6585 matches found
mksh -- TTY attachment privilege escalation
Secunia reports: The vulnerability is caused due to an error when attaching to a TTY via the -T command line switch. This can be exploited to execute arbitrary commands with the privileges of the user running mksh via characters previously written to the attached virtual console...
swfdec -- exposure of sensitive information
Secunia reports: A vulnerability has been reported in swfdec, which can be exploited by malicious people to disclose sensitive information. The vulnerability is caused due to swfdec not properly restricting untrusted sandboxes from reading local files, which can be exploited to disclose the conte...
opera -- multiple vulnerabilities
Opera Software reports of multiple security issues in Opera. All of them can lead to arbitrary code execution. Details are as the following: Newsfeed prompt can cause Opera to execute arbitrary code Resized canvas patterns can cause Opera to execute arbitrary code...
zenphoto -- XSS vulnerability
zenphoto project reports: A new zenphoto version is now available. This release contains security fixes for HTML, XSS, and SQL injection vulnerabilities...
IRC Services-- Denial of Service Vulnerability
Secunia reports: A vulnerability has been reported in IRC Services, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to the improper handling of overly long passwords within the "defaultencrypt" function in encrypt.c and can be exploited to...
FreeBSD -- Predictable query ids in named(8)
Problem Description: When named8 is operating as a recursive DNS server or sending NOTIFY requests to slave DNS servers, named8 uses a predictable query id. Impact: An attacker who can see the query id for some requests sent by named8 is likely to be able to perform DNS cache poisoning by...
findutils -- GNU locate heap buffer overrun
James Youngman reports: When GNU locate reads filenames from an old-format locate database, they are read into a fixed-length buffer allocated on the heap. Filenames longer than the 1026-byte buffer can cause a buffer overrun. The overrunning data can be chosen by any person able to control the...
FreeBSD -- heap overflow in file(1)
Problem Description: When writing data into a buffer in the fileprintf function, the length of the unused portion of the buffer is not correctly tracked, resulting in a buffer overflow when processing certain files. Impact: An attacker who can cause file1 to be run on a maliciously constructed...
php -- multiple vulnerabilities
The PHP development team reports: Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7: Fixed CVE-2007-1001, GD wbmp used with invalid image size Fixed asciiz byte truncation inside mail Fixed a bug in mbparsestr that can be used to activate registerglobals Fixed unallocated memory...
qemu -- several vulnerabilities
The Debian Security Team reports: Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1320Tavis Ormandy...
samba -- format string bug in afsacl.so VFS plugin
The Samba Team reports: NOTE: This security advisory only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module. The source defect results in the name of a file stored on disk being used as the form...
mplayer -- buffer overflow in the code for RealMedia RTSP streams.
A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array, but no boundary checks are performed. This may lead to a buffer overflow if the user is tricked into connecting to a...
vtiger -- multiple remote file inclusion vulnerabilities
Dedi Dwianto a.k.a theday reports: Input passed to the "$calpath" parameter in update.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources...
OpenSSL -- Multiple problems in crypto(3)
Problem Description: Several problems have been found in OpenSSL: During the parsing of certain invalid ASN1 structures an error condition is mishandled, possibly resulting in an infinite loop. A buffer overflow exists in the SSLgetsharedciphers function. A NULL pointer may be dereferenced in the...
gtetrinet -- remote code execution
The Debian Security Team reports: Michael Gehring discovered several potential out-of-bounds index accesses in gtetrinet, a multiplayer Tetris-like game, which may allow a remote server to execute arbitrary code...
twiki -- multiple file extensions file upload vulnerability
A TWiki Security Alert reports: The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allows additional file suffixes, such as .php.en,...
