ACROS Security: HTML Injection in BEA WebLogic Server Console (ASPR #2008-03-11-1)
=====BEGIN-ACROS-REPORT===== PUBLIC ========================================================================= ACROS Security Problem Report 2008-03-11-1 ------------------------------------------------------------------------- ASPR 2008-03-11-1: HTML Injection in BEA WebLogic Server Console...
ACROS Security: Session Fixation Vulnerability in WebLogic Administration Console (#2008-03-11-2)
=====BEGIN-ACROS-REPORT===== PUBLIC ========================================================================= ACROS Security Problem Report 2008-03-11-2 ------------------------------------------------------------------------- ASPR 2008-03-11-2: Session Fixation Vulnerability in WebLogic...
Remotely Anywhere 'Accept-Charset' Header NULL Pointer Denial of Service Vulnerability
BUGTRAQ ID: 28175 CNCAN ID: CNCAN-2008031103 Remotely Anywhere is remote management software. Remotely Anywhere does not correctly handle specially crafted HTTP requests; a remote attacker can exploit this to cause a denial of service against the application. Submitting an HTTP request that contains an invalid Accept-Charset header value can trigger a NULL pointer dereference and crash the application, resulting in a denial of service. RemotelyAnywhere RemotelyAnywhere Workstation Edition 8.0.668 RemotelyAnywhere RemotelyAnywhere Server...
Henri Lindberg - Smilehouse Oy
Louhi Networks Security Advisory Advisory: Checkpoint VPN-1 UTM Edge cross-site scripting Release Date: 2008/03/06 Last Modified: 2008/03/06 Authors: Henri Lindberg, Associate of ISC [email protected] Application: Checkpoint VPN-1 Edge W Embedded NGX 7.0.48x patched in version 7.5.48 Device...
SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 4990)
Cross-site scripting XSS vulnerability in example JSP applications. CVE-2006-7196 - Handling of cookies containing a ' character. CVE-2007-3382 - Handling of ' in cookies. CVE-2007-3385 - tomcat path traversal / information leak. CVE-2007-5641 - directory traversal. CVE-2007-1860 - tomcat https...
CVE-2008-0870
Bea WebLogic Portal 10.0 and 9.2 up to Maintenance Pack 2 has a vulnerability that can redirect the Portal Administration Console from HTTPS to HTTP, enabling remote attackers to sniff sessions. This is documented in CVE-2008-0870 with a CVSS v2 base score of 7.5 ( HIGH ) and network attack vecto...
Cisco Unified Communications Manager 'key' Parameter SQL Injection Vulnerability
BUGTRAQ ID: 27775 CVE(CAN) ID: CVE-2008-0026 Cisco Unified Communications Manager (CUCM, formerly CallManager) is the call-processing component of Cisco's IP telephony solution. The key parameter of CUCM's administrator and user interface pages is vulnerable to SQL injection; a remote attacker could exploit it to obtain sensitive information. An attacker can supply a specially crafted value in the key parameter of an administrator or user interface page to trigger the SQL injection; the attack can be carried out through the web interface over HTTP or HTTPS. A successful attack can terminate the SQL call and force a connection to the back-end database, leading to disclosure of sensitive information such as user names and password hashes. Cisco...
F5 BIG-IP Web Management Multiple XSS
The F5 BIG-IP web management interface on the remote host is susceptible to cross-site scripting attacks. (bigipwebxss.nasl) Notes: - Some pages are way bigger than 8K and BIG-IP does not use Content-Length. The script uses custom httpsendrecvlength to retrieve the entire page...
Debian Security Advisory DSA 1468-1 (tomcat5.5)
The remote host is missing an update to tomcat5.5 announced via advisory DSA 1468-1. OpenVAS Vulnerability Test $Id: deb14681.nasl 6616 2017-07-07 12:10:49Z cfischer $ Description: Auto-generated from advisory DSA 1468-1 tomcat5.5 Authors: Thomas Reinke Copyright: Copyright (C) 2008 E-Soft Inc...
Debian DSA-1468-1 : tomcat5.5 - several vulnerabilities
Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2008-0128 Olaf Kock discovered that HTTPS encryption was insufficiently enforced for single-sign-on cookies, which...
CVE-2008-0128
The SingleSignOn Valve org.apache.catalina.authenticator.SingleSignOn in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie...
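The two entries above describe the same end result from two directions: CVE-2008-0870 lets the WebLogic Portal Administration Console be redirected from HTTPS to HTTP, and CVE-2008-0128 has Tomcat's SingleSignOn valve issue JSESSIONIDSSO over HTTPS without the Secure attribute, so the browser will also send it on plain HTTP. The checker below is an added example, not code from this listing, from Apache Tomcat or from BEA: it parses raw HTTP response headers and flags a session cookie set without Secure (HttpOnly is reported as an extra check the page does not mention) and an HTTPS response whose Location header points at an http:// URL. The host names, cookie values and sample responses are constructed for the example.

```python
"""Checker for two session-exposure weaknesses: a session cookie set over
HTTPS without the Secure attribute (the CVE-2008-0128 pattern) and an HTTPS
response that redirects the client to cleartext http:// (the CVE-2008-0870
pattern). Added example; host names, cookie values and responses are
constructed, not captured from a real system.
"""
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlparse

# Cookie names treated as session identifiers. JSESSIONID and JSESSIONIDSSO
# are the Tomcat names from the listing; callers can pass their own set.
DEFAULT_SESSION_COOKIES = ("JSESSIONID", "JSESSIONIDSSO")
REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def parse_response_head(raw):
    """Return (status_code, [(header_name_lower, value), ...]) from a raw response."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def insecure_session_cookies(headers, session_names=DEFAULT_SESSION_COOKIES):
    """Session cookies issued without Secure (and, as an extra check, HttpOnly).

    Returns a list of (cookie_name, [missing attribute names]).
    """
    wanted = {n.upper() for n in session_names}
    findings = []
    for name, value in headers:
        if name != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)  # one Set-Cookie header at a time
        for key, morsel in jar.items():
            if key.upper() not in wanted:
                continue
            # Morsel flag attributes are True when present, "" otherwise.
            missing = [label for label, flag in (("Secure", "secure"), ("HttpOnly", "httponly"))
                       if not morsel[flag]]
            if missing:
                findings.append((key, missing))
    return findings


def downgrade_redirect(request_url, status, headers):
    """Return the http:// target if an HTTPS response redirects to cleartext, else None."""
    if urlparse(request_url).scheme != "https" or status not in REDIRECT_STATUSES:
        return None
    for name, value in headers:
        if name == "location":
            target = urljoin(request_url, value)  # relative Locations keep the https scheme
            if urlparse(target).scheme == "http":
                return target
    return None


def audit(request_url, raw_response):
    """Run both checks on one response; empty findings mean nothing was flagged."""
    status, headers = parse_response_head(raw_response)
    return {
        "insecure_cookies": insecure_session_cookies(headers),
        "downgrade_to": downgrade_redirect(request_url, status, headers),
    }


# Constructed sample responses (not captures from a real system).
TOMCAT_SSO_WITHOUT_SECURE = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONIDSSO=0A1B2C3D4E5F6071; Path=/\r\n"
    "Set-Cookie: JSESSIONID=7160F5E4D3C2B1A0; Path=/app; Secure; HttpOnly\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
TOMCAT_SSO_FIXED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONIDSSO=0A1B2C3D4E5F6071; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
)
CONSOLE_DOWNGRADE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://portal.example.test/portaladmin/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("sso-vuln", TOMCAT_SSO_WITHOUT_SECURE),
                       ("sso-fixed", TOMCAT_SSO_FIXED),
                       ("console", CONSOLE_DOWNGRADE)):
        print(label, audit("https://portal.example.test/portaladmin/", raw))
```

Feed it the head of any response captured over HTTPS; a cookie flagged for Secure is one a browser will replay on the first http:// request to the same host, and a downgrade target is the URL on which that replay will happen in the clear.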
DSA-1468-1 tomcat5.5
Bulletin has no description...
Debian: Security Advisory (DSA-1380-1)
The remote host is missing an update for Debian advisory DSA-1380-1. SPDX-FileCopyrightText: 2008 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Debian Security Advisory DSA 181-1 (libapache-mod-ssl)
The remote host is missing an update to libapache-mod-ssl announced via advisory DSA 181-1. SPDX-FileCopyrightText: 2008 E-Soft Inc. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Debian: Security Advisory (DSA-807-1)
The remote host is missing an update for Debian advisory DSA-807-1. SPDX-FileCopyrightText: 2008 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Anon Proxy Server Software Detection
The remote service is a proxy server named Anon Proxy Server, which can operate either as a normal HTTP / HTTPS / Socks proxy or a P2P anonymous proxy. (C) Tenable Network Security, Inc. (plugin script_id 29703)...
Authentication flaw
The proxy server in Kerio WinRoute Firewall before 6.4.1 does not properly enforce authentication for HTTPS pages, which has unknown impact and attack vectors. NOTE: it is not clear whether this issue crosses privilege boundaries...