Summary of Security Items from August 18 through August 31, 2004
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between August 18 and August 31, 2004. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
Risk is defined as follows:
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
A buffer overflow vulnerability exists in the server information parsing routines for Half-Life game servers due to a boundary error when receiving information, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Proof of Concept exploit has been published.
aGSM Half-Life Server Info Response Buffer Overflow
High
Secunia Advisory, SA12334, August 24, 2004
birdchat.sourceforge.net
Internet Chat Server 1.61
A remote Denial of Service vulnerability exists due to insufficient sanitization of user-supplied input.
No workaround or patch available at time of publishing.
An exploit script has been published.
Bird Chat Remote Denial of Service
Low
Securiteam, August 25, 2004
Cisco Systems
Access Control Server Solution Engine, Secure Access Control Server 3.2 (3), 3.2 (2), 3.2, Secure ACS for Windows Server 3.2
Multiple vulnerabilities exist: a remote Denial of Service vulnerability exists in the web-based management interface (CSAdmin); a remote Denial of Service vulnerability exists when processing LEAP (Lightweight Extensible Authentication Protocol) authentication requests when the device is configured as a LEAP RADIUS proxy; a vulnerability exists when handling NDS (Novell Directory Services) users, which could let a remote malicious user bypass authentication; and a vulnerability exists in the ACS administration web services, which could let a remote malicious user bypass authentication.
Secure Access Control Server Multiple Remote Vulnerabilities
Low/Medium
(Medium if authentication can be bypassed)
Cisco Security Advisory, 61603, August 25, 2004
EFS Software Inc.
Easy File Sharing Web Server 1.2, 1.25
Several vulnerabilities exist: a vulnerability exists due to insufficient restrictions on the web server's virtual folders, which could let a remote malicious user obtain sensitive information; and a remote Denial of Service vulnerability exists when a malicious user submits several large HTTP requests.
No workaround or patch available at time of publishing.
There is no exploit code required.
Easy File Sharing Web Server Information Disclosure & Remote Denial of Service
Low/Medium
(Medium if sensitive information can be obtained)
GulfTech Security Research Advisory, August 24, 2004
gadu-gadu.pl
Gadu-Gadu Instant Messenger 6.0
A vulnerability exists because a link can be created with a specially crafted filename, which could let a remote malicious user send a file with a spoofed file extension.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Gadu-Gadu Spoofed File Extension
Medium
SecurityTracker Alert ID, 1011037, August 24, 2004
Ipswitch
WhatsUp Gold 7.0 4, 7.0 3, 7.0, 8.0 3, 8.0 1, 8.0
A buffer overflow vulnerability exists in the '_maincfgret.cgi' script due to a failure to validate user-supplied string lengths, which could let a remote malicious user execute arbitrary code.
A Directory Traversal vulnerability exists when files are requested outside of the webroot of the application using hex encoded character sequences, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Keene Digital Media Server Directory Traversal
Medium
Securiteam, August 30, 2004
Massive Entertainment
Ground Control II 1.0 .0.7
A remote Denial of Service vulnerability exists when a game client or server receives a packet larger than 512 bytes.
No workaround or patch available at time of publishing.
Proof of Concept exploit script has been published.
Ground Control II Remote Denial of Service
Low
Securiteam, August 30, 2004
Merak Mail Server, Inc.
Merak Mail Server 7.4.5
Multiple vulnerabilities exist: several Cross-Site Scripting vulnerabilities exist due to insufficient validation of user-supplied input in a number of variables, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists because specially crafted HTML can be injected directly into a message or included in the subject field, which could let a remote malicious user execute arbitrary code; a vulnerability exists in 'adress.html' or 'calendar.html' when a remote malicious user submits specially crafted parameters which results in the disclosure of sensitive information; a vulnerability exists because a remote malicious user can download any file with a '.php' extension which results in the disclosure of sensitive information; and a vulnerability exists in 'calendar.html' because a remote malicious user can inject SQL commands.
There is no exploit code required; however, Proofs of Concept exploits have been published.
