiTurk CodeBank (aka KodBank) 3.1 and earlier stores usernames and passwords in the Codebank registry key, which allows local users to gain privileges. delphiturkcodebank-obtain-information(19248) 1013139 SQL injection vulnerability in login.asp in ASPjar Guestbook allows remote attackers to execute arbitrary SQL commands via the password field. 12521 aspjar-guest-login-sql-injection(19299) 14225 20050210 ASPjar guestbook (Injection in login page) Unknown vulnerability in the delete.asp program in certain versions of ASPjar Guestbook allows remote attackers to delete messages. NOTE: there is insufficient information to know if this is the same issue as CVE-2002-1730. 12521 aspjar-delete-message-deletion(19301) 14225 20050210 ASPjar guestbook (Injection in login page) Unknown vulnerability in IBM Websphere Application Server 5.0, 5.1, and 6.0 when running on Windows, allows remote attackers to obtain the source code for Java Server Pages (.jsp) via a crafted URL that causes the page to be processed by the file serving servlet instead of the JSP engine. http://www-1.ibm.com/support/docview.wss?uid=swg24008815 http://www-1.ibm.com/support/docview.wss?uid=swg24008814 14274 Unknown vulnerability in Solaris 8 and 9 allows remote attackers to cause a denial of service (panic) via "Heavy UDP Usage" that triggers a NULL dereference. solaris-udp-end-point-dos(19119) 12385 57728 The ebuild of Webmin before 1.170-r3 on Gentoo Linux includes the encrypted root password in the miniserv.users file when building a tbz2 of the webmin package, which allows remote attackers to obtain and possibly crack the encrypted password. GLSA-200502-12 webmin-encrypted-password(19315) http://bugs.gentoo.org/show_bug.cgi?id=77731 The DNSPacket::expand method in dnspacket.cc in PowerDNS before 2.9.17 allows remote attackers to cause a denial of service by sending a random stream of bytes. powerdns-random-bytes-dos(19221) 12446 GLSA-200502-15 http://ds9a.nl/cgi-bin/cvstrac/pdns/tktview?tn=21 http://doc.powerdns.com/changelog.html#CHANGELOG-2-9-17 Direct code injection vulnerability in forumdisplay.php in vBulletin 3.0 through 3.0.4, when showforumusers is enabled, allows remote attackers to execute inject arbitrary PHP commands via the comma parameter. 20050213 vbulletin 3.0.x PHP code execution 12542 The Quake 3 engine, as used in multiple game packages, allows remote attackers to cause a denial of service (shutdown game server) and possibly crash the server via a long infostring, possibly triggering a buffer overflow. http://aluigi.altervista.org/adv/q3infoboom-adv.txt 12534 20050212 Infostring crash and shutdown in the Quake 3 engine Barracuda Spam Firewall 3.1.10 and earlier does not restrict the domains that white-listed domains can send mail to, which allows members of white-listed domains to use Barracuda as an open mail relay for spam. barracuda-open-relay(19283) 14243 20050210 Barracuda Spam Firewall <= 3.1.10 acts as open relay for whitelisted senders. BEA WebLogic Server 7.0 Service Pack 5 and earlier, and 8.1 Service Pack 3 and earlier, generates different login exceptions that suggest why an authentication attempt fails, which makes it easier for remote attackers to guess passwords via brute force attacks. 14298 http://dev2dev.bea.com/resourcelibrary/advisoriesnotifications/BEA05-74.00.jsp Php-Nuke 7.5 allows remote attackers to determine the full path of the web server via invalid or missing arguments to (1) db.php, (2) mainfile.php, (3) Downloads/index.php, or (4) Web_Links/index.php, which lists the path in a PHP error message. phpnuke-multiple-scripts-path-disclosure(19344) http://www.waraxe.us/advisory-40.html 12561 Multiple cross-site scripting (XSS) vulnerabilities in Php-Nuke 7.5 allow remote attackers to inject arbitrary HTML or web script via (1) the newdownloadshowdays parameter in a NewDownloads operation or (2) the newlinkshowdays parameter in a NewLinks operation. phpnuke-downloads-weblinks-xss(19346) http://www.waraxe.us/advisory-40.html 12561 awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to read server web logs by setting the loadplugin and pluginmode parameters to rawlog. 14299 awstats-awstatpl-obtain-information(19333) 20050214 AWStats <= 6.4 Multiple vulnerabilities Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter. 14299 awstats-function-code-execution(19336) 20050214 AWStats <= 6.4 Multiple vulnerabilities 13832 Directory traversal vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to include arbitrary Perl modules via .. (dot dot) sequences in the loadplugin parameter. 14299 20050214 AWStats <= 6.4 Multiple vulnerabilities awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to obtain sensitive information by setting the debug parameter. 14299 awstats-information-disclosure(19477) 20050214 AWStats <= 6.4 Multiple vulnerabilities Buffer overflow in the decode_post function in ELOG before 2.5.7 allows remote attackers to execute arbitrary code via attachments with long file names. 