CVE-2005-2002
Published: 2005-06-15
SQL injection vulnerability in content.php in Mambo 4.5.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user_rating parameter.
Priority: P3 (38) · Severity: high · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: public exploit available (see the Exploit-DB entry for this CVE below)
EPSS: 1.32% (67.3th percentile)
Affected
6 ranges are listed, all without version or fix data; the only version information on this page is the description's "4.5.2.2 and earlier".
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mambo | mambo | 4.5.2.2 and earlier (per description) | — |
CVSS provenance
NVD · CVSS v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
Red Hat (vendor) · 5.0 MEDIUM (note: the Red Hat entry shown on this page is for CVE-2005-1918, not for this CVE)
GHSA · 2022-05-01 · unreviewed · CVE-2005-2002 [HIGH]
GHSA-3fvg-g788-h5q8: SQL injection vulnerability in content
SQL injection vulnerability in content.php in Mambo 4.5.2.2 and earlier allows remote attackers to execute arbitrary SQL commands via the user_rating parameter.
Red Hat · 2003-07-21 · CVSS 5.0 · CVE-2005-1918 [MEDIUM]
tar archive path traversal issue
The original patch for a GNU tar directory traversal vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses an "incorrect optimization" that allows user-assisted attackers to overwrite arbitrary files via a crafted tar file, probably involving "/../" sequences with a leading "/".
No detection rules found.
Exploit-DB · 2006-02-26 · CVE-2005-2934
SCO Unixware 7.1.3 - 'ptrace' Local Privilege Escalation
---
/* SCO Unixware 7.1.3 ptrace local root exploit
* ============================================
 * SCO Unixware 7.1.3 kernel allows unprivileged users
* to debug binaries. The condition can be exploited
* by an attacker when he has execute permissions to
* a file which has the suid bit set.
*
* Example.
*
* $ uname -a
* UnixWare iron 5 7.1.3 i386 x86at SCO UNIX_SVR5
* $ /linux/bin/bash
* bash-2.05$ uname -a
* Linux iron.fi.st 2.4.13 #1 Thu Oct 31 02:32:23 EST 2002 i686 unknown
* bash-2.05$ id
* uid=122(matt) gid=1(other) groups=1(other)
* bash-2.05$ ./fu /unixware/usr/lib/sendmail
* [ SCO Unixware 7.1.3 ptrace local root exploit
* [ Using 0xbfffed78
* sh-2.05# id
* uid=0(root) gid=1(other) groups=1(other)
* sh-2.05#
*
* - prdelka
Exploit-DB · 2005-12-08 · CVE-2005-4131
Microsoft Excel 95/97/2000/2002/2003/2004 - Malformed Range Memory Corruption
---
source: https://www.securityfocus.com/bid/15780/info
Microsoft Excel is susceptible to a remote code-execution vulnerability. This issue was originally disclosed through an eBay auction that has since been terminated.
This issue is due to the application's failure to properly bounds-check user-supplied input data in the 'Named Range' definition in Excel data files. This results in the corruption of critical memory sections, allowing code execution.
The following is a proof-of-concept example segment of an Excel data file. The '*' characters represent the location of the affected value that triggers this issue. Setting these locations to '0xFF' will crash the application.
00000720 00 80 00 ff 93 02 04 00
Exploit-DB · 2005-06-15 · CVE-2005-2002
Mambo 4.5.2.1 - Fetch Password Hash
---
#!/usr/bin/php -q
Mambo 4.5.2.1 + MySQL 4.1 > fetch password hash by pokleyzz
* content rating using sub query to select from mos_users
Requirement:
PHP 4.x with curl extension
Description:
The problem occurs because the $user_rating variable is not properly sanitized before it is used in the SQL query for the UPDATE statement.
From content.php (components\com_content\content.php):
function recordVote ( $url, $user_rating, $cid, $database ){
    $cid = intval( $cid );
    if ( ( $user_rating >= 1 ) and ( $user_rating <[...]
        [... stripped on this page as an HTML tag: everything from the upper-bound comparison up to "$database->" ...]
        $database->setQuery( $query );
        $votesdb = NULL;
        if ( !( $database->loadObject( $votesdb ) ) ) {
            $query = "INSERT INTO #__content_rating ( content_id, lastip, rating_sum, rating_count )"
            . "\n VALUES ( '$cid', '$currip', '$user_rating'
Exploit-DB · 2005-04-22 · CVE-2005-0944
Microsoft Jet Database - 'msjet40.dll' Code Execution (Reverse Shell) (2)
---
##################################################################
# #
# Microsoft Jet (msjet40.dll) Reverse Shell Exploit #
# #
# #
# #
# #
# Based on the exploit written by S.Pearson and #
# Python version by coded by Tal zeltzer #
# #
# XP/sp2 fixed version by Jean Luc #
# #
##################################################################
import sys
import struct
# Addresses are compatible with Windows XP Service Pack 1 and Service Pack 2
# EIP = "\x47\xAD\x05\x30"; # Use this one for MSAccess 2003 (jmp edx)
EIP = "\xF7\x69\x05\x30"; # Use this one MSAccess 2002 (jmp edx)
# EIP = "\xFf\xf7\x07\x30"; # Use this one MSAccess 2000 (jmp edx)
# Reverse Connect Shellcode (From metasploit)
Shellcode_p1 = "\x3
Exploit-DB · 2005-04-11 · CVE-2005-0944
Microsoft Jet Database - 'msjet40.dll' DB File Buffer Overflow
---
/*
* --------------------------------------
*
* Microsoft Jet (msjet40.dll) Exploit
*
* --------------------------------------
*
* Author:
* ----------
* S.Pearson
* Computer Terrorism (UK)
* www.computerterrorism.com
* 11/04/2005
*
*
* Credits:
* ----------
* Hexview (original advisory)
*
*
* Tested on:
* -------------
* Windows 2000 SP4 (english)
* Windows XP SP0 (english)
* Windows XP SP1 (english)
*
*
* Requires:
* ------------
* MSAccess offset for stable jmp edx (could use others)
*
* 0x3005AD47 (Microsoft Access 2003)
* 0x300569F7 (Microsoft Access 2002) * DEFAULT *
* 0x3007F7FF (Microsoft Access 2000)
*
*
* Tech Overview:
* ------------------
* Simple exploit based upon Hexview's advisory
* released 01/04/2005.
*
Exploit-DB · 2005-02-27 · CVE-2005-0595
BadBlue 2.5 - Easy File Sharing Remote Buffer Overflow
---
/*
BadBlue, Easy File Sharing Remote BOverflow
Homepage: badblue.com
Affected version: v2.5 (2.60 and below not tested)
Patched version: v2.61
Link: badblue.com/bbs98.exe
Date: 27 February 2005
Application Risk: Severely High
Internet Risk: Low
Discovery Credits: Andres Tarasco (atarasco _at_ sia.es)
Exploit Credits : class101 & metasploit.com
Hole History:
26-2-2005: BOF flaw published by Andres Tarasco of sia.es
27-2-2002: Hat-Squad.com releases an exploit
28-2-2005: haxorcitos releases a dupe with fake date :>
or you sux doing private stuffs.
Notes:
-6 bad chars, 0x00, 0x26, 0x20, 0x0A, 0x8C, 0x3C, badly interpreted by
BadBlue
-using offsets from ext.dll, universal.
-use findjmp2 to quick search into ext.dll to see
if th
Exploit-DB · 2005-02-18 · CVE-2005-0277
3Com 3CDaemon FTP - Unauthorized 'USER' Remote Buffer Overflow
---
/* Added " on line 86 /str0ke */
/*
3com 3CDaemon FTP Unauthorized "USER" Remote BOverflow
The particularity of this exploit is to exploits a FTP server
without the need of any authorization.
Homepage: www.3com.com
version: 3CDaemon v2.0 rev10
Link: ftp://ftp.3com.com/pub/utilbin/win32/3cdv2r10.zip
Application Risk: Severely High
Internet Risk: Low
Hole History:
14-4-2002: BOF flaw found by skyrim
15-4-2002: crash exploit done. securiteam.com/exploits/5NP050A75A.html
04-1-2005: Updated advisory by Sowhat securitytracker.com/id?1012768
17-2-2005: lame exploit released milw0rm.com/id.php?id=825
18-2-2005: proper exploit released hat-squad.com, class101.org, class101.hat-squad.com
Notes:
-4 bad bytes, 0x00, 0x25, 0x0
Bugzilla · 2007-05-09 · CVSS 5.0 · CVE-2005-3164 [MEDIUM]
A number of tomcat issues
A number of issues affected tomcat 4.0.6 as distributed with Stronghold. Most
of these are minor severity, all need triaging:
http://tomcat.apache.org/security-4.html
Information disclosure CVE-2005-3164
Information disclosure CVE-2005-2090
Directory traversal CVE-2007-0450
Cross-site scripting CVE-2007-1358
Cross-site scripting CVE-2006-7196
Directory listing CVE-2006-3835
Cross-site scripting CVE-2005-4838
Denial of service CVE-2005-3510
Denial of service CVE-2003-0866
Information disclosure CVE-2002-2006
Discussion:
closing; Stronghold has reached end of life.
Bugzilla · 2006-03-02 · CVSS 5.0 · CVE-2005-1918 [MEDIUM]
Multiple tar issues (CVE-2005-1918, CVE-2006-0300)
There are two separate issues that affect different subsets of our products.
I. RHL 7.3, RHL 9, FC1 & FC2: tar archive path traversal issue
CVE-2005-1918: "The original patch for a GNU tar directory traversal
vulnerability (CVE-2002-0399) in Red Hat Enterprise Linux 3 and 2.1 uses
an 'incorrect optimization' that allows user-complicit attackers to over-
write arbitrary files via a crafted tar file, probably involving '/../'
sequences with a leading '/'."
This vulnerability appears to only affect tar-1.13.25 releases, which
these four distros use.
Red Hat issued RHSA-2006:0195-01 for RHEL 2.1 and RHEL 3:
"In 2002, a path traversal flaw was found in the way GNU tar extracted
archives. A malicious user could create a tar archive that cou
Bugzilla · 2005-12-02 · CVSS 4.9 · CVE-2002-2185 [MEDIUM]
CVE-2002-2185 IGMP DoS (ipf)
+++ This bug was initially created as a clone of Bug #174807 +++
http://www.cs.ucsb.edu/~krishna/igmp_dos/
With IGMP version 1 and 2 it is possible to inject a unicast report to a client
which will make it ignore multicast reports sent later by the router.
The fix is to only accept the report if it was sent to a multicast or unicast
address. Fix from David Stevens at IBM and will be made upstream shortly.
-- Additional comment from [email protected] on 2005-12-02 08:53 EST --
Created an attachment (id=121751)
proposed upstream patch
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the
Bugzilla · 2005-12-02 · CVSS 4.9 · CVE-2002-2185 [MEDIUM]
CVE-2002-2185 IGMP DoS
(report text identical to the CVE-2002-2185 entry above)
Discussion:
This is apparently an accidental dup entry of bug 174808.
*** This bug has been marked as a duplicate of 174808 ***
Bugzilla · 2005-12-02 · CVSS 4.9 · CVE-2002-2185 [MEDIUM]
CVE-2002-2185 IGMP DoS
(report text identical to the CVE-2002-2185 entry above)
Discussion:
*** Bug 174809 has been marked as a duplicate of this bug. ***
---
A fix for this problem has just been committed to the RHEL3 E7
patch pool this evening (in kernel version 2.4.21-37.0.1.EL).
---
An advisory has been i
Bugzilla · 2005-12-02 · CVSS 4.9 · CVE-2002-2185 [MEDIUM]
CVE-2002-2185 IGMP DoS
(report text and discussion identical to the first CVE-2002-2185 entry above)
Bugzilla · 2005-11-16 · CVSS 4.6 · CVE-2005-3662 [MEDIUM]
CVE-2005-3662 netpbm off by one error
Netpbm off by one error
The latest release of pnmtopng fixed an off by one error in the
alphas_of_color[] array.
--- pnmtopng-2.38/pnmtopng.c 2002-06-16 17:38:48.000000000 -0700
+++ pnmtopng-2.39/pnmtopng.c 2005-11-12 19:40:45.000000000 -0800
@@ -389,8 +419,8 @@
int alpha_rows;
int alpha_cols;
int alpha_trans;
- gray *alphas_of_color[MAXCOLORS];
- int alphas_of_color_cnt[MAXCOLORS];
+ gray *alphas_of_color[MAXCOLORS+1];
+ int alphas_of_color_cnt[MAXCOLORS+1];
int alphas_first_index[MAXCOLORS+1];
int mapping[MAXCOLORS]; /* mapping[old_index] = new_index */
int colors;
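Review bot: the hunk only widens the two declarations (`gray *alphas_of_color[MAXCOLORS+1];` and `int alphas_of_color_cnt[MAXCOLORS+1];`) to match the existing `alphas_first_index[MAXCOLORS+1]`; the loop that indexes these arrays with MAXCOLORS as a valid subscript is outside the hunk, so confirm that every loop over the three arrays uses the same bound and that `mapping[MAXCOLORS]`, which is left at its old size, is never subscripted with that extended index. The header `@@ -389,8 +419,8 @@` also shows the upstream 2.39 file has gained thirty lines before this point, which is consistent with the note below that the patch does not apply cleanly; for the RHEL 3 and 2.1 backport, regenerate the hunk against the 2.38 source in those trees rather than applying it with fuzz.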
This issue also affects RHEL2.1
Discussion:
The fix is now applied in both 3 and 2.1.
The patch isn't cleanly applicable though.
---
An advisory has been issued which should help
CWE · mitre_cwe · CVSS 5.0 · CVE-2002-1532 [MEDIUM]
CWE-239: Failure to Handle Incomplete Element
The product does not properly handle when a particular element is not completely specified.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Integrity, Other. Impact: Varies by Context, Unexpected State.
Observed Examples:
CVE-2002-1532: HTTP GET without \r\n\r\n CRLF sequences causes product to wait indefinitely and prevents other users from accessing it.
CVE-2003-0195: Partial request is not timed out.
CVE-2005-2526: MFV. CPU exhaustion in printer via partial printing request then early termination of connection.
CVE-2002-1906: CPU consumption by sending incomplete HTTP requests and leaving the connections open.
CWE · mitre_cwe · CVSS 7.8 · [HIGH]
CWE-281: Improper Preservation of Permissions
The product does not preserve permissions or incorrectly preserves permissions when copying, restoring, or sharing objects, which can cause them to have less restrictive permissions than intended.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Phase: Operation
Common Consequences:
Scope: Confidentiality, Integrity. Impact: Read Application Data, Modify Application Data.
Observed Examples:
CVE-2002-2323: Incorrect ACLs used when restoring backups from directories that use symbolic links.
CVE-2001-1515: Automatic modification of permissions inherited from another file system.
CVE-2005-1920: Permissions on backup file are created with defaults,
CWE · mitre_cwe · CVSS 5.0 · CVE-2000-1114 [MEDIUM]
CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
The product accepts path input in the form of trailing dot ('filedir.') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locations or access arbitrary files.
Modes of Introduction:
Phase: Implementation
Common Consequences:
Scope: Access Control. Impact: Bypass Protection Mechanism.
Observed Examples:
CVE-2000-1114: Source code disclosure using trailing dot
CVE-2002-1986: Source code disclosure using trailing dot
CVE-2004-2213: Source code disclosure using trailing dot
CVE-2005-3293: Source code disclosure using trailing dot
CVE-2004-0061: Bypass directory access restrictions using trailing dot in URL
CVE-2000-1133: Bypass directory access rest
CWE · mitre_cwe · CVSS 2.1 · CVE-2002-1976 [LOW]
CWE-439: Behavioral Change in New Version or Environment
A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.
Modes of Introduction:
Phase: Architecture and Design
Phase: Implementation
Common Consequences:
Scope: Other. Impact: Quality Degradation, Varies by Context.
Observed Examples:
CVE-2002-1976: Linux kernel 2.2 and above allow promiscuous mode using a different method than previous versions, and ifconfig is not aware of the new method (alternate path property).
CVE-2005-1711: Product uses defunct method from another product that does not return an error code and allows detection avoidance.
CVE-2003-0411: chain: Code was ported from a case-sensitive Unix platform to a case-insensitive Windows platform where
References
http://mamboforge.net/frs/download.php/6153/CHANGELOG
http://marc.info/?l=bugtraq&m=111885974124936&w=2
http://secunia.com/advisories/15710
http://securitytracker.com/id?1014222
http://www.osvdb.org/17323
http://www.securityfocus.com/bid/13966