6583 matches found
PowerDNS -- Denial of Service Vulnerability
The PowerDNS Team reports: Using well crafted UDP packets, one or more PowerDNS servers could be made to enter a tight packet loop, causing temporary denial of service...
FreeBSD -- pam_ssh() does not validate service names
Problem Description: Some third-party applications, including KDE's kcheckpass command, allow the user to specify the name of the policy on the command line. Since OpenPAM treats the policy name as a path relative to /etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run such an...
unbound -- denial of service vulnerabilities from nonstandard redirection and denial of existence
Unbound developer reports: Unbound crashes when confronted with a non-standard response from a server for a domain. This domain produces duplicate RRs from a certain type and is DNSSEC signed. Unbound also crashes when confronted with a query that eventually, and under specific circumstances,...
kdeutils4 -- Directory traversal vulnerability
Tim Brown from Nth Dimention reports: I recently discovered that the Ark archiving tool is vulnerable to directory traversal via malformed. When attempts are made to view files within the malformed Zip file in Ark's default view, the wrong file may be displayed due to incorrect construction of th...
FreeBSD -- Buffer overflow in handling of UNIX socket addresses
Problem Description: When a UNIX-domain socket is attached to a location using the bind2 system call, the length of the provided path is not validated. Later, when this address was returned via other system calls, it is copied into a fixed-length buffer. Linux uses a larger socket address structu...
stunnel -- heap corruption vulnerability
Michal Trojnara reports: Version 4.42, 2011.08.18, urgency: HIGH: Fixed a heap corruption vulnerability in versions 4.40 and 4.41. It may possibly be leveraged to perform DoS or remote code execution attacks...
OTRS -- Vulnerabilities in OTRS-Core allows read access to any file on local file system
OTRS Security Advisory reports: An attacker with valid session and admin permissions could get read access to any file on the servers local operating system. For this it would be needed minimum one installed OTRS package...
Subversion -- multiple vulnerabilities
Subversion team reports: Subversion's moddavsvn Apache HTTPD server module will dereference a NULL pointer if asked to deliver baselined WebDAV resources. This can lead to a DoS. An exploit has been tested, and tools or users have been observed triggering this problem in the wild. Subversion's...
sudo -- Secure path vulnerability
Todd Miller reports: Most versions of the C library function getenv return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell bash, do their own environment parsing and may choose the last instance of a variable rather than the...
ziproxy -- atypical huge picture files vulnerability
Ziproxy 3.0.1 release fixes a security vulnerability related to atypical huge picture files 4GB of size once expanded...
mediawiki -- authenticated CSRF vulnerability
A MediaWiki security announcement reports: MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website. If the wiki is configured to allow user scripts, say with...
drupal -- cross site scripting
Drupal Security Team reports: When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input. Certain byte...
drupal6-cck -- cross-site scripting
Drupal CCK plugin developer reports: The Node reference and User reference sub-modules, which are part of the Content Construction Kit CCK project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate...
trac -- potential DOS vulnerability
Trac development team reports: 0.11.2 is a new stable maintenance release. It contains several security fixes and everyone is recommended to upgrade their installations. Bug fixes: Fixes potential DOS vulnerability with certain wiki markup...
habari -- Cross-Site Scripting Vulnerability
Secunia reports: Input passed via the "habariusername" parameter when logging in is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site...
mantis -- session hijacking vulnerability
The mantis Team reports: When configuring a web application to use only ssl e. g. by forwarding all http-requests to https, a user would expect that sniffing and hijacking the session is impossible. Though, for this to be secure, one needs to set the session cookie to have the secure flag. Else t...
emacs -- run-python vulnerability
Emacs developers report: The Emacs command run-python' launches an interactive Python interpreter. After the Python process starts up, Emacs automatically sends it the line: import emacs which normally imports a script named emacs.py which is distributed with Emacs. This script, which is typicall...
FreeBSD -- Remote kernel panics on IPv6 connections
Problem Description: In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination. Impact: When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet T...
py-pylons -- Path traversal bug
Pylons team reports: The error.py controller uses paste.fileapp to serve the static resources to the browser. The default error.py controller uses os.path.join to combine the id from Routes with the media path. Routes prior to 1.8 double unquoted the PATHINFO, resulting in FileApp returning files...
cdf3 -- Buffer overflow vulnerability
NASA Goddard Space Flight Center reports: The libraries for the scientific data file format, Common Data Format CDF version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted invalid CDF files. If successful, this could trigger execution of...
gnupg -- memory corruption vulnerability
Secunia reports: A vulnerability has been reported in GnuPG, which can potentially be exploited to compromise a vulnerable system. The vulnerability is caused due to an error when importing keys with duplicated IDs. This can be exploited to cause a memory corruption when importing keys via...
coppermine -- multiple vulnerabilities
The coppermine development team reports two vulnerabilities with the coppermine application. These vulnerabilities are caused by improper checking of the log variable in "viewlog.php" and improper checking of the referer variable in "mode.php". This could allow local file inclusion, potentially...
wordpress -- remote sql injection vulnerability
Alexander Concha reports: While testing WordPress, it has been discovered a SQL Injection vulnerability that allows an attacker to retrieve remotely any user credentials from a vulnerable site, this bug is caused because of early database escaping and the lack of validation in query string like...
irc/bitchx -- multiple vulnerabilities
bannedit reports: Stack-based buffer overflow in BitchX 1.1 Final allows remote IRC servers to execute arbitrary code via a long string in a MODE command, related to the pmode variable. Nico Golde reports: There is a security issue in ircii-pana in bitchx' hostname command. The ehostname function...
