MAX PRESENCE,TP3106,TP3206 Security Vulnerabilities

cert

Microsoft SQL Server 2000 contains denial-of-service vulnerability in SQL Server Resolution Service

Overview Microsoft SQL Server 2000 contains a vulnerability that allows remote attackers to create a denial-of-service condition between two Microsoft SQL servers. Description The SQL Server Resolution Service (SSRS) was introduced in Microsoft SQL Server 2000 to provide referral services for...

0.3 AI Score

0.098 EPSS

2002-07-26 12:00 AM
9
cert

Microsoft Windows domain name resolver service accepts responses from non-queried DNS servers by default

Overview Systems running Microsoft Windows 98, NT, Windows 2000, or Windows XP DNS resolvers accept DNS replies from any IP address, not just the ones being sent DNS requests. This may lead to domain information spoofing or DNS cache poisoning. Description Microsoft Windows systems use a caching...

-0.1 AI Score

2002-07-22 12:00 AM
17
securityvulns

@stake Advisory: Multiple Vulnerabilities with Pingtel xpressa SIP Phones

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 @stake Inc. www.atstake.com Security Advisory Advisory Name: Multiple Vulnerabilities with Pingtel xpressa SIP Phones Release Date: 07/12/2002 Hardware: Pingtel xpressa SIP...

0.1 AI Score

0.012 EPSS

2002-07-13 12:00 AM
16
nessus

Icecast list_directory Function Traversal File/Directory Enumeration

The remote server does not return the same error codes when a nonexistent directory and an existing one are requested. An attacker may use this flaw to deduce the presence of several key directories on the remote server, and therefore gain further knowledge about...

-0.5 AI Score

0.043 EPSS

2002-07-10 12:00 AM
9
nessus

Web Server Directory Enumeration

This plugin attempts to determine the presence of various common directories on the remote web server. By sending a request for a directory, the web server response code indicates if it is a valid directory or...

9.6 AI Score

0.002 EPSS

2002-06-26 12:00 AM
842
exploitdb

7.4 AI Score

EPSS

2002-06-21 12:00 AM
38
exploitpack

YaBB 1 - Invalid Topic Error Page Cross-Site Scripting

YaBB 1 - Invalid Topic Error Page Cross-Site...

-0.3 AI Score

2002-06-21 12:00 AM
6
securityvulns

nCipher Advisory #4: Console Java apps can leak passphrases on Windows

nCipher[TM] Security Advisory No. 4 Console Java applications can leak passphrases on Windows SUMMARY In certain circumstances, Java[TM] applications using the standard nCipher ConsoleCallBack class on Windows NT/2000 can be made to leak smart card passphrases to the current user's shell. One...

-0.4 AI Score

2002-06-18 12:00 AM
57
exploitpack

Imatix Xitami 2.5 - GSL Template Cross-Site Scripting

Imatix Xitami 2.5 - GSL Template Cross-Site...

-0.1 AI Score

2002-06-14 12:00 AM
5
exploitdb

7.4 AI Score

EPSS

2002-06-14 12:00 AM
22
securityvulns

remote DoS in Mozilla 1.0

Author Tom Vogt <[email protected]> http://web.lemuria.org/ Affected Mozilla 1.0 and earlier verified on Linux and Solaris, other Unixes most likely affected as well. Effect System becomes unusable or X windows crashes (varies depending on system configuration) Description When loading pages w...

-0.7 AI Score

2002-06-12 12:00 AM
14
nessus

Marcus Xenakis directory.php Execute Arbitrary Commands

The 'directory.php' file is installed. 1. This tool allows anybody to read any directory. 2. It is possible to execute arbitrary code with the rights of the HTTP...

0.5 AI Score

0.012 EPSS

2002-06-07 12:00 AM
12
securityvulns

Three possible DoS attacks against some IOS versions.

There are three possible unreported DoS conditions in certain versions of IOS I could get my hands on. When scanning all 65535 ports from a single host using nmap (full connect/half connect/null/fin/ack/xmas) through a Cisco 2611 running C2600-IO3-M, Version 12.1(6.5) the router crashes. Same...