Merak Mail Server Webmail Multiple Vulnerabilities
Medium/High
(High if arbitrary code can be executed)
Securiteam, August 19, 2004
Microsoft
Internet Explorer 5.0, 6.0, SP1
A vulnerability exists because an IFRAME that is accessible in the same domain may be used to change the URI to the location of a file or directory, which could let a malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
Proof of Concept exploit has been published.
Internet Explorer Resource Detection
Medium
Bugtraq, August 24, 2004
Microsoft
Internet Explorer 5.5, SP1&SP2, 6.0, SP1
A vulnerability exists due to insufficient validation of drag and drop events issued from the 'Internet' zone, which could let a malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Proof of Concept exploit has been published.
Internet Explorer Drag & Drop File Installation
High
Secunia Advisory, SA12321, August 19, 2004
Microsoft
Internet Explorer 6.0 SP1
A cross security domain script vulnerability exists when a malicious MHTML file is submitted, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Proof of Concept exploit script has been published.
Internet Explorer MHTML Content-Location Cross Security Domain Scripting
High
Bugtraq, August 19, 2004
Microsoft
Outlook Express 6.0, SP1
A vulnerability exists in the 'bcc:' field due to an error when sending multipart messages, which could let a remote malicious user obtain sensitive information.
Small Business Server 2000, 2003, Windows 2000 Advanced Server, SP1-SP4, 2000 Datacenter Server, SP1-SP4, 2000 Professional, SP1-SP4, 2000 Server, SP1-SP4, 2000 Server Japanese Edition, 2003 Datacenter Edition, 64-bit, 2003 Enterprise Edition, 64-bit, 2003 Standard Edition, 2003 Web Edition, XP 64-bit Edition, SP1, XP 64-bit Edition Version 2003, SP1, XP Embedded, SP1, XP Embedded, XP Professional, SP1&SP2
A time spoofing vulnerability exists in the Network Time Protocol (NTP) implementation because the time on the domain controller can be altered, which could let a remote malicious user cause a Denial of Service and possibly other attacks.
Microsoft has released a knowledge base article (884776) describing methods of mitigation. This article recommends that a hardware time source be used on the authoritative time server, instead of an unauthenticated network time source.
We are not aware of any exploits for this vulnerability.
Microsoft NTP Time Synchronization Spoof
Low
SecurityFocus, August 19, 2004
NakedSoft
Gaucho 1.4 build 145
A buffer overflow vulnerability exists in the 'Content-Type:' header due to insufficient validation, which could let a remote malicious user execute arbitrary code.
Proof of Concept exploit script has been published.
Gaucho POP3 Email Header Buffer Overflow
High
SIG^2 Vulnerability Research Advisory, August 23, 2004
Nihuo Software, Inc.
Web Log Analyzer 1.6
A Cross-Site Scripting vulnerability exists in the 'user-agent' and 'referer' fields due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
A vulnerability exists due to insufficient restrictions on Winamp skin zip files (.wsz), which could let a remote malicious user execute arbitrary code.
This issue is known to be exploited in the wild and a Proof of Concept exploit has been published.
Winamp Skin File Remote Code Execution
High
Bugtraq, August 26, 2004
Pedestal Software
Integrity Protection Driver 1.2, 1.3, 1.4
A Denial of Service vulnerability exists due to improper validation of some pointer references in some of the application's kernel hooks.
No workaround or patch available at time of publishing.
We are not aware of any exploits for this vulnerability.
Integrity Protection Driver Local Denial of Service
Low
Next Generation Security Technologies Security Advisory, NGSEC-2004-6, August 14, 2004
People Can Fly
Painkiller 1.3.1
A buffer overflow vulnerability exists due to insufficient boundary checking when processing a password supplied by a client during the connection establishment, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.
No workaround or patch available at time of publishing.
Proof of Concept exploit has been published.