12556 http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880 http://midas.psi.ch/elogs/Forum/941 elog-weblog-bo(19313) ELOG before 2.5.7 allows remote attackers to bypass authentication and download a configuration file that contains a sensitive write password via a modified URL. 12556 http://sourceforge.net/project/shownotes.php?group_id=40505&release_id=304880 http://midas.psi.ch/elogs/Forum/941 Multiple stack-based buffer overflows in Sybase Adaptive Server Enterprise (ASE) 12.x before 12.5.3 ESD#1 allow remote authenticated users to execute arbitrary code via the (1) attrib_valid function, (2) covert function, (3) declare statement, or (4) a crafted query plan, or remote authenticated users with database owner or "sa" role privileges to execute arbitrary code via (5) a crafted install java statement. sybase-ase-install-java-bo(19980) sybase-ase-abstract-bo(19979) sybase-ase-declare-bo(19978) sybase-ase-convert-bo(19976) sybase-ase-attribvalid-bo(19974) sybase-adaptive-server(19354) http://www.sybase.com/detail?id=1034752 http://www.sybase.com/detail?id=1034520 12080 20050321 Details of Sybase ASE bugs withheld 13632 20050405 Sybase ASE Multiple Security Issues (#NISR05042005) 20041222 Sybase ASE 12.5.2 vulnerabilities http://www.ngssoftware.com/advisories/sybase-ase.txt Directory traversal vulnerability in index.php for CubeCart 2.0.4 allows remote attackers to read arbitrary files via the language parameter. 12549 http://www.cubecart.com/site/forums/index.php?showtopic=5741 14272 cubecart-dotdot-directory-traversal(19322) 20050406 RE: [NOBYTES.COM: #6] CubeCart 2.0.6 - Information Disclosure 20050214 [NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities index.php in CubeCart 2.0.4 allows remote attackers to (1) obtain the full path for the web server or (2) conduct cross-site scripting (XSS) attacks via an invalid language parameter, which echoes the parameter in a PHP error message. 12549 http://www.cubecart.com/site/forums/index.php?showtopic=5741 cubecart-index-xss(19328) 20050214 [NOBYTES.COM: #2] CubeCart 2.0.4 - Multiple Vulnerabilities 14064 VMware before 4.5.2.8848-r5 searches for gdk-pixbuf shared libraries using a path that includes the rrdharan world-writable temporary directory, which allows local users to execute arbitrary code. GLSA-200502-18 Cross-site scripting (XSS) vulnerability in Open WebMail 2.x allows remote attackers to inject arbitrary HTML or web script via the domain name parameter (logindomain) in the login page. 14253 open-webmail-logindomain-xss(19335) http://turtle.ee.ncku.edu.tw/openwebmail/download/cert/patches/SA-05:01/2.5x.patch http://turtle.ee.ncku.edu.tw/openwebmail/doc/changes.txt 12547 1013172 Squid 2.5.STABLE8 and earlier allows remote attackers to cause a denial of service (crash) via certain DNS responses regarding (1) Fully Qualified Domain Names (FQDN) in fqdncache.c or (2) IP addresses in ipcache.c, which trigger an assertion failure. http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE8-dns_assert.patch http://www.squid-cache.org/Versions/v2/2.5/bugs/#squid-2.5.STABLE8-dns_assert RHSA-2005:173 GLSA-200502-25 DSA-688 14271 CLA-2005:931 squid-xstrndup-dos(19332) oval:org.mitre.oval:def:11264 20050221 [USN-84-1] Squid vulnerabilities 12551 RHSA-2005:201 MDKSA-2005:047 FLSA-2006:152809 Solaris 7, 8, and 9 allows remote attackers to cause a denial of service (hang) via a flood of certain ARP packets. 14286 solaris-arp-dos(19331) 12553 57673 1013179 Race condition in the rmtree function in File::Path.pm in Perl before 5.8.4 allows local users to create arbitrary setuid binaries in the tree being deleted, a different vulnerability than CVE-2004-0452. GLSA-200501-38 DSA-696 HPSBUX01208 oval:org.mitre.oval:def:10475 USN-94-1 12767 HPSBUX01208 RHSA-2005:881 RHSA-2005:674 MDKSA-2005:079 18517 18075 17079 14531 FLSA-2006:152845 CLSA-2006:1056 20060101-01-U oval:org.mitre.oval:def:728 The netfilter/iptables module in Linux before 2.6.8.1 allows remote attackers to cause a denial of service (kernel crash) or bypass firewall rules via crafted packets, which are not properly handled by the skb_checksum_help function. RHSA-2005:284 RHSA-2005:283 SUSE-SA:2005:018 CLA-2005:945 FLSA:152532 USN-82-1 12598 RHSA-2005:366 RHSA-2005:293 MDKSA-2005:218 DSA-1018 DSA-1017 19607 19374 19369 oval:org.mitre.oval:def:10753 [netdev] 20050124 Re: skb_checksum_help 20060402-01-U Directory traversal vulnerability in Sami HTTP Server 1.0.5 allows remote attackers to read arbitrary files via an HTTP request containing (1) .. (dot dot) or (2) "%2e%2e" (encoded dot dot) sequences. 1013191 14283 Sami HTTP Server 1.0.5 allows remote attackers to cause a denial of service via an HTTP request containing two CRLF sequences, which triggers a NULL dereference. 1013191 14283 Multiple cross-site scripting (XSS) vulnerabilities in Microsoft ASP.NET (.Net) 1.0 and 1.1 to SP1 allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<". 