The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.
History of vulnerabilities analyzed by Vigil@nce:

weakness note CVE-2005-3448 CVE-2005-3449 CVE-2005-3450

Oracle Application Server: several vulnerabilities of October 2005

Synthesis of the vulnerability

Several vulnerabilities are corrected by the October 2005 CPU.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 6.
Creation date: 19/10/2005.
Identifiers: BID-15134, BID-15146, BID-15163, CVE-2005-3448, CVE-2005-3449, CVE-2005-3450, CVE-2005-3451, CVE-2005-3452, CVE-2005-3453, SNS Advisory No.84, VIGILANCE-VUL-5289, VU#171364, VU#210524, VU#376756, VU#512716.

Description of the vulnerability

The October 2005 CPU (Critical Patch Update) corrects 14 vulnerabilities in Oracle Application Server. The Oracle announcement contains a detailed table, summarized below.

A local attacker can obtain information, change information or conduct a denial of service.

An HTTP attacker can obtain information, change information or conduct a denial of service.

A network attacker can conduct a denial of service.

computer threat announce CVE-2005-3437 CVE-2005-3438 CVE-2005-3439

Oracle Database: several vulnerabilities of October 2005

Synthesis of the vulnerability

Several vulnerabilities are corrected by the October 2005 CPU.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 19/10/2005.
Revision date: 20/10/2005.
Identifiers: BID-15134, CVE-2005-3437, CVE-2005-3438, CVE-2005-3439, CVE-2005-3440, CVE-2005-3441, CVE-2005-3442, CVE-2005-3443, CVE-2005-3444, CVE-2005-3445, CVE-2005-3446, CVE-2005-3447, HPSBMA01235, SSRT051055, VIGILANCE-VUL-5288, VU#210524, VU#449444.

Description of the vulnerability

The October 2005 CPU (Critical Patch Update) corrects 33 vulnerabilities in Oracle Database. The Oracle announcement contains a detailed table, summarized below.

A local attacker can obtain information, change information or conduct a denial of service.

A SQL attacker can obtain information, change information or conduct a denial of service.

An HTTP attacker can obtain information, change information or conduct a denial of service.

A network attacker can obtain information, change information or conduct a denial of service.

vulnerability bulletin CVE-2005-2978

netpbm: memory corruption during PNM to PNG conversion

Synthesis of the vulnerability

When pnmtopng is called on a malicious PNM file, code can be run with the user's rights.
Severity: 1/4.
Creation date: 18/10/2005.
Identifiers: BID-15128, CERTA-2005-AVI-415, CVE-2005-2978, DSA-878-1, MDKSA-2005:199, RHSA-2005:793, RHSA-2005:793-01, SUSE-SR:2005:024, VIGILANCE-VUL-5287.

Description of the vulnerability

The Netpbm graphics utility suite converts data to PNM images.

The pnmtopng tool converts a PNM image to a PNG image. When the -trans option is used, some variables are not initialized, which allows memory to be corrupted.

This vulnerability permits an attacker to execute code on the computer if the user opens a PNM file with pnmtopng.

computer weakness alert CVE-2005-3252

Snort: buffer overflow of Back Orifice preprocessor

Synthesis of the vulnerability

An attacker can send a malicious packet to trigger an overflow in the Back Orifice preprocessor.
Severity: 3/4.
Creation date: 18/10/2005.
Revision dates: 19/10/2005, 20/10/2005, 25/10/2005, 02/11/2005.
Identifiers: 207, BID-15131, CERTA-2005-AVI-408, CVE-2005-3252, SUSE-SR:2005:026, TA05-291A, VIGILANCE-VUL-5286, VU#175500.

Description of the vulnerability

The bo preprocessor of snort detects network traffic used by Back Orifice (VIGILANCE-VUL-87).

When the bo preprocessor analyzes a UDP packet destined for port 31337, an overflow occurs. This malicious packet can be spoofed and sent to a network analyzed by snort.

This overflow leads to a denial of service or to code execution.

computer vulnerability bulletin CVE-2005-3297 CVE-2005-3298

OpenWBEM: several buffer and integer overflows

Synthesis of the vulnerability

An attacker can use several overflows in OpenWBEM in order to run code.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 18/10/2005.
Identifiers: BID-15121, CVE-2005-3297, CVE-2005-3298, SUSE-SA:2005:060, VIGILANCE-VUL-5284.

Description of the vulnerability

The WBEM (Web Based Enterprise Management) standard unifies system administration. OpenWBEM is an implementation of WBEM.

Several integer overflows and buffer overflows were announced in OpenWBEM.

A network attacker can use these vulnerabilities in order to run code with root privileges.

vulnerability alert CVE-2005-3391

PHP: bypassing open_basedir with GD or curl

Synthesis of the vulnerability

An attacker can create a PHP program using GD or curl to bypass the open_basedir restriction.
Severity: 1/4.
Creation date: 18/10/2005.
Revision date: 19/10/2005.
Identifiers: BID-15119, BID-15411, CVE-2005-3391, MDKSA-2006:035, MDKSA-2006:035-1, TLSA-2006-6, VIGILANCE-VUL-5283.

Description of the vulnerability

The open_basedir directive of the PHP configuration file indicates the directories where a PHP program can open a file.

The GD extension creates or edits images in PHP. The functions imagegif(), imagepng() and imagejpeg() create an image:
  imagegif($contents, "directory/file.gif");
The second parameter indicates the file name. However, this file name is not restricted to open_basedir. An attacker can thus create a file on the system. This image can contain PHP code.

The curl extension downloads a document. The curl_init() function initializes resources:
  $res = curl_init('http://server/page.html');
The first parameter indicates the URL of the document to download. However, an attacker can use 'file:/...' to access a local file located outside open_basedir. An attacker can therefore read a system file.

These vulnerabilities therefore permit an attacker who is allowed to upload a PHP script to the server to create or read system files.

security vulnerability CVE-2005-3251

Gallery: file reading

Synthesis of the vulnerability

A network attacker can use Gallery to read files located on the server.
Severity: 2/4.
Creation date: 17/10/2005.
Identifiers: BID-15108, CVE-2005-3251, VIGILANCE-VUL-5282.

Description of the vulnerability

The Gallery program displays images as an album on a web server.

The g2_itemId variable from the main.php script is used to construct a relative path to a cache file. For example:
  ./directory/$g2_itemId/cache.file

However, g2_itemId:
 - can contain "../" to go up in the directory tree
 - can contain "%00" to truncate the string before the cache file

An unauthenticated attacker can therefore use a malicious g2_itemId value in order to read a file located on the server.

threat alert CVE-2005-3120

lynx: buffer overflow of NNTP

Synthesis of the vulnerability

A malicious NNTP server can return data leading to an overflow in lynx.
Severity: 2/4.
Creation date: 17/10/2005.
Identifiers: 20051003-01-U, 20051003-02-U, BID-15117, CVE-2005-3120, DSA-1085-1, DSA-874-1, DSA-876-1, FEDORA-2005-993, FEDORA-2005-994, FLSA:152832, FLSA-2005:152832, MDKSA-2005:186, RHSA-2005:803, RHSA-2005:803-01, SSA:2005-310-03, SUSE-SR:2005:025, VIGILANCE-VUL-5281.

Description of the vulnerability

The lynx program is a text web browser. It supports the NNTP protocol to read newsgroups.

The NNTP protocol defines the HEAD command to obtain message headers. When lynx detects that the subject in the headers contains Asian characters, the HTrjis() function adds escape characters to the subject. While characters are added, the subject's length increases, and it can thus overflow.

An attacker can therefore set up a malicious NNTP server and invite a lynx user to connect to it, in order to execute code on the user's computer.

weakness announce CVE-2005-2972

AbiWord: several buffer overflows

Synthesis of the vulnerability

Several buffer overflows in AbiWord permit an attacker to run code during RTF import.
Severity: 3/4.
Creation date: 17/10/2005.
Identifiers: BID-15096, CVE-2005-2972, DSA-894-1, FEDORA-2005-989, VIGILANCE-VUL-5280.

Description of the vulnerability

AbiWord is text processing software.

When AbiWord imports a malicious RTF file, several overflows can occur. These vulnerabilities seem to be different from VIGILANCE-VUL-5256.

These overflows lead to code execution.

These vulnerabilities therefore permit an attacker to run code with the rights of AbiWord users opening a malicious RTF file.

cybersecurity weakness CVE-2005-3402

Thunderbird: clear text network password retrieval

Synthesis of the vulnerability

Even if CRAM-MD5 or TLS is used, an attacker can act as a "Man in the middle" to obtain the password.
Severity: 1/4.
Creation date: 14/10/2005.
Revision date: 27/10/2005.
Identifiers: BID-15106, CVE-2005-3402, VIGILANCE-VUL-5279.

Description of the vulnerability

Thunderbird can connect to a mail server by tunneling its session in TLS/SSL. It can also use the CRAM-MD5 algorithm, which hashes the password during authentication.

However, an attacker acting as a "Man in the middle" can return an error message when TLS or CRAM-MD5 is used. Thunderbird then retries by sending the clear text password. There are several attack variants.

This vulnerability permits an attacker to capture the user's password.

   