Painkiller Remote Buffer Overflow
Low/High
(High if arbitrary code can be executed)
Securiteam, August 29, 2004
RealVNC
RealVNC 4.0
A remote Denial of Service vulnerability exists when a malicious user establishes a large amount of connections.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
RealVNC Server Remote Denial of Service
Low
SecurityTracker Alert ID: 1011072, August 26, 2004
Sysinternals
Regmon 6.11
A Denial of Service vulnerability exists due to insufficient validation of some argument pointers.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published.
Regmon Local Denial of Service
Low
Next Generation Security Technologies Security Advisory, NGSEC-2004-7, August 14, 2004
Webroot Software, Inc
Window Washer 5.5
A vulnerability exists in the 'AddBleach to Wash' function because the content of erased files is not properly overwritten, which could let a malicious user modify system information.
No workaround or patch available at time of publishing.
There is no exploit code required.
Webroot Window Washer Erased Files
Medium
Secunia Advisory, SA12380, August 26, 2004
Working Resources Inc.
BadBlue 2.5
A remote Denial of Service vulnerability exists when processing multiple connections.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
BadBlue Webserver Denial of Service
Low
GulfTech Security Research Advisory, August 18, 2004
Zone Labs
ZoneAlarm 2.1-2.6, 3.0, 3.1, 3.7 .202, 4.0, 4.5 .538.001, ZoneAlarm for Windows 95 1.0, 2.2-2.6, ZoneAlarm for Windows 98 2.1-2.6, ZoneAlarm For Windows NT 4.0 2.1-4.0 2.6, ZoneAlarm for Windows XP 2.6, ZoneAlarm Plus 4.0, 4.5.538.001, ZoneAlarm Pro 2.4, 2.6, 3.0, 3.1, 4.0, 4.5.538.001, 4.5, 5.0.590.015
A vulnerability exists due to weak default permissions in the folder used to store log and configuration files, which could let a malicious user delete log entries in order to hide malicious activities.
No workaround or patch available at time of publishing.
An input validation and boundary error vulnerability exists in the uudecoding feature of Adobe Acrobat Reader, which can be exploited by a malicious user to compromise a user's system. The input validation error can be exploited for injection of arbitrary shell commands. The boundary vulnerability can be exploited to cause a buffer overflow via a malicious PDF document with an overly long filename. Successful exploitation may allow execution of arbitrary code, but requires that a user is tricked into opening a malicious document.
Gentoo Linux Security Advisory GLSA 200408-14, August 15, 2004
RedHat Security Advisory, RHSA-2004:432-08, August 26, 2004
Anton Raharja
PlaySMS 0.6, 0.7
An input validation vulnerability exists in the 'valid()' function if the 'magic_quotes_gpc' setting is set to 'Off' due to insufficient verification, which could let a remote malicious user execute arbitrary SQL commands.
We are not aware of any exploits for this vulnerability.
MySQL Backup Pro Information Disclosure
Medium
SecurityFocus, August 20, 2004
Bharat Mediratta
Gallery 1.4.4
A vulnerability exists in the 'set_time_limit' function due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary code.
SecurityTracker Alert ID: 1010971, August 18, 2004
British National Corpus
SARA
A remote buffer overflow vulnerability exists due to insufficient sanitization of user-supplied data, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
A format string vulnerability exists in the 'auth_debug()' function used for login debugging, which could let a remote malicious user execute arbitrary code.
A vulnerability exists due to insufficient filtering when a packet payload is displayed, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
We are not aware of any exploits for this vulnerability.
Hafiye Terminal Escape Sequence
High
SecurityFocus, August 23, 2004
fidogate.org
FIDOGATE 4.4.5-4.4.7, 4.4.9
An input validation vulnerability exists in '/src/common/log.c' which could let a malicious user obtain elevated privileges.
SecurityTracker Alert ID: 1011021, August 23, 2004
Gaim
Gentoo
Multiple vulnerabilities were reported in Gaim in the processing of the MSN protocol. A remote user may be able to execute arbitrary code on the target system. Several remotely exploitable buffer overflows were reported in the MSN protocol parsing functions.
