3695 matches found

CERT • added 2001/06/28

Microsoft Frontpage Server Remote Application Deployment (RAD) component vulnerable to buffer overflow via malformed packet sent to server component

Overview: Microsoft Frontpage Server Remote Application Deployment (RAD) component contains an unchecked buffer which can allow an intruder to execute arbitrary code with the privileges of IUSR_machinename or system. Description: A buffer overflow in the Microsoft Frontpage Server Remote Application...

CVSS 7.5 | AI score 7.5 | EPSS 0.45109 | Exploits: 1 | References: 3

CERT • added 2001/06/28

Oracle 8i contains buffer overflow in TNS Listener

Overview: A vulnerability in Oracle 8i allows intruders to assume control of the database server and/or the operating system on which the database server is running, depending on the platform used. Description: The COVERT labs at PGP Security have discovered a buffer overflow vulnerability in Oracl...

CVSS 10 | AI score 7.5 | EPSS 0.85201 | Exploits: 4 | References: 2

CERT • added 2001/06/28

AT&T WinVNC server contains buffer overflow in Log.cpp

Overview: A buffer overflow in the WinVNC server on Windows systems can allow an intruder to gain control of the VNC server and execute arbitrary code with the privileges of the user running the server. Description: AT&T WinVNC is a free software package available from AT&T Labs Cambridge that allo...

CVSS 10 | AI score 8 | EPSS 0.7073 | Exploits: 3 | References: 3

CERT • added 2001/06/27

Cisco IOS HTTP server authentication vulnerability allows remote attackers to execute arbitrary commands

Overview: A problem with the HTTP server component of Cisco IOS system software allows an intruder to execute privileged commands on Cisco routers if local authentication databases are used. Description: By sending a particular URL to a Cisco IOS device with the HTTP server enabled, a remote attack...

CVSS 9.3 | AI score 6.9 | EPSS 0.6845 | Exploits: 8 | References: 5

CERT • added 2001/06/22

ScreamingMedia SITEware does not adequately validate user input thereby allowing arbitrary file disclosure via directory traversal

Overview: A vulnerability exists in ScreamingMedia's SiteWare Editor's Desktop that allows an intruder to read arbitrary files within the SiteWare web hierarchy. Description: SiteWare Editor's Desktop is a web-based administration tool for manipulating ScreamingMedia content on a SiteWare web serve...

CVSS 10 | AI score 6.1 | EPSS 0.14967 | Exploits: 1 | References: 4

CERT • added 2001/06/22

tcpdump vulnerable to buffer overflow via parsing of AFS ACL packets

Overview: Tcpdump version 3.5 contains a buffer overflow vulnerability permitting unauthorized remote root access. Description: Tcpdump version 3.5 added support for handling AFS packets. Unfortunately the code responsible for printing AFS access control lists contains an unchecked buffer that can ...

CVSS 10 | AI score 7.7 | EPSS 0.05979 | Exploits: 0 | References: 2

CERT • added 2001/06/21

Solaris Line Printer Daemon (in.lpd) vulnerable to buffer overflow via transfer job routine

Overview: A buffer overflow exists in the Solaris line printer daemon in.lpd that may allow a remote intruder to execute arbitrary code with the privileges of the running in.lpd. This daemon runs with root privileges by default on all recent versions of Solaris. Description: The Solaris in.lpd...

CVSS 10 | AI score 7.4 | EPSS 0.03695 | Exploits: 0 | References: 4

CERT • added 2001/06/21

Hewlett Packard OpenView and Tivoli NetView do not adequately validate SNMP trap arguments

Overview: Hewlett Packard's HP OpenView and Tivoli NetView are system management software packages. There is a vulnerability in a component of these packages, ovactiond, that allows intruders to execute arbitrary commands as user bin. This may subsequently lead to a root compromise. Description: HP...

CVSS 10 | AI score 7 | EPSS 0.26195 | Exploits: 1 | References: 3

CERT • added 2001/06/19

Microsoft Index Server/Indexing Service used by IIS 4.0/5.0 contains unchecked buffer used when encoding double-byte characters

Overview: A vulnerability exists in the Indexing services used by Microsoft IIS 4.0 and IIS 5.0 running on Windows NT, Windows 2000, and beta versions of Windows XP. Exploitation of this vulnerability allows a remote intruder to run arbitrary code on the victim machine. Description: There is a...

CVSS 10 | AI score 7.2 | EPSS 0.96731 | Exploits: 5 | References: 7

CERT • added 2001/06/18

DNS implementations vulnerable to denial-of-service attacks via malformed DNS queries

Overview: Incorrect decoding of malformed DNS packets causes certain DNS implementations to hang or crash. Description: RFC 1035 (DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION) defines a mechanism for conserving bytes in a DNS query or reply packet by avoiding repetition of character strings ("labels")...

