Summary of Security Items from January 5 through January 11, 2005
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability that the script exploits.
Bugs, Holes, & Patches
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Windows Operating Systems Only
Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attack Scripts | Common Name | Risk | Source
3Com
3CDaemon 2.0 revision 10 |
Multiple vulnerabilities exist: a buffer overflow vulnerability exists when a remote malicious user submits a specially crafted FTP username, which could lead to the execution of arbitrary code; a buffer overflow vulnerability exists in several FTP commands, including cd, send, ls, put, delete, rename, rmdir, literal, stat, and cwd, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user submits an FTP user command with format string characters; a format string vulnerability exists in the cd, delete, rename, rmdir, literal, stat, and cwd [and others] commands, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability exists when a malicious user connects to the TFTP service and requests an MS-DOS device name; a vulnerability exists when the directory to an MS-DOS device name or a filename is changed, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published. |
3Com 3CDaemon Multiple Remote Vulnerabilities |
Low/Medium/High (Low if a DoS; Medium if sensitive information can be obtained; High if arbitrary code can be executed) |
[I.T.S] Security Research Team Advisory, January 4, 2005 |
Amp
Amp II 3D Game Engine |
A remote Denial of Service vulnerability exists due to a failure to handle exceptional conditions.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published. |
Amp II 3D Game Engine Remote Denial of Service |
Low |
Secunia Advisory, SA13754, January 7, 2005 |
Jeuce.com
Jeuce Personal Web Server 2.13 |
Multiple vulnerabilities exist: a Directory Traversal vulnerability exists due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information; and a remote Denial of Service vulnerability exists when handling certain URLs.
No workaround or patch available at time of publishing.
Proofs of Concept exploits have been published. |
Jeuce Personal Web Server Directory Traversal & Denial of Service |
Low/Medium (Medium if sensitive information can be obtained) |
GSSIT - Global Security Solution IT Advisory, January 6, 2005 |
JoWood Productions
Soldner Secret Wars 30830 |
Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user submits a UDP packet that contains 1402 or more bytes; a format string vulnerability exists which could let a remote malicious user cause a Denial of Service or execute arbitrary code; and a Cross-Site Scripting vulnerability exists in the administrative web interface log display, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
An exploit script has been published. |
Soldner Secret Wars Multiple Remote Vulnerabilities |
Low/High (High if arbitrary code can be executed) |
SecurityTracker Alert ID, 1012790, January 6, 2005 |
Microsoft
FrontPage 2000 |
A vulnerability exists in the Data Access Internet Publishing Service Provider's Distributed Authoring and Versioning (DAV) functionality, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published. |
Microsoft FrontPage 2000 DAV File Upload |
SecurityFocus, December 31, 2004 |
Microsoft
Internet Explorer 6.0, SP1&SP2 |
A vulnerability exists in the DHTML Edit ActiveX control, which could let a remote malicious user inject arbitrary scripting code into a different window on the target user's system.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published. |
Microsoft Internet Explorer DHTML Edit Control Script
CVE Name: CAN-2004-1319 |
High |
Bugtraq, December 15, 2004
US-CERT Vulnerability Note, VU#356600, January 6, 2005 |
Microsoft
Windows (XP SP2 is not affected) |
A Denial of Service vulnerability exists in the parsing of Windows animated cursor (ANI) files. A remote user can create a specially crafted ANI file that, when loaded by the target user, will cause the target system to hang or crash. The malicious file can be loaded via HTML, for example.
Updates available at: http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
A Proof of Concept exploit has been published. |
Microsoft Windows ANI File Parsing Errors
CVE Name: CAN-2004-1305 |
Low |
VENUSTECH Security Lab, December 23, 2004
Microsoft Security Bulletin MS05-002, January 11, 2005
US-CERT Vulnerability Notes, VU#177584 & VU#697136, January 11, 2005 |
Microsoft
Windows (XP SP2 is not affected) |
An integer overflow vulnerability was reported in the USER32 library LoadImage API. A remote user can create a specially crafted image file that, when processed by the target user, will trigger the overflow and execute arbitrary code with the privileges of the target user.
Updates available at: http://www.microsoft.com/technet/security/bulletin/ms05-002.mspx
A Proof of Concept exploit has been published. |
Microsoft Windows LoadImage API Buffer Overflow
CVE Name: CAN-2004-1049 |
High |
VENUSTECH Security Lab, December 23, 2004
Microsoft Security Bulletin MS05-002, January 11, 2005
US-CERT Vulnerability Note, VU#625856, January 11, 2005 |
Microsoft
Windows XP SP1 & prior service packs, 2003 |
A buffer overflow vulnerability exists in the Indexing Service due to the way query validation is handled, which could let a remote malicious user cause a Denial of Service or execute arbitrary code.
Updates available at: http://www.microsoft.com/technet/security/bulletin/ms05-003.mspx
Currently we are not aware of any exploits for this vulnerability. |
Microsoft Windows Indexing Service Buffer Overflow
CVE Name: CAN-2004-0897 |
Low/High (High if arbitrary code can be executed) |
Microsoft Security Bulletin MS05-003, January 11, 2005 |
Microsoft
Windows 2000 SP3 & SP4, XP SP1 & SP2, XP 64-Bit Edition SP1, XP 64-Bit Edition Version 2003, Windows Server 2003, Windows Server 2003 64-Bit Edition, Windows 98, 98SE, ME |
A cross-domain vulnerability exists in the HTML Help ActiveX control, which could let a remote malicious user execute arbitrary code.
Updates available at: http://www.microsoft.com/technet/security/bulletin/MS05-001.mspx
Exploits have been published. |
Microsoft Windows HTML Help ActiveX Control
CVE Name: CAN-2004-1043 |
High |
Microsoft Security Bulletin MS05-001, January 11, 2005 |
Symantec
Norton AntiVirus 2004, 2004 Professional Edition |
A remote Denial of Service vulnerability exists due to a buffer overflow in the 'CcErrDsp.ErrorDisplay.1' ActiveX object.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published. |
Symantec 'CcErrDsp.ErrorDisplay.1' ActiveX Buffer Overflow |
Low |
Bugtraq, January 6, 2005 |
Winace.com
Winace 2.5, 2.6 Beta 4 |
A Directory Traversal vulnerability exists due to an input validation error when extracting files compressed with GZIP (.gz) or ZIP (.zip), which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
Proofs of Concept exploit scripts have been published. |
Winace Remote Directory Traversal |
Medium |
Secunia Advisory, SA13734, January 6, 2005 |
winace.com
WinHKI 1.4d |
Several vulnerabilities exist: a remote Denial of Service vulnerability exists when a malicious user creates a BH compressed file with a specially crafted header; a remote Denial of Service vulnerability exists when processing LHA files; and a Directory Traversal vulnerability exists when the application processes malformed BH, CAB, and ZIP compressed files, which could let a remote malicious user modify information.