Mandrakelinux Security Update Advisory, MDKSA-2004:081, August 13, 2004
Slackware Security Advisory, SSA:2004-239-01, August 26, 2004
GNU
a2ps 4.13
A vulnerability exists in filenames due to insufficient validation of shell escape characters, which could let a malicious user execute arbitrary commands.
There is no exploit code required; however, a Proof of Concept exploit has been published.
GNU a2ps Command Injection
High
Securiteam, August 29, 2004
Hitachi
Job Management Partner-1 6 & 7
Multiple vulnerabilities exist: a vulnerability exists in the login authentication procedure, which could let a malicious user obtain unauthorized access; and a remote Denial of Service vulnerability exists when a malicious user submits a specially crafted reset packet.
We are not aware of any exploits for this vulnerability.
Hitachi Job Management Partner 1 Authentication Flaw & Remote Denial of Service
Low/Medium
(Medium if unauthorized access can be obtained)
HS04-004-01 & HS04-005-01, August 23, 2004
imwheel.sourceforge.net
IMWheel 1.0 pre11
A vulnerability exists due to a race condition and insecure creation of a temporary file ('/tmp/imwheel.pid') used for managing running imwheel processes, which could let a malicious user cause a Denial of Service or obtain elevated privileges.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
IMWheel Insecure File Creation
Low/Medium
(Medium if elevated privileges can be obtained)
Computer Academic Underground Security Advisory, CAU-2004-0002, August 26, 2004
Two vulnerabilities exist: a format string vulnerability exists in the 'LogMsg()' function due to insufficient sanitization, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability exists in the 'HandleCPCCommand()' function due to insufficient sanitization, which could let a remote malicious user execute arbitrary code.
We are not aware of any exploits for this vulnerability.
SERCD, SREDIRD Format String & Buffer Overflow
High
SecurityTracker Alert ID: 1011038, August 24, 2004
INL
Ulog-php 0.8, 0.8.1
An input validation vulnerability exists in 'port.php' due to insufficient validation of the 'proto' parameter, which could let a remote malicious user execute arbitrary SQL commands.
Multiple buffer overflow and format string vulnerabilities exist in the 'vsybase.c' file, which could let a malicious user cause a Denial of Service, obtain unauthorized access, or execute arbitrary code.
An SQL injection vulnerability exists due to insufficient sanitization of user-supplied input data before using it in an SQL query, which could let a remote malicious user insert additional SQL commands into data passed into POP/IMAP login, SMTP AUTH, or a QmailAdmin login. Note: Vpopmail is only vulnerable if SQL servers are utilized by the application. Sites using the 'cdb' backend for data storage are not affected.
Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'xvbmp.c' source file, which could let a remote malicious user execute arbitrary code; multiple heap overflow vulnerabilities exist in the 'xviris.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code; a heap overflow vulnerability exists in the 'xvpcx.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code; and a heap overflow vulnerability exists in the 'xvpm.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Exploit script has been published.
XV Multiple Buffer Overflow and Integer Handling
High
Bugtraq, August 24, 2004
Linux
Fedora
RedHat
SuSE
Linux kernel 2.4 through 2.4.26, 2.6 through 2.6.7
A vulnerability exists in the Linux kernel in the processing of 64-bit file offset pointers thus allowing a local malicious user to view kernel memory. The kernel's file handling API does not properly convert 64-bit file offsets to 32-bit file offsets. In addition, the kernel provides insecure access to the file offset member variable. As a result, a local user can gain read access to large portions of kernel memory.
SGI Security Advisory, 20040804-01-U, August 26, 2004
Gentoo Linux Security Advisory GLSA 200408-24, August 25, 2004
Mandrakelinux Security Update Advisory, August 26, 2004
Trustix Secure Linux Security Advisory, TSLSA-2004-0041, August 9, 2004
Marc Lehmann
RXVT-Unicode 3.4, 3.5
A vulnerability exist due to a failure to properly close file descriptors when spawning new child terminal windows, which could let a malicious user obtain sensitive information.
We are not aware of any exploits for this vulnerability.
