Computer Associates MLink "mclear" command vulnerable to buffer overflow via long string of characters
Overview A locally exploitable buffer overflow exists in mclear. Description CA-MLINK is a managed data transport service. For more information about CA-MLINK, please see the product brochure. Based on a public report, it appears there is a locally exploitable buffer overflow in the mclear comman...
Computer Associates MLink "mllock" command vulnerable to buffer overflow via long string of characters
Overview A locally exploitable buffer overflow exists in mllock. Description CA-MLINK is a managed data transport service. For more information about CA-MLINK, please see the product brochure. Based on a public report, it appears there is a locally exploitable buffer overflow in the mllock comman...
Nortel Networks CVX 1800 discloses privileged information
Overview The Nortel Networks CVX 1800 Multi-Service Access Switch discloses privileged information. Description The CVX 1800 Multi-Service Access Switch is a large modem bank typically used by large carriers and ISPs. When the CVX 1800 is queried with a specially crafted snmpwalk, it will respon...
Microsoft MSN Messenger Chat Control contains a buffer overflow in "ResDLL" parameter
Overview Microsoft's MSN Chat is an ActiveX control for Microsoft Messenger, an instant messaging client. A buffer overflow exists in the ActiveX control that may permit a remote attacker to execute arbitrary code on the system with the privileges of the current user. Description A buffer overflo...
Sun Solaris cachefsd vulnerable to stack overflow in fscache_setup() function
Overview Sun's NFS/RPC cachefs daemon cachefsd is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. An exploitable stack overflow exists in...
AOL Instant Messenger installer adds "http://free.aol.com" to Trusted Sites Zone in Microsoft Internet Explorer
Overview The installer for AOL Instant Messenger contains a vulnerability that weakens the security settings of Microsoft Internet Explorer. Description There is a vulnerability in the installer for AOL Instant Messenger (AIM) that silently adds "http://free.aol.com" to the list of Trusted Sites in...
ISC DHCPD contains format string vulnerability when logging DNS-update requests
Overview The DHCP daemon DHCPD is a server that is used to allocate network addresses and assign configuration parameters to dynamically configured hosts. A format string vulnerability may permit an intruder to execute code with the privileges of the DHCP daemon (typically root). Description The...
Sun Solaris cachefsd vulnerable to heap overflow in cfsd_calloc() function via long string of characters
Overview Sun's NFS/RPC cachefs daemon cachefsd is shipped and installed by default with Sun Solaris 2.5.1, 2.6, 7, and 8 (SPARC and Intel architectures). Cachefsd caches requests for operations on remote file systems mounted via the NFS protocol. A remotely exploitable heap overflow exists i...
rpc.rwalld contains remotely exploitable format string vulnerability
Overview rpc.rwalld is a utility that is used to send a message to all terminals of a time sharing system. A format string vulnerability may permit a remote user to execute code with the privileges of the rwall daemon. Description rpc.rwalld is a utility that listens for remote wall requests. Wal...
File Transfer Protocol allows data connection hijacking via PASV mode race condition
Overview There is a vulnerability in the File Transfer Protocol (FTP) that allows an attacker to hijack FTP data connections when the client connects using passive mode (PASV). Description In FTP PASV mode, the client makes a control connection to the FTP server (typically port 21/tcp) and requests a...
sudo vulnerable to heap corruption via -p parameter
Overview Sudo is susceptible to a locally exploitable heap overflow vulnerability. Description Sudo is a common utility used to allow a system administrator to give users or groups of users rights to run certain programs as root or as another user. A locally exploitable heap overflow can lead to...
Apache HTTP Server on Win32 systems does not securely handle input passed to CGI programs
Overview A vulnerability in the Apache HTTP Server running on Win32 systems (Windows 9x/Me, Windows NT/2000/XP) could allow an attacker to execute commands with the privileges of the web server process. Description The Apache HTTP Server is a freely available web server that runs on a variety of...
Microsoft Internet Information Server (IIS) 4.0, 5.0, and 5.1 buffer overflow in chunked encoding transfer mechanism for ASP
Overview A buffer overflow vulnerability in IIS 4.0, 5.0, and 5.1 could allow an intruder to execute arbitrary code on an IIS server with the privileges of the ASP ISAPI extension. Description Chunked encoding is a means to transfer variable-sized units of data called chunks from a web client to ...