No workaround or patch available at time of publishing.
There is no exploit required; however, Proofs of Concept exploits have been published. |
WinHKI Multiple Remote Vulnerabilities |
Low/Medium (Medium if information can be modified) |
SecurityTracker Alert ID, 1012798, January 6, 2005 |
UNIX / Linux Operating Systems Only
Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attack Scripts | Common Name | Risk | Source
Alexander Palmo
Simple PHP Blog 0.3.7c |
A Directory Traversal vulnerability exists in the 'entry' parameter due to insufficient sanitization of user-supplied input data, which could let a remote malicious user obtain sensitive information.
Patch available at: http://www.bigevilbrain.com/sphpblog/development/files/patches_0.3.7r2.tgz
There is no exploit code required; however, a Proof of Concept exploit has been published. |
Alexander Palmo Simple PHP Blog Remote Directory Traversal |
Medium |
Bugtraq, January 7, 2005 |
Andrew W. Rogers
pcal 0.7.1 |
Two buffer overflow vulnerabilities were reported in pcal, in the getline() function in 'pcalutil.c' and the get_holiday() function in 'readfile.c'. A remote malicious user can create a specially crafted calendar file that, when processed by the target user with pcal, will execute arbitrary code on the target user's system with the privileges of the target user.
Debian:
http://www.debian.org/security/2005/dsa-625
A Proof of Concept exploit script has been published. |
|
High |
SecurityTracker Alert ID, 1012592, December 16, 2004
Debian Security Advisory, DSA-625-1 pcal, January 5, 2005 |
Christoph Dalitz
abctab2ps 1.6.3 |
A vulnerability was reported in abctab2ps: buffer overflows in the write_heading() function in 'subs.cpp' and the trim_title() function in 'parse.cpp'. A remote malicious user can create a specially crafted ABC file that, when processed by the target user with abctab2ps, will execute arbitrary code on the target user's system with the privileges of the target user.
Upgrade available at:
http://www.lautengesellschaft.de/cdmm/#Download
A Proof of Concept exploit script has been published. |
Christoph Dalitz abctab2ps Buffer Overflows |
High |
SecurityTracker Alert ID, 1012578, December 16, 2004
SecurityFocus, January 5, 2005 |
dillo.org
Dillo 0.8.3a & prior |
A format string vulnerability exists in 'capi.c' in the 'a_Interface_msg()' function, which could let a remote malicious user execute arbitrary code.
Update available at: http://www.dillo.org/
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-11.xml
A Proof of Concept exploit has been published. |
Dillo 'a_Interface_msg()' Format String |
High |
Gentoo Linux Security Advisory, GLSA 200501-11, January 9, 2005 |
Easy Software Products
CUPS 1.1.21, 1.1.22 rc1, 1.1.22 |
A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted HTTP GET request.
Upgrades available at:
http://www.cups.org/software.php?SOFTWARE=v1_2
A Proof of Concept exploit has been published. |
CUPS HTTP GET Denial of Service |
Low |
SecurityTracker Alert ID, 1012811, January 7, 2005 |
GNU / GPL (Conectiva, Gentoo, Mandrake, RedHat, SuSE, Trustix)
Samba 3.0.0 - 3.0.4 and 2.2.9 and prior |
Multiple buffer overflow vulnerabilities exist in Samba that could allow a remote user to execute arbitrary code on the target system. These are caused by boundary errors when decoding base64 data and when handling 'mangling method = hash'.
Upgrade to version 3.0.5 or 2.2.10 available at: http://us2.samba.org/samba/ftp/
Conectiva:
ftp://atualizacoes.conectiva.com.br
RedHat: RedHat Enterprise Linux AS 3, ES 3, WS 3:
http://rhn.redhat.com/
Gentoo:
http://security.gentoo.org/glsa/glsa-200407-21.xml
Mandrakesoft: Mandrake Multi Network Firewall 8.x, 9.x; Mandrake Corporate Server 2.x
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:071
SuSE: SuSE Linux, Email, Database, and Enterprise Servers
http://www.suse.de/de/security/2004_22_samba.html
Trustix:
http://http.trustix.org/pub/trustix/updates/
Sun:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-57664-1&searchclause=
A working exploit has been published. |
|
High |
Samba Release Notes 3.0.5, July 20, 2004
Gentoo, RedHat, Mandrakesoft, SuSE, Trustix, Conectiva Advisories
Sun(sm) Alert Notification, 57664, October 25, 2004
Sun(sm) Alert Notification, 57664, January 26, 2005 updated |
GNU
a2ps 4.13b |
Two vulnerabilities exist in GNU a2ps, which can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges. The vulnerabilities are caused due to the fixps.in and psmandup.in scripts creating temporary files insecurely. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running a vulnerable script.
Debian:
http://security.debian.org/pool/updates/main/a/a2ps/
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-02.xml
Currently we are not aware of any exploits for these vulnerabilities. |
GNU a2ps Two Scripts Insecure Temporary File Creation |
Medium |
Secunia SA13641, December 27, 2004
Gentoo Linux Security Advisory, GLSA 200501-02, January 4, 2005 |
GNU
a2ps 4.13 |
A vulnerability exists that could allow a malicious user to execute arbitrary shell commands on the target system. a2ps will execute shell commands contained within filenames. A user can create a specially crafted filename that, when processed by a2ps, will execute shell commands with the privileges of the a2ps process.
A patch for FreeBSD is available at:
http://www.freebsd.org/cgi/cvsweb.cgi/~checkout~/ports/print/a2ps-letter/files/patch-select.c?rev=1.1&content-type=text/plain
Debian:
http://www.debian.org/security/2004/dsa-612
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-02.xml
A Proof of Concept exploit has been published. |
GNU a2ps Filenames Shell Commands Execution |
|
SecurityTracker Alert ID, 1012475, December 10, 2004
Debian Security Advisory, DSA-612-1 a2ps, December 20, 2004
Gentoo GLSA 200501-02, January 5, 2005 |
GNU
MPlayer 1.0pre5 |
A buffer overflow vulnerability was reported in MPlayer in the processing of ASF streams. A remote malicious user can create a specially crafted ASF video stream that, when viewed by the target user with MPlayer, will execute arbitrary code on the target user's system with the privileges of the target user.
Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200412-21.xml
Conectiva:
http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000910
A Proof of Concept exploit script has been published. |
GNU MPlayer ASF Streams Processing Buffer Overflow |
High |
SecurityTracker Alert ID, 1012562, December 16, 2004
Gentoo GLSA 200412-21 / MPlayer, December 12, 2004
Conectiva Advisory, CLSA-2005:910, January 5, 2005 |
GNU
Vim 6.x, GVim 6.x |
Multiple vulnerabilities exist which can be exploited by local malicious users to gain escalated privileges. The vulnerabilities are caused by errors in the modeline options and can be exploited to execute shell commands when a malicious file is opened. Successful exploitation can lead to escalated privileges but requires that modelines are enabled.
Apply patch for vim 6.3:
ftp://ftp.vim.org/pub/vim/patches/6.3/6.3.045
Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200412-10.xml
Red Hat:
http://rhn.redhat.com/errata/RHSA-2005-010.html
Mandrake:
http://www.mandrakesoft.com/security/advisories
Currently we are not aware of any exploits for these vulnerabilities. |
GNU Vim / Gvim Modelines Command Execution Vulnerabilities
CVE Name: CAN-2004-1138 |
Medium |
Gentoo Linux Security Advisory, GLSA 200412-10 / vim, December 15, 2004
Red Hat Advisory RHSA-2005:010-05, January 5, 2005
Mandrakelinux Security Update Advisory, MDKSA-2005:003, January 6, 2005 |
GNU
xine prior to 0.99.3 |
Multiple vulnerabilities exist that could allow a remote user to execute arbitrary code on the target user's system. There is a buffer overflow in pnm_get_chunk() in the processing of the RMF_TAG, DATA_TAG, PROP_TAG, MDPR_TAG, and CONT_TAG parameters.
The vendor has issued a fixed version of xine-lib (1-rc8), available at: http://xinehq.de/index.php/releases
A patch is also available at:
http://cvs.sourceforge.net/viewcvs.py/xine/xine-lib/src/input/pnm.c?r1=1.20&r2=1.21
Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200501-07.xml
A Proof of Concept exploit has been published. |
|
High |
iDEFENSE Security Advisory 12.21.04
Gentoo, GLSA 200501-07, January 6, 2005 |
GNU
xine-lib 1.x |
Multiple vulnerabilities with unknown impacts exist due to errors in the PNM and Real RTSP clients.
Update to version 1-rc8:
http://xinehq.de/index.php/download
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-07.xml
Currently we are not aware of any exploits for these vulnerabilities. |
GNU xine-lib Unspecified PNM & Real RTSP Clients Vulnerabilities
CVE Name: CAN-2004-1300 |
Not Specified |
Secunia Advisory, SA13496, December 16, 2004
Gentoo Linux Security Advisory, GLSA 200501-07, January 6, 2005 |
GNU
Xpdf prior to 3.00pl2 |
A buffer overflow vulnerability exists that could allow a remote user to execute arbitrary code on the target user's system. A remote user can create a specially crafted PDF file that, when viewed by the target user, will trigger an overflow and execute arbitrary code with the privileges of the target user.
A fixed version (3.00pl2) is available at: http://www.foolabs.com/xpdf/download.html
A patch is available: ftp://ftp.foolabs.com/pub/xpdf/xpdf-3.00pl2.patch
KDE:
http://www.kde.org/info/security/advisory-20041223-1.txt
Gentoo:
http://security.gentoo.org/glsa/glsa-200412-24.xml
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/
Mandrakesoft (update for koffice):
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:165
Mandrakesoft (update for kdegraphics):
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:163
Mandrakesoft (update for gpdf):
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:162
Mandrakesoft (update for xpdf):
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:161
Mandrakesoft (update for tetex):
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:166
Debian:
http://www.debian.org/security/2004/dsa-619
Fedora (update for tetex):
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-13.xml
Currently we are not aware of any exploits for this vulnerability. |
GNU Xpdf Buffer Overflow in doImage()
CVE Name: CAN-2004-1125 |
High |
iDEFENSE Security Advisory 12.21.04
KDE Security Advisory, December 23, 2004
Mandrakesoft, MDKSA-2004:161,162,163,165, 166, December 29, 2004
Fedora Update Notification, FEDORA-2004-585, January 6, 2005
Gentoo Linux Security Advisory, GLSA 200501-13, January 10, 2005 |
Info-ZIP
Zip 2.3 |
A buffer overflow vulnerability exists due to a boundary error when doing recursive compression of directories with 'zip,' which could let a remote malicious user execute arbitrary code.
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/z/zip/
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Gentoo:
http://security.gentoo.org/glsa/glsa-200411-16.xml
Mandrake:
http://www.mandrakesecure.net/en/ftp.php
SUSE:
ftp://ftp.SUSE.com/pub/SUSE
Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-634.html
Debian:
http://www.debian.org/security/2005/dsa-624
Currently we are not aware of any exploits for this vulnerability. |
Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow
CVE Name: CAN-2004-1010 |
High |
Bugtraq, November 3, 2004
Ubuntu Security Notice, USN-18-1, November 5, 2004
Fedora Update Notification, FEDORA-2004-399 & FEDORA-2004-400, November 8 & 9, 2004
Gentoo Linux Security Advisory, GLSA 200411-16, November 9, 2004
Mandrakelinux Security Update Advisory, MDKSA-2004:141, November 26, 2004
SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004
Red Hat Advisory, RHSA-2004:634-08, December 16, 2004
Debian DSA-624-1, January 5, 2005 |
J Whitham
HTGET 0.93 |
A buffer overflow vulnerability was reported in HTGET. A remote malicious user can create a specially crafted URL that, when loaded by the target user, will trigger the overflow and execute arbitrary code.
Debian:
http://www.debian.org/security/2004/dsa-611
An exploit script has been published. |
|
High |
Debian Security Advisory, DSA-611-1 htget, December 20, 2004
PacketStorm, January 6, 2005 |
KDE
KDE 3.x, 2.x |
A vulnerability exists in kio_ftp, which can be exploited by malicious people to conduct FTP command injection attacks.
