Summary of Security Items from November 10 through November 16, 2004
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risks levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
Bugs,
Holes, & Patches
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name |
face="Arial, Helvetica, sans-serif">Risk |
face="Arial, Helvetica, sans-serif">Source |
NetNote Server 2.2 (build 230) | A vulnerability exists which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to input validation errors when handling malformed traffic. No workaround or patch available at time of publishing. An exploit script has been published. | NetNote Server Remote Denial of Service | Low | Secunia Advisory ID, SA13195, November 15, 2004 |
Cisco Security Agent (CSA) prior to 4.0.3 build 728 | A vulnerability exists that could allow a remote malicious user to conduct buffer overflow attacks against the target system that will not be detected by CSA. The vendor reported that a properly timed attack can evade the CSA attack detection mechanism, where the second of two buffer overflow attacks will not be detected. An authenticated user must be logged in or the hidden GUI option must be in effect for the attack to be successful. Update to version 4.0.3 build 728 available at: Currently we are not aware of any exploits for this vulnerability. | Cisco Security Agent Specially Timed Buffer Overflow | High | Cisco Security Advisory Document ID, 63326, November 11, 2004 |
MIMEsweeper for SMTP 5.x | A vulnerability exists which potentially can be exploited by malware to bypass the scanning functionality. The problem is that emails containing encrypted data (e.g. password-protected zip files) erroneously are marked as 'Clean' instead of 'Encrypted.' The vulnerability only affects versions that have been upgraded from: Apply hotfix: Currently we are not aware of any exploits for this vulnerability. | Clearswift MIMEsweeper for SMTP Encrypted Emails Misclassification | Medium | MIMEsweeper Technical Documentation, November 2004 |
Google Desktop Search | A remote malicious user can create a specially crafted URL that, when loaded by a target user that has Google Desktop Search installed, will cause arbitrary scripting code to be executed by the target user's browser. The code will originate from the Google site and will run in the security context of that site. The vendor has issued a fix. A Proof of Concept exploit has been published. | Google Desktop Search Input Validation | High | SecurityTracker Alert ID, 1011928, October 26, 2004, SecurityTracker Alert ID,1012081, November 10, 2004 |
Merak Mail Server 7.5.2 and 7.6.0 with Icewarp Web Mail | Multiple vulnerabilities exist in Merak Mail Server with IceWarp Web Mail. A remote malicious user can conduct Cross-Site Scripting attacks and a remote authenticated user can rename and delete files on the target system. Among other errors, several scripts do not properly validate user-supplied input, including send.html, attachment.html, and folderitem.html. Upgrades available at: http://www.icewarp.com/Download/ A Proof of Concept exploit has been published. | IceWarp Merak Mail Server Multiple Remote Vulnerabilities | Medium | SecurityTracker Alert ID, 1012099, November 5, 2004 SecurityFocus, November 5, 2004 |
Infuseum's ASP Message Board (AMB) 2.2.1c | Multiple input validation vulnerabilities exists that could permit a remote malicious user to inject SQL commands and conduct Cross-Site Scripting attacks. A remote user can supply specially crafted input to execute SQL commands on the underlying database. A remote user can also cause arbitrary scripting code to be executed by the target user's browser. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for these vulnerabilities. | Infuseum Input Validation Vulnerabilities | High | SecurityTracker Alert ID,1012139, November 8, 2004 |
IMail 8.13 | A buffer overflow vulnerability exists in the 'DELETE' command due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code.
No workaround or patch available at time of publishing. An exploit script has been published. | Ipswitch IMail Server Remote Buffer Overflow | High | Securiteam, November 15, 2004 |
Kerio Personal Firewall 4.1.2 and prior | A vulnerability exists that could permit a remote malicious user to cause Denial of Service conditions. There is a packet processing flaw that can trigger 100% CPU utilization on the target system. The vendor has issued a fixed version (4.1.2), available at: http://www.kerio.com/kpf_download.html An exploit script has been published | Kerio Personal Firewall Remote Denial of Service | Low | SecurityTracker Alert ID, 1012116, November 8, 2004 PacketStorm, November 12, 2004 |
Internet Explorer 6.0 | A vulnerability exists that can be exploited by malicious sites to detect the presence of local files. This is because an 'Access is Denied' error will be returned if a site in the 'Internet' zone tries to open an existing local file in the search window using the 'res:' URI handler. This can be exploited to determine the presence of specific programs or files in the system directories and on the desktop. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Microsoft Internet Explorer 'res:' URI Handler File Identification | Medium | Secunia Advisory,: SA13124, November 9, 2004 |
ISA Server 2000, Proxy Server 2.0 | A spoofing vulnerability exists that could enable a malicious user to spoof trusted Internet content. Users could believe they are accessing trusted Internet content when in reality they are accessing malicious Internet content, for example a malicious website. Updates available at: http://www.microsoft.com/technet/ V2.0 (November 9, 2004): Bulletin updated to reflect the release of an updated ISA Server 2000 security update for the German language only. This issue does not affect any other language version of this security update. The Security Update Replacement section has also been revised. V3.0 (November 16, 2004): Bulletin updated to reflect the release of updated ISA Server 2000 security updates for all languages. These issues affected customers using ISA Server 2000 Service Pack 1 or using Windows 2000 Service Pack 3. The Security Update Replacement section has also been revised. Currently we are not aware of any exploits for this vulnerability. | Microsoft Server Spoofing CVE Name: | Medium | Microsoft Security Bulletin, MS04-039 2.0 & 3.0, November 9 & 16, 2004 (Updated)
|
Internet Explorer 5.01, Internet Explorer 6, Internet Explorer 6.0 for Windows Server 2003, Internet Explorer 6.0 for Windows XP Service Pack 2, Windows 98, Windows 98 SE, Windows ME, Internet Explorer 5.5; Avaya DefinityOne Media Servers, IP600 Media Servers, Modular Messaging (MSS) 1.1, (MSS) 2.0, | Multiple vulnerabilities are corrected with Microsoft Security Update MS04-038. These vulnerabilities include: Cascading Style Sheets (CSS) Heap Memory Corruption Vulnerability; Similar Method Name Redirection Cross Domain Vulnerability; Install Engine Vulnerability; Drag and Drop Vulnerability; Address Bar Spoofing on Double Byte Character Set Locale Vulnerability; Plug-in Navigation Address Bar Spoofing Vulnerability; Script in Image Tag File Download Vulnerability; SSL Caching Vulnerability. These vulnerabilities could allow remote code execution. A vulnerability exists in the Microsoft MSN 'heartbeat.ocx' component, used by Internet Explorer on some MSN gaming sites Updates available at: href="http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx">http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx Avaya: Customers are advised to follow Microsoft's guidance for applying patches. Please see the referenced Avaya advisory at the following location for further details: Updated the ActiveX control name from "Heartbeat.ocx" to "Hrtbeat.ocx", added GUID information to the Security Update Information section. Currently we are not aware of any exploits for these vulnerabilities. | Microsoft Internet Explorer Security Update CVE Names:
href="http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0842">CAN-2004-0842 | High | Microsoft Security Bulletin, MS04-038, October 12, 2004 US-CERT Cyber Security Alert SA04-286A, October 12, 2004 US-CERT Vulnerability Notes VU#637760, October 13, 2004, VU#625616, October 15, 2004, VU#431576, VU#630720, & VU#291304, October 18, 2004, VU#673134 & VU#795720, October 19, 2004 SecurityFocus, October 18, 2004 Microsoft Security Bulletin, MS04-038, November 9, 2004 |
Internet Explorer 6, Microsoft Outlook Express 6 | A vulnerability exists which can be exploited by malicious people to trick users into visiting a malicious website by obfuscating URLs. This vulnerability was confirmed in SP1 but not SP2. Update to Windows XP SP2. Proofs of Concept exploit scripts have been published. | Internet Explorer Flash Content Status Bar Spoofing | Medium | Secunia Advisory ID, SA13156, November 10, 2004 |
Windows 2000 Advanced Server, SP1-SP4, 2000 Datacenter Server, SP1-SP4, 2000 Professional, SP1-SP4, 2000 Server, SP1-SP4, XP Home, SP1&SP2, XP Professional, SP1&SP2 | A buffer overflow vulnerability exists in the 'ddeshare.exe' utility, which could possibly let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Microsoft Windows DDEShare Buffer Overflow | High | Bugtraq, November 9, 2004 |
Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Server 2003 Web Edition, Exchange Server 2003 | A remote code execution vulnerability exists in the Windows Server 2003 SMTP component due to the way Domain Name System (DNS) lookups are handled. A malicious user could exploit the vulnerability by causing the server to process a particular DNS response that could potentially allow remote code execution. The vulnerability also exists in the Microsoft Exchange Server 2003 Routing Engine component when installed on Microsoft Windows 2000 Service Pack 3 or on Microsoft Windows 2000 Service Pack 4. Updates available at: href="http://www.microsoft.com/technet/security/bulletin/MS04-035.mspx">http://www.microsoft.com/technet/security/bulletin/MS04-035.mspx Bulletin updated to clarify restart requirement for Windows Server 2003 and Windows XP 64-Bit. Currently we are not aware of any exploits for this vulnerability. | High | Microsoft Security Bulletin, MS04-035, October 12, 2004 US-CERT Cyber Security Alert, SA04-286A, October 12, 2004 US-CERT Vulnerability Note VU#394792, October 15, 2004 Microsoft Security Bulletin MS04-035, November 9, 2004 | |
Hired Team: Trial 2.0 / 2.200 & prior | Several vulnerabilities exist: a format string vulnerability exists when a remote malicious user joins a game and then submits a specially crafted message, which could cause a Denial of Service or potentially the execution of arbitrary code; a vulnerability exists when a remote malicious user submits data to one of the server-assigned UDP ports that causes the match to be interrupted; a remote Denial of Service vulnerability exists when the statue command is invoked; and several flaws exist in the Shine engine (which is which the game is based on).
No workaround or patch available at time of publishing. Currently we are not aware of any exploits for these vulnerabilities. | Hired Team: Trial Format String | Low/High (High if arbitrary code can be executed) | SecurityTracker Alert ID, 1012238, November 15, 2004 |
Hotfoon 4.0 | A vulnerability exists that could allow a remote malicious user on the Hotfoon chat feature to send an arbitrary URL to the target user to cause the target user's Hotfoon application to open the link without first asking or alerting the target user. No solution is available at this time. A Proof of Concept exploit has been published. | Hotfoon Dialer Chat Open Arbitrary URLs | Medium | SecurityTracker Alert ID, 1012188, November 11, 2004 |
StarForce Professional 3.0 | A vulnerability exists in the drivers that may permit a local user to obtain elevated privileges. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Protection Technology StarForce Professional Elevated Privileges | Medium | SecurityTracker Alert ID, 1012206, November 12, 2004 |
unarj 2.x | An input validation vulnerability was reported in unarj, which could permit a remote user to create a malicious archive that, when expanded by a target user, will write or overwrite arbitrary files on the target user's system. Fedora: http://download.fedora.redhat.com/pub/fedora/ A Proof of Concept exploit has been published. | Unarj Input Validation | High | SecurityTracker Alert ID, 1011610, October 11, 2004 Fedora Update Notification, |
Secure Network Messenger 1.4.2 and prior versions | A vulnerability exists which could permit a remote user to cause the application to crash. A remote user can connect to the target system on port 6144 and send 10 or more carriage return characters, then disconnect, then connect again and send a carriage return to cause the target service to crash. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | SecureAction Research Secure Network Messenger Denial of Service | Low | SecurityTracker Alert ID, 1012214, November 12, 2004 |
Skype for Windows 1.0.*.95 through 1.0.*.98 | A vulnerability exists which can be exploited by malicious people to execute arbitrary code. The vulnerability is caused due to a boundary error within the handling of command line arguments. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into visiting a malicious web site, which passes an overly long string (more than 4096 bytes) to the 'callto:' URI handler. Update to version 1.0.0.100: http://www.skype.com/products/skype/windows/ Currently we are not aware of any exploits for this vulnerability. | Skype 'callto:' URI Handler Buffer Overflow | High | Secunia Advisory ID, SA13191, November 15, 2004 |
04WebServer 1.42 | Multiple vulnerabilities exist that could allow a remote malicious user to inject arbitrary characters into the log file, conduct Cross-Site Scripting attacks, or cause a Denial of Service. The default 404 Not Found response (Response_default.html) does not properly filter HTML code before displaying the originally requested URL. A remote malicious user can also inject arbitrary characters into the log file or request a MS-DOS device name to prevent the server from restarting properly. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Soft3304 04WebServer Input Validation Vulnerabilities | Low/High (High if arbitrary code can be executed) | SIG^2 Vulnerability Research Advisory, November 11, 2004 |
Army Men RTS 1.x | A format string vulnerability exists which could let a remote malicious user cause a Denial of Service or execute arbitrary code. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Army Men RTS Format String | Low/High (High if arbitrary code can be executed) | Secunia Advisory, SA13186, November 15, 2004 |
Spy Sweeper Enterprise 1.5.1.3698 | A vulnerability exists that can be exploited by malicious, local users to disclose sensitive information. The problem is that the administrative password used for overriding settings from client systems is stored in clear text in a location in the registry, which is readable by all users. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | Spy Sweeper Enterprise Password Disclosure | Medium | Secunia Advisory ID, SA13198, November 15, 2004 |
SlimFTPd 3.15 and prior | A buffer overflow vulnerability exists in SlimFTPd which could allow a remote authenticated malicious user to execute arbitrary code on the target system. A remote authenticated user, including an anonymous user, can supply a specially crafted command (e.g., CWD, STOR, MKD, STAT) to trigger a buffer overflow. The vendor has issued a fixed version (3.16), available at: http://www.whitsoftdev.com/files/slimftpd.zip An exploit script has been published. | WhitSoft Development SlimFTPd FTP Command Buffer Overflow | High | WhitSoft Development Security Alert, November 10, 2004 |
CCProxy 6.0 | A vulnerability exists which could allow the execution of arbitrary code. The vulnerability is caused due to a boundary error within the handling of HTTP requests. This can be exploited to cause a buffer overflow by sending an overly long HTTP GET request. Update to version 6.2: http://www.youngzsoft.net/ccproxy/ An exploit script has been published. | CCProxy HTTP Request Processing Buffer Overflow | High | Secunia Advisory ID, SA13085, November 11, 2004 |
Zinf 2.2.1 | A buffer overflow vulnerability exists when processing malformed playlist files, which could let a remote malicious user obtain unauthorized access. Debian: http://security.debian.org/pool/updates/ An exploit script has been published. | Zinf Malformed Playlist File Remote Buffer Overflow CVE Name: | Medium | Bugtraq, September 24, 2004 Debian Security Advisory, DSA 587-1, November 8, 2004 |
IMsecure and IMsecure Pro prior to 1.5 | A vulnerability exists which can be exploited by malicious people to bypass certain security restrictions. The vulnerability is caused due to a canonicalization error in the Active Link filter, which blocks URLs in IM messages. This can be exploited to bypass the filter by using encoded representations for various characters. Update to version 1.5 or later: Currently we are not aware of any exploits for this vulnerability. | Zone Labs IMsecure Active Link Filter Bypass | Medium | Secunia Advisory I, SA13169, November 11, 2004 |
| UNIX / Linux Operating Systems Only | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name | Risk | Source |
Apache 2.0.35-2.0.52 | A vulnerability exists when the 'SSLCipherSuite' directive is used in a directory or location context to require a restricted set of cipher suites, which could let a remote malicious user bypass security policies and obtain sensitive information. OpenPKG: href="ftp://ftp.openpkg.org/release/">ftp://ftp.openpkg.org/release/ Gentoo:
href="http://security.gentoo.org/glsa/glsa-200410-21.xml"> Slackware: href="ftp://ftp.slackware.com/pub/slackware/">ftp://ftp.slackware.com/pub/slackware/ Conectiva: ftp://atualizacoes.conectiva.com.br/ Mandrake: Fedora: http://download.fedora.redhat.com/pub/fedora RedHat: There is no exploit code required. | Medium | OpenPKG Security Advisory, OpenPKG-SA-2004.044, October 15, 2004 Gentoo Linux Security Advisory, GLSA 200410-21, October 22, 2004 Slackware Security Advisory, SSA:2004-299-01, October 26, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:122, November 2, 2004 Conectiva Linux Security Announcement, CLA-2004:885, November 4, 2004 Fedora Update Notification, RedHat Security Advisory, RHSA-2004:562-11, November 12, 2004 | |
UNARJ 2.62-2.65
| A buffer overflow vulnerability exists due to insufficient bounds checking on user-supplied strings prior to processing, which could let a remote malicious user execute arbitrary code.
Fedora: Currently we are not aware of any exploits for this vulnerability. | ARJ Software UNARJ Remote Buffer Overflow CVE Name: | High | SecurityTracker Alert I,: 1012194, November 11, 2004 |
Cyrus SASL 1.5.24, 1.5.27, 1.5.28, 2.1.9-2.1.18 | Several vulnerabilities exist: a buffer overflow vulnerability exists in 'digestmda5.c,' which could let a remote malicious user execute arbitrary code; and an input validation vulnerability exists in the 'SASL_PATH' environment variable, which could let a malicious user execute arbitrary code. Fedora: Gentoo: http://security.gentoo.org/glsa/glsa-200410-05.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php RedHat: http://rhn.redhat.com/errata/RHSA-2004-546.html Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Debian: http://security.debian.org/pool/updates/ Conectiva: ftp://atualizacoes.conectiva.com.br/ Currently we are not aware of any exploits for these vulnerabilities. | Cyrus SASL Buffer Overflow & Input Validation CVE Name: | High | SecurityTracker Alert ID: 1011568, October 7, 2004 Debian Security Advisories DSA 563-2, 563-3, & 568-1, October 12 , 14, & 16, 2004 Conectiva Linux Security Announcement, CLA-2004:889, November 11, 2004 |
up-imapproxy, 1.2.2 | Multiple vulnerabilities exist: several remote Denial of Service vulnerabilities exist due to the way literal values are processed; and a vulnerability exists because literal value sizes are stored in signed integer format, which could let a remote malicious user on 64-bit systems obtain sensitive information. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for these vulnerabilities. | Up-IMAPProxy Multiple Remote Vulnerabilities | Low/ Medium (Medium if sensitive information can be obtained) | Bugtraq, November 7, 2004 |
FreeRADIUS 0.2-0.5, 0.8, 0.8.1, 0.9-0.9.3. 1.0 | A remote Denial of Service vulnerability exists in 'radius.c' and 'eap_tls.c' due to a failure to handle malformed packets. Upgrades available at: Gentoo: http://security.gentoo.org/glsa/glsa-200409-29.xml Fedora: http://download.fedora.redhat.com/pub/ RedHat: http://rhn.redhat.com/errata/ There is no exploit code required. | FreeRADIUS Access-Request Denial of Service CVE Names: | Low | Gentoo Linux Security Advisory, GLSA 200409-29, September 22, 2004 US-CERT Vulnerability Note VU#541574, October 11, 2004 Fedora Update Notification, RedHat Security Advisory, RHSA-2004:609-06, November 12, 2004 |
gdlib 2.0.23, 2.0.26-2.0.28 | A vulnerability exists in the 'gdImageCreateFromPngCtx()' function when processing PNG images due to insufficient sanity checking on size values, which could let a remote malicious user execute arbitrary code.
OpenPKG: ftp://ftp.openpkg.org/release/ Ubuntu: Gentoo: Debian: Fedora: http://download.fedora.redhat.com/pub/ An exploit script has been published. | GD Graphics Library Remote Integer Overflow CVE Name: | High | Secunia Advisory, Gentoo Linux Security Advisory, GLSA 200411-08, November 3, 2004 Ubuntu Security Notice, USN-21-1, November 9, 2004 Debian Security Advisories, DSA 589-1 & 591-1, November 9, 2004 Fedora Update Notifications, |
glibc 2.0-2.0.6, 2.1, 2.1.1 -6, 2.1.1, 2.1.2, 2.1.3 -10, 2.1.3, 2.1.9 & greater, 2.2-2.2.5, 2.3-2.3.4, 2.3.10 | A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files. Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/">ftp://ftp.trustix.org/pub/trustix/updates/ Gentoo: href="http://security.gentoo.org/glsa/glsa-200410-19.xml">http://security.gentoo.org/glsa/glsa-200410-19.xml Ubuntu: http://security.ubuntu.com/ubuntu/ Fedora: http://download.fedora.redhat.com/pub/ There is no exploit code required. | Medium | Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004 Gentoo Linux Security Advisory, GLSA 200410-19, October 21, 2004 Ubuntu Security Notice, USN-4-1 October 27, 2004 Fedora Update Notification, | |
jwhois 3.2.2 | A double free vulnerability exists when an attempt is made to process whois requests that result in more than one redirection, which could possibly let a remote malicious user execute arbitrary code.
Fedora: Currently we are not aware of any exploits for this vulnerability. | JWhois Double Free Memory Corruption | High | Fedora Update Notification, FEDORA-2004-406, November 11, 2004 |
| GNU
GNATS 3.0 02, 3.2, 3.14 b, 3.113 .1_6, 3.113, 3.113.1, 4.0 | A format string vulnerability exists in ‘misc.c,’ which could let a malicious user execute arbitrary code.
Debian: Currently we are not aware of any exploits for this vulnerability. | GNU GNATS Format String | High | Zone-h Security Advisory, ZH2004-11SA, June 25, 2004 Debian Security Advisory, DSA 590- , November 9, 2004 |
OpenSkat 1.1-1.9, 2.0 | A weak encryption key generation vulnerability exists due to a design error, which could let a remote malicious user obtain sensitive information.
Upgrades available at: Currently we are not aware of any exploits for this vulnerability. | Heiko Stamer OpenSkat Weak Encryption Key Generation | Medium | SecurityTracker Alert ID, 1012181, November 11, 2004 |
Zip 2.3 | A buffer overflow vulnerability exists due to a boundary error when doing recursive compression of directories with 'zip,' which could let a remote malicious user execute arbitrary code.
Ubuntu: Fedora: http://download.fedora.redhat.com/pub Gentoo: http://security.gentoo.org/glsa/ Currently we are not aware of any exploits for this vulnerability. | Info-ZIP Zip Remote Recursive Directory Compression Buffer Overflow CVE Name: | High | Bugtraq, November 3, 2004 Ubuntu Security Notice, USN-18-1, November 5, 2004 Fedora Update Notification, Gentoo Linux Security Advisory, GLSA 200411-16, November 9, 2004 |
Media Player 0.4.2, 0.4.3 b, 0.4.3, 0.5 rc1 | A buffer overflow vulnerability exists in the processing of Content-Type headers in the 'http_open()' function in 'http.c' due to insufficient boundary checks on user-supplied strings prior to copying them into finite stack-based buffers, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Gentoo: A Proof of Concept exploit has been published. | Kaffeine Media Player Remote Buffer Overflow | Low/High (High if arbitrary code can be executed) | Securiteam, October 26, 2004 Gentoo Linux Security Advisory, GLSA 200411-14:01, November 7, 2004 |
LibTIFF 3.6.1 | Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code. Debian: Gentoo: Fedora:
href="http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/">http://download.fedora.redhat.com/pub/fedora/ OpenPKG: Trustix: href="ftp://ftp.trustix.org/pub/trustix/updates/">ftp://ftp.trustix.org/pub/trustix/updates/ Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/ RedHat: href="http://rhn.redhat.com/errata/RHSA-2004-577.html">http://rhn.redhat.com/errata/RHSA-2004-577.html Slackware: Conectiva: ftp://atualizacoes.conectiva.com.br/ Proofs of Concept exploits have been published. | LibTIFF Buffer Overflows CVE Name: | Low/High (High if arbitrary code can be execute) | Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004 Fedora Update Notification, OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004 Debian Security Advisory, DSA 567-1, October 15, 2004 Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:109 & MDKSA-2004:111, October 20 & 21, 2004 SuSE Security Announcement, SUSE-SA:2004:038, October 22, 2004 RedHat Security Advisory, RHSA-2004:577-16, October 22, 2004 Slackware Security Advisory, SSA:2004-305-02, November 1, 2004 Conectiva Linux Security Announcement, CLA-2004:888, November 8, 2004 |
GD Graphics Library gdlib 1.8.4, 2.0.1, 2.0.20-2.0.23, 2.0.26-2.0.28 | Multiple buffer overflow vulnerabilities exist due to insufficient bounds checking prior to processing user-supplied strings, which could let ak remote malicious user execute arbitrary code. Fedora: Ubuntu: Currently we are not aware of any exploits for these vulnerabilities. | GD Graphics Library Multiple Remote Buffer Overflows CVE Name: | High | SecurityTracker, 1012195, November 11, 2004 |
Gentoo Linux;
| A remote Denial of Service vulnerability exists in 'ms_fnmatch()' function due to insufficient input validation. Patch available at: Gentoo: Mandrake: href="http://www.mandrakesecure.net/en/ftp.php">http://www.mandrakesecure.net/en/ftp.php SuSE: ftp://ftp.suse.com/pub/suse/i386/update/ Ubuntu: There is no exploit code required. | Samba Remote Wild Card Denial of Service CVE Name: | Low | SecurityFocus, November 15, 2004 |
Angus Mackay ez-ipupdate 3.0.11 b8, 3.0.11 b5; | A format string vulnerability exists in the 'show_message()' function, which could let a remote malicious user execute arbitrary code. Debian: Gentoo: http://security.gentoo.org/glsa/glsa-200411-20.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php SuSE: Currently we are not aware of any exploits for this vulnerability. | EZ-IPupdate Remote Format String CVE Name: | High | Securiteam, November 15, 2004 |
Davfs Davfs2 0.2 .0-0.2.2; | A vulnerability exists in WEB-DAV Linux File System (dav2fs) because temporary .pid files are creates insecurely, which could let a malicious user obtain elevated privileges. Davfs: Gentoo: There is no exploit code required. | Davfs2 Insecure Temporary File Creation | Medium | Secunia Advisory, SA13184, November 12, 2004 |
Debian Linux 3.0, sparc, s/390, ppc, mipsel, mips, m68k, ia-64, ia-32, hppa, arm, alpha; | Several integer overflow vulnerabilities exist in 'pdftops/Catalog.cc' and 'pdftops/XRef.cc,' which could let a remote malicious user execute arbitrary code. Debian: Fedora: Gentoo: href="http://security.gentoo.org/glsa/glsa-200410-20.xml">http://security.gentoo.org/glsa/glsa-200410-20.xml KDE: Mandrake:
href="http://www.mandrakesecure.net/en/ftp.php"> Ubuntu:
href="http://security.ubuntu.com/ubuntu/pool/main/c/cupsys/"> Conectiva: ftp://atualizacoes.conectiva.com.br/ Currently we are not aware of any exploits for these vulnerabilities.
| High | SecurityTracker Alert ID, 1011865, October 21, 2004 Conectiva Linux Security Announcement, CLA-2004:886, November 8, 2004 | |
Gentoo Linux; | A vulnerability exists due a failure to verify the existence of a file before writing to it, which could let a malicious user overwrite arbitrary files with the privileges of the user running the utility.
Upgrades available at: Gentoo: There is no exploit code required. | MTink Insecure Temporary File Creation | Medium | SecurityFocus, November 9, 2004 |
Linux Kernel 2.4-2.4.27, 2.6-2.6.8 | Multiple vulnerabilities exist due to various errors in the 'load_elf_binary' function of the 'binfmt_elf.c' file, which could let a malicious user obtain elevated privileges and potentially execute arbitrary code.
Patch available at: Proofs of Concept exploit scripts have been published. | Linux Kernel BINFMT_ELF Loader Multiple Vulnerabilities | Medium/ High (High if arbitrary code can be executed) | Bugtraq, November 11, 2004 |
LVM Logical Volume Management Utilities 1.0.4, 1.0.7, 1.0.8 | A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.
Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Ubuntu: Debian: Gentoo: There is no exploit code required. | Trustix LVM Utilities Insecure Temporary File Creation CVE Name: | Medium | Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004 Ubuntu Security Notice, USN-15-1, November 1, 2004 Debian Security Advisory, DSA 583-1, November 3, 2004 Gentoo Linux Security Advisory, GLSA 200411-22, November 11, 2004 |
OpenBSD 3.4, 3.5; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux Enterprise Server 9, 8; | Multiple vulnerabilities exist: a stack overflow vulnerability exists in 'xpmParseColors()' in 'parse.c' when a specially crafted XPMv1 and XPMv2/3 file is submitted, which could let a remote malicious user execute arbitrary code; a stack overflow vulnerability exists in the 'ParseAndPutPixels()' function in -create.c' when reading pixel values, which could let a remote malicious user execute arbitrary code; and an integer overflow vulnerability exists in the colorTable allocation in 'xpmParseColors()' in 'parse.c,' which could let a remote malicious user execute arbitrary code. Debian: href="http://security.debian.org/pool/updates/main/i/imlib/">http://security.debian.org/pool/updates/main/i/imlib/ Mandrake:
href="http://www.mandrakesecure.net/en/ftp.php" OpenBSD: SuSE: href="ftp://ftp.suse.com/pub/suse/">ftp://ftp.suse.com/pub/suse/ X.org: http://x.org/X11R6.8.1/ Gentoo: href="http://security.gentoo.org/glsa/glsa-200409-34.xml">http://security.gentoo.org/glsa/glsa-200409-34.xml IBM: href="http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp">http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp RedHat: href="http://rhn.redhat.com/errata/RHSA-2004-478.html">http://rhn.redhat.com/errata/RHSA-2004-478.html Avaya:
href="http://support.avaya.com/japple/css/japple?temp.groupID=128450&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=203389&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate()">http://support.avaya.com/japple/css/japple? Sun:
href="http://sunsolve.sun.com/search/document.do?assetkey=1-26-57652-1&searchclause=">http://sunsolve.sun.com/search/document.do Mandrake: HP: Proofs of Concept exploits have been published. | High | X.Org Foundation Security Advisory, September 16, 2004 US-CERT Vulnerability Notes, VU#537878 & VU#882750, September 30, 2004 SecurityFocus, October 4, 2004 SecurityFocus, October 18, 2004 Sun(sm) Alert Notification, 5765, October 18, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:124, November 2, 2004 HP Security Bulletin, HPSBTU01093 , November 11, 2004 | |
OpenSSL 0.9.6, 0.9.6 a-0.9.6 m, 0.9.7c | A vulnerability exists due to the insecure creation of temporary files, which could possibly let a malicious user overwrite arbitrary files.
Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Gentoo: Ubuntu: There is no exploit code required. | OpenSSL CVE Name: | Medium | Trustix Secure Linux Bugfix Advisory, TSL-2004-0050, September 30, 2004 Gentoo Linux Security Advisory, GLSA 200411-15, November 8, 2004 Ubuntu Security Notice, USN-24-1, November 11, 2004 |
phpBB 2.0.0-2.0.10 | A vulnerability exists in the 'urldecode' function due to insufficient input validation, which could let a remote malicious user execute arbitrary PHP script.
No workaround or patch available at time of publishing. There is no exploit code required. | PHPBB Remote URLDecode Input Validation | High | Bugtraq, November 13, 2004 |
zgv Image Viewer 5.5 | Several vulnerabilities exist due to various integer overflows when processing images, which could let a remote malicious user execute arbitrary code. Gentoo: Currently we are not aware of any exploits for these vulnerabilities. | ZGV Image Viewer Multiple Remote Integer Overflow | High | Bugtraq, October 26, 2004 Gentoo Linux Security Advisory, GLSA 200411-12:01, November 7, 2004 |
Samhain 1.8.9, 2.0.1
| Several vulnerabilities exist: a buffer overflow vulnerability exists when in 'update' mode in the 'sh_hash_compdata()' function, which could let a malicious user execute arbitrary code; and a vulnerability exists in the 'sh_hash_compdata()' function due to a potential null pointer dereference, which could let a malicious user execute arbitrary code. Upgrades available at: Currently we are not aware of any exploits for these vulnerabilities. | samhain sh_hash_compdata() Buffer Overflows | High | SecurityTracker Alert ID, 1012142, November 9, 2004 |
USB Driver 1.0, 1.1, 1.2 , beta1-beta3, 1.3 | A format string vulnerability exists because the 'modem_run,' 'pppoa2,' and 'pppoa3' functions make an unsafe 'syslog()' call due to insufficient sanitization, which could let a malicious user execute arbitrary code. Upgrades available at: Gentoo: http://security.gentoo.org/glsa/glsa-200411-04.xml Mandrake:
href="http://www.mandrakesecure.net/en/ftp.php"> Currently we are not aware of any exploits for this vulnerability. | High | SecurityFocus, October 21, 2004 Gentoo Linux Security Advisory, GLSA 200411-04, November 2, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:130, November 11, 2004 | |
Postfix Greylisting Service 1.1.1, 1.1.3 | A vulnerability exists due to insufficient sanitization of sender and recipient emails before being used in a SQL query, which could let a remote malicious user manipulate SQL queries.
Upgrade available at: There is no exploit code required. | SQLgrey Postfix Greylisting Service SQL Injection | Medium | Secunia Advisory, SA13135, November 9, 2004 |
iPlanet Messaging Server 5.2; | A vulnerability exists in the webmail functionality when processing emails, which could let a remote malicious user obtain unauthorized access. Patches available at: Currently we are not aware of any exploits for this vulnerability. | Sun One/IPlanet Messaging Server Webmail Hijack | Medium | Sun(sm) Alert Notification, 57665, November 8, 2004 |
Java 2 Runtime Environment 1.4.2, 1.5 | A remote Denial of Service vulnerability exists in the 'InitialDirContext' environment variable due to a failure to keep track of DNS requests. No workaround or patch available at time of publishing. There is no exploit code required. | Sun Java Runtime Environment InitialDirContext Remote Denial of Service | Low | iKu Advisory, November 8, 2004 |
Technote
| A vulnerability exists in the 'main.cgi' script due to insufficient validation of user-supplied input in the 'filename' parameter, which could let a remote malicious user execute arbitrary commands.
No workaround or patch available at time of publishing. An exploit script has been published. | Technote 'main.cgi' Input Validation | High | SecurityTracker Alert I,: 1012117, November 8, 2004 PacketStorm, November 13, 2004 |
BNC 2.2.4, 2.4.6, 2.4.8, 2.6, 2.6.2, 2.8.8, 2.8.9 | A buffer overflow vulnerability exists in ' getnickuserhost' when a malformed IRC server response is handled by the proxy, which could let a remote malicious user execute arbitrary code.
Upgrades available at: Currently we are not aware of any exploits for this vulnerability. | BNC Remote Buffer Overflow | High | LSS Security Advisory #LSS-2004-11-3, November 10, 2004 |
BNC 2.2.4, 2.4.6, 2.4.8, 2.6, 2.6.2, 2.8.8, 2.8.9, 2.9 .0 | A vulnerability exists due to code modifications after the recent release (BNC 2.9.0), which could let a malicious user bypass authentication.
Upgrades available at: There is no exploit code required.
| BNC IRC Server Proxy Authentication Bypass | Medium | SecurityFocus, November 10, 2004 |
Fcron 2.x | Multiple vulnerabilities exist: a vulnerability exists in the 'fcronsighup' utility due to a design error, which could let a malicious user obtain sensitive information; a vulnerability exists because the 'fcronsighup' utility can bypass access restrictions, which could let a malicious user supply arbitrary configuration settings; an input validation vulnerability exists in the 'fcronsighup' utility, which could let a malicious user delete arbitrary files; and a vulnerability exists because a malicious user can view the contents of the 'fcron.allow' and 'fcron.deny' files due to a file descriptor leak. Update available at: http://fcron.free.fr/download.php Currently we are not aware of any exploits for these vulnerabilities. | Thibault Godouet Fcron Multiple Vulnerabilities CVE Names: | Medium | iDEFENSE Security Advisory, November 15, 2004 |
Sudo 1.5.6-1.5.9, 1.6-1.6.8 | A vulnerability exists due to an error in the environment cleaning, which could let a malicious user execute arbitrary commands. Patch available at: There is no exploit code required. | Sudo Restricted Command Execution Bypass | High | Secunia Advisory, SA13199, November 15, 2004 |
TWiki 20030201 | A vulnerability exists in 'Search.pn' due to an input validation error when handling search requests, which could let a remote malicious user execute arbitrary commands. Hotfix available at: There is no exploit code required; however, a Proof of Concept exploit has been published. | TWiki Search Shell Metacharacter Remote Arbitrary Command Execution | High | Securiteam, November 15, 2004 |
Libxml2 2.6.12-2.6.14 | Multiple buffer overflow vulnerabilities exist: a vulnerability exists in the 'xmlNanoFTPScanURL()' function in 'nanoftp.c' due to a boundary error, which could let a remote malicious user execute arbitrary code; a vulnerability exists in the 'xmlNanoFTPScanProxy()' function in 'nanoftp.c,' which could let a remote malicious user execute arbitrary code; and a vulnerability exists in the handling of DNS replies due to various boundary errors, which could let a remote malicious user execute arbitrary code. Upgrades available at: OpenPKG: Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Fedora: http://download.fedora.redhat.com/pub/ Gentoo: Mandrake: OpenPKG: ftp://ftp.openpkg.org/release/ Trustix: Ubuntu: RedHat: An exploit script has been published. | Libxml2 Multiple Remote Stack Buffer Overflows CVE Name: | High | SecurityTracker Alert I, : 1011941, October 28, 2004 Fedora Update Notification, Gentoo Linux Security Advisory, GLSA 200411-05, November 2,2 004 Mandrakelinux Security Update Advisory, MDKSA-2004:127, November 4, 2004 OpenPKG Security Advisory, OpenPKG-SA-2004.050, November 1, 2004 Trustix Secure Linux Security Advisory, TSLSA-2004-0055, November 1, 2004 Ubuntu Security Notice, USN-10-1, November 1, 2004 RedHat Security Advisory, RHSA-2004:615-11, November 12, 2004 |
Ruby 1.6, 1.8 | A vulnerability exists in the CGI session management component due to the way temporary files are processed, which could let a malicious user obtain elevated privileges. Upgrades available at: Gentoo: http://security.gentoo.org/glsa/glsa-200409-08.xml RedHat: http://rhn.redhat.com/errata/RHSA-2004-441.html Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ Fedora: http://download.fedora.redhat.com/pub/ Mandrake:
href="http://www.mandrakesecure.net/en/ftp.php"> Currently we are not aware of any exploits for this vulnerability. | Ruby CGI Session Management Unsafe Temporary File CVE Name: | Medium | Debian Security Advisory, DSA 537-1, August 16, 2004 Gentoo Linux Security Advisory, GLSA 200409-08, September 3, 2004 RedHat Security Advisory, RHSA-2004:441-18, September 30, 2004 Fedora Update Notification, Mandrakelinux Security Update Advisory, MDKSA-2004:128, November 8, 2004 Fedora Update Notification, |
Ruby 1.8.x | A remote Denial of Service vulnerability exists due to an input validation error in 'cgi.rb.' Debian: http://security.debian.org/pool/updates/main/r/ruby Mandrake: Ubuntu: http://security.ubuntu.com/ubuntu/ Fedora: http://download.fedora.redhat.com/ Currently we are not aware of any exploits for this vulnerability. | Ruby Infinite Loop Remote Denial of Service CVE Name: | Low | Secunia Advisory, Ubuntu Security Notice, USN-20-1, November 9, 2004 Fedora Update Notification, |
| Multiple Operating Systems - Windows / UNIX / Linux / Other | ||||
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name | Risk | Source |
SpeedTouch Pro With Firewall ADSL Router | A DNS poisoning vulnerability exists, which could let a remote malicious user spoof addresses, carry out man-in-the-middle attacks, and trigger potential Denial of Service conditions. No workaround or patch available at time of publishing. An exploit script is not required. | Alcatel Speed Touch Pro With Firewall ADSL Router DNS Poisoning | Low/ Medium (Low if a DoS) | Bugtraq, November 12, 2004 |
2650 Multiservice Platform, 2650XM Multiservice Platform, 2651 Multiservice Platform, 2651XM Multiservice Platform, | A remote Denial of Service vulnerability exists when a malicious user submits specially crafted DHCP packets that will remain in the queue.
Updates and workarounds available at: An exploit script is not required. | Cisco IOS DHCP Input Queue Blocking Remote Denial of Service | Low | Cisco Security Advisory, 63312, November 10, 2004 US-CERT Vulnerability Note VU#630104, November 11, 2004 Technical Cyber Security Alert ,TA04-316A, November 11, 2004 |
WebCalendar 0.9.8, 0.9.11, 0.9.15, 0.9.16, 0.9.19-0.9.44 | Multiple vulnerabilities exist: a Cross-Site Scripting vulnerability exists due to insufficient sanitization of input passed to some parameters in various scripts, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists in 'login.php' because input passed to the 'return_path' parameter can inject malicious characters into HTTP headers, which could let a remote malicious user execute arbitrary HTML and script code and perform web cache poisoning; a vulnerability exists in 'init.php' due to insufficient verification of input passed to the 'user_inc' parameter, which could let a remote malicious user include arbitrary files from local resources; a vulnerability exists in 'upcoming.php' because some internal variables in 'view_entry.php' can be overwritten by external parameters, which could let a remote malicious user bypass security restrictions; and a vulnerability exists in 'validate.php' when accessed with an empty 'encoded_login' parameter, which could let a remote malicious user obtain sensitive information.
No workaround or patch available at time of publishing. Proofs of Concept exploits have been published. | Craig Knudsen WebCalendar Multiple Remote Vulnerabilities | Medium/ High (High if arbitrary code can be executed) | Bugtraq, November 9, 2004 |
chacmool Private Message System 1.1.3 | Several vulnerabilities exist in the Private Messaging System (PMS) 3rd party add-on for punBB, which could let a remote malicious user obtain sensitive information and execute arbitrary code.
No workaround or patch available at time of publishing. An exploit script is not required; however, a Proof of Concept exploit has been published. | David Djurback Chacmool Private Message System Multiple Vulnerabilities | Medium/ High (High if arbitrary code can be executed) | SecurityTracker Alert ID, 1012215, November 12, 2004 |
DUgallery | A vulnerability exists which could let a remote malicious user download the database and obtain the administrative password. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | DUgallery Database Disclosure | High | SecurityTracker Alert ID, 1012201, November 12, 2004 |
Aztek Forum 4.0 | Cross-Site Scripting vulnerabilities exist in 'forum_2.php' in the 'return' and 'title' variables, in the 'search' parameter in 'search.php,' and the 'email' parameter in 'subscribe.php' due to insufficient input sanitization, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing. An exploit script is not required; however, a Proof of Concept exploit has been published. | Aztek Forum Multiple Cross-Site Scripting | High | SecurityTracker Alert ID, 1012213, November 12, 2004 |
Mantis prior to 0.19.1 | Several vulnerabilities exist: a vulnerability exists in the 'All Projects' summary, which could let a remote malicious user obtain sensitive information; and a vulnerability exists because it is possible to monitor filed bugs even when you have been removed from the project, which could let a remote malicious user obtain sensitive information. Update available at: There is no exploit code required. | Mantis Access Control Information Disclosure | Medium | SecurityFocus, November 8, 2004 |
Thefacebook | Multiple Cross-Site Scripting vulnerabilities exists due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing. An exploit script is not required; however, Proofs of Concept exploits have been published. | Mark Zuckerberg Thefacebook Multiple Cross-Site Scripting | High | Bugtraq, November 13, 2004 |
miniBB prior to 1.7f | A vulnerability exists in the 'index.php' script due to insufficient validation of the 'user' parameter, which could let a remote malicious user obtain sensitive information.
Update available at: A Proof of Concept exploit has been published. | miniBB 'user' Parameter Input Validation | Medium | SecurityTracker Alert ID, 1012164, November 16, 2004 |
Firefox 0.8, 0.9-0.9.3, 0.10, 0.10.1 | Multiple vulnerabilities exist: a vulnerability exists because web sites may include images from local resources, which could let a malicious user obtain sensitive information, cause a Denial of Service, and potentially steal passwords from Windows systems; a vulnerability exists in the file download dialog box because filenames are truncated, which could let a malicious user spoof downloaded file names; and a vulnerability exists on MacOSx because Firefox is installed with world-writable permissions, which could let a malicious user obtain elevated privileges.
Upgrades available at: An exploit script is not required | Mozilla Firefox Multiple Vulnerabilities | Low/ Medium (Low if a DoS) | Secunia Advisory, SA13144, November 10, 2004 |
Archive::Zip 1.13, | Remote exploitation of an exceptional condition error in multiple vendors' anti-virus software allows malicious users to bypass security protections by evading virus detection. The problem specifically exists in the parsing of .zip archive headers. This vulnerability affects multiple anti-virus vendors including McAfee, Computer Associates, Kaspersky, Sophos, Eset and RAV. Instructions for Computer Associates, Eset, Kaspersky, McAfee, Sophos, and RAV are available at: http://www.idefense.com/application/poi/display?id Gentoo: Mandrakelinux 10.1 and Mandrakelinux 10.1/X86_64: A fix for F-Secure is available at:: Proofs of Concept exploits have been published. | Multiple Vendor Anti-Virus Software Detection Evasion CVE Names:
| High | iDEFENSE Security Advisory, October 18, 2004 Secunia Advisory ID: SA13038, November 1, 2004 SecurityFocus, Bugtraq ID: 11448, November 2, 2004 SecurityTracker Alert ID: 1012057, November 3, 2004 US-CERT Vulnerability Note VU#492545, November 12, 2004 |
Axis Communications 2100 Network Camera 2.0-2.03, 2.12, 2.30-2.34, 2.40, 2.41, 2110 Network Camera 2.12, 2.30-2.32, 2.34, 2.40, 2.41, 2120 Network Camera 2.12, 2.30-2.32, 2.34, 2.40, 2.41, 2400+ Video Server 3.11, 3.12, 2401 Video Server 3.12, 2420 Network Camera 2.12, 2.30-2.34, 2.40, 2.41, 2460 Digital Video Recorder 3.12; | A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted DNS response that contains a spoofed source address.
Axis: DNRD: Don Moore: Posadis: Currently we are not aware of any exploits for this vulnerability.
| Multiple Vendor DNS Remote Denial of Service CVE Name: | Low | SecurityFocus, November 9, 2004 |
Eudora Qpopper 3.1.2; Ipswitch IMail 6.0.6; ProFTPD Project ProFTPD 1.2-1.2.9; RhinoSoft Serv-U 3.0; | A vulnerability exists due to a server response splitting weakness, which could let a remote malicious user have attacker-specified data echoed back to the computer that the request originated from.
No workaround or patch available at time of publishing. An exploit script is not required. | Multiple Vendor Server Response Filtering | Medium | SecurityFocus, November 10, 2004 |
Gentoo Linux; | Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the digest authentication handler due to some boundary errors which could let a remote malicious user execute arbitrary code; a buffer overflow vulnerability exists when processing HTTP header information, which could let a remote malicious user execute arbitrary code; and several buffer overflow vulnerabilities exists due to unspecified boundary errors, which could let a remote malicious user execute arbitrary code. Update available at: Gentoo: Currently we are not aware of any exploits for these vulnerabilities. | Pavuk Multiple Remote Buffer Overflows CVE Name: | High | SecurityTracker Alert ID, 1012131, November 8, 2004 |
Microsoft Internet Explorer 6.0, SP1&SP2; Mozilla Firefox 0.8, 0.9 rc, 0.9-0.9.3, 0.10, 0.10.1; | Multiple vulnerabilities exist in the image handling functionality through the <IMG> tag, which could let a remote malicious user cause a Denial of Service, and obtain sensitive information. Mozilla: A Proof of Concept exploit has been published. | Multiple Browser IMG Tag Multiple Vulnerabilities | Low/ Medium (Medium if sensitive information can be obtained) | SecurityFocus, November 10, 2004 |
DG834 ADSL Firewall Router | Multiple vulnerabilities exist: a remote Denial of Service vulnerability exists due to an error in the connection handling for the administrative web interface; and a vulnerability exists in the content filtering functionality, which could let a remote malicious user bypass access restrictions. No workaround or patch available at time of publishing. There is no exploit code required. | Netgear DG834 ADSL Firewall Router Multiple Vulnerabilities | Low/ Medium (Medium if access restrictions can by bypassed) | Secunia Advisory, SA13138, November 9, 2004 |
Nucleus CMS 3.1 | Multiple vulnerabilities exist: a vulnerability exists due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code; and a vulnerability exists due to insufficient sanitization of user-supplied input before being used in a SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing. Currently we are not aware of any exploits for these vulnerabilities. | Nucleus CMS Multiple Input Validation | High | Positive Technologies Advisory, November 8, 2004 |
NuKed-KlaN | A Cross-Site Scripting vulnerability exists due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | NuKed-KlaN Cross-Site Scripting | High | SecurityTracker Alert ID, 1012237, November 15, 2004 |
GFHost 0.2 | Multiple Cross-Site Scripting vulnerabilities exist in the 'label.php' and 'dl.php' scripts due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. An exploit script is not required; however, Proofs of Concept exploits have been published. | Pablo Hernandez GFHost Cross-Site Scripting & Server-Side Script Execution | High | SecurityTracker Alert ID, 1012112, November 8, 2004 |
AudienceConnect RemoteEditor prior to 0.1.6 | A vulnerability exists in the IP address-access control feature, which could let a remote malicious user obtain unauthorized access. Update available at: Currently we are not aware of any exploits for this vulnerability. | AudienceConnect RemoteEditor Unauthorized Access | Medium | SecurityTracker Alert ID:,1012148, November 9,2 004 |
AudienceConnect RemoteEditor prior to 0.1.1 | A vulnerability exists when a remote malicious user submits a form with content that exceeds the CONTENT_MAX value. The impact was not specified. Update available at: Currently we are not aware of any exploits for this vulnerability. | AudienceConnect RemoteEditor Oversized Submission | Not Specified | SecurityTracker Alert, 1012147, November 9, 2004 |
Phorum 5.0.3 BETA, 5.0.7 BETA, 5.0.9-5.0.12 | An input validation vulnerability exists in 'follow.php' due to insufficient validation of user-supplied input in the 'forum_id' parameter, which could let a remote malicious user execute arbitrary SQL commands. Upgrades available at: A Proof of Concept exploit script has been published. | Phorum 'follow.php' Input Validation | High | waraxe-2004-SA#037 Advisory, November 12, 2004 |
phpWebsite 0.7.3, 0.8.2, 0.8.3, 0.9.3, -1-4 | A vulnerability exists in the 'index.php' script due to insufficient validation of user-supplied input in several parameters, which could let a remote malicious user execute arbitrary HTML and script code.
Patches available at: An exploit script is not required; however, a Proof of Concept exploit has been published. | phpWebSite HTTP Response Splitting | High | Secunia Advisory, SA13172, November 12, 2004 |
PowerPortal 1.3 | A vulnerability exists in the 'index.php' script due to insufficient validation of the 'index_page' variable, which could let a remote malicious user execute arbitrary SQL commands. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | PowerPortal 'index_page' Input Validation | High | SecurityTracker Alert ID, 1012227, November 14,2004 |
PvPGN 1.6.0-1.6.6 | A buffer overflow vulnerability exists due to insufficient boundary checks performed on 'gamereport' packets, which could let a remote malicious user execute arbitrary code.
Update available at: Currently we are not aware of any exploits for this vulnerability. | PvPGN GameReport Packet Handler Remote Buffer Overflow | High | SecurityFocus, November 9, 2004 |
JAF CMS 1.0, 1.5, 2.0, 2.0.5, 2.1 .0, 2.5, 3.0 RC | A Directory Traversal vulnerability exists in 'config.php' due to insufficient input validation of the 'show' parameter, which could let a remote malicious user obtain sensitive information. Update available at: http://sourceforge.net/project/showfiles.php? There is no exploit code required. | JAF CMS Directory Traversal | Medium | SecurityTracker Alert ID: 1012128, November 8, 2004 |
Samba 3.0 - 3.0.7 | A buffer overflow vulnerability exists in the 'QFILEPATHINFO' request handler when constructing 'TRANSACT2_QFILEPATHINFO' responses, which could let a remote malicious user execute arbitrary code. Update available at: http://www.samba.org/samba/download/ Currently we are not aware of any exploits for this vulnerability. | Samba 'QFILEPATHINFO' Buffer Overflow CVE Name: | High | e-matters GmbH Security Advisory, November 14, 2004 |
SquirrelMail 1.x | A Cross-Site Scripting vulnerability exists in the 'decodeHeader()' function in 'mime.php' when processing encoded text in headers due to insufficient input validation, which could let a remote malicious user execute arbitrary HTML and script code. Patch available at: An exploit script is not required. | SquirrelMail Cross-Site Scripting | High | Secunia Advisory, SA13155, November 11, 2004 |
Speed Touch Pro ADSL | A vulnerability exists in the modem line, which could let a remote malicious user poison DNS entries via DHCP.
No workaround or patch available at time of publishing. Currently we are not aware of any exploits for this vulnerability. | Thomson Speed Touch Pro ADSL Remote DNS Modification | Medium | SecurityTracker Alert ID, 1012221, November 13, 2004 |
VBulletin 3.0.1-3.0.3 | An input validation vulnerability exists in 'last.php' due to insufficient validation of user-supplied input in the 'fsel' parameter, which could let a remote malicious user execute arbitrary code. Note: The script is a 3rd party product and is not part of the vBulletin product. No workaround or patch available at time of publishing. A Proof of Concept exploit has been published. | VBulletin 'last.php' Input Validation | High | SecurityTracker Alert ID, 1012197, November 12, 2004 |
YPOPs! 0.x | Several buffer overflow vulnerabilities exist in the POP3 and SMTP services, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Another exploit script has been published. | YPOPs! Buffer Overflows | High | Hat-Squad Advisory, September 27, 2004 PacketStorm, November 12, 2004 |
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script | Script name | Workaround or Patch Available | Script Description |
| November 15, 2004 | NetworkMessengerDOS.pl | No | Perl script that exploits the Secure Network Messenger Remote Denial of Service vulnerability. |
| November 13, 2004 | 101_netn.cpp | No | Script that exploits the AlShare Software NetNote Server Remote Denial of Service vulnerability. |
| November 13, 2004 | CCProxy_exp.c | Yes | Script that exploits the CCProxy HTTP Request Processing Buffer Overflow vulnerability. |
| November 13, 2004 | grams.html | N/A | Full analysis of the Win32.Grams trojan. |
| November 13, 2004 | IMail-8.13-DELETE.pm | No | Exploit script for the Ipswitch IMail Server Delete Command Remote Buffer Overflow vulnerability. |
| November 13, 2004 | lkbackdoor.tar.gz | N/A | Paper that describes how to add a quick backdoor into the setuid code for the Linux 2.4 kernel series. |
| November 13, 2004 | netnote_exp.c | No | Script that exploits the AlShare Software NetNote Server Remote Denial of Service vulnerability. |
| November 13, 2004 | Shadow_Software_Attack.pdf | N/A | Whitepaper written to demonstrate that a shadow software attack is still possible. |
| November 13, 2004 | technote.pl | No | Exploit for the Technote 'main.cgi' Input Validation vulnerability. |
| November 13, 2004 | waraxe-2004-SA037.txt | Yes | Proof of Concept exploit for the Phorum 'follow.php' Input Validation vulnerability. |
| November 12, 2004 | 101_slim.cpp | No | Script that exploits the WhitSoft Development SlimFTPd Remote Buffer Overflow vulnerability. |
| November 12, 2004 | binfmt_elf.txt | Yes | Script that exploits the Linux Kernel BINFMT_ELF Loader vulnerability. |
| November 12, 2004 | HOD-kerio-firewall-DoS-expl.c | Yes | Script that exploits the Kerio Personal Firewall IP Options Denial of Service vulnerability. |
| November 12, 2004 | pop_exp2.py | No | Script that exploits the YPOPs! Buffer Overflows vulnerability. |
| November 12, 2004 | Scan6.zip | N/A | Port scanner for Windows 2k/XP that is functional for both IPv4 and IPv6 networks. Binary, source code, and more information included in the archive. |
| November 12, 2004 | status.htm xcellent.html | No | Exploits for the Microsoft Internet Explorer Flash Content Status Bar Spoofing Weakness vulnerability |
| November 11, 2004 | binfmt_elf_dump.c | Yes | Script that exploits the Linux Kernel BINFMT_ELF Loader vulnerability. |
| November 10, 2004 | 101_mini.cpp | No | Exploit for the MiniShare Buffer Overflow vulnerability. |
| November 10, 2004 | slimFTPDCommandBObyclass101.c | No | Script that exploits the WhitSoft Development SlimFTPd Remote Buffer Overflow vulnerability. |
| November 8, 2004 | IEnumerate.txt | No | Exploit for the Microsoft Internet Explorer 'res:' URI Handler File Identification vulnerability. |
name=trends>Trends
- Security events in the third quarter jumped 150 percent over the same period last year, fueled by more sophisticated hackers writing better code who are more interested in dollars than creating computer disasters, said Internet security firm VeriSign Tuesday. For more information, see
http://www.verisign.com/static/017574.pdf.
name=viruses id="viruses">Viruses/Trojans Top Ten Virus Threats
A list of high threat viruses, as reported to various anti-virus vendors and virus incident reporting organizations, has been ranked and categorized in the table below. For the purposes of collecting and collating data, infections involving multiple systems at a single location are considered a single infection. It is therefore possible that a virus has infected hundreds of machines but has only been counted once. With the number of viruses that appear each month, it is possible that a new virus will become widely distributed before the next edition of this publication. To limit the possibility of infection, readers are reminded to update their anti-virus packages as soon as updates become available. The table lists the viruses by ranking (number of sites affected), common virus name, type of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on number of infections reported since last week), and approximate date first found.
face="Arial, Helvetica, sans-serif">Rank | Common Name | Type of Code |
face="Arial, Helvetica, sans-serif">Trends |
face="Arial, Helvetica, sans-serif">Date |
1 | Netsky-P | Win32 Worm | Stable | March 2004 |
2 | Zafi-B | Win32 Worm | Stable | June 2004 |
3 | Netsky-Z | Win32 Worm | Stable | April 2004 |
4 | Netsky-D | Win32 Worm | Stable | March 2004 |
5 | Bagle-AA | Win32 Worm | Stable | April 2004 |
6 | Netsky-B | Win32 Worm | Stable | February 2004 |
7 | Netsky-Q | Win32 Worm | Stable | March 2004 |
8 | Bagle-Z | Win32 Worm | Stable | April 2004 |
9 | Bagle.AT | Win32 Worm | Stable | October 2004 |
10 | Netsky-C | Win32 Worm | Stable | February 2004 |
10 | Bagle-AI | Win32 Worm | Stable | July 2004 |
Viruses or Trojans Considered to be a High Level of Threat
- Troj/Banker-AJ: Security experts have issued a red alert over a previously undocumented Trojan designed to help criminals break into the accounts of UK internet banking customers. The Banker-AJ Trojan (Troj/Banker-AJ) targets users of online banks including Abbey, Barclays, Egg, HSBC, Lloyds TSB, Nationwide, and NatWest, according to security firm Sophos. Banker-AJ has been coded to lie dormant in the background on infected Windows PCs, waiting for users to visit legitimate online banking websites. Once the user visits one of a number of banking websites the malicious code is triggered into action, capturing passwords and taking screenshots. This information is then relayed to remote hackers who can use it to break into the bank accounts of innocent users and steal money, (Vnunet.com, November 11, 2004).
- Large numbers of Bofra.E@mm and Mydoom.AK@mm worm infections are being reported. They exploit the malformed IFRAME Remote Buffer Overflow Vulnerability in Microsoft Internet Explorer. For more information on this vulnerability see US-CERT Vulnerability Note VU#842160.
The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.
NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.
Last updated
Please share your thoughts
We recently updated our anonymous product survey; we’d welcome your feedback.