12574 14214 20050217 XSS vulnerabilty in ASP.Net [with details] http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml The buffer_urldecode function in Lighttpd 1.3.7 and earlier does not properly handle control characters, which allows remote attackers to obtain the source code for CGI and FastCGI scripts via a URL with a %00 (null) character after the file extension. GLSA-200502-21 14297 http://article.gmane.org/gmane.comp.web.lighttpd/1171 Multiple SQL injection vulnerabilities in DCP-Portal 6.1.1 and earlier allow remote attackers to execute arbitrary SQL commands via (1) the lcat, doc, or uid parameters to index.php, or (2) the mid or bid parameters to forums.php. http://www.hackgen.org/advisories/hackgen-2005-003.txt 1013216 20050216 [hackgen-2005-#003] - SQL injection bugs in DCP-Portal dcpportal-multiple-sql-injection(19361) 12573 20051211 [PHP-CHECKER] 99 potential SQL injection vulnerabilities 108 http://glide.stanford.edu/yichen/research/sec.pdf Stack-based buffer overflow in the CSmil1Parser::testAttributeFailed function in smlparse.cpp for RealNetworks RealPlayer 10.5 (6.0.12.1056 and earlier), 10, 8, and RealOne Player V2 and V1 allows remote attackers to execute arbitrary code via a .SMIL file with a large system-screen-size value. RHSA-2005:265 20050301 RealNetworks RealPlayer .smil Buffer Overflow Vulnerability http://service.real.com/help/faq/security/050224_player oval:org.mitre.oval:def:10926 RHSA-2005:271 Opera 7.54 and earlier does not properly validate base64 encoded binary data in a data: (RFC 2397) URL, which causes the URL to be obscured in a download dialog, which may allow remote attackers to trick users into executing arbitrary code. VU#882926 http://www.opera.com/linux/changelogs/754u2/ GLSA-200502-17 13818 opera-data-dialog-spoofing(18867) SUSE-SA:2005:031 Opera 7.54 and earlier on Gentoo Linux uses an insecure path for plugins, which could allow local users to gain privileges by inserting malicious libraries into the PORTAGE_TMPDIR (portage) temporary directory. GLSA-200502-17 http://bugs.gentoo.org/show_bug.cgi?id=81747 Cross-site scripting (XSS) vulnerability in contact_us.php in osCommerce 2.2-MS2 allows remote attackers to inject arbitrary web script or HTML via the enquiry parameter. 20050215 [NOBYTES.COM: #3] osCommerce 2.2-MS2 - XSS Vulnerability phpMyAdmin 2.6.2-dev, and possibly earlier versions, allows remote attackers to determine the full path of the web root via a direct request to select_lang.lib.php, which reveals the path in a PHP error message. 1013210 index.php in MercuryBoard 1.0.x and 1.1.x allows remote attackers to obtain sensitive information by setting the debug parameter. 13787 14284 http://lostmon.blogspot.com/2005/02/mercuryboard-debug-information.html Unknown vulnerability in NewsBruiser 2.x before 2.6.1 allows remote attackers to "take actions on comments." 14262 http://newsbruiser.tigris.org/servlets/NewsItemView?newsItemID=1016 http://newsbruiser.tigris.org/source/browse/newsbruiser/CHANGELOG?rev=1.283&content-type=text/x-cvsweb-markup Cross-site scripting (XSS) vulnerability in MercuryBoard 1.0.x and 1.1.x allows remote attackers to inject arbitrary HTML and web script via the f parameter. 13937 http://lostmon.blogspot.com/2005/02/mercuryboard-forumphp-f-variable-xss.html Unknown "major security flaws" in Ulog-php before 1.0, related to input validation, have unknown impact and attack vectors, probably related to SQL injection vulnerabilities in (1) host.php, (2) port.php, and (3) index.php. 12610 http://www.inl.fr/article.php3?id_article=7 1013220 14321 13853 gr_osview in SGI IRIX 6.5.22, and possibly other 6.5 versions, does not drop privileges when opening description files while in debug mode, which allows local users to read a line from arbitrary files via the -d and -D options, which prints the line as a formatting error. 20050407 SGI IRIX gr_osview Information Disclosure Vulnerability 20050402-01-P 15351 1013662 14875 gr_osview in SGI IRIX does not drop privileges before opening files, which allows local users to overwrite arbitrary files via the -s option. 20050407 SGI IRIX gr_osview File Overwrite Vulnerability 20050402-01-P 1013662 14875 Multiple integer overflows in the (1) sftp_pkt_getstring and (2) fxp_readdir_recv functions in the PSFTP and PSCP clients for PuTTY 0.56, and possibly earlier versions, allow remote malicious web sites to execute arbitrary code via SFTP responses that corrupt the heap after insufficient memory has been allocated. 20050221 Multiple PuTTY SFTP Client Packet Parsing Integer Overflow Vulnerabilities GLSA-200502-28 14333 putty-sftppktgetstring-bo(19403) http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-string.html http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-sftp-readdir.html http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002416 http://www-1.ibm.com/support/docview.wss?uid=ssg1S1002414 17214 Heap-based buffer overflow in the env_opt_add function in telnet.c for various BSD-based Telnet clients allows remote attackers to execute arbitrary code via responses that contain a large number of characters that require escaping, which consumers more memory than allocated. VU#341908 RHSA-2005:330 RHSA-2005:327 DSA-703 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt 20050405-01-P USN-224-1 12919 20050328 Multiple Telnet Client env_opt_add() Buffer Overflow Vulnerability DSA-731 57761 57755 101671 101665 17899 14745 oval:org.mitre.oval:def:9640 CLA-2005:962 FreeBSD-SA-05:01.telnet MDKSA-2005:061 Buffer overflow in the slc_add_reply function in various BSD-based Telnet clients, when handling LINEMODE suboptions, allows remote attackers to execute arbitrary code via a reply with a large number of Set Local Character (SLC) commands. VU#291924 RHSA-2005:330 RHSA-2005:327 20050328 Multiple Telnet Client slc_add_reply() Buffer Overflow Vulnerability GLSA-200503-36 DSA-703 