The vulnerability has been fixed in the CVS repository.
Mandrakesoft:
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:160
Debian:
http://security.debian.org/pool/updates/main/k/kdelibs/
Currently we are not aware of any exploits for this vulnerability. |
KDE kio_ftp FTP Command Injection Vulnerability
CVE Name: CAN-2004-1165 |
Medium |
KDE Advisory Bug 95825, December 26, 2004
Debian Security Advisory, DSA 631-1, January 10, 2005 |
KDE
Konqueror prior to 3.3.2 |
Two vulnerabilities exist in KDE Konqueror, which can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused by errors in the restriction of certain Java classes accessible via applets and JavaScript. This can be exploited by a malicious applet to bypass the sandbox restriction and read or write arbitrary files.
Update to version 3.3.2:
http://kde.org/download/
Apply patch for 3.2.3:
ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-khtml-java.tar.bz2
Mandrakesoft:
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:154
Currently we are not aware of any exploits for these vulnerabilities. |
KDE Konqueror Java Sandbox Vulnerabilities
CVE Name: CAN-2004-1145 |
High |
KDE Security Advisory, December 20, 2004
Mandrakesoft MDKSA-2004:154, December 22, 2004
US-CERT Vulnerability Note, VU#420222, January 5, 2005 |
Larry Wall
Perl 5.8.3 |
A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.
Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/
Gentoo:
http://security.gentoo.org/glsa/glsa-200412-04.xml
Debian:
http://security.debian.org/pool/updates/main/p/perl/
There is no exploit code required. |
|
Medium |
Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004
Ubuntu Security Notice, USN-16-1, November 3, 2004
Gentoo Linux Security Advisory, GLSA 200412-04, December 7, 2004
Debian Security Advisory, DSA 620-1, December 30, 2004 |
LGPL
NASM 0.98.38 |
A buffer overflow vulnerability was reported in NASM, in the error() function in 'preproc.c'. A remote malicious user can create a specially crafted asm file that, when processed by the target user with NASM, will execute arbitrary code on the target user's system with the privileges of the target user.
Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200412-20.xml
Debian:
http://www.debian.org/security/2005/dsa-623
Mandrake:
http://www.mandrakesoft.com/security/advisories
A Proof of Concept exploit script has been published. |
|
High |
Secunia Advisory ID, SA13523, December 17, 2004
Debian Security Advisory, DSA-623-1 nasm, January 4, 2005
Mandrakelinux Security Update Advisory, MDKSA-2005:004, January 6, 2005 |
libtiff.org
LibTIFF 3.6.1; Avaya MN100 (All versions), Avaya Intuity LX (version 1.1-5.x), Avaya Modular Messaging MSS (All versions) |
Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code.
Debian:
http://security.debian.org/pool/updates/main/t/tiff/
Gentoo:
http://security.gentoo.org/glsa/glsa-200410-11.xml
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/
OpenPKG:
ftp://ftp.openpkg.org/release/
Trustix:
ftp://ftp.trustix.org/pub/trustix/updates/
Mandrake:
http://www.mandrakesecure.net/en/ftp.php
SuSE:
ftp://ftp.suse.com/pub/suse/
RedHat:
http://rhn.redhat.com/errata/RHSA-2004-577.html
Slackware:
ftp://ftp.slackware.com/pub/slackware/
Conectiva:
ftp://atualizacoes.conectiva.com.br/
KDE: Update to version 3.3.2:
http://kde.org/download/
Apple Mac OS X:
http://www.apple.com/swupdates/
Gentoo: KDE kfax:
http://www.gentoo.org/security/en/glsa/glsa-200412-17.xml
Avaya: No solution but workarounds available at: http://support.avaya.com/elmodocs2/security/ASA-2005-002_RHSA-2004-577.pdf
Proofs of Concept exploits have been published. |
|
Low/High (High if arbitrary code can be executed) |
Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004
Fedora Update Notification, FEDORA-2004-334, October 14, 2004
OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004
Debian Security Advisory, DSA 567-1, October 15, 2004
Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004
Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004
SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004
RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004
Slackware Security Advisory, SSA:2004-305-02, November 1, 2004
Conectiva Linux Security Announcement, CLA-2004:888, November 8, 2004
US-CERT Vulnerability Notes VU#687568 & VU#948752, December 1, 2004
Gentoo Linux Security Advisory, GLSA 200412-02, December 6, 2004
KDE Security Advisory, December 9, 2004
Apple Security Update SA-2004-12-02
Gentoo Security Advisory, GLSA 200412-17 / kfax, December 19, 2004
Avaya Advisory ASA-2005-002, January 5, 2005
Conectiva Linux Security Announcement, CLA-2005:914, January 6, 2005 |
Little Igloo
LinPopUp 1.2.0 |
A buffer overflow vulnerability exists that could allow a remote malicious user to execute arbitrary code on the target system. A remote user can send a specially crafted message to LinPopUp to trigger a buffer overflow in strexpand() in 'string.c' and execute arbitrary code. The code will run with the privileges of the LinPopUp process.
Debian:
http://security.debian.org/pool/updates/main/l/linpopup/
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-01.xml
A Proof of Concept exploit script has been published. |
Little Igloo LinPopUp strexpand() Buffer Overflow |
High |
SecurityTracker Alert ID, 1012542, December 16, 2004
Gentoo GLSA 200501-01, January 5, 2005
Debian Security Advisory, DSA 632-1, January 10, 2005 |
MIT
Kerberos 5 krb5-1.3.5 and prior |
A buffer overflow exists in the libkadm5srv administration library. A remote malicious user may be able to execute arbitrary code on an affected Key Distribution Center (KDC) host. There is a heap overflow in the password history handling code.
A patch is available at:
http://web.mit.edu/kerberos/advisories/2004-004-patch_1.3.5.txt
Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200501-05.xml
Currently we are not aware of any exploits for this vulnerability. |
|
High |
SecurityTracker Alert ID, 1012640, December 20, 2004
Gentoo GLSA 200501-05, January 5, 2005 |
Mozilla.org
Mozilla Browser 1.7, rc1-rc3, beta, alpha, 1.7.1-1.7.3, 1.8 Alpha 1-4, Firefox Preview Release; Mozilla Firefox 0.9, rc, 0.9.1-0.9.3, 0.10, 0.10.1; Thunderbird 0.6, 0.7-0.7.3, 0.8 |
A vulnerability exists in the 'Open with' option because the software saves the file in the '/tmp' directory with world-readable permissions, which could let a malicious user obtain sensitive information.
