lighttpd -- Remote DOS in CRLF parsing
Lighttpd SA: If the connection aborts during parsing "\r\n\r\n" the server might get into an infinite loop and use 100% of the CPU time. lighttpd still responds to other requests. This can be repeated until either the server limit for concurrent connections or file descriptors is reached. The bug...
dbus -- match_rule_equal() Weakness
Secunia reports: D-Bus has a weakness, which can be exploited by malicious, local users to cause a DoS (Denial of Service). An error within the "match_rule_equal" function can be exploited to disable the ability of other processes to receive messages by removing their matches from D-Bus...
tdiary -- injection vulnerability
An undisclosed eRuby injection vulnerability had been discovered in tDiary...
w3m -- format string vulnerability
An anonymous person reports: w3m-0.5.1 crashes when using the -dump or -backend options to open a HTTPS URL with an SSL certificate where the CN contains "%n%n%n%n%n%n"...
FreeBSD -- Kernel memory disclosure in firewire(4)
Problem Description: In the FW_GCROM ioctl, a signed integer comparison is used instead of an unsigned integer comparison when computing the length of a buffer to be copied from the kernel into the calling application. Impact: A user in the "operator" group can read the contents of kernel memory...
gtar -- name mangling symlink vulnerability
Problem Description: Symlinks created using the "GNUTYPE_NAMES" tar extension can be absolute due to lack of proper sanity checks. Impact: If an attacker can get a user to extract a specially crafted tar archive the attacker can overwrite arbitrary files with the permissions of the user running...
clamav -- Multipart Nestings Denial of Service
Secunia reports: Clam AntiVirus has a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending...
ruby -- cgi.rb library Denial of Service
The official ruby site reports: Another vulnerability has been discovered in the CGI library cgi.rb that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). A specific HTTP request for any web application using cgi.rb causes CPU consumption on the...
gnupg -- remotely controllable function pointer
Werner Koch reports: GnuPG uses data structures called filters to process OpenPGP messages. These filters are used in a similar way as pipelines in the shell. For communication between these filters context structures are used. These are usually allocated on the stack and passed to the filter...
tnftpd -- Remote root Exploit
The tnftpd port suffers from a remote stack overrun, which can lead to a root compromise...
kronolith -- arbitrary local file inclusion vulnerability
iDefense Labs reports: Remote exploitation of a design error in Horde's Kronolith could allow an authenticated web mail user to execute arbitrary PHP code under the security context of the running web server. The vulnerability specifically exists due to a design error in the way it includes certa...
evince -- Buffer Overflow Vulnerability
Secunia reports: A vulnerability has been discovered in Evince, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error within the "get_next_text" function in ps/ps.c. This can be exploited to cause a buffer overflow by e.g...
gnupg -- buffer overflow
Werner Koch reports: When running GnuPG interactively, specially crafted messages may be used to crash gpg or gpg2. Running gpg in batch mode, as done by all software using gpg as a backend (e.g. mailers), is not affected by this bug. Exploiting this overflow seems to be possible. gpg-agent, gpgsm,...
tdiary -- cross site scripting vulnerability
tDiary was vulnerable to an unspecified Cross-Site Scripting vulnerability...
gtar -- GNUTYPE_NAMES directory traversal vulnerability
Teemu Salmela reports: There is a tar record type, called GNUTYPE_NAMES (an obsolete GNU extension), that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files...
ImageMagick -- SGI Image File heap overflow vulnerability
SecurityFocus reports about ImageMagick: ImageMagick is prone to a remote heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer. Exploiting this issue allows attackers to execu...
proftpd -- remote code execution vulnerabilities
The proftpd development team reports that several remote buffer overflows had been found in the proftpd server...
proftpd -- Remote Code Execution Vulnerability
FrSIRT reports: A vulnerability has been identified in ProFTPD, which could be exploited by attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in the "main.c" file where the "cmd_buf_size" (size of the buffer used to handle FTP commands)...
libarchive -- Infinite loop in corrupt archives handling in libarchive
Problem Description: If the end of an archive is reached while attempting to "skip" past a region of an archive, libarchive will enter an infinite loop wherein it repeatedly attempts and fails to read further data. Impact: An attacker able to cause a system to extract via "tar -x" or another...