GLibC LD_DEBUG Information Disclosure
Medium
Gentoo Linux Security Advisory GLSA 200408-16, August 16, 2004
Multiple Vendors
Gentoo Linux 1.4;
RedHat Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1, Desktop 3.0, Enterprise Linux WS 3, WS 2.1 IA64, WS 2.1, ES 3, 2.1 IA64, 2.1, AS 3, AS 2.1 IA64, AS 2.1
Trolltech Qt 3.0, 3.0.5, 3.1, 3.1.1, 3.1.2, 3.2.1, 3.2.3, 3.3 .0, 3.3.1, 3.3.2
Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'read_dib()' function when handling 8-bit RLE encoded BMP files, which could let a malicious user execute arbitrary code; and buffer overflow vulnerabilities exist in the XPM, GIF, and JPEG image file handlers, which could let a remote malicious user execute arbitrary code.
Gentoo Linux 1.4;
KDE KDE 3.0-3.0.5, 3.1-3.1.5, 3.2-3.2.3; MandrakeSoft Linux Mandrake 9.2 amd64, 9.2, 10.0 AMD64, 10.0
A vulnerability exists due to insufficient validation of ownership of temporary directories, which could let a malicious user cause a Denial of Service, overwrite arbitrary files, or obtain elevated privileges.
Gentoo Linux 1.4;
KDE KDE 3.2-3.2.3;
MandrakeSoft Linux Mandrake 9.2 amd64, 9.2, 10.0 AMD64, 10.0
A vulnerability exists in DCOPServer due to insecure file creation, which could let a malicious user obtain elevated privileges or overwrite arbitrary files.
A frame injection vulnerability exists in the Konqueror web browser that allows websites to load web pages into a frame of any other frame-based web page that the user may have open. A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website.
Several vulnerabilities exist in the out-of-band signal handling code due to race condition errors, which could let a remote malicious user obtain superuser privileges.
We are not aware of any exploits for this vulnerability.
TNFTPD Multiple Signal Handler Remote Privilege Escalation
High
NetBSD Security Advisory 2004-009, August 17, 2004
Multiple Vendors
Mozilla Browser 1.7.2,
Mozilla Firefox 0.9.3;
Netscape Navigator 7.1, 7.2
A vulnerability exists when the browser is configured to use the 'Tabbed Browsing' functionality, which could let a remote malicious user conduct phishing attacks.
No workaround or patch available at time of publishing.
A vulnerability exists due to insufficient authentication of user-supplied commands, which could let a remote malicious user obtain sensitive information or cause a Denial of Service.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability exists in the 'mysql_real_connect' function due to insufficient boundary checking, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Note: Computers using glibc on Linux and BSD platforms may not be vulnerable to this issue.
No workaround or patch available at time of publishing.
We are not aware of any exploits for this vulnerability.
MySQL Mysql_real_connect Function Remote Buffer Overflow
High/Low
(Low if a DoS)
Secunia Advisory, SA12305, August 20, 2004
MySQL AB
MySQL 3.23.49, 4.0.20
A vulnerability exists in the 'mysqlhotcopy' script due to predictable files names of temporary files, which could let a malicious user obtain elevated privileges.
Multiple Cross-Site Scripting vulnerabilities exist in 'index.php' due to insufficient sanitization of the 'cat_select' and 'show' parameters, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
A vulnerability exists in the 'auth_login.php' script due to insufficient validation of user-supplied input in the username or password fields, which could let a remote malicious user bypass the authentication interface.
SecurityTracker Alert ID: 1010961, August 17, 2004
RedHat
GNOME VFS
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64
Multiple vulnerabilities exist in several of the GNOME VFS backend scripts; a malicious user who can influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.
Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date
For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/
Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004
SGI Security Advisory, 20040802-01-U, August 14, 2004
Rob Flynn
Gaim 0.10 x, 0.10.3, 0.50-0.75
Multiple vulnerabilities exist which could let a remote malicious user execute arbitrary code or cause a Denial of Service: a vulnerability exists during the installation of a smiley theme; a heap overflow vulnerability exists when processing data from a groupware server; a buffer overflow vulnerability exists in the URI parsing utility; a buffer overflow vulnerability exists when performing a DNS query to obtain a hostname when signing on to zephyr; a buffer overflow vulnerability exists when processing Rich Text Format (RTF) messages; and a buffer overflow vulnerability exists in the 'content-length' header when an excessive value is submitted.