Fixes are available in the CVS repository.
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-03.xml
There is no exploit code required. |
Mozilla Temporary File Insecure Permissions Information Disclosure |
Medium |
Secunia Advisory,
SA12956, October 25, 2004
Gentoo Linux Security Advisory, GLSA 200501-03, January 5, 2005 |
Multiple Vendors
Linux kernel 2.6.10, 2.6.9 |
A Denial of Service vulnerability exists in the 'mlockall()' system call due to a failure to properly enforce defined limits.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published. |
Linux Kernel Local RLIMIT_MEMLOCK Bypass Denial of Service |
Low |
Bugtraq, January 7, 2005 |
Multiple Vendors
Exim 4.43 & prior |
Multiple vulnerabilities exist that could allow a local user to obtain elevated privileges. There are buffer overflows in the host_aton() and spa_base64_to_bits() functions; it may be possible to execute arbitrary code with the privileges of the Exim process.
The vendor has issued a fix in the latest snapshot:
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot.tar.gz.sig
Also, patches for 4.43 are available at:
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/
Currently we are not aware of any exploits for these vulnerabilities.
|
|
High |
SecurityTracker Alert ID: 1012771, January 5, 2005 |
Multiple Vendors
Linux kernel 2.6-test9-CVS, 2.6-test1-test11,
Linux kernel 2.6.1 rc1 & rc2, 2.6.2-2.6.9, 2.6.10 rc2;
RedHat Fedora Core 2 & Core 3 |
A vulnerability exists which could let a malicious user obtain sensitive information.
Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.bz2
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Currently we are not aware of any exploits for this vulnerability. |
Linux Kernel SYSENTER Thread Information Pointer Local Information Disclosure |
Medium |
Fedora Update Notifications
FEDORA-2004-581 & 582, January 3, 2005 |
Multiple Vendors
Linux kernel 2.6-test9-CVS, 2.6-test1-test11,
Linux kernel 2.6.1 rc1 & rc2, 2.6.2-2.6.9, 2.6.10 rc2;
RedHat Fedora Core 2 & Core 3 |
A vulnerability exists in the SCM system due to a failure to properly call defined security module functions, which could let a malicious user bypass security measures.
Upgrades available at:
http://www.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.bz2
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Currently we are not aware of any exploits for this vulnerability. |
Linux Kernel Local File Descriptor Passing Security Module Bypass |
Medium |
Fedora Update Notifications
FEDORA-2004-581 & 582, January 3, 2005 |
Multiple Vendors
Perl |
A race condition vulnerability was reported in the 'File::Path::rmtree()' function. A remote user may be able to obtain potentially sensitive information or modify files.
The vendor has released Perl version 5.8.4-5 to address this vulnerability. Customers are advised to contact the vendor for information regarding update availability.
Debian:
http://security.debian.org/pool/updates/main/p/perl/
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/p/perl/
Currently we are not aware of any exploits for this vulnerability. |
Multiple Vendors Perl File::Path::rmtree() Permission Modification Vulnerability
CVE Name:
CAN-2004-0452 |
Medium |
Ubuntu Security Notice, USN-44-1, December 21, 2004
Debian Security Advisory, DSA 620-1, December 30, 2004 |
Multiple Vendors
Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha;
Gentoo Linux;
LibTIFF 3.4, 3.5.1-3.5.5, 3.5.7, 3.6.0, 3.6.1, 3.7, 3.7.1;
RedHat Fedora Core 2 & Core 3;
Ubuntu Ubuntu Linux 4.1 ppc, ia64, ia32 |
A vulnerability exists in the tiffdump utility, which could let a remote malicious user execute arbitrary code.
Debian:
http://security.debian.org/pool/updates/main/t/tiff/
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-06.xml
Mandrake:
http://www.mandrakesecure.net/en/ftp.php
SuSE:
ftp://ftp.suse.com/pub/suse/i386/update/
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/universe/t/tiff/
Currently we are not aware of any exploits for this vulnerability. |
LibTIFF TIFFDUMP Heap Corruption Integer Overflow
CVE Name:
CAN-2004-1183 |
High |
SecurityTracker Alert ID, 1012785, January 6, 2005 |
Multiple Vendors
Linux Kernel |
A vulnerability exists in the Linux kernel io_edgeport driver. A local user with a USB dongle can cause the kernel to crash or may be able to gain elevated privileges on the target system. The flaw resides in the edge_startup() function in 'drivers/usb/serial/io_edgeport.c'.
Red Hat:
https://bugzilla.redhat.com/bugzilla/attachment.cgi?id=107493&action=view
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Currently we are not aware of any exploits for this vulnerability. |
Multiple Vendors Linux Kernel USB io_edgeport Driver Integer Overflow
CVE Name:
CAN-2004-1017 |
Low/Medium (Medium if elevated privileges can be obtained) |
SecurityTracker Alert ID: 1012477, December 10, 2004
Fedora Update Notifications,
FEDORA-2004-581 & 582, January 3, 2005 |
Multiple Vendors
Linux kernel 2.2-2.2.25, 2.3, 2.3.99 pre1-pre7, 2.4.0 test1-test12, 2.4-2.4.28, 2.4.29-rc2, 2.5.0-2.5.65 |
Multiple buffer overflow vulnerabilities exist in the 'drivers/char/moxa.c' file due to insufficient bounds checks prior to copying user-supplied data to fixed-size memory buffers, which could let a malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for these vulnerabilities. |
Linux Kernel Multiple Local MOXA Serial Driver Buffer Overflows |
High |
Bugtraq, January 7, 2005 |
Multiple Vendors
Linux kernel 2.4.0 test1-test12, 2.4-2.4.27 |
A vulnerability exists in the 'AF_UNIX' address family due to a serialization error, which could let a malicious user obtain elevated privileges or possibly execute arbitrary code.