DSA-699 DSA-697 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-001-telnet.txt 57755 20050405-01-P USN-224-1 12918 DSA-731 57761 101671 101665 17899 14745 oval:org.mitre.oval:def:9708 FreeBSD-SA-05:01.telnet MDKSA-2005:061 Buffer overflow in wpa_supplicant before 0.2.7 allows remote attackers to cause a denial of service (segmentation fault) via invalid EAPOL-Key packet data. wpasupplicant-bo(19357) GLSA-200502-22 14313 1013226 [HostAP] 20050213 wpa_supplicant - new stable releases v0.3.8 and v0.2.7 Sun Java JRE 1.1.x through 1.4.x writes temporary files with long filenames that become predictable on a file system that uses 8.3 style short names, which allows remote attackers to write arbitrary files to known locations and facilitates the exploitation of vulnerabilities in applications that rely on unpredictable file names. VU#544392 sun-java-create-files(19285) http://secunia.com/secunia_research/2004-7/advisory/ 11070 Gaim before 1.1.3 allows remote attackers to cause a denial of service (infinite loop) via malformed SNAC packets from (1) AIM or (2) ICQ. VU#839280 gaim-snac-dos(19380) RHSA-2005:432 RHSA-2005:215 GLSA-200503-03 DSA-716 14322 oval:org.mitre.oval:def:10433 http://gaim.sourceforge.net/security/index.php?id=10 12589 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 The HTML parsing functions in Gaim before 1.1.3 allow remote attackers to cause a denial of service (application crash) via malformed HTML that causes "an invalid memory access," a different vulnerability than CVE-2005-0208. VU#523888 gaim-html-dos(19381) RHSA-2005:215 GLSA-200503-03 14322 oval:org.mitre.oval:def:10212 http://gaim.sourceforge.net/security/index.php?id=11 12589 FLSA:158543 SUSE-SA:2005:036 MDKSA-2005:049 20050225 [USN-85-1] Gaim vulnerabilities CLA-2005:933 SQL injection vulnerability in the user_valid_crypt function in user.php in WebCalendar 0.9.45 allows remote attackers to execute arbitrary SQL commands via an encoded webcalendar_session cookie. webcalendar-sql-injection(19369) http://www.scovettalabs.com/advisory/SCL-2005.001.txt 14319 13918 1013231 20050217 [ SCL-2005.001 ] - WebCalendar: SQL Injection from encoded cookie SQL injection vulnerability in paFAQ Beta4, and possibly other versions, allows remote attackers to execute arbitrary SQL code via the (1) offset, (2) limit, (3) order, or (4) orderby parameter to question.php, (5) offset parameter to answer.php, (6) search_item parameter to search.php, (7) cat_id, (8) cid, or (9) id parameter to comment.php. 20050217 [PersianHacker.NET 200505-07] paFAQ Beta4 Sql Injection pafaq-sql-injection(19371) Cross-site scripting (XSS) vulnerability in hpm_guestbook.cgi allows remote attackers to inject arbitrary web script or HTML by posting a message. hpm-guestbook-xss(19372) 20050217 hpm_guestbook.cgi JavaScript-Injection Cross-site scripting (XSS) vulnerability in the SML code for Invision Power Board 1.3.1 FINAL allows remote attackers to inject arbitrary web script via (1) a signature file or (2) a message post containing an IMG tag within a COLOR tag whose style is set to background:url. invision-power-board-sml-xss(19399) 20050217 Invision Power Boards 1.3.1 FINAL XSS Exploit Multiple buffer overflows in TrackerCam 5.12 and earlier allow remote attackers to cause a denial of service and possibly execute arbitrary code via (1) an HTTP request with a long User-Agent header or (2) a long argument to an arbitrary PHP script. trackercam-php-bo(19411) trackercam-useragent-bo(19409) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 Directory traversal vulnerability in ComGetLogFile.php3 for TrackerCam 5.12 and earlier allows remote attackers to read arbitrary files via ".." sequences and (1) "/" slash), (2) "\" (backslash), or (3) hex-encoded characters in the fn parameter. trackercam-fn-directory-traversal(19414) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 Cross-site scripting (XSS) vulnerability in TrackerCam 5.12 and earlier allows remote attackers to inject arbitrary HTML or web script via the login request, which is recorded in a log file but not properly handled when the administrator views the log file. trackercam-xss(19416) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 TrackerCam 5.12 and earlier allows remote attackers to read log files via the fn parameter in a direct request to the ComGetLogFile.php3 script. trackercam-fn-path-disclosure(19415) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 TrackerCam 5.12 and earlier allows remote attackers to cause a denial of service (crash) via (1) a large number of connections with a negative Content-Length header, possibly triggering an integer signedness error, or (2) a large amount of data. trackercam-contentlength-dos(19417) 12592 20050218 Multiple vulnerabilities in TrackerCam 5.12 Multiple directory traversal vulnerabilities in sitenfo.sh, sitezipchk.sh, and siteziplist.sh in Glftpd 1.26 to 2.00 allow remote authenticated users to (1) determine the existence of arbitrary files, (2) list files in restricted directories, or (3) read arbitrary files from within ZIP or gzip files, via .. (dot dot) sequences and globbing ("*") characters in a SITE NFO command. glftpd-sitenfosh-directory-traversal(19401) 12586 20050218 Multiple vulnerabilities in Glftpd v1.26 - v2.00 default zip based plug-ins Format string vulnerability in gprostats for GProFTPD before 8.1.9 may allow remote attackers to execute arbitrary code via an FTP transfer with a crafted filename that causes format string specifiers to be inserted into the ProFTPD transfer log. GLSA-200502-26 http://bugs.gentoo.org/show_bug.cgi?id=81894 Cross-site scripting (XSS) vulnerability in comment.php for paNews 2.0b4 for PHP Arena allows remote attackers to inject arbitrary HTML and web script via the showpost parameter. 