A vulnerability exists in rsync when running in daemon mode with chroot disabled. A remote user may be able read or write files on the target system that are located outside of the module's path. A remote user can supply a specially crafted path to cause the path cleaning function to generate an absolute filename instead of a relative one. The flaw resides in the sanitize_path() function.
Multiple vulnerabilities exist that could allow a remote malicious user to execute arbitrary code. This is due to boundary errors within the "st_wavstartread()" function when processing ".WAV" file headers and can be exploited to cause stack-based buffer overflows. Successful exploitation requires that a user is tricked into playing a malicious ".WAV" file with a large value in a length field.
SecurityTracker Alerts 1010800 and 1010801, July 28/29, 2004
Mandrakesoft Security Advisory MDKSA-2004:076, July 28, 2004
PacketStorm, August 5, 2004
Slackware Security Advisory, SSA:2004-223-03, August 10, 2004
SGI Security Advisory, 20040802-01-U, August 14, 2004
SpamAssassin.org
SpamAssassin prior to 2.64
A Denial of Service vulnerability exists in SpamAssassin. A remote user can send an e-mail message with specially crafted headers to cause a Denial of Service attack against the SpamAssassin service.
We are not aware of any exploits for this vulnerability.
SpamAssassin Remote Denial of Service
Low
SecurityTracker: 1010903, August 10, 2004
Mandrake Security Advisory, MDKSA-2004:084, August 19, 2004
Sun Microsystems, Inc.
DtMai, Solaris 8.0 _x86, 8.0, 9.0 _x86, 9.0
A buffer overflow vulnerability exists in the dtmailer when processing command line arguments, which could let a malicious user execute arbitrary code.
Sun(sm) Alert Notification, 57627, August 23, 2004
US-CERT Vulnerability Note VU#928598, August 25, 2004
Sun Microsystems, Inc.
Solaris 7.0 _x86, 7.0, 8.0 _x86, 8.0, 9.0 _x86, 9.0
A buffer overflow vulnerability exists in 'LOGNAME' environment variables in CDE libDTHelp due to a lack of bounds checking, which could let a malicious user execute arbitrary code.
A vulnerability exists due to insufficient validation during access control checks prior to executing PHP in a target file, which could let a malicious user obtain elevated privileges.
No workaround or patch available at time of publishing.
We are not aware of any exploits for this vulnerability.
SUPHP Elevated Privileges
Medium
Bugtraq, August 23, 2004
SWsoft
Plesk Reloaded 7.1
A Cross-Site Scripting vulnerability exists in 'login_up.php3' due to insufficient sanitization of the 'login_name' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Plesk 'Login_name' Parameter Cross-Site Scripting
High
Secunia Advisory, SA12368, August 25, 2004
Sympa
Sympa 3.x, 2.x, 4.0 .x, 4.1, 4.1.1
A vulnerability exists in 'wwsympa/wwsympa.fcgi' when creating new mailing lists, which could let a malicious user bypass authentication.
A Cross-Site Scripting vulnerability exists in the 'description' field due to insufficient sanitization of user-supplied input data, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Sympa Cross-Site Scripting
High
Securiteam, August 22, 2004
web-app.org
WebAPP 0.9.9
A Directory Traversal vulnerability exists in the 'index.cgi' script due to insufficient sanitization, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
WebAPP Directory Traversal
Medium
SecurityFocus, August 24, 2004
xine-Project
xine 0.99.2
A buffer overflow vulnerability exists in xine in the processing of 'vcd://' protocol identifiers. A remote malicious user can execute arbitrary code on the target system. A remote malicious user can trigger a stack overflow in xine-lib by embedding a specially crafted source identifier within a playlist file, for example. When the target user plays the file, arbitrary code can be executed with the privileges of the target user.