CVSS 5 | AI score 6.2 | EPSS 0.07576 | Exploits: 1 | References: 12

CERT • added 2001/06/18

man 'makewhatis' insecurely uses /tmp

Overview: The 'makewhatis' script in the Linux man package allows local users to overwrite files via a symlink attack. Description: The 'makewhatis' program is a Bourne shell script that ships with many Linux distributions in the 'man' package of programs. The 'makewhatis' script creates files in t...

CVSS 7.2 | AI score 6.2 | EPSS 0.00398 | Exploits: 0 | References: 5

CERT • added 2001/06/15

Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "%3F+.htr"

Overview: A vulnerability exists in Microsoft Internet Information Server (IIS) in which a crafted HTTP GET request may return the contents of a file on the affected server. A possible target of such a request might be a script that should only be executable, not readable, by unauthenticated remote users. The...

CVSS 5 | AI score 6.5 | EPSS 0.28215 | Exploits: 0 | References: 2

CERT • added 2001/06/15

Microsoft Internet Information Server (IIS) discloses contents of files via crafted request containing "+.htr"

Overview: A vulnerability exists in Microsoft Internet Information Server (IIS) that could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable to remote users. Sensitive information contained in CGI-type...

CVSS 5 | AI score 6.4 | EPSS 0.68445 | Exploits: 0 | References: 3

CERT • added 2001/06/13

AT&T WinVNC client authentication process vulnerable to man-in-the-middle attack

Overview: WinVNC's challenge/response mechanism can allow an intruder to obtain legitimate credentials from a valid client in order to gain unauthorized access to the server. Description: AT&T WinVNC is a free package available from AT&T Labs Cambridge that allows an existing desktop of a PC to be...

AI score 7.2 | Exploits: 0 | References: 4

CERT • added 2001/06/13

SSH1 may generate weak passphrase when using Secure RPC

Overview: The secure-RPC feature of the SSH1 client in Solaris sometimes encrypts the SSH private key file with a weak passphrase, which can be determined by an attacker and used to recover the SSH private keys. Other versions of the SSH client running on non-Solaris platforms are not affected by...

CVSS 3.6 | AI score 5.9 | EPSS 0.00842 | Exploits: 1 | References: 4

CERT • added 2001/06/13

Robtex Viking Web Server permits traversal out of HTTP docs root directory

Overview: Viking v1.07 is a 'multi-protocol-internet-server' available from http://www.robtex.com. A vulnerability exists with this web server which allows a remote user to see any file on the server with read permissions enabled. Description: Viking v1.07 does not stop requests which traverse the...

CVSS 5 | AI score 6.3 | EPSS 0.03757 | Exploits: 1 | References: 2

CERT • added 2001/06/08

gpm creates temporary files insecurely

Overview: gpm version 1.19.3, which usually runs as root, is vulnerable due to a flaw that allows a local user to exploit a race condition to corrupt files that gpm uses. Description: gpm (General Purpose Mouse) is a program that lets you use the mouse in console mode when not using XWindows. It is...

CVSS 1.2 | AI score 5.9 | EPSS 0.00298 | Exploits: 0 | References: 5

CERT • added 2001/06/07

Microsoft Internet Explorer (IE) permits modification of URL displayed in address bar

Overview: A vulnerability exists in Microsoft Internet Explorer which could enable an attacker to spoof trusted web sites. Description: A vulnerability exists in Microsoft Internet Explorer. This vulnerability could enable a web page to display the URL from a different web site in the IE...

CVSS 7.5 | AI score 7.2 | EPSS 0.15026 | Exploits: 0 | References: 2

CERT • added 2001/06/01

Hewlett-Packard MPE/iX linkeditor permits privilege escalation

Overview: There is a problem with the MPE/iX linkeditor that may allow an attacker to gain system manager privileges. Description: The problem affects HP3000 systems running MPE/iX versions 5.5 through 6.5. HP has published a security bulletin describing the solution to this vulnerability...

CVSS 4.6 | AI score 6.2 | EPSS 0.00471 | Exploits: 0

CERT • added 2001/06/01

Hewlett-Packard MPE/iX NM Debug does not always handle breakpoints correctly

Overview: There is a problem in the NM Debug facility of MPE/iX that allows users to gain unauthorized privileges. Description: The problem affects HP3000 systems running MPE/iX versions 5.5 through 6.5. HP has published a security bulletin describing the solution to this vulnerability...

CVSS 7.2 | AI score 6.2 | EPSS 0.00509 | Exploits: 0

CERT • added 2001/06/01

RIT Research Labs The Bat! does not properly parse <CR> characters not followed by a <LF> character

Overview: Due to a problem parsing carriage return/line feeds in RFC822 format mail messages, The Bat! mail client may prematurely detect the end of a mail message, causing an error to occur. This error may prevent the mail user from retrieving other mail messages until the message with the error ...

CVSS 5 | AI score 6 | EPSS 0.03213 | Exploits: 1 | References: 4

CERT • added 2001/05/30

Due to insecure creation of configuration files via KApplication-class, local users can create arbitrary files when running setuid root KDE programs

Overview: KApplication-class, a class used to create KDE applications, creates configuration files without checking for proper ownership or prior existence. Description: KApplication-class, a class used to create KDE applications, creates configuration files. These files are created in a local...

CVSS 7.2 | AI score 6.1 | EPSS 0.01181 | Exploits: 1 | References: 2

CERT • added 2001/05/30

KDE KFM creates temporary files insecurely

Overview: KDE's kfm creates and uses temporary cache directories insecurely. Description: kfm, the KDE File Manager, creates a cache directory for each user. This directory is placed in /tmp and predictably named, based on the UID. These directories are created without checking for correct ownershi...

CVSS 4.6 | AI score 6.6 | EPSS 0.00562 | Exploits: 0 | References: 1

CERT • added 2001/05/25

Linux gpm daemon allows arbitrary file removal

Overview: gpm version 1.19.2 and earlier are vulnerable due to a flaw that allows a local user to delete arbitrary files. Description: gpm (General Purpose Mouse) is the program that lets you use the mouse in console mode when not using XWindows. It is usually included in Linux distributions, and can...

CVSS 3.6 | AI score 6.1 | EPSS 0.00418 | Exploits: 1 | References: 9

CERT • added 2001/05/25

Microsoft Internet Information Server (IIS) discloses contents of files via crafted request for .htr file

Overview: A vulnerability exists in Microsoft Internet Information Server (IIS) which could disclose sensitive information contained in CGI-type files. Typically a CGI/script file on a web server should only be executable and not readable by remote users. Sensitive information contained in such a fi...

CVSS 7.5 | AI score 6.2 | EPSS 0.52751 | Exploits: 0 | References: 5

CERT • added 2001/05/22

Microsoft Index Server contains buffer overflow

Overview: A buffer overflow exists in Microsoft Index Server 2.0, which may allow remote attackers to execute code with administrative privileges. Description: Microsoft Index Server 2.0 is a tool for building an index of a web site to permit efficient searches. An intruder who can authenticate to...

CVSS 7.5 | AI score 7.6 | EPSS 0.14727 | Exploits: 0 | References: 4

CERT • added 2001/05/21

gpm-root fails to correctly release GID 0 membership for user defined menus

Overview: gpm-root does not properly drop group privileges. Local users can gain group privileges by starting a utility from gpm-root. The gpm package is usually included in Linux distributions, and can be started from the command line or in the startup script /etc/rc.d/rc.local. Description: gpm...

CVSS 7.2 | AI score 7.1 | EPSS 0.00805 | Exploits: 0 | References: 3

CERT • added 2001/05/17

Oliver Debon Flash plug-in vulnerable to buffer overflow processing incorrectly formatted sound file

Overview: When passed an incorrectly formatted sound file, the Oliver Debon freeware Flash plug-in is reportedly vulnerable to a buffer overflow. Description: The DefineSound tag in a sound file passes data to a Flash plug-in. If this tag specifies fewer samples than are actually present in the dat...

CVSS 7.6 | AI score 7.1 | EPSS 0.06361 | Exploits: 1 | References: 1

CERT • added 2001/05/17

Internet Explorer incorrectly validates certificates when CRL checking is enabled

Overview: Microsoft Internet Explorer (IE) fails to properly validate certificates when CRL checking is enabled. As a result, sensitive information may be exposed. Description: Digital certificates are small documents used to authenticate and encrypt information transmitted over the Internet. One ver...

CVSS 5.1 | AI score 5.8 | EPSS 0.05321 | Exploits: 0 | References: 8

CERT • added 2001/05/17

Microsoft Windows 2000 Kerberos service vulnerable to DoS via repeated invalid requests

Overview: A core service of Microsoft Windows 2000 domain controllers fails to correctly handle certain invalid requests. After receiving a number of invalid requests, the domain controller may have to be rebooted to return it to correct operation. A disabled domain controller can interfere with t...