-0.3 AI Score

2002-06-06 12:00 AM
31
nessus

JRun Multiple Sample Files Remote Information Disclosure

This host is running the Allaire JRun web server and has sample files installed. Several of the sample files that come with JRun contain serious security flaws. An attacker can use these scripts to relay web requests from this machine to another one or view sensitive configuration information as...

-0.3 AI Score

0.005 EPSS

2002-06-05 12:00 AM
18
nessus

Microsoft IIS Potentially Compromised Host Detection

One or more files were found on this host that indicate a possible...

AI Score

2002-06-05 12:00 AM
290
nessus

SNMP Request Cisco Router Information Disclosure

It is possible to determine the model of the remote CISCO system by sending SNMP requests with the OID 1.3.6.1.4.1.9.1. An attacker may use this information to gain more knowledge about the remote...

7.1 AI Score

2002-06-05 12:00 AM
1919
nessus

ping.asp CGI Arbitrary Command Execution

The 'ping.asp' CGI is installed. Some versions allow an attacker to launch a ping flood against the targeted machine or another by entering '127.0.0.1 -l 65000 -t' in the Address...

7.2 AI Score

2002-06-02 12:00 AM
255
securityvulns

YoungZSoft CMailServer overflow, PATCH + WAREZ!@#!

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CMailServer 3.30 uses sprintf() without any previous bounds checking while testing for the presence of the passed USER argument's home directory within 'mail'.. sprintf(%s\mail\%s, CMail path ptr, USER arg ptr) you know how the story goes, we can...

-0.3 AI Score

2002-05-27 12:00 AM
18
nessus

Microsoft IIS / Site Server codebrws.asp Arbitrary Source Disclosure

Microsoft's IIS 5.0 web server is shipped with a set of sample files to demonstrate different features of the ASP language. One of these sample files allows a remote user to view the source of any file in the web root with the extension .asp, .inc, .htm, or...

6.4 AI Score

0.946 EPSS

2002-05-22 12:00 AM
87
exploitdb

7.4 AI Score

EPSS

2002-05-20 12:00 AM
19
exploitpack

Youngzsoft CMailServer 3.304.0 - Remote Buffer Overflow (1)

Youngzsoft CMailServer 3.304.0 - Remote Buffer Overflow...

0.6 AI Score

2002-05-20 12:00 AM
13
securityvulns

Advisory CA-2002-11 Heap Overflow in Cachefs Daemon (cachefsd)

-----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-11 Heap Overflow in Cachefs Daemon (cachefsd) Original release date: May 06, 2002 Last revised: Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Sun Solaris 2.5.1, 2.6, 7, and 8...

0.1 AI Score

0.029 EPSS

2002-05-07 12:00 AM
13
cert

Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters

Overview Sun's NFS/RPC cachefs daemon (cachefsd) is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the use of NFS protocol. A remotely exploitable heap overflow...

0.3 AI Score

0.194 EPSS

2002-05-06 12:00 AM
17
nessus

Solaris rpc.rwalld Remote Format String Arbitrary Code Execution

The rpc.walld RPC service is running. Some versions of this server allow an attacker to gain root access remotely, by consuming the resources of the remote host then sending a specially formed packet with format strings to this host. Solaris 2.5.1, 2.6, 7, 8 and 9 are vulnerable to this issue....

0.4 AI Score

0.827 EPSS

2002-05-02 12:00 AM
11
exploitdb

7.4 AI Score

EPSS

2002-04-25 12:00 AM
22
exploitpack

ACME Labs thttpd 2.20 - Cross-Site Scripting

ACME Labs thttpd 2.20 - Cross-Site...

-0.1 AI Score

2002-04-25 12:00 AM
10
securityvulns

CGIscript.net - csMailto.cgi - Remote Command Execution

CGIscript.net - csMailto.cgi - Remote Command Execution Name : CGIscript.net - csMailto.cgi - Remote Command Execution Date : April 23, 2002 Product : csMailto Vuln Type : Access Validation Error Severity : HIGH RISK Vendor : WWW.CGIscript.NET, LLC. Homepage :...

-0.1 AI Score

2002-04-24 12:00 AM
20
securityvulns

Restricted Shells

I have recently realized a security issue in some of the restricted shells on *NIX systems. I am not sure if I am the first one to discover the problem I am going to discuss but I am sure that it has not been posted yet, at least not that I know of. Basically this is the issue: Affected Systems:...

