tomcat -- XSS vulnerability in sample applications
The Apache Project reports: The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled an XSS attack. These pages have been simplified not to use any user provided data in the outpu...
mod_jk -- information disclosure
Kazu Nambo reports: URL decoding in the Apache webserver prior to decoding in the Tomcat server could bypass access control rules and give access to pages on a different AJP by sending a crafted URL...
png -- DoS crash vulnerability
A Libpng Security Advisory reports: A grayscale PNG image with a malformed bad CRC tRNS chunk will crash some libpng applications. This vulnerability could be used to crash a browser when a user tries to view such a malformed PNG file. It is not known whether the vulnerability could be exploited...
mysql -- renaming of arbitrary tables by authenticated users
MySQL reports: The requirement of the DROP privilege for RENAME TABLE was not enforced...
samba -- multiple vulnerabilities
The Samba Team reports: A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB/CIFS protocol operations as root. When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal...
squirrelmail -- Cross site scripting in HTML filter
The SquirrelMail developers report: Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via (1) the data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that a...
cups -- Incomplete SSL Negotiation Denial of Service
Secunia reports: CUPS is not using multiple workers to handle connections. This can be exploited to stop CUPS from accepting new connections by starting but never completing an SSL negotiation...
php -- multiple vulnerabilities
The PHP development team reports: Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7: Fixed CVE-2007-1001, GD wbmp used with invalid image size; Fixed asciiz byte truncation inside mail; Fixed a bug in mb_parse_str that can be used to activate register_globals; Fixed unallocated memory...
qemu -- several vulnerabilities
The Debian Security Team reports: Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2007-1320 Tavis Ormandy...
FreeType 2 -- Heap overflow vulnerability
Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative npoints value, which leads to an integer overflow and heap-based buffer overflow...
tomcat -- multiple vulnerabilities
Apache Project reports: The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.36 stable. This build contains numerous library updates, a small number of bug fixes and two important security fixes...
FreeBSD -- IPv6 Routing Header 0 is dangerous
Problem Description: There is no mechanism for preventing IPv6 routing headers from being used to route packets over the same links many times. Impact: An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the...
clamav -- multiple vulnerabilities
ClamAV has been found vulnerable to multiple vulnerabilities: Improper checking for the end of a buffer causing an unspecified attack vector. Insecure temporary file handling, which could be exploited to read sensitive information. A flaw in the parser engine which could allow a remote attacker ...
mysql -- command line client input validation vulnerability
Thomas Henlich reports: The mysql command-line client does not quote HTML special characters like < in its output. This allows an attacker who is able to write data into a table to hide or modify records in the output, and to inject potentially dangerous code, e.g. Javascript to perform cross-site...
freeradius -- EAP-TTLS Tunnel Memory Leak Remote DOS Vulnerability
The freeradius development team reports: A malicious 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performe...
fetchmail -- insecure APOP authentication
Matthias Andree reports: The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP" which no longer should be considered secure. Additionally, fetchmail's POP3 client implementation has been validating the APOP challenge too lightly and accepte...
p5-Imager -- possibly exploitable buffer overflow
Imager 0.56 and all earlier versions with BMP support have a security issue when reading compressed 8-bit per pixel BMP files where either a compressed run of data or a literal run of data overflows the scan-line. Such an overflow causes a buffer overflow in a malloc allocated memory buffer,...
claws-mail -- APOP vulnerability
CVE reports: The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions...
mod_perl -- remote DoS in PATH_INFO parsing
Mandriva reports: PerlRun.pm in Apache mod_perl 1.29 and earlier, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI...
mcweject -- exploitable buffer overflow
CVE reports: Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name...
Squid -- TRACE method handling denial of service
Squid advisory 2007:1 notes: Due to an internal error Squid-2.6 is vulnerable to a denial of service attack when processing the TRACE request method. Workarounds: To work around the problem deny access to using the TRACE method by inserting the following two lines before your first http_access rul...
flyspray -- authentication bypass
The Flyspray Project reports: Flyspray authentication system can be bypassed by sending a carefully crafted post request. To be vulnerable, PHP configuration directive output_buffering has to be disabled or set to a low value...
trac -- cross site scripting vulnerability
Secunia reports: The vulnerability is caused due to an error within the "download wiki page as text" function, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site. Successful exploitation may require that the victim uses IE...
ktorrent -- multiple vulnerabilities
Two problems have been found in KTorrent: KTorrent does not properly sanitize file names to filter out ".." components, so it's possible for an attacker to create a malicious torrent in order to overwrite arbitrary files within the filesystem. Messages with invalid chunk indexes aren't rejected...
sql-ledger -- security bypass vulnerability
Chris Travers reports: George Theall of Tenable Security notified the LedgerSMB core team today of an authentication bypass vulnerability allowing full access to the administrator interface of LedgerSMB 1.1 and SQL-Ledger 2.x. The problem is caused by the password checking routine failing to...