CVSS 5 | AI score 6.4 | EPSS 0.20025 | Exploits: 0 | References: 6

CERT • added 2001/05/17

ld.so fails to unset LD_PRELOAD before executing suid root programs

Overview: ld.so fails to unset LD_PRELOAD before executing suid root programs, allowing loading of insecure or malicious libraries. Description: ld.so, the UNIX/LINUX dynamic loader, fails in some conditions and some operating system releases to unset LD_PRELOAD before loading suid root programs for...

CVSS 7.2 | AI score 6.9 | EPSS 0.01232 | Exploits: 1 | References: 1

CERT • added 2001/05/17

glibc unsetenv fails to properly handle environment variables passed more than once to a program

Overview: The glibc implementation of unsetenv fails to properly remove one of two successive occurrences of the same environment variable if the variable is redundantly passed to a program. Description: The glibc implementation of unsetenv, if called to remove an environment variable that occurs t...

CVSS 7.2 | AI score 6 | EPSS 0.01232 | Exploits: 1 | References: 2

CERT • added 2001/05/17

Macromedia Flash plug-in contains buffer overflow

Overview: Incorrectly formatted sound wave (SWF) files may cause a buffer overflow in the Macromedia Flash plug-in. Description: If the length fields in an SWF file specify fewer data than are actually present in the file, processing the file may cause a buffer overflow in the Macromedia Flash plug-i...

CVSS 7.6 | AI score 7.1 | EPSS 0.01704 | Exploits: 0 | References: 1

CERT • added 2001/05/17

KDE2 kdesu 'keep password' option does not verify socket listener potentially exposing su password

Overview: kdesu is an interactive interface to the substitute user (su) command for the KDE environment. To pass authentication information, it creates a file that may be read by unauthorized users. Description: kdesu communicates with su using a socket, implemented as a file in /tmp with a predictabl...

CVSS 2.1 | AI score 6.3 | EPSS 0.00362 | Exploits: 0 | References: 6

CERT • added 2001/05/16

SEDUM HTTP server permits directory traversal

Overview: The SEDUM web server permits intruders to access files outside the web root. Description: The SEDUM Web Server permits intruders to access files outside the web root using a GET request containing ".." (dot dot). This can expose files including files with sensitive information to exposure b...

CVSS 5 | AI score 6.2 | EPSS 0.10776 | Exploits: 1 | References: 3

CERT • added 2001/05/15

IIS decodes filenames superfluously after applying security checks

Overview: Microsoft IIS decodes filenames after applying security checks, allowing an attacker to execute commands. Description: To accommodate complex URIs, RFC 2396 specifies a means to encode arbitrary octets using hexadecimal characters and the percent sign (%). Quoting from RFC 2396: An escaped...

CVSS 7.5 | AI score 6.8 | EPSS 0.9077 | Exploits: 8 | References: 8

CERT • added 2001/05/14

glibc does not check SUID bit on libraries in /etc/ld.so.cache

Overview: The GNU libc library fails to perform a check for the SETUID bit for cached libraries in the /etc/ld.so.cache file. As a result, malicious users may create or modify privileged files. Description: The GNU libc library allows preloading libraries via the LD_PRELOAD environment variable,...

CVSS 2.1 | AI score 5.8 | EPSS 0.00861 | Exploits: 0 | References: 10

CERT • added 2001/05/14

Lotus Notes Java VM leaks file existence through timing difference in ECLs

Overview: Lotus Notes JVM leaks information about the existence of a file. Description: A malicious Java applet run in the Lotus Notes web browser can determine if a local file exists. Notes' preferences must be set to browse the web using the Notes browser, with execution of Java applets...

CVSS 5 | AI score 6.1 | EPSS 0.02886 | Exploits: 1 | References: 4

CERT • added 2001/05/11

ISC BIND 8.2.2-P6 vulnerable to DoS when processing SRV records, aka the "srv bug"

Overview: There is a denial-of-service vulnerability in several versions of the Internet Software Consortium's (ISC) BIND software. This vulnerability is referred to by the ISC as the "srv bug" and affects ISC BIND versions 8.2 through 8.2.2-P6. Description: This vulnerability can cause affected DNS...

CVSS 5 | AI score 6.3 | EPSS 0.07548 | Exploits: 0 | References: 2

CERT • added 2001/05/10

AT&T WinVNC allows user access to passwords and configuration via weak registry permissions

Overview: The default installation of WinVNC on certain Microsoft Windows systems permits unauthenticated access to the WinVNC service. Description: AT&T WinVNC is a free package available from AT&T Labs Cambridge that allows an existing desktop of a PC to be available on the desktop of a remote...