20050216 [PersianHacker.NET 200505-06] paNews v2.0b4 XSS Vulnerability panews-commentphp-xss(19359) 12576 Tarantella Secure Global Desktop Enterprise Edition 4.00 and 3.42, and Tarantella Enterprise 3 3.40 and 3.30, when using RSA SecurID and multiple users have the same username, reveals sensitive information during authentication, which allows remote attackers to identify valid usernames and the authentication scheme. http://www.tarantella.com/security/bulletin-11.html tarantella-enterprise-obtain-information(19407) Cross-site scripting (XSS) vulnerability in index.php for Kayako ESupport 2.3.1, and possibly other versions, allows remote attackers to inject arbitrary HTML and web script via the nav parameter. kayako-index-xss(18571) 12563 20050215 Kayako eSupport v2.3.1 Support Tracker XSS Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command. VU#800829 TA06-214A 57761 57755 ADV-2006-3101 RHSA-2005:504 SUSE-SR:2005:016 oval:org.mitre.oval:def:11373 20050614 Multiple Vendor Telnet Client Information Disclosure Vulnerability 19289 13940 RHSA-2005:562 101671 101665 1014203 21253 17135 APPLE-SA-2006-08-01 oval:org.mitre.oval:def:1139 The /proc handling (proc/base.c) Linux kernel 2.4 before 2.4.17 allows local users to cause a denial of service via unknown vectors that cause an invalid access of free memory. This vulnerability is addressed in the following product release: Linux, Linux kernel, 2.4.27 18173 DSA-1082 DSA-1070 DSA-1069 DSA-1067 20202 20163 http://kernel.debian.net/debian/pool/main/kernel-source-2.4.17/kernel-source-2.4.17_2.4.17-1woody4_ia64.changes 20338 Multiple stack-based buffer overflows in libcURL and cURL 7.12.1, and possibly other versions, allow remote malicious web servers to execute arbitrary code via base64 encoded replies that exceed the intended buffer lengths when decoded, which is not properly handled by (1) the Curl_input_ntlm function in http_ntlm.c during NTLM authentication or (2) the Curl_krb_kauth and krb4_auth functions in krb4.c during Kerberos authentication. GLSA-200503-20 20050228 [USN-86-1] cURL vulnerability CLA-2005:940 curl-kerberos-bo(19423) 20050221 Multiple Unix/Linux Vendor cURL/libcURL Kerberos Authentication Buffer Overflow Vulnerability 20050221 Multiple Unix/Linux Vendor cURL/libcURL NTLM Authentication Buffer Overflow Vulnerability oval:org.mitre.oval:def:10273 12616 12615 RHSA-2005:340 SUSE-SA:2005:011 MDKSA-2005:048 Stack-based buffer overflow in Knox Arkeia Server Backup 5.3.x allows remote attackers to execute arbitrary code via a long type 77 request. 12594 14327 arkeia-backup-client-bo(19398) 20050218 Knox Arkeia remote root/system exploit Adobe Acrobat Reader 6.0.3 and 7.0.0 allows remote attackers to cause a denial of service (application crash) via a PDF file that contains a negative Count value in the root page node. http://www.adobe.com/support/techdocs/331468.html adobe-root-page-node-dos(19946) ADV-2005-0310 20050218 Adobe Reader invalid root page node Count value DOS 14813 CRLF injection vulnerability in bizmail.cgi in Biz Mail Form before 2.2 allows remote attackers to bypass the email check and send spam e-mail via CRLF sequences and forged mail headers in the email parameter. Upgrade to newest version. 20050218 BizMail 2.1 Spam Exploit The RgSecurity form in the HTTP server for the Thomson TCW690 cable modem running firmware 2.1 and software ST42.03.0a does not properly validate the password before performing changes, which allows remote attackers on the LAN to gain access via a direct POST request. thomson-tcw690-gain-access(19387) 14353 20050219 Thomson TCW690 POST Password Validation Vulnerability Cross-site scripting (XSS) vulnerability in ZeroBoard allows remote attackers to inject arbitrary web script or HTML via the (1) sn1, (2) year, or (3) page parameter to zboard.php or (4) filename to view_image.php. zeroboard-xss(19420) 1013243 20050219 Multiples vulnerability in ZeroBoard, Arkeia Network Backup Client 5.x contains hard-coded credentials that effectively serve as a back door, which allows remote attackers to access the file system and possibly execute arbitrary commands. arkeia-backup-client-gain-access(20667) 1013256 http://metasploit.com/research/arkeia_agent/ 20050220 Arkeia Network Backup Client Remote Access ADP Elite System Max 9000 allows remote authenticated users to gain privileges by uploading a .profile that sets the ADPROOT environment variable to the root directory. 