WebCalendar -- "noSet" variable overwrite vulnerability
Secunia reports: A vulnerability has been discovered in WebCalendar, which can be exploited by malicious people to compromise a vulnerable system. Input passed to unspecified parameters is not properly verified before being used with the "noSet" parameter set. This can be exploited to overwrite...
mod_jk -- long URL stack overflow vulnerability
TippingPoint and The Zero Day Initiative reports: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat JK Web Server Connector. Authentication is not required to exploit this vulnerability. The specific flaw exists in the URI handler fo...
mozilla -- multiple vulnerabilities
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program. MFSA 2007-08: onUnload + document.write memory corruption; MFSA 2007-07: Embedded...
typo3 -- email header injection
Olivier Dobberkau, Andreas Otto, and Thorsten Kahler report: An unspecified error in the internal form engine can be used for sending arbitrary mail headers, using it for purposes which it is not meant for, e.g. sending spam messages...
snort -- DCE/RPC preprocessor vulnerability
An IBM Internet Security Systems Protection Advisory reports: Snort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for...
mplayer -- DMO File Parsing Buffer Overflow Vulnerability
Moritz Jodeit reports: There's an exploitable buffer overflow in the current version of MPlayer v1.0rc1 which can be exploited with a maliciously crafted video file. It is hidden in the DMO_VideoDecoder function of the loader/dmo/DMO_VideoDecoder.c file...
bind -- Multiple Denial of Service vulnerabilities
Problem Description: A type ANY query response containing multiple RRsets can trigger an assertion failure. Certain recursive queries can cause the nameserver to crash by using memory which has already been freed. Impact: A remote attacker sending a type ANY query to an authoritative DNS server f...
php -- multiple vulnerabilities
Multiple vulnerabilities have been found in PHP, including: buffer overflows, stack overflows, format string, and information disclosure vulnerabilities. The session extension contained safe_mode and open_basedir bypasses, but the FreeBSD Security Officer does not consider these real security...
moinmoin -- multiple vulnerabilities
MoinMoin Security advisory: XSS issue in login action; XSS issue in AttachFile action; XSS issue in RenamePage/DeletePage action; XSS issue in gui editor...
libxine -- buffer overflow vulnerability
xine Team reports: A new xine-lib version is now available. This release contains a security fix (array index vulnerability which may lead to a stack buffer overflow)...
rar -- password prompt buffer overflow vulnerability
iDefense reports: Remote exploitation of a stack based buffer overflow vulnerability in RARLabs Unrar may allow an attacker to execute arbitrary code with the privileges of the user opening the archive. Unrar is prone to a stack based buffer overflow when processing specially crafted password...
xmms -- Integer Overflow And Underflow Vulnerabilities
Secunia reports: Secunia Research has discovered two vulnerabilities in XMMS, which can be exploited by malicious people to compromise a user's system. (1) An integer underflow error exists in the processing of skin bitmap images. This can be exploited to cause a stack-based buffer overflow via...
samba -- potential Denial of Service bug in smbd
The Samba Team reports: Internally Samba's file server daemon, smbd, implements support for deferred file open calls in an attempt to serve client requests that would otherwise fail due to a share mode violation. When renaming a file under certain circumstances it is possible that the request is...
samba -- format string bug in afsacl.so VFS plugin
The Samba Team reports: NOTE: This security advisory only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module. The source defect results in the name of a file stored on disk being used as the form...
zope -- cross-site scripting vulnerability
The Zope Team reports: A vulnerability has been discovered in Zope, where by certain types of misuse of HTTP GET, an attacker could gain elevated privileges. All Zope versions up to and including 2.10.2 are affected...
lighttpd -- DoS when accessing files with mtime 0
Lighttpd SA: Lighttpd caches the rendered string for mtime. The cache key has as a default value 0. At that point the pointer to the string is still NULL. If a file with an mtime of 0 is requested it tries to access the pointer and crashes. The bug requires that a malicious user can either uploa...
FreeBSD -- Jail rc.d script privilege escalation
Problem Description: In multiple situations the host's jail rc.d(8) script does not check if a path inside the jail file system structure is a symbolic link before using the path. In particular this is the case when writing the output from the jail start-up to /var/log/console.log and when mounting...
opera -- multiple vulnerabilities
iDefense reports: The vulnerability specifically exists due to Opera improperly processing a JPEG DHT marker. The DHT marker is used to define a Huffman Table which is used for decoding the image data. An invalid number of index bytes in the DHT marker will trigger a heap overflow with partially...
drupal -- multiple vulnerabilities
The Drupal security team reports: A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim's session. Such an attack...
fetchmail -- crashes when refusing a message bound for an MDA
Matthias Andree reports: When delivering messages to a message delivery agent by means of the "mda" option, fetchmail can crash by passing a NULL pointer to ferror and fflush when refusing a message. SMTP and LMTP delivery modes aren't affected...
fetchmail -- TLS enforcement problem/MITM attack/password exposure
Matthias Andree reports: Fetchmail has had several longstanding password disclosure vulnerabilities. sslcertck/sslfingerprint options should have implied "sslproto tls1" in order to enforce TLS negotiation, but did not. Even with "sslproto tls1" in the config, fetches would go ahead in plain text...
mplayer -- buffer overflow in the code for RealMedia RTSP streams
A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array, but no boundary checks are performed. This may lead to a buffer overflow if the user is tricked into connecting to a...
joomla -- multiple remote vulnerabilities
Secunia reports: Some vulnerabilities have been reported in Joomla!, where some have unknown impacts and one can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can...
cacti -- Multiple vulnerabilities
Secunia reports: rgod has discovered four vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems...
sql-ledger -- multiple vulnerabilities
The Debian Security Team reports: Several remote vulnerabilities have been discovered in SQL-Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems: Chris Travers...