MySQL -- SQL-injection security vulnerability
MySQL reports: An SQL-injection security hole has been found in multibyte encoding processing. An SQL-injection security hole can include a situation whereby when inserting user supplied data into a database, the user might inject his own SQL statements that the server will execute. With regards ...
libxine -- multiple buffer overflow vulnerabilities
The libxine development team reports that several vulnerabilities had been found in the libxine library. The first vulnerability is caused by improper checking of the src/input/libreal/real.c "realparsesdp" function. A remote attacker could exploit this by tricking an user to connect to a...
lifetype -- ADOdb "server.php" Insecure Test Script Security Issue
Secunia reports: A security issue has been discovered in LifeType, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system. The problem is caused due to the presence of the insecure "server.php" test script...
clamav -- Multiple Vulnerabilities
Secunia reports: Some vulnerabilities have been reported in ClamAV, which potentially can be exploited by malicious people to cause a DoS Denial of Service and compromise a vulnerable system. An unspecified integer overflow error exists in the PE header parser in "libclamav/pe.c". Successful...
GnuPG does not detect injection of unsigned data
Werner Koch reports: In the aftermath of the false positive signature verfication bug announced 2006-02-15 more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of gpg for verification of signatures which are not detached...
SSH.COM SFTP server -- format string vulnerability
SSH Communications Security Corp reports a format string vulnerability in their SFTP server. This vulnerability could cause a user with SCP/SFTP access only to get permission to execute also other commands. It could also allow user A to create a special file that when accessed by user B allows us...
perl, webmin, usermin -- perl format string integer wrap vulnerability
The Perl Development page reports: Dyad Security recently released a security advisory explaining how in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. This was...
evolution -- remote format string vulnerabilities
A SITIC Vulnerability Advisory reports: Evolution suffers from several format string bugs when handling data from remote sources. These bugs lead to crashes or the execution of arbitrary assembly language code. The first format string bug occurs when viewing the full vCard data attached to an...
zlib -- buffer overflow vulnerability
Problem Description An error in the handling of corrupt compressed data streams can result in a buffer being overflowed. Impact By carefully crafting a corrupt compressed data stream, an attacker can overwrite data structures in a zlib-using application. This may cause the application to halt,...
leafnode -- denial of service vulnerability
Matthias Andree reports: A vulnerability was found in the fetchnews program the NNTP client that may under some circumstances cause a wait for input that never arrives, fetchnews "hangs". ... As only one fetchnews program can run at a time, subsequently started fetchnews and texpire programs will...
gaim -- remote crash on some protocols
The GAIM team reports that GAIM is vulnerable to a denial-of-service vulnerability which can cause GAIM to crash: It is possible for a remote user to overflow a static buffer by sending an IM containing a very large URL greater than 8192 bytes to the Gaim user. This is not possible on all...
gzip -- directory traversal and permission race vulnerabilities
Problem Description Two problems related to extraction of files exist in gzip: The first problem is that gzip does not properly sanitize filenames containing "/" when uncompressing files using the -N command line option. The second problem is that gzip does not set permissions on newly extracted...
wordpress -- multiple vulnerabilities
A Gentoo Linux Security Advisory reports: Due to a lack of input validation, WordPress is vulnerable to SQL injection and XSS attacks. An attacker could use the SQL injection vulnerabilities to gain information from the database. Furthermore the cross-site scripting issues give an attacker the...
openoffice -- DOC document heap overflow vulnerability
AD-LAB reports that a heap-based buffer overflow vulnerability exists in OpenOffice's handling of DOC documents. When reading a DOC document 16 bit from a 32 bit integer is used for memory allocation, but the full 32 bit is used for further processing of the document. This can allow an attacker t...
mysql-server -- multiple remote vulnerabilities
SecurityFocus reports: MySQL is reported prone to an insecure temporary file creation vulnerability. Reports indicate that an attacker that has 'CREATE TEMPORARY TABLE' privileges on an affected installation may leverage this vulnerability to corrupt files with the privileges of the MySQL process...
phpbb -- multiple vulnerabilities
phpBB is vulnerable to remote exploitation of an input validation vulnerability allows attackers to read the contents of arbitrary system files under the privileges of the webserver. This also allows remote attackers to unlink arbitrary system files under the privileges of the webserver...
putty -- pscp/psftp heap corruption vulnerabilities
Simon Tatham reports: This version fixes a security hole in previous versions of PuTTY, which can allow a malicious SFTP server to attack your client. If you use either PSCP or PSFTP, you should upgrade. Users of the main PuTTY program are not affected. However, note that the server must have...