20050219 ADP Elite System Max 9000 Series Login Vulnerability adp-elite-gain-privileges(20622) Gigafast router (aka CompUSA router) allows remote attackers to gain sensitive information and bypass the login page via a direct request to backup.cfg, which reveals the administrator password in plaintext. gigafast-backupcfg-plaintext-password(19422) 20050220 Gigafast/CompUSA router (model EE400-R) vulnerabilities Gigafast router (aka CompUSA router) with the DNS proxy option enabled allows remote attackers to cause a denial of service via malformed DNS queries. gigafast-dns-queries-dos(19426) 20050220 Gigafast/CompUSA router (model EE400-R) vulnerabilities Internet Explorer 6.0 on Windows XP SP2 allows remote attackers to spoof the domain name of a URL in a titlebar for a script-initiated popup window, which could facilitate phishing attacks. ie-title-bar-spoofing(19452) 12602 20050221 WindowsXPSP2 script-initiated popup window 14335 Buffer overflow in Bontago 1.1 and earlier allows remote attackers exeucte arbitrary code via a long nickname. bontago-nickname-bo(19406) 12603 14350 http://aluigi.altervista.org/adv/bontagobof-adv.txt Directory traversal vulnerability in Xinkaa 1.0.3 and earlier allows remote attackers to read arbitrary files via (1) ../ and (2) ..\ characters in an HTTP request. xinkaa-web-directory-traversal(19404) ADV-2005-0189 12606 14349 http://aluigi.altervista.org/adv/xinkaa-adv.txt uim before 0.4.5.1 trusts certain environment variables when libUIM is used in setuid or setgid applications, which allows local users to gain privileges. 12604 13981 [uim] 20050220 uim 0.4.5.1 released MDKSA-2005:046 Buffer overflow in the MoxaDriverIoctl function for the moxa serial driver (moxa.c) in Linux 2.2.x, 2.4.x, and 2.6.x before 2.6.22 allows local users to execute arbitrary code via a certain modified length value. 12195 ADV-2005-1878 USN-508-1 RHSA-2005:663 RHSA-2005:551 RHSA-2005:529 DSA-1082 DSA-1070 DSA-1069 DSA-1067 1013273 30112 26651 20338 20202 20163 17002 oval:org.mitre.oval:def:9770 20050107 grsecurity 2.1.0 release / 5 Linux kernel advisories http://kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.22 RHSA-2008:0237 Unknown vulnerability in Information Resource Manager (IRM) before 1.5.2.1 allows remote attackers has "potentially serious" impact, related to LDAP logins. irm-ldap-security-bypass(19419) http://sourceforge.net/project/shownotes.php?release_id=306629 14342 The Avaya IP Office Phone Manager, and other products such as the IP Softphone, stores sensitive data in cleartext in a registry key, which allows local and possibly remote users to steal usernames and passwords and impersonate other users via keys such as Avaya\IP400\Generic. http://support.avaya.com/elmodocs2/security/ASA-2005-041_Sensitive_Info_Leak.pdf 20050222 Re: Avaya IP Office Phone Manager - Sensitive Information Cleartext Vulnerability 20050222 Avaya IP Office Phone Manager - Sensitive Information Cleartext Directory traversal vulnerability in SD Server 4.0.70 and earlier allows remote attackers to read arbitrary files via .. sequences in an HTTP request. 14365 20050221 SD Server 4.0.70 Directory Traversal Bug http://www.gdsoftware.dk/ 20050222 SD Server 4.0.70 Directory Traversal Bug Unknown vulnerability in Squiggle for Batik before 1.5.1 allows attackers to bypass certain access controls via certain features of the Rhino scripting engine due to a "script security issue." 12619 14336 http://xml.apache.org/batik/#SecurityWarning Multiple cross-site scripting (XSS) vulnerabilities in the Mono 1.0.5 implementation of ASP.NET (.Net) allow remote attackers to inject arbitrary HTML or web script via Unicode representations for ASCII fullwidth characters that are converted to normal ASCII characters, including ">" and "<". 14325 20050217 XSS vulnerabilty in ASP.Net [with details] http://it-project.ru/andir/docs/aspxvuln/aspxvuln.en.xml The daemon for fallback-reboot before 0.995 allows attackers to cause a denial of service (daemon exit), possibly related to verbose debug messages when the daemon is not on a tty. 14328 http://dcs.nac.uci.edu/~strombrg/fallback-reboot/ misc.php for vBulletin 3.0.6 and earlier, when "Add Template Name in HTML Comments" is enabled, allows remote attackers to execute arbitrary PHP code via nested variables in the template parameter. 14326 http://www.vbulletin.com/forum/showthread.php?postid=819562 12622 20050222 [SCAN Associates Security Advisory] vbulletin 3.0.6 and below php code injection PHP remote file inclusion vulnerability in Tar.php in Mambo 4.5.2 allows remote attackers to execute arbitrary PHP code by modifying the mosConfig_absolute_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2004-1693. 14337 http://mamboforge.net/frs/download.php/4043/Patch_4.5.2_to_4.5.2.1.zip PHP remote file inclusion vulnerability in mail_autocheck.php in the Email This Entry add-on for pMachine Pro 2.4, and possibly other versions including pMachine Free, allows remote attackers to execute arbitrary PHP code by directly requesting mail_autocheck.php and modifying the pm_path parameter to reference a URL on a remote web server that contains the code, a different vulnerability than CVE-2003-1086. 12597 15473 20050219 pMachine Pro / pMachine Free Remote Code Execution Cross-site scripting (XSS) vulnerability in Verity Ultraseek before 5.3.3 allows remote attackers to inject arbitrary HTML and web script via search parameters. VU#716144 http://www.mikx.de/index.php?p=6 14367 20041223 Cross-Site Scripting - an industry-wide problem Smc.exe in My Firewall Plus 5.0 build 1117, and possibly other versions, does not drop privileges before launching the Log Viewer export functionality, which allows local users to corrupt arbitrary files by saving log files. http://www.webroot.com/services/mfp_advisory.php 12842 http://secunia.com/secunia_research/2004-20/advisory/ 13577 The ImageGalleryPlugin (ImageGalleryPlugin.pm) in Twiki allows remote attackers to execute arbitrary commands via certain commands that generate thumbnails. 14384 http://www.enyo.de/fw/security/notes/twiki-robustness.html http://static.enyo.de/fw/patches/twiki/imagegallery-robustness-20041128.diff 20050223 Robustness patch for TWiki, vulnerability in ImageGalleryPlugin PeerFTP_5 stores sensitive information such as passwords in plaintext in the PeerFTP.ini files, which allows local users to gain privileges. 1013263 eXeem 0.21 stores sensitive information such as passwords in plaintext in the Exeem registry key, which allows local users to gain privileges via the proxy_user and proxy_password values. 1013266 ArGoSoft FTP Server before 1.4.2.7 allows remote attackers to read arbitrary files by uploading a ZIP file containing a shortcut (.LNK) file, using SITE UNZIP to extract the .LNK file onto the server, then accessing the file, a different vulnerability than CVE-2005-0520. http://www.argosoft.com/ftpserver/changelist.aspx 14172 argosoft-ink-file-upload(17939) 12487 13614 ArGoSoft FTP Server before 1.4.2.8 allows remote attackers to read arbitrary files via shortcut (.LNK) files in the SITE COPY command, a different vulnerability than CVE-2005-0519. http://www.argosoft.com/ftpserver/changelist.aspx 14372 argosoft-site-copy-files(19442) 12632 14061 SendLink 1.5 stores sensitive information, possibly including passwords, in plaintext in the data.eat file, which allows local users to gain privileges. 1013269 Chat Anywhere 2.72a stores sensitive information such as passwords in plaintext in the .INI file for a chatroom, which allows local users to gain privileges. 1013270 Format string vulnerability in ProZilla 1.3.7.3 and earlier allows remote attackers to execute arbitrary code via format string specifiers in the Location header. DSA-719 12635 http://www.securiteam.com/exploits/5WP082KEUW.html The php_handle_iff function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a -8 size value. 20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilities 1013619 14792 php-phphandleiff-dos(19920) ADV-2005-0305 RHSA-2005:406 RHSA-2005:405 GLSA-200504-15 oval:org.mitre.oval:def:9310 APPLE-SA-2005-06-08 15183 MDKSA-2005:072 The php_next_marker function in image.c for PHP 4.2.2, 4.3.9, 4.3.10 and 5.0.3, as reachable by the getimagesize PHP function, allows remote attackers to cause a denial of service (infinite loop) via a JPEG image with an invalid marker value, which causes a negative length value to be passed to php_stream_seek. DSA-708 14792 ADV-2005-0305 20050331 PHP getimagesize() Multiple Denial of Service Vulnerabilities RHSA-2005:406 RHSA-2005:405 GLSA-200504-15 DSA-729 1013619 oval:org.mitre.oval:def:11703 APPLE-SA-2005-06-08 15184 MDKSA-2005:072 Multiple cross-site scripting (XSS) vulnerabilities in PBLang 4.65 allow remote attackers to inject arbitrary web script or HTML via (1) the search string to search.php, (2) the subject of a PM, which is processed by pm.php, or (3) the body of a PM, which is processed by pmpshow.php. 1013277 20050222 Software PBLang 4.65 pm.php XSS vulnerability 20050222 Software PBLang 4.65 pmpshow.php XSS vulnerability 20050222 Software PBLang 4.65 search.php XSS vulnerability Firefox 1.0 allows remote attackers to execute arbitrary code via plugins that load "privileged content" into frames, as demonstrated using certain XUL events when a user drags a scrollbar two times, aka "Firescrolling." GLSA-200503-30 GLSA-200503-10 http://www.mozilla.org/security/announce/mfsa2005-27.html http://www.mikx.de/?p=11 1013301 oval:org.mitre.oval:def:11772 20050225 Firescrolling [Firefox 1.0] RHSA-2005:384 RHSA-2005:176 oval:org.mitre.oval:def:100031 ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2003-0985. Reason: This candidate is a duplicate of CVE-2003-0985. Notes: All CVE users should reference CVE-2003-0985 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Linux kernel 2.6.10 and 2.6.11rc1-bk6 uses different size types for offset arguments to the proc_file_read and locks_read_proc functions, which leads to a heap-based buffer overflow when a signed comparison causes negative integers to be used in a positive context. http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke SUSE-SA:2005:018 oval:org.mitre.oval:def:8994 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/cset@4201818eC6aMn0x3GY_9rw3ueb2ZWQ CLA-2005:930 RHSA-2005:366 Signedness error in the copy_from_read_buf function in n_tty.c for Linux kernel 2.6.10 and 2.6.11rc1 allows local users to read kernel memory via a negative argument. http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke SUSE-SA:2005:018 oval:org.mitre.oval:def:10960 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/cset@420181322LZmhPTewcCOLkubGwOL3w CLA-2005:930 RHSA-2005:366 The atm_get_addr function in addr.