CVSS 9 | AI score 6.4 | EPSS 0.01505 | Exploits: 0 | References: 3

CERT • added 2001/05/10

Cisco IOS vulnerable to DoS via unrecognized transitive attribute in BGP UPDATE

Overview: There is a denial-of-service vulnerability in several specific but common configurations of Cisco IOS. Description: There is a problem involving BGP updates on Cisco routers with BGP4 Prefix Filtering and Inbound Route Maps enabled. A route update with an unrecognized transitive attribute...

CVSS 5 | AI score 6.3 | EPSS 0.02361 | Exploits: 0 | References: 4

CERT • added 2001/05/09

Microsoft Windows 2000 Service Control Manager creates predictably named pipes

Overview: A vulnerability exists in the Microsoft Windows 2000 Service Control Manager which could allow local users to gain control of the system. Description: A vulnerability exists in the Service Control Manager (SCM) function. This function creates named pipes for system services. More informatio...

CVSS 4.6 | AI score 6.5 | EPSS 0.04411 | Exploits: 1 | References: 4

CERT • added 2001/05/09

SGI IRIX Embedded Support Partner (ESP) service rpc.espd contains buffer overflow

Overview: There is a remotely-accessible buffer overflow in SGI IRIX systems running rpc.espd that may allow remote attackers to execute arbitrary code. The Embedded Support Partner daemon (rpc.espd) is enabled by default on all IRIX versions since 6.5.5. Description: The Embedded Support Partner...

CVSS 7.5 | AI score 8.2 | EPSS 0.03274 | Exploits: 0 | References: 3

CERT • added 2001/05/07

Sun Solaris sadmind buffer overflow in amsl_verify when requesting NETMGT_PROC_SERVICE

Overview: The sadmind program can be used to perform distributed system administration operations remotely using RPC. A stack buffer overflow in sadmind may be exploited by a remote attacker to execute arbitrary instructions and gain root access. Description: The sadmind program is installed by...

CVSS 10 | AI score 7.5 | EPSS 0.12634 | Exploits: 0 | References: 1

CERT • added 2001/05/06

Dallas Semiconductor iButton DS1991 vulnerable to dictionary attack

Overview: The Dallas Semiconductor iButton DS1991 is vulnerable to a dictionary attack, allowing an intruder to recover passwords. Description: The Dallas Semiconductor iButton DS1991 stores 1 kilobyte of data in 3 separate password-protected areas. It includes functionality intended to prevent...

AI score 6.8 | Exploits: 0 | References: 2

CERT • added 2001/05/06

Sun Solaris SNMP proxy agent /opt/SUNWssp/bin/snmpd contains buffer overflow

Overview: The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges. Description: The Sun Enterprise 10000 is monitored and controlled by a system called ...

CVSS 7.2 | AI score 7.1 | EPSS 0.00388 | Exploits: 0 | References: 2

CERT • added 2001/05/05

NewsDaemon does not adequately filter user input to $user_username

Overview: NewsDaemon prior to version 0.21b contains a vulnerability allowing remote attackers to gain administrative access to the web site. Description: NewsDaemon is a PHP-based tool used to allow readers to submit and comment on news items and stories over the web. It also allows for...

CVSS 7.5 | AI score 6.5 | EPSS 0.01771 | Exploits: 1 | References: 3

CERT • added 2001/05/04

Sun Solaris mailx contains buffer overflow via -F option

Overview: A buffer overflow in the mailx program on Solaris systems can allow an intruder to execute code with the privileges of the mail group. Description: A buffer overflow in the -F option of the mailx program on Solaris systems may allow an intruder to execute code with the privileges of the...

CVSS 4.6 | AI score 7 | EPSS 0.01282 | Exploits: 1

CERT • added 2001/05/04

Hewlett Packard HP-UX text editors contain buffer overflow

Overview: A buffer overflow in the text editor on certain Hewlett-Packard systems could compromise system availability. Description: Various text editing programs on HP systems that rely upon the same facilities, including e, ex, vi, edit, view, and vedit, contain a buffer overflow that could...

AI score 7.5 | Exploits: 0

CERT • added 2001/05/03

Microsoft Visual Studio VB-TSQL debugger object vbsdicli.exe contains buffer overflow via NewSPID method

Overview: A vulnerability in an object included with Visual Studio 6.0 Enterprise Edition may allow an attacker to execute code with the privileges of an interactively logged in user. Description: The VB-TSQL debugger object included in Visual Studio 6.0 Enterprise Edition contains a buffer overflo...

CVSS 7.5 | AI score 7.1 | EPSS 0.12367 | Exploits: 0 | References: 3

Total number of security vulnerabilities: 3695