Microsoft Internet Information Server (IIS) vulnerable to heap overflow during processing of crafted ".htr" request by "ISM.DLL" ISAPI filter
Overview A buffer overflow in the HTR ISAPI extension on IIS servers could permit an intruder to interrupt the normal operation of IIS or possibly execute arbitrary code with the privileges of the HTR extension. Description HTR is a server-side scripting technology for IIS which has largely been...
Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in IIS Help Files search facility
Overview Visitors to web sites that use Microsoft IIS 5.0 and 5.1 are vulnerable to cross-site scripting attacks through the IIS help facility. Description Cross-site scripting is a form of attack in which an intruder leverages the trust between a victim and a web-site the victim trusts. Quoting...
Microsoft Internet Information Server (IIS) 4.0 and 5.0 buffer overflow in chunked encoding transfer mechanism for ASP
Overview A buffer overflow vulnerability in IIS 4.0 and 5.0 could allow an intruder to execute arbitrary code on an IIS server with the privileges of the ASP ISAPI extension. Description Chunked encoding is a means to transfer variable-sized units of data called chunks from a web client to a web...
Microsoft Internet Information Server (IIS) vulnerable to DoS via malformed FTP connection status request
Overview A vulnerability in IIS could allow an intruder to disrupt ordinary operations of both FTP and Web services on vulnerable IIS servers. Description IIS includes an FTP server. An intruder who sends a malformed request for the status of an existing connection could cause the IIS server to...
Microsoft Internet Information Server (IIS) buffer overflow in server-side includes (SSI) containing long invalid file name
Overview A buffer overflow in IIS could allow an intruder to execute arbitrary code with the privileges of ASP.DLL. Description Server-side include (SSI) files are files which reside on a web server and which are included by scripts, programs, or web pages. SSI files are often used to...
Microsoft Internet Information Server (IIS) vulnerable to buffer overflow via inaccurate checking of delimiters in HTTP header fields
Overview A buffer overflow in IIS could allow an intruder to execute arbitrary code with the privileges of the ASP ISAPI extension. Description Like all web servers, IIS parses HTTP headers and decomposes them into their constituent parts. As part of this processing, IIS checks for delimiters that a...
Microsoft Internet Information Server (IIS) vulnerable to DoS when URL request exceeds maximum allowed length
Overview Intruders may be able to cause the IIS service to fail by sending a particular kind of overly-long URL. Description ISAPI is a programming interface to IIS that can be used to modify or extend the behavior of IIS. Programs written using ISAPI are known as either filters or extensions,...
Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in redirect response messages
Overview Visitors to web sites that use Microsoft IIS and also issue redirect response messages are vulnerable to cross-site scripting attacks. Description Cross-site scripting is a form of attack in which an intruder leverages the trust between a victim and a web-site the victim trusts. Quoting...
Microsoft Internet Information Server (IIS) contains cross-site scripting vulnerability in HTTP error page results
Overview Visitors to web sites that use Microsoft IIS and also use the default error pages are vulnerable to cross-site scripting attacks. Description Cross-site scripting is a form of attack in which an intruder leverages the trust between a victim and a web-site the victim trusts. Quoting from...
Buffer overflow in Microsoft Windows Shell
Overview A remotely exploitable buffer overflow exists in the Microsoft Windows Shell. Description There is a buffer overflow in the Microsoft Windows Shell. The Shell provides the basic human-computer interface for Windows systems. Quoting from Microsoft Security Bulletin MS02-014: The Windows...
AOL Instant Messenger saves code embedded in image tag to conversation log which could be viewed/executed by a browser
Overview Certain leaked Alpha versions of AOL Instant Messenger (AIM) would log errors to a log file. By sending a crafted image file, it may be possible to execute arbitrary script/HTML in a victim's browser when they view the log files. Description AOL Instant Messenger has the ability...
AOL Instant Messenger vulnerable to DoS via crafted GIF file
Overview AOL Instant Messenger (AIM) is an application that allows one peer to communicate with another. A vulnerability exists that can crash the client of a victim. Description AIM allows users to send image files to one another. By sending a crafted GIF image, an attacker can cause the victim's...