0.3 AI Score

2002-04-19 12:00 AM
28
nessus

Apache on Windows < 1.3.24 / 2.0.x < 2.0.34 DOS Batch File Arbitrary Command Execution

Apache for Win32 prior to 1.3.24 and 2.0.x prior to 2.0.34-beta is shipped with a default script, '/cgi-bin/test-cgi.bat', that allows an attacker to remotely execute arbitrary commands on the host subject to the permissions of the affected application. An attacker can send a pipe character '|'...

1 AI Score

0.108 EPSS

2002-04-18 12:00 AM
42
nessus

Microsoft IIS Multiple Vulnerabilities (MS02-018)

This IIS Server appears to be vulnerable to one of the cross-site scripting attacks described in MS02-018. The default '404' file returned by IIS uses scripting to output a link to the top level domain part of the url requested. By crafting a particular URL, it is possible to insert arbitrary...

6.6 AI Score

0.943 EPSS

2002-04-11 12:00 AM
70
cert

Linux kernel IP Masquerading "destination loose" (DLOOSE) configuration passes arbitrary UDP traffic

Overview The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network. Description As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a...

-0.2 AI Score

0.003 EPSS

2002-04-02 12:00 AM
7
nessus

EFTP Multiple Command Traversal Arbitrary Directory Listing

The version of EFTP installed on the remote host can be used to determine if a given file exists on the remote host or not, by adding dot-dot-slashes in front of them. For instance, it is possible to determine the presence of '\autoexec.bat' by using the command SIZE or MDTM with the argument...

0.5 AI Score

0.043 EPSS

2002-03-29 12:00 AM
10
nessus

csSearch csSearch.cgi setup Parameter Arbitrary Command Execution

The version of csSearch running on the remote host has a command execution vulnerability. Input to the 'print' parameter of 'csSearch.cgi' is not properly sanitized. A remote attacker could exploit this by executing arbitrary system commands with the privileges of the web...

1.2 AI Score

0.026 EPSS

2002-03-27 12:00 AM
23
security_vulns

Bypassing content filtering

There are common methods allowing to bypass almost any content filtering software (antiviral products, CVP firewalls, mail attachment filters, etc). I believe multiple products are vulnerable. Contents: I. Bypassing attachment detection or invalid detection of attachment type. Encoded...

-0.5 AI Score

2002-03-26 12:00 AM
56
cve

CVE-2001-0631

Centrinity First Class Internet Services 5.50 allows for the circumventing of the default 'spam' filters via the presence of '<@>' in the 'From:' field, which allows remote attackers to send spoofed email with the identity of local...

7 AI Score

0.004 EPSS

2002-03-09 05:00 AM
24
cvelist

CVE-2001-0631

Centrinity First Class Internet Services 5.50 allows for the circumventing of the default 'spam' filters via the presence of '<@>' in the 'From:' field, which allows remote attackers to send spoofed email with the identity of local...

6.6 AI Score

0.004 EPSS

2002-03-09 05:00 AM
nessus

MS02-006: Malformed SNMP Management Request Remote Overflow (314147)

A buffer overrun is present in the SNMP service on the remote host. By sending a malformed management request, an attacker could cause a denial of service and possibly cause code to run on the system in the LocalSystem...

0.3 AI Score

0.949 EPSS

2002-02-22 12:00 AM
108
securityvulns

Microsoft Security Bulletin MS02-005

Title: 11 February 2002 Cumulative Patch for Internet Explorer Date: 11 February 2002 Software: Internet Explorer Impact: Run Code of Attacker's Choice Max Risk: Critical Bulletin: MS02-005 Microsoft encourages customers to review the Security Bulletin at: ...

0.2 AI Score

2002-02-15 12:00 AM
41
nessus

MS01-059: Unchecked Buffer in Universal Plug and Play can Lead to System Compromise (315000)

Using a specially crafted NOTIFY directive, a remote attacker can cause code to run in the context of the Universal Plug and Play (UPnP) subsystem or possibly launch a denial of service attack against the affected host. Note that, under Windows XP, the UPnP subsystem operates with SYSTEM...