A vulnerability exists in the CGI session management component due to the way temporary files are processed, which could let a malicious user obtain elevated privileges.
An input validation vulnerability exists in the 'awstats.pl' script due to insufficient sanitization, which could let a remote malicious user execute arbitrary commands.
No workaround or patch available at time of publishing.
Proof of Concept exploit has been published.
AWStats 'awstats.pl' Input Validation
High
SecurityFocus, August 19, 2004
Axis Communications
Firmware Version 2.40; Axis 2100/2110/2120/2420/2130, Network Camera, 2400/2401 Video Server
Multiple vulnerabilities exist: an input validation vulnerability exists in the '/axis-cgi/io/virtualinput.cgi' script, which could let a remote malicious user execute arbitrary commands; and a Directory Traversal vulnerability exists, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits have been published.
Axis Network Camera And Video Server Multiple Vulnerabilities
Medium/High
(High if arbitrary commands can be executed)
Bugtraq, August 22, 2004
Axis Communications
StorPoint CD
A hard-coded administrative backdoor exists, which could let a remote malicious user obtain administrative access.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proofs of Concept exploits have been published.
StorPoint CD Administrative Backdoor
High
Bugtraq, August 22, 2004
Cisco Systems
IOS 12.0S, 12.2, 12.3
A remote Denial of Service vulnerability exists when a malicious user continuously transmits malformed Open Shortest Path First (OSPF) packets.
We are not aware of any exploits for this vulnerability.
Cisco IOS Telnet Service Remote Denial of Service
Low
Cisco Security Advisory, cisco-sa-20040827, August 27, 2004
US-CERT Vulnerability Note VU#384230
Dynix
WebPac
Input validation vulnerabilities exist due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
There is no exploit code required.
WebPAC Input Validation
High
Bugtraq, August 24, 2004
eGroupWare.org
GroupWare 1.0, 1.0.3
Multiple Cross-Site Scripting vulnerabilities exist in the 'addressbook' and 'calendar' modules and HTML injections vulnerabilities exist in the 'Messenger' and 'Ticket' modules, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
EGroupWare Multiple Input Validation
High
Bugtraq, August 22, 2004
Entrust LibKMP ISAKMP Library
A buffer overflow vulnerability exists in the main SA payloads due to insufficient sanity checking, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.
Internet Security Systems Protection Advisory, August 26, 2004
hastymail.sourceforge.net
Hastymail 1.0.1, 1.1
A vulnerability exists when the 'download' link is invoked due to a failure to return the proper heading, which could let a remote malicious user execute arbitrary HTML and script code.
A Cross-Site Scripting vulnerability exists in 'src/http.c' due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
Debian Security Advisory, DSA 541-1, August 24, 2004
Mantis
Mantis 0.19.0a
A vulnerability exists when 'REGISTER_GLOBAL' is enabled, because a remote malicious user can specify the 't_core_dir' variable to cause arbitrary code to be executed.
Two vulnerabilities exist: a vulnerability exists in 'login_page.php' in the 'return' parameter due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML or script code; and a vulnerability exists in 'signup.php' in the 'email' parameter due to insufficient sanitization, which could let a remote malicious user execute arbitrary script code.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Mantis Cross-Site Scripting & HTML Injection
High
Secunia Advisory, SA12338, August 23, 2004
meindlSOFT
Cute PHP Library (cphplib) 0.42-0.46
An input validation vulnerability exists in the Cute PHP Library (cphplib) due to insufficient validation of certain parameters, which could let a remote malicious user execute arbitrary HTML code.
We are not aware of any exploits for this vulnerability.
Cute PHP Library (cphplib) Input Validation
High
SecurityFocus, August 27, 2004
Mozilla Organization
Mandrakesoft
Slackware
Mozilla 1.7 and prior;
Firefox 0.9 and prior;
Thunderbird 0.7 and prior
Multiple vulnerabilities exist in Mozilla, Firefox, and Thunderbird that could allow a malicious user to conduct spoofing attacks, compromise a vulnerable system, or cause a Denial of Service. These vulnerabilities include buffer overflow, input verification, insecure certificate name matching, and out-of-bounds reads.