Imlib2 -- multiple image file processing vulnerabilities
Secunia reports: Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library. The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB,...
plone -- user can masquerade as a group
Plone.org reports: PlonePAS-using Plone releases Plone 2.5 and Plone 2.5.1 have a potential vulnerability that allows a user to masquerade as a group. Please update your sites...
wv -- Multiple Integer Overflow Vulnerabilities
Secunia reports: Some vulnerabilities have been reported in wvWare, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library. The vulnerabilities are caused due to integer overflows within the "wvGetLFO_records" and...
ruby -- cgi.rb library Denial of Service
Official ruby site reports: A vulnerability has been discovered in the CGI library cgi.rb that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and as...
screen -- combined UTF-8 characters vulnerability
A vulnerability in the handling of combined UTF-8 characters in screen may allow a user-assisted attacker to crash screen or potentially allow code execution as the user running screen. To exploit this issue the user running screen must in some way interact with the attacker...
Serendipity -- XSS Vulnerabilities
The Serendipity Team reports: Serendipity failed to correctly sanitize user input on the media manager administration page. The content of GET variables was written into JavaScript strings. By using standard string evasion techniques it was possible to execute arbitrary JavaScript. Additionally...
plone -- unprotected MembershipTool methods
The Plone Team reports: Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the changeMemberPortrait, deletePersonalPortrait and testCurrentPassword methods, which allows remote attackers to modify portraits...
drupal -- HTML attribute injection
The Drupal Team reports: A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail...
ingo -- local arbitrary shell command execution
The Horde team reports a vulnerability within Ingo, the filter management suite. The vulnerability is caused due to inadequate escaping, possibly allowing a local user to execute arbitrary shell commands via procmail...
drupal -- cross site request forgeries
The Drupal Team reports: Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal sit...
drupal -- multiple XSS vulnerabilities
The Drupal Team reports: A bug in input validation and lack of output validation allows HTML and script insertion on several pages. Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS attack via a specially crafted RSS feed. This...
asterisk -- remote heap overwrite vulnerability
Adam Boileau of Security-Assessment.com reports: The Asterisk Skinny channel driver for Cisco SCCP phones (chan_skinny.so) incorrectly validates a length value in the packet header. An integer wrap-around leads to heap overwrite, and arbitrary remote code execution as root...
opera -- URL parsing heap overflow vulnerability
iDefense Labs reports: Remote exploitation of a heap overflow vulnerability within version 9 of Opera Software's Opera Web browser could allow an attacker to execute arbitrary code on the affected host. A flaw exists within Opera when parsing a tag that contains a URL. A heap buffer with a consta...
NVIDIA UNIX driver -- arbitrary root code execution vulnerability
Rapid7 reports: The NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally and remotely, via a remote X client or an X client which visits a malicious web page. A working proof-of-conce...
bugzilla -- multiple vulnerabilities
A Bugzilla Security Advisory reports: Sometimes the information put into the and tags in Bugzilla was not properly escaped, leading to a possible XSS vulnerability. Bugzilla administrators were allowed to put raw, unfiltered HTML into many fields in Bugzilla, leading to a possible XSS...
clamav -- CHM unpacker and PE rebuilding vulnerabilities
Secunia reports: Two vulnerabilities have been reported in Clam AntiVirus, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system. (1) An unspecified error in the CHM unpacker in chmunpack.c can be exploited to cause a DoS. (2) An...
kdelibs -- integer overflow in khtml
Red Hat reports: An integer overflow flaw was found in the way Qt handled pixmap images. The KDE khtml library uses Qt in such a way that untrusted parameters could be passed to Qt, triggering the overflow. An attacker could for example create a malicious web page that when viewed by a victim in...
google-earth -- heap overflow in the KML engine
JAAScois reports: While processing KML/KMZ data Google Earth fails to verify its size prior to copying it into a fixed-sized buffer. This can be exploited as a buffer-overflow vulnerability to cause the application to crash and/or to execute arbitrary code...
vtiger -- multiple remote file inclusion vulnerabilities
Dedi Dwianto a.k.a. theday reports: Input passed to the "$calpath" parameter in update.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources...
mono -- "System.CodeDom.Compiler" Insecure Temporary Creation
Sebastian Krahmer reports: Sebastian Krahmer of the SuSE security team discovered that the System.CodeDom.Compiler classes used temporary files in an insecure way. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program...
mod_pubcookie -- Empty Authentication Security Advisory
Nathan Dors, Pubcookie Project reports: An Abuse of Functionality vulnerability in the Pubcookie authentication process was found. This vulnerability allows an attacker to appear as if he or she were authenticated using an empty userid when such a userid isn't expected. Unauthorized access to web...
php -- open_basedir Race Condition Vulnerability
Stefan Esser reