CVE-2005-0700
published 2005-03-07CVE-2005-0700: The export_index action in myadmin.php for Aztek Forum 4.0 allows remote attackers to obtain database files, possibly by setting the ATK_ADMIN cookie.
PriorityP423medium5CVSS 2.0
AVNACLAuNCPINAN
EXPLOIT
EPSS
2.48%
82.6th percentile
The export_index action in myadmin.php for Aztek Forum 4.0 allows remote attackers to obtain database files, possibly by setting the ATK_ADMIN cookie.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| aztek_forum | aztek_forum | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Bugzilla
CVE-2005-3662 netpbm off by one error
bugzilla·2005-11-16·CVSS 4.6
CVE-2005-3662 [MEDIUM] CVE-2005-3662 netpbm off by one error
CVE-2005-3662 netpbm off by one error
Netpbm off my one error
The latest release of pnmtopng fixed an off by one error in the
alphas_of_color[] array.
--- pnmtopng-2.38/pnmtopng.c 2002-06-16 17:38:48.000000000 -0700
+++ pnmtopng-2.39/pnmtopng.c 2005-11-12 19:40:45.000000000 -0800
@@ -389,8 +419,8 @@
int alpha_rows;
int alpha_cols;
int alpha_trans;
- gray *alphas_of_color[MAXCOLORS];
- int alphas_of_color_cnt[MAXCOLORS];
+ gray *alphas_of_color[MAXCOLORS+1];
+ int alphas_of_color_cnt[MAXCOLORS+1];
int alphas_first_index[MAXCOLORS+1];
int mapping[MAXCOLORS]; /* mapping[old_index] = new_index */
int colors;
This issue also affects RHEL2.1
Discussion:
The fix is now applied in both 3 and 2.1.
The patch isn't cleanly applicable though.
---
An advisory has been issued which should help
Bugzilla
CVE-2005-4886 Fix ipv6 exthdr bug causing Oops
bugzilla·2005-06-10·CVSS 7.8
CVE-2005-4886 [HIGH] CVE-2005-4886 Fix ipv6 exthdr bug causing Oops
CVE-2005-4886 Fix ipv6 exthdr bug causing Oops
Escalated to Bugzilla from IssueTracker
[SELINUX]: Fix ipv6_skip_exthdr() invocation causing OOPS.
author Herbert Xu
Mon, 25 Apr 2005 03:16:19 +0000 (20:16 -0700)
committer David S. Miller
Mon, 25 Apr 2005 03:16:19 +0000 (20:16 -0700)
The SELinux hooks invoke ipv6_skip_exthdr() with an incorrect
length final argument. However, the length argument turns out
to be superfluous.
I was just reading ipv6_skip_exthdr and it occured to me that we can
get rid of len altogether. The only place where len is used is to
check whether the skb has two bytes for ipv6_opt_hdr. This check
is done by skb_header_pointer/skb_copy_bits anyway.
Now it might appear that we've made the code slower by deferring
the check to skb_copy_bits. However, this check should
Bugzilla
CVE-2005-1111 Race condition in cpio
bugzilla·2005-04-22·CVSS 4.7
CVE-2005-1111 [MEDIUM] CVE-2005-1111 Race condition in cpio
CVE-2005-1111 Race condition in cpio
Race condition in cpio 2.6 and earlier allows local users to modify permissions
of arbitrary files via a hard link attack on a file while it is being
decompressed, whose permissions are changed by cpio after the decompression is
complete.
http://marc.theaimsgroup.com/?l=bugtraq&m=111342664116120&w=2
Discussion:
This issue should also affect RHEL2.1 and RHEL3.
---
Created attachment 113839
Proposed patch from Steve Grubb
---
Created attachment 116230
I suggest to use this patch.
Steve's patch doesn't solve race condition on directories. My fix use mode 0700
for dir creation, which close some more holes.
---
We have not released an update for this issue on RHEL2.1 yet. RHEL3 and RHEL4
were fixed in RHSA-2005:378
---
The RHEL 2.1 bug in being
2005-03-07
Published