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4 may allow local users to trigger a buffer overflow via negative arguments. http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/gnupatch@4208e1fcfccuD-eH2OGM5mBhihmQ3A CLA-2005:930 oval:org.mitre.oval:def:10095 RHSA-2005:366 The reiserfs_copy_from_user_to_file_region function in reiserfs/file.c for Linux kernel 2.6.10 and 2.6.11 before 2.6.11-rc4, when running on 64-bit architectures, may allow local users to trigger a buffer overflow as a result of casting discrepancies between size_t and int data types. SUSE-SA:2005:018 http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html 20050215 linux kernel 2.6 fun. windoze is a joke 20050315 [USN-95-1] Linux kernel vulnerabilities http://linux.bkbits.net:8080/linux-2.6/cset@42018227TkNpHlX6BefnItV_GqMmzQ Heap-based buffer overflow in Trend Micro AntiVirus Library VSAPI before 7.510, as used in multiple Trend Micro products, allows remote attackers to execute arbitrary code via a crafted ARJ file with long header file names that modify pointers within a structure. http://www.trendmicro.com/vinfo/secadvisories/default6.asp?VName=Vulnerability+in+VSAPI+ARJ+parsing+could+allow+Remote+Code+execution 12643 1013290 1013289 14396 20050224 Trend Micro AntiVirus Library Heap Overflow Multiple cross-site scripting (XSS) vulnerabilities in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allow remote attackers to inject arbitrary web script. http://sourceforge.net/project/shownotes.php?release_id=307067 1013260 14360 GLSA-200502-33 Cross-site request forgery (CSRF) vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to perform unauthorized actions as authenticated MediaWiki users. 1013260 14360 GLSA-200502-33 Directory traversal vulnerability in MediaWiki 1.3.x before 1.3.11 and 1.4 beta before 1.4 rc1 allows remote attackers to delete arbitrary files or determine file existence via a parameter related to image deletion. http://sourceforge.net/project/shownotes.php?release_id=307067 1013260 14360 GLSA-200502-33 Multiple SQL injection vulnerabilities in page.php for iGeneric (iG) Shop 1.2 may allow remote attackers to execute arbitrary SQL statements via the (1) cats, (2) l_price, or (3) u_price parameters. 1013268 14369 20050221 [NOBYTES.COM: #5] iGeneric eShop 1.2 - Information Disclosure & Possible SQL Injection Directory traversal vulnerability in (1) GinpPictureServlet.java and (2) PicCollection.java in ginp (Java Photo Gallery Web Application) before 0.22 allows remote attackers to read arbitrary files. http://sourceforge.net/project/shownotes.php?release_id=307518 14373 Unknown vulnerability in IBM Hardware Management Console (HMC) before 4.4 for POWER5 servers allows local users to gain privileges, related to the Guided Setup Wizard. http://techsupport.services.ibm.com/server/hmc/power5/fixes/ptf_MH00220.html 14377 Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows remote attackers to obtain sensitive information via a direct request to the /about.html page. 14073 http://www.cirt.net/advisories/alterpath_disclosure.shtml 14378 20050224 Cyclades AlterPath Manager Vulnerabilities consoleConnect.jsp in Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows remote attackers to connect to arbitrary consoles by modifying the consolename parameter. 14075 http://www.cirt.net/advisories/alterpath_console.shtml 14378 20050224 Cyclades AlterPath Manager Vulnerabilities saveUser.do in Cyclades AlterPath Manager (APM) Console Server 1.2.1 allows local users to gain privileges by setting the adminUser parameter to true. 14074 http://www.cirt.net/advisories/alterpath_privesc.shtml 14378 20050224 Cyclades AlterPath Manager Vulnerabilities Cross-site scripting (XSS) vulnerability in phpMyAdmin 2.6.1 allows remote attackers to inject arbitrary HTML and web script via (1) the strServer, cfg[BgcolorOne], or strServerChoice parameters in select_server.lib.php, (2) the bg_color or row_no parameters in display_tbl_links.lib.php, the left_font_family parameter in theme_left.css.php, or the right_font_family parameter in theme_right.css.php. phpmyadmin-multiple-php-xss(19462) 12644 GLSA-200503-07 14382 20050224 [SECURITYREASON.COM] phpMyAdmin 2.6.1 Remote file inclusion and XSS cXIb8O3.4 phpMyAdmin 2.6.1 allows remote attackers to obtain the full path of the server via direct requests to (1) sqlvalidator.lib.php, (2) sqlparser.lib.php, (3) select_theme.lib.php, (4) select_lang.lib.php, (5) relation_cleanup.lib.php, (6) header_meta_style.inc.php, (7) get_foreign.lib.php, (8) display_tbl_links.lib.php, (9) display_export.lib.php, (10) db_table_exists.lib.php, (11) charset_conversion.lib.php, (12) ufpdf.php, (13) mysqli.dbi.lib.php, (14) setup.php, or (15) cookie.auth.lib.php, which reveals the path in a PHP error message. GLSA-200503-07 14382 http://sourceforge.net/tracker/index.php?func=detail&aid=1149383&group_id=23067&atid=377408 Microsoft Windows XP Pro SP2 and Windows 2000 Server SP4 running Active Directory allow local users to bypass group policies that restrict access to hidden drives by using the browse feature in Office 10 applications such as Word or Excel, or using a flash drive. NOTE: this issue has been disputed in a followup post. 12641 20050223 Office 10 applications & flashdrives can be used to browse restricted drives 20050225 Re: Office 10 applications & flashdrives can be used to browse restricted