rar -- password prompt buffer overflow vulnerability
iDefense reports: Remote exploitation of a stack based buffer overflow vulnerability in RARLabs Unrar may allow an attacker to execute arbitrary code with the privileges of the user opening the archive. Unrar is prone to a stack based buffer overflow when processing specially crafted password...
tdiary -- cross site scripting vulnerability
tDiary was vulnerable to an unspecified Cross-Site Scripting vulnerability...
mono -- "System.CodeDom.Compiler" Insecure Temporary Creation
Sebastian Krahmer reports: Sebastian Krahmer of the SuSE security team discovered that the System.CodeDom.Compiler classes used temporary files in an insecure way. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program...
wv2 -- Integer Overflow Vulnerability
Secunia reports: A vulnerability has been reported in wvWare wv2 Library, which potentially can be exploited by malicious people to compromise an application using the library. The vulnerability is caused due to an integer overflow error in "wordhelper.h" when handling a Word document. This can b...
squirrelmail -- plugin.php local file inclusion vulnerability
The SquirrelMail Project Team reports: A security issue has been uncovered in functions/plugin.php that could allow a remote user to access local files on the server without requiring login. This issue manifests itself if registerglobals is enabled, and magicquotesgpc is disabled...
samba -- Exposure of machine account credentials in winbind log files
Samba Security Advisory: The machine trust account password is the secret shared between a domain controller and a specific member server. Access to the member server machine credentials allows an attacker to impersonate the server in the domain and gain access to additional information regarding...
linux-realplayer -- buffer overrun
Secunia Advisories Reports: A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system...
nfs -- remote denial of service
Problem description: A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference which results in a kernel panic. The kernel will only process the RPC...
rxvt-unicode -- restore permissions on tty devices
A rxvt-unicode changelog reports: SECURITY FIX: on systems using openpty, permissions were not correctly updated on the tty device and were left as world-readable and world-writable likely in original rxvt, too, and were not restored properly. Affected are only systems where non-unix ptys were us...
rssh -- privilege escalation vulnerability
Pizzashack reports: Max Vozeler has reported a problem whereby rssh can allow users who have shell access to systems where rssh is installed and rsshchroothelper is installed SUID to gain root access to the system, due to the ability to chroot to arbitrary locations. There are a lot of potentiall...
mantis -- "view_filters_page.php" cross-site scripting vulnerability
r0t reports: Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "targetfield" parameter in "viewfilterspage.php" isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL tha...
proftpd -- format string vulnerabilities
The ProFTPD release notes states: sean found two format string vulnerabilities, one in modsql's SQLShowInfo directive, and one involving the 'ftpshut' utility. Both can be considered low risk, as they require active involvement on the part of the site administrator in order to be exploited. These...
heartbeat -- insecure temporary file creation vulnerability
Eric Romang reports a temporary file creation vulnerability within heartbeat. The vulnerability is caused by hardcoded temporary file usage. This can cause an attacker to create an arbitrary symlink causing the application to overwrite the symlinked file with the permissions of the user executing...
mysql-server -- insecure temporary file creation
A Zataz advisory reports that MySQL contains a security flaw which could allow a malicious local user to inject arbitrary SQL commands during the initial database creation process. The problem lies in the mysqlinstalldb script which creates temporary files based on the PID used by the script...
junkbuster -- heap corruption vulnerability and configuration modification vulnerability
A Debian advisory reports: James Ranson discovered that an attacker can modify the referrer setting with a carefully crafted URL by accidently overwriting a global variable. Tavis Ormandy from the Gentoo Security Team discovered several heap corruptions due to inconsistent use of an internal...
typespeed -- arbitrary code execution
Debian reports: Ulf Härnhammar from the Debian Security Audit Project discovered a problem in typespeed, a touch-typist trainer disguised as game. This could lead to a local attacker executing arbitrary code...
proxytunnel -- format string vulnerability
A Gentoo Linux Security Advisory reports: Florian Schilhabel of the Gentoo Linux Security Audit project found a format string vulnerability in Proxytunnel. When the program is started in daemon mode -a port, it improperly logs invalid proxy answers to syslog. A malicious remote server could send...
jabberd -- denial-of-service vulnerability
José Antonio Calvo discovered a bug in the Jabber 1.x server. According to Matthias Wimmer: Without this patch, it is possible to remotly crash jabberd14, if there is access to one of the following types of network sockets: Socket accepting client connections Socket accepting connections from oth...
php -- vulnerability in RFC 1867 file upload processing
Stefano Di Paola discovered an issue with PHP that could allow someone to upload a file to any directory writeable by the httpd process. Any sanitizing performed on the prepended directory path is ignored. This bug can only be triggered if the $FILES element name contains an underscore...
xv -- exploitable buffer overflows
In a Bugtraq posting, infamous41mdathotpop.com reported: there are at least 5 exploitable buffer and heap overflows in the image handling code. this allows someone to craft a malicious image, trick a user into viewing the file in xv, and upon viewing that image execute arbitrary code under...
multiple vulnerabilities in ethereal
Issues have been discovered in multiple protocol dissectors...
hsftp format string vulnerabilities
Ulf Härnhammar discovered a format string bug in hsftp's file listing code may allow a malicious server to cause arbitrary code execution by the client...
Buffer overflow in Mutt 1.4
Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code...
ChiTeX/ChiLaTeX unsafe set-user-id root
Niels Heinen reports that ChiTeX installs set-user-id root executables that invoked system3 without setting up the environment, trivially allowing local root compromise...
nap allows arbitrary file access
According to the author: Fixed security loophole which allowed remote clients to access arbitrary files on our system...
Roundcube Webmail -- Multiple vulnerabilities
The Roundcube Webmail project reports: See link for details. No CVE numbers available at the moment...