0.9 AI Score

0.972 EPSS

2002-01-25 12:00 AM
26
securityvulns

Cgisecurity Paper #4: Header Based Exploitation: Web Statistical Software Threats

Hello, Below is a paper I wrote on some threats that web statistical software faces in regards to header manipulation. I've decided to include 1 product affected by this to show that this is very possible. Product: w3perl Vendor: http://www.w3perl.com Patch: http://www.w3perl.com/download/...

0.2 AI Score

2002-01-23 12:00 AM
13
cert

PIX 'established' and 'conduit' command may have unexpected interactions

Overview A somewhat common configuration of Cisco PIX firewalls may permit a window of opportunity in which an intruder can bypass the firewall. This problem was first publicly described in July, 1998. Description Cisco PIX firewalls protecting servers which offer service to the internet-at-large.....

AI Score

2002-01-04 12:00 AM
7
securityvulns

[RHSA-2001:164-08] Updated secureweb packages available

Red Hat, Inc. Red Hat Security Advisory Synopsis: Updated secureweb packages available Advisory ID: RHSA-2001:164-08 Issue date: 2001-12-05 Updated on: 2001-12-07 Product: Red Hat Secure Web Server Keywords: secureweb directory listing Cross...

-0.4 AI Score

0.965 EPSS

2001-12-08 12:00 AM
14
securityvulns

Security Bulletin MS01-050

Title: Malformed Excel or PowerPoint Document Can Bypass Macro Security Date: 04 October 2001 Software: Microsoft Excel or PowerPoint for Windows or Macintosh Impact: Run Code Of Attacker's Choice Bulletin: MS01-050 Microsoft encourages customers to review the...

0.6 AI Score

2001-10-05 12:00 AM
15
nessus

Nimda Worm Infected HTML File Detection

The remote web server appears to have been compromised by the Nimda mass mailing worm. It uses various known IIS vulnerabilities to compromise the server. Visitors to such a compromised web server may be prompted to download an .eml (Outlook Express) email file, which contains the worm as an...

-0.4 AI Score

2001-09-19 12:00 AM
16
nessus

Apache UserDir Directive Username Enumeration

When configured with the 'UserDir' option, requests to URLs containing a tilde followed by a username will redirect the user to a given subdirectory in the user home. For instance, by default, requesting /~root/ displays the HTML contents from /root/public_html/. If the username requested does not....

8.9 AI Score

0.036 EPSS

2001-09-18 12:00 AM
229
nessus

VNC HTTP Server Detection

The remote host is running VNC (Virtual Network Computing), which uses the RFB (Remote Framebuffer) protocol to provide remote access to graphical user interfaces and thus permits a console on the remote host to be displayed on...

-0.1 AI Score

2001-09-14 12:00 AM
164
nvd

CVE-2001-0631

Centrinity First Class Internet Services 5.50 allows for the circumventing of the default 'spam' filters via the presence of '<@>' in the 'From:' field, which allows remote attackers to send spoofed email with the identity of local...

6.6 AI Score

0.004 EPSS

2001-08-22 04:00 AM
nessus

SuSE Support Data Base sbsearch.cgi Arbitrary Command Execution

SuSE CGI 'sdbsearch.cgi' is installed. This CGI allows a local (and possibly remote) user to execute arbitrary commands with the privileges of the HTTP...

7.1 AI Score

0.047 EPSS

2001-08-13 12:00 AM
119
nessus

OmniHTTPd Encoded Space Request Script Source Disclosure

OmniHTTPd is affected by a vulnerability that permits malicious users to get the full source code of scripting files. By appending an ASCII/Unicode space char '%20' to a script's suffix, the web server will no longer interpret it and instead send it back as a simple document in the same manner as.....

6.2 AI Score

0.016 EPSS

2001-08-13 12:00 AM
13
nessus

NetCode NC Book book.cgi current Parameter Arbitrary Command Execution

The CGI 'book.cgi' is installed. This CGI has a well known security flaw that lets an attacker execute arbitrary commands with the privileges of the http...

7.3 AI Score

0.208 EPSS

2001-08-13 12:00 AM
70
Total number of security vulnerabilities: 9647