unace -- multiple vulnerabilities
Ulf Härnhammar reports: There are buffer overflows when extracting, testing or listing specially prepared ACE archives. There are directory traversal bugs when extracting ACE archives. There are also buffer overflows when dealing with long 17000 characters command line arguments. Secunia reports:...
postgresql -- multiple buffer overflows in PL/PgSQL parser
The PL/PgSQL parser in postgresql is vulnerable to several buffer overflows. These could be exploited by a remote attacker to execute arbitrary code with the permissions of the postgresql server by running a specially crafted query...
squirrelmail -- XSS and remote code injection vulnerabilities
A SquirrelMail Security Advisory reports: SquirrelMail 1.4.4 has been released to resolve a number of security issues disclosed below. It is strongly recommended that all running SquirrelMail prior to 1.4.4 upgrade to the latest release. Remote File Inclusion Manoel Zaninetti reported an issue in...
mysql-scripts -- mysqlaccess insecure temporary file creation
The Debian Security Team reports: Javier Fernández-Sanguino Peña from the Debian Security Audit Project discovered a temporary file vulnerability in the mysqlaccess script of MySQL that could allow an unprivileged user to let root overwrite arbitrary files via a symlink attack and could also coul...
helvis -- arbitrary file deletion problem
The setuid root elvprsv utility, used to preserve recovery helvis files, can be abused by local users to delete with root privileges. The problem is that elvprsv deletes files when it thinks they have become corrupt. When elvprsv is pointed to a normal file then it will almost always think the fi...
zip -- long path buffer overflow
A HexView security advisory reports: When zip performs recursive folder compression, it does not check for the length of resulting path. If the path is too long, a buffer overflow occurs leading to stack corruption and segmentation fault. It is possible to exploit this vulnerability by embedding ...
cyrus-sasl -- dynamic library loading and set-user-ID applications
The Cyrus SASL library, libsasl, contains functions which may load dynamic libraries. These libraries may be loaded from the path specified by the environmental variable SASLPATH, which in some situations may be fully controlled by a local attacker. Thus, if a set-user-ID application such as chsh...
libxine -- DVD subpicture decoder heap overflow
A xine security announcement states: A heap overflow has been found in the DVD subpicture decoder of xine-lib. This can be used for a remote heap overflow exploit, which can, on some systems, lead to or help in executing malicious code with the permissions of the user running a xine-lib based med...
samba3 DoS attack
Code found in nmbd and smbd may allow a remote attacker to effectively crash the nmbd server or use the smbd server to exhaust the system memory...
courier-imap -- format string vulnerability in debug mode
An iDEFENSE security advisory describes a format string vulnerability that could be exploited when Courier-IMAP is run in debug mode DEBUGLOGIN set...
squid -- NTLM authentication denial-of-service vulnerability
A remote attacker is able to cause a denial-of-service situation, when NTLM authentication is enabled in squid. NTLM authentication uses two functions which lack correct offset checking...
MoinMoin administrative group name privilege escalation vulnerability
A serious flaw exists in the MoinMoin software which may allow a malicious user to gain access to unauthorized privileges...
lha buffer overflows and path traversal issues
Ulf Härnhammar discovered several vulnerabilities in LHa for UNIX's path name handling code. Specially constructed archive files may cause LHa to overwrite files or execute arbitrary code with the privileges of the user invoking LHa. This could be particularly harmful for automated systems that...
squid -- HTTP response splitting cache pollution attack
According to a whitepaper published by Sanctum, Inc., it is possible to mount cache poisoning attacks against, among others, squid proxies by inserting false replies into the HTTP stream. The squid patches page notes: This patch additionally strengthens Squid from the HTTP response attack describ...
metamail format string bugs and buffer overflows
Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile, PrintHeader, and ShareThisHeader. These vulnerabilities could be triggered by a maliciously formatted email message if metamail' or splitmail' is used to proce...
L2TP, ISAKMP, and RADIUS parsing vulnerabilities in tcpdump
Jonathan Heusser discovered vulnerabilities in tcpdump's L2TP, ISAKMP, and RADIUS protocol handlers. These vulnerabilities may be used by an attacker to crash a running tcpdump' process...
mailman XSS in create script
From the 2.1.3 release notes: Closed a cross-site scripting exploit in the create cgi script...