RedHat Security Advisory, RHSA-2004:421-17, August 4, 2004
SGI Security Advisory, 20040802-01-U, August 14, 2004
Multiple Vendors
HP HP-UX B.11.23, 11.11, 11.00;
Mozilla Network Security Services (NSS) 3.2, 3.2.1, 3.3-3.3.2, 3.4-3.4.2, 3.5, 3.6, 3.6.1, 3.7-3.7.3, 3.7.5, 3.7.7, 3.8, 3.9; Netscape Certificate Server 1.0 P1, 4.2, Directory Server 1.3, P1&P5, 3.12, 4.1, 4.11-4.13, Enterprise Server 2.0 a, 2.0, 2.0.1 C, 3.0 L, 3.0, 3.0.1 B, 3.0.1, 3.1, 3.2, 3.5, 3.6, SP1-SP3, 3.51, 4.0, 4.1, SP3-SP8, Enterprise Server for NetWare 4/5 3.0.7 a, 4/5 4.1.1, 4/5 5.0, Enterprise Server for Solaris 3.5, 3.6,
Netscape Personalization Engine; Sun ONE Application Server 6.0, SP1-SP4, 6.5, SP1 MU1&MU2, 6.5 SP1, 6.5 MU1-MU3, 7.0 UR2 Upgrade Standard, 7.0 UR2 Upgrade Platform, Standard Edition, Platform Edition, 7.0 UR1 Standard Edition, Platform Edition, 7.0 Standard Edition, Platform Edition, Certificate Server 4.1, Directory Server 4.16, SP1, 5.0, SP1&SP2, 5.1 x86
SP3 x86, 5.1, SP1-SP3, 5.2, Web Server 4.1, SP1-SP14, 6.0, SP1-SP7, 6.1
A buffer overflow vulnerability exists in the Netscape Network Security Services (NSS) library suite due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.
We are not aware of any exploits for this vulnerability.
NSS Buffer Overflow
High
Internet Security Systems Advisory, August 23, 2004
Network Everywhere
NR041 1.2 Release 03
A vulnerability exists in the DHCP daemon due to insufficient sanitization of user-supplied input that is passed with the 'DHCP HOSTNAME' option, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required.
Network Everywhere Router Remote Script Injection
High
Secunia Advisory, SA12393, August 27, 2004
Novell
iChain Server 2.3
Multiple vulnerabilities exist: a vulnerability exists due to insufficient validation of overly long UTF-8 encodings, which could let a remote malicious user bypass access control rules; a vulnerability exists due to insufficient sanitization of user-supplied input passed to the web server, which could let a remote malicious user execute arbitrary HTML and script code; a remote Denial of Service vulnerability exists when a remote malicious user submits a specially crafted URL; a vulnerability exists in the 'VIA' header, which could let a remote malicious user obtain sensitive information; and a vulnerability exists due to the insecure transmission of username and password credentials, which could let a remote malicious user obtain sensitive information.
GreyMagic Security Advisory GM#009-OP, August 17, 2004
PhotoADay.net
PhotoADay
A Cross-Site Scripting vulnerability exists in the 'PhotoADay' PHP-Nuke module due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
SecurityTracker Alert ID 1011027, August 23, 2004
PScript
PForum 1.24, 1.25
A Cross-Site Scripting vulnerability exists due to insufficient sanitization of the 'IRC Server' and 'AIM ID' fields, which could let a remote malicious user execute arbitrary HTML and script code.
We are not aware of any exploits for this vulnerability.
PvPGN Information Disclosure
Medium
PvPGN Security Advisory, PSA-20040823, August 23, 2004
TikiWiki Project
TikiWiki 1.8-1.8.3
Two vulnerabilities exist: a vulnerability exists because individual wiki page permissions can be bypassed, which could let a remote malicious user obtain unauthorized access; and a vulnerability exists in 'smarty_tiki' which could let a remote malicious user obtain sensitive information.