Upgrades available at:
http://kernel.org/pub/linux/kernel/v2.4/linux-2.4.28.tar.bz2
SUSE:
ftp://ftp.SUSE.com/pub/SUSE
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main
Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-504.html
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates
Currently we are not aware of any exploits for this vulnerability.
|
Multiple Vendors Linux Kernel AF_UNIX Arbitrary Kernel Memory Modification
CVE Name:
CAN-2004-1068 |
Medium/High (High if arbitrary code can be executed) |
Bugtraq, November 19, 2004
SUSE Security Summary Report, SUSE-SR:2004:003, December 7, 2004
SecurityFocus, December 14, 2004
Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005 |
Multiple Vendors
Linux kernel 2.4, 2.4.0 test1-test12, 2.4-2.4.28, 2.4.29-rc2, 2.6.10, 2.6 test1-test11, 2.6.1-2.6.10, 2.6.10 rc2 |
An integer overflow vulnerability exists in the 'random.c' kernel driver due to insufficient sanitization of the 'poolsize_strategy' function, which could let a malicious user cause a Denial of Service or execute arbitrary code.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published.
|
Linux Kernel Random Poolsize SysCTL Handler Integer Overflow |
Low/High (High if arbitrary code can be executed) |
Bugtraq, January 7, 2005 |
Multiple Vendors
Linux Kernel 2.4.0 test1-test12, 2.4-2.4.28, 2.4.29-rc2, 2.6 test1-test11, 2.6.1 rc1-rc2, 2.6.2-2.6.9, 2.6.10 rc2 |
A vulnerability exists in the 'load_elf_library()' function in 'binfmt_elf.c' because memory segments are not properly processed, which could let a remote malicious user execute arbitrary code with root privileges.
No workaround or patch available at time of publishing.
A Proof of Concept exploit script has been published. |
|
High |
iSEC Security Research Advisory, January 7, 2005 |
Multiple Vendors
Linux Kernel 2.6 - 2.6.10 rc2 |
The Linux kernel is prone to a local Denial of Service vulnerability. This vulnerability is reported to exist when 'CONFIG_SECURITY_NETWORK=y' and 'CONFIG_SECURITY_SELINUX=y' options are set in the Linux kernel. A local attacker may exploit this vulnerability to trigger a kernel panic and effectively deny service to legitimate users.
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates
Currently we are not aware of any exploits for this vulnerability. |
Multiple Vendors Linux Kernel Sock_DGram_SendMsg Local Denial of Service
CVE Name:
CAN-2004-1069 |
Low |
Ubuntu Security Notice USN-38-1 December 14, 2004
Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005 |
Multiple Vendors
Linux Kernel 2.6 - 2.6.9, 2.4 - 2.4.28 |
Integer overflow vulnerabilities exist that could allow a local user to cause Denial of Service conditions. The overflows are in ip_options_get() and vc_resize(); there is also a memory leak in ip_options_get().
The vendor has issued a fix in 2.6.10rc3bk5 and possibly also in the 2.4 release candidate.
Ubuntu:
http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates
A Proof of Concept exploit has been published. |
Multiple Vendors Linux Kernel ip_options_get() and vc_resize() Integer Overflows |
Low |
Georgi Guninski Security Advisory #72, December 15, 2004
Fedora Update Notifications, FEDORA-2004-581 & 582, January 4, 2005 |
Multiple Vendors
Linux Kernel 2.6.10, 2.6 test1-test11, 2.6.1-2.6.10, 2.6.10 rc2 |
An integer overflow vulnerability exists in the 'scsi_ioctl.c' kernel driver due to insufficient sanitization of the 'sg_scsi_ioctl' function, which could let a malicious user execute arbitrary code.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability. |
Linux Kernel SCSI IOCTL Integer Overflow |
High |
Bugtraq, January 7, 2005 |
Multiple Vendors
Samba 2.2.9, 3.0.8 and prior |
An integer overflow vulnerability in all versions of Samba's smbd up to and including 3.0.8 could allow a remote malicious user to cause controllable heap corruption, leading to execution of arbitrary commands with root privileges.
Patches available at:
http://www.samba.org/samba/ftp/patches/security/samba-3.0.9-CAN-2004-1154.patch
Red Hat:
http://rhn.redhat.com/errata/RHSA-2004-670.html
Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200412-13.xml
Trustix:
http://www.trustix.net/errata/2004/0066/
Red Hat (Updated):
http://rhn.redhat.com/errata/RHSA-2004-670.html
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
SUSE:
http://www.novell.com/linux/security/advisories/2004_45_samba.html
Mandrakesoft:
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:158
Conectiva:
ftp://atualizacoes.conectiva.com.br/
RedHat:
http://rhn.redhat.com/errata/RHSA-2005-020.html
Currently we are not aware of any exploits for this vulnerability. |
Multiple Vendors Samba smbd Security Descriptor
CVE Name:
CAN-2004-1154 |
|
iDEFENSE Security Advisory 12.16.04
Red Hat Advisory, RHSA-2004:670-10, December 16, 2004
Gentoo Security Advisory, GLSA 200412-13 / Samba, December 17, 2004
US-CERT, Vulnerability Note VU#226184, December 17, 2004
Trustix Secure Linux Advisory #2004-0066, December 17, 2004
Red Hat, RHSA-2004:670-10, December 16, 2004
SUSE, SUSE-SA:2004:045, December 22, 2004
RedHat Security Advisory, RHSA-2005:020-04, January 5, 2005
Conectiva Linux Security Announcement, CLA-2005:913, January 6, 2005 |
MySQL
Eventum 1.3.1 |
Multiple vulnerabilities exist which can be exploited by malicious people to conduct Cross-Site Scripting and script insertion attacks and potentially bypass certain security restrictions. 1) Input passed to the 'email' parameter in 'index.php' and 'forgot_password.php,' and to the 'title' and 'outgoing_sender_name' parameters in 'projects.php,' is not properly sanitized before being returned to users. 2) Input passed to the 'full_name,' 'sms_email,' 'list_refresh_rate,' and 'emails_refresh_rate' parameters in 'preferences.php' is not properly sanitized. 3) Eventum has an undocumented default administrator account.
Upgrades available at:
http://dev.mysql.com/get/Downloads/eventum/eventum-1.4.tar.gz/from/pick
Currently we are not aware of any exploits for these vulnerabilities. |
MySQL Eventum Multiple Vulnerabilities |
High |
CIRT-200404 and CIRT-200405: December 28, 2004
SecurityFocus, January 5, 2005
|
Namazu Project
Namazu 2.0.13 and prior |
A vulnerability exists which can be exploited by malicious people to conduct Cross-Site Scripting attacks. Input passed to 'namazu.cgi' isn't properly sanitized before being returned to the user if the query begins from a tab ('%09'). This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
Update to version 2.0.14:
http://namazu.org/#download
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
Debian:
http://security.debian.org/pool/updates/main/n/namazu2/
Currently we are not aware of any exploits for this vulnerability. |
Namazu Cross-Site Scripting Vulnerability
CVE Name:
CAN-2004-1318 |
High |
Namazu Security Advisory, December 15, 2004
Debian Security Advisory, DSA 627-1, January 6, 2005 |
Nuclear Elephant.com
mod_dosevasive 1.9 and prior |
A vulnerability exists in 'mod_dosevasive' for Apache that could allow a local user to obtain elevated privileges. The software creates unsafe temporary files. A local user can create a symbolic link (symlink) from a non-existent file on the system to a predictably named temporary file in the '/tmp' directory. When mod_dosevasive is run, the symlinked file will be created with the privileges of the web service.
No workaround or patch available at time of publishing.
A Proof of Concept exploit has been published. |
Nuclear Elephant mod_dosevasive Symlink Flaw |
Medium |
LSS Security Advisory #LSS-2005-01-01, January 4, 2005 |
Nullsoft
SHOUTcast 1.9.4 |
A format string vulnerability exists that could allow a remote user to execute arbitrary code on the target system. A remote user can supply a specially crafted request to the target server containing format string characters to cause the target service to crash or execute arbitrary code.
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-04.xml
Currently we are not aware of any exploits for this vulnerability. |
Nullsoft SHOUTcast Format String Flaw |
High |
SecurityTracker Alert ID: 1012675, December 24, 2004
Gentoo GLSA 200501-04, January 5, 2005 |
Patric Müller
Vilistextum 2.6.6 |
A vulnerability was reported in Vilistextum that could allow a remote malicious user to cause arbitrary code to be executed by the target user. A remote user can create a specially crafted HTML file that, when processed by the target user with Vilistextum, will execute arbitrary code on the target user's system. The code will run with the privileges of the target user. The buffer overflow resides in the get_attr() function in 'html.c.'
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-10.xml
A Proof of Concept exploit script has been published. |
Patric Müller Vilistextum get_attr() Buffer Overflow
CVE Name:
CAN-2004-1299 |
High |
SecurityTracker Alert ID, 1012558, December 16, 2004
Gentoo Linux Security Advisory, GLSA 200501-10, January 6, 2005 |
PHPGroupWare
PHPGroupWare 0.9.16.03 |
PHPGroupWare contains multiple input validation vulnerabilities; it is prone to multiple SQL injection and Cross-Site Scripting issues. These issues are all due to a failure of the application to properly sanitize user-supplied input. A malicious user could exploit these vulnerabilities to execute arbitrary code.
Upgrade available at: http://download.phpgroupware.org/now
A Proof of Concept exploit has been published. |
PHPGroupWare Multiple Cross-Site Scripting and SQL Injection |
High |
GulfTech Security Research December 14th, 2004
SecurityFocus, January 6, 2005 |
Redhat
GNOME VFS
Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64;
Red Hat Linux Advanced Workstation 2.1 - ia64;
Red Hat Enterprise Linux ES version 2.1 - i386;
Red Hat Enterprise Linux WS version 2.1 - i386;
Red Hat Enterprise Linux AS version 3 - i386, ia64, ppc, s390, s390x, x86_64;
Red Hat Desktop version 3 - i386, x86_64;
Red Hat Enterprise Linux ES version 3 - i386, ia64, x86_64;
Red Hat Enterprise Linux WS version 3 - i386, ia64, x86_64 |
Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts. Red Hat Enterprise Linux ships with vulnerable scripts, but they are not used by default. A malicious user who is able to influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts.
Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date
For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/
Fedora:
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/
SUSE:
http://www.suse.com/en/private/download/updates/92_i386.html
Avaya:
http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=198525&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()
SGI:
ftp://patches.sgi.com/support/free/security/patches/ProPack/3/
RedHat:
http://rhn.redhat.com/errata/RHSA-2004-464.html
We are not aware of any exploits for these vulnerabilities. |
Red Hat GNOME VFS updates address extfs vulnerability
CVE Name:
CAN-2004-0494 |
High |
Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004
Fedora Update Notification
FEDORA-2004-272 & 273, September 1, 2004
SecurityFocus, Bugtraq ID: 10864, December 7, 2004
RedHat Security Advisory, RHSA-2004:464-09, January 5, 2005 |
Remote Sensing
LibTIFF 3.x |
A vulnerability exists that can potentially be exploited by malicious people to execute arbitrary code on the target system. The vulnerability is caused by an unspecified integer overflow in the tiffdump utility.
Gentoo:
http://www.gentoo.org/security/en/glsa/glsa-200501-06.xml
Currently we are not aware of any exploits for this vulnerability. |
Remote Sensing LibTIFF Integer Overflow Vulnerability in tiffdump |
High |
Secunia SA13728, January 6, 2005 |
Russell Marks
zgv Image Viewer 5.5 |
Several vulnerabilities exist due to various integer overflows when processing images, which could let a remote malicious user execute arbitrary code.
Gentoo:
http://security.gentoo.org/glsa/glsa-200411-12.xml
Debian:
http://www.debian.org/security/2004/dsa-608
The vendor has issued a patch, available at:
http://www.svgalib.org/rus/zgv/zgv-5.8-integer-overflow-fix.diff
Gentoo:
http://security.gentoo.org/glsa/glsa-200501-09.xml
Currently we are not aware of any exploits for these vulnerabilities. |
|
High |
Bugtraq, October 26, 2004
Gentoo Linux Security Advisory, GLSA 200411-12:01, November 7, 2004
Debian Security Advisory, DSA-608-1 zgv, December 14, 2004
SecurityTracker Alert ID: 1012546, December 16, 2004
Gentoo Linux Security Advisory, GLSA 200501-09, January 6, 2005 |
Squid-cache.org
Squid 2.x |
A remote Denial of Service vulnerability exists in the NTLM fakeauth_auth helper when running under a high load or for a long period of time, and a specially crafted NTLM type 3 message is submitted.
Patch available at:
http://www.squid-cache.org/Versions/v2/2.5/bugs/squid-2.5.STABLE7-fakeauth_auth.patch
Currently we are not aware of any exploits for this vulnerability. |
Squid NTLM fakeauth_auth Helper Remote Denial of Service |
Low |
Secunia Advisory, SA13789, January 11, 2005 |
Virtual Hosting Control System
Virtual Hosting Control System 2.2 |
A remote file include vulnerability exists, which could let a remote malicious user execute arbitrary PHP code.
No workaround or patch available at time of publishing.
There is no exploit code required. |
Virtual Hosting Control System SQL.PHP Remote File Include |
High |
SecurityFocus, January 6, 2005 |
| Multiple Operating Systems - Windows / UNIX / Linux / Other |
Vendor & Software Name |
Vulnerability - Impact / Patches - Workarounds / Attack Scripts |
Common Name |
Risk |
Source |
All Enthusiast, Inc.
PhotoPost PHP Pro 4.x |
Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks. 1) Input passed to the "page", "cat", and "si" parameters in "showgallery.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" and "ppuser" parameters in "showgallery.php" isn't sanitized properly before being used in a SQL query.
Update to version 4.86:
http://www.photopost.com/
An exploit script has been published. |
All Enthusiast PhotoPost PHP Pro Cross-Site Scripting and SQL Injection |
High |
GulfTech Security Research Team, January 3, 2005
PacketStorm, January 5, 2005 |
All Enthusiast, Inc.
ReviewPost PHP Pro 2.x |
Multiple vulnerabilities exist which can be exploited by malicious people to conduct cross-site scripting and SQL injection attacks, and compromise a vulnerable system. 1) Input passed to the "si" parameter in "showcat.php", "cat" and "page" parameters in "showproduct.php", and "report" parameter in "reportproduct.php" isn't properly sanitized before being returned to the user. 2) Input passed to the "cat" parameter in "showcat.php" and "product" parameter in "addfav.php" isn't properly sanitized before being used in a SQL query. 3) An error in the handling of file uploads for filenames with multiple extensions (e.g. "test.jpg.php.jpg.php") can be exploited.
Update to version 2.84:
http://www.photopost.com/
An exploit script has been published. |
All Enthusiast ReviewPost PHP Pro Multiple Vulnerabilities |
High |
GulfTech Security Research Team, January 3, 2005
PacketStorm, January 5, 2005 |
Apache Software Foundation
Tomcat 5.x |
A Cross-Site Scripting vulnerability exists due to insufficient sanitization of various input passed to the 'Tomcat Manager,' which could let a remote malicious user execute arbitrary HTML and script code.
Patch available at:
http://www.mail-archive.com/tomcat-dev@jakarta.apache.org/msg66978.html
Proofs of Concept exploits have been published. |
Apache Tomcat 'Tomcat Manager' Cross-Site Scripting |
High |
Secunia Advisory, SA13737, January 6, 2005 |
Apple
AirPort Express Firmware 6.1, AirPort Extreme Firmware 5.5 |
A remote Denial of Service vulnerability exists when used in the Wireless Distribution System (WDS) mode. This issue could allow a remote attacker to cause the base station to stop processing traffic.
Upgrades available at:
http://www.apple.com/support/downloads/
There is no exploit code required. |
Apple AirPort Wireless Distribution System Remote Denial of Service |
Low |
SecurityFocus January 3, 2004 |
b2evolution.net
b2evolution 0.8.2.2, 0.8.2, 0.8.6.2, 0.8.6.1, 0.8.6, 0.8.7, 0.8.9, 0.9.0.11, 0.9.0.10, 0.9.0.09, 0.9.0.0, 0.9.0.05, 0.9.0.03 |
A vulnerability exists in the '_class_itemlist.php' script due to insufficient sanitization of the 'title' parameter, which could let a remote malicious user execute arbitrary code.
Workaround available at:
http://forums.b2evolution.net/viewtopic.php?t=2695
There is no exploit code required. |
b2evolution '_class_itemlist.php' Script Input Validation |
High |
Securiteam, January 9, 2005 |
Ben3W
2Bgal 2.4 and 2.5.1 |
A vulnerability exists that can be exploited by malicious people to conduct SQL injection attacks. Input passed to the "id_album" parameter is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Upgrade available at:
http://www.ben3w.com/multimedia/dlcounter.php?selfile=2bgal.zip
A Proof of Concept exploit has been published. |
Ben3W 2Bgal "id_album" SQL Injection Vulnerability |
High |
Secunia SA13620, December 23, 2004
Packetstorm, December 31, 2004
SecurityFocus, January 7, 2005 |
Cisco Systems
IOS 12.2 ZA, SY, SXB, SXA, (17a) SXA, (14)ZA2, (14)ZA, (14)SY |
A remote Denial of Service vulnerability exists when processing Internet Key Exchange (IKE) packets.
Revision 1.2: Updated the 12.2(14)SY03 Release Notes URL in the Software Fixes and Versions section.
Updates available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040408-vpnsm.shtml
Currently we are not aware of any exploits for this vulnerability. |
Cisco IOS Malformed IKE Packet Remote Denial of Service |
Low |
Cisco Security Advisory 50430, April 8, 2004
Cisco Security Advisory 50430 Rev. 1.2, January 5, 2005 |
Cisco Systems
IOS R12.x, 12.x |
A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted TCP connection to a telnet or reverse telnet port.
Revision 2.4: Updated availability information for IOS releases. Corrected fixed software version for 12.1E Maintenance release.
Potential workarounds available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040827-telnet.shtml
Currently we are not aware of any exploits for this vulnerability. |
Cisco IOS Telnet Service Remote Denial of Service |
Low |
Cisco Security Advisory, cisco-sa-20040827, August 27, 2004
US-CERT Vulnerability Note VU#384230
Cisco Security Advisory, 61671 Rev 2.2, October 20, 2004
Cisco Security Advisory, 61671 Rev 2.3, October 31, 2004
Cisco Security Advisory, 61671 Rev 2.4, December 31, 2004 |
David Barrett
QwikiWiki 1.4.1 |
A Directory Traversal vulnerability exists due to insufficient validation of the 'page' parameter, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published. |
David Barrett QwikiWiki Remote Directory Traversal |
Medium |
Securiteam, January 5, 2005 |
IBM
DB2 Universal Database for AIX 7.0-7.2, 8.0, 8.1; DB2 Universal Database for HP-UX 7.0-7.2, 8.0, 8.1; DB2 Universal Database for Linux 7.0-7.2, 8.0, 8.1; DB2 Universal Database for Solaris 7.0-7.2, 8.0, 8.1; IBM DB2 Universal Database for Windows 7.0-7.2, 8.0, 8.1 |
A vulnerability exists in the XMLVarcharFromFile and XMLClobFromFile functions, which could let a remote malicious user corrupt | |
| |