AOL Instant Messenger vulnerable to denial of service via crafted file name
Overview AOL Instant Messenger (AIM) 4.1 and prior are vulnerable to a denial of service. The denial of service occurs when filenames that contain a "%s" are sent to a victim. Description AOL Instant Messenger (AIM) is a program for communicating with other users over the Internet. AIM...
AOL Instant Messenger contains buffer overflows in parsing of AIM URI handler requests
Overview AOL Instant Messenger (AIM) is an application that allows one peer to communicate with another. A buffer overflow vulnerability exists that can manipulate the configuration of the victim's client. Description AIM installs a URI handler that permits the use of the "aim:" protocol on the...
ibrow NewsDesk does not securely handle input passed to open()
Overview A vulnerability in ibrow NewsDesk allows an attacker to view files and execute operating system commands with the privileges of the web server. Description ibrow NewsDesk is a Perl CGI script that is designed to create and display news articles on a web site. The code for NewsDesk is...
IBM AIX Parallel Systems Support Program (PSSP) contains vulnerability in File Collections subsystem allowing arbitrary access to sensitive configuration files
Overview IBM AIX Parallel Systems Support Programs (PSSP) contains a vulnerability allowing unauthorized access to files in valid file collections. Description IBM PSSP software is used to provide a central point of management control for a cluster of RS/6000 SP nodes and IBM pSeries and IBM RS/600...
Linux kernel IP Masquerading "destination loose" (DLOOSE) configuration passes arbitrary UDP traffic
Overview The default configuration of the IP Masquerade feature of certain Linux 2.2 kernels may allow unsolicited inbound UDP packets to traverse a NAT gateway and reach a translated network. Description As defined in RFC 1631, Network Address Translation (NAT) provides a means to translate a loca...
Lotus Notes does not adequately secure databases thereby permitting arbitrary user to extract file attachments via NSFDbReadObject function call
Overview Lotus Domino Servers 5.x, 4.6x, and 4.5x allow users to associate objects with documents in a database. While these objects appear to be a part of the document, they are actually stored as separate files. A vulnerability exists by which an intruder could view these objects regardless of t...
Microsoft scriptlet.typlib ActiveX object unsafe for scripting from Internet Explorer
Overview The ActiveX control "scriptlet.typlib" is incorrectly marked "safe for scripting" in Internet Explorer (IE) versions 4.0 and 5.0, when it is actually unsafe for scripting. Description There exists a vulnerability in the default installation of an ActiveX control named "scriptlet.typlib,"...
Microsoft Internet Explorer does not adequately evaluate malformed URLs
Overview Microsoft Internet Explorer contains a serious vulnerability in its handling of zone determination. Description Microsoft Internet Explorer contains a vulnerability in the way in which it handles zone determination. Specifically, HTML scripts stored in cookies should be executed in the...
GnuPG contains format-string vulnerability in handling of encrypted data filename
Overview Some versions of Gnu Privacy Guard (GPG) contain a format-string vulnerability from improper handling of filenames when decrypting files. Description GPG is an OpenPGP-compliant alternative to PGP to protect electronic communications using public-key cryptography. Versions of GPG prior to...
Jana Server does not adequately validate user input thereby allowing directory traversal
Overview Jana Server contains a directory traversal vulnerability. Description Versions 1.4x of Jana Server, a web server for Windows developed by T. Hauck, do not properly filter requests for hexadecimal encodings of ".." (dot-dot) and allow directory traversal out of the HTTP document root...
Apache Web Server vulnerable to DoS via crafted HTTP request
Overview Some versions of the Apache Web server are vulnerable to denial-of-service attacks by crafted HTTP requests. Description A vulnerability exists in some versions of the Apache HTTPD Web Server running on Windows 98SE, Windows 2000 SP1, and OS/2. The vulnerability appears to be a bounds...
Netwin Surge FTP Server does not adequately validate user input thereby allowing directory traversal
Overview Surge FTP Server 2.0a contains a directory traversal vulnerability. Description Surge FTP Server 2.0a allows remote users to list files outside the FTP root directory. --- Impact Attackers may list files from directories to which access was not granted. --- Solution Upgrade to version...
Microsoft Internet Explorer Permits Remote Command Execution Through <OBJECT> Tag
Overview Microsoft Internet Explorer (IE) permits the remote execution of arbitrary commands via the <OBJECT> tag. Description A vulnerability exists in the way that Microsoft Internet Explorer (IE) handles <OBJECT> tags. If the CLASSID (CLSID) is unrecognized, then Internet Explorer will execute arbitrary commands...
ypbind contains buffer overflow
Overview The daemon ypbind on Solaris and SunOS contains a buffer overflow vulnerability. Description A buffer overflow vulnerability has been discovered in ypbind, a daemon that runs on all client and server machines running Solaris and SunOS and set up to use a Network Information Server (NIS). -
HP-UX kernel specifies incorrect arguments for setrlimit()
Overview A problem exists in some versions of the HP-UX kernel allowing an intruder to cause kernel panics. Description Certain versions of the HP-UX setrlimit system call contain a vulnerability that permits an intruder to cause kernel panics or compromise the system. Quoting from HP Security Bullet...
Microsoft SQL Server contains buffer overflows in openrowset and opendatasource macros
Overview Microsoft SQL Server contains several buffer overflows in "functions that are associated with connecting to remote data sources through 'ad hoc names.'" Description Microsoft SQL Server versions 7.0 and 2000 contain buffer overflows in the openrowset and opendatasource macros. By calling...
XDMCP leaks sensitive information by default configuration
Overview An information leakage vulnerability exists in the default configuration of the X Display Manager Control Protocol (XDMCP) daemon. Description On some operating systems, the X Display Manager Control Protocol (XDMCP) daemon is set to permit remote access to the local machine from any host...
Oracle9i Application Server PL/SQL Gateway web administration interface uses null authentication by default
Overview A vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle 9i Application Server (iAS). In its default configuration, the PL/SQL module grants unauthenticated access to the PL/SQL gateway web-based administration interface. Description...
Oracle9i Application Server Apache PL/SQL module vulnerable to buffer overflow via HTTP Location header
Overview A buffer overflow vulnerability exists in the Apache Procedural Language/Structured Query Language (PL/SQL) module used by Oracle9i Application Server (iAS). This vulnerability could allow an unauthenticated remote attacker to cause a denial of service or execute arbitrary code on the system...
Oracle 9iAS allows anonymous remote users to view sensitive Apache services by default
Overview Oracle Application Server 9iAS allows remote users to access several Apache services without authentication. Description Oracle Application Server 9iAS includes the Apache Web server and several Apache services. In the default install configuration, many of these services, including...
Oracle 9iAS SOAP components allow anonymous users to deploy applications by default
Overview Oracle Application Server 9iAS installs with Simple Object Access Protocol (SOAP) enabled by default and allows unauthenticated remote users to deploy and undeploy SOAP services and providers. Description Oracle Application Server 9iAS supports Simple Object Access Protocol (SOAP), an...
Double Free Bug in zlib Compression Library Corrupts malloc's Internal Data Structures
Overview There is a bug in the zlib compression library that may manifest itself as a vulnerability in programs that are linked with zlib. This may allow an attacker to conduct a denial-of-service attack, gather information, or execute arbitrary code. It is important to note that the CERT/CC has...
Oracle9i Application Server OWA_UTIL procedures expose sensitive information
Overview Oracle9i Application Server (iAS) provides a Procedural Language/Structured Query Language (PL/SQL) application package called OWA_UTIL that provides web access to a number of stored procedures. These procedures could be used by an attacker to view the source code of PL/SQL applications, obta...
OpenSSH contains a one-off overflow of an array in the channel handling code
Overview OpenSSH is a program used to provide secure connection and communications between clients and servers. Channels are used to segregate differing traffic between the client and the server. Description OpenSSH versions 2.0 - 3.0.2 contain a one-off overflow of an array in the code that handl...
Oracle 9iAS default configuration allows arbitrary users to view sensitive configuration files
Overview It is possible to read the "XSQLConfig.xml" and "soapConfig.xml" configuration files from an Oracle 9i Application Server under the default installation without any authorization. This can lead to an intruder gaining access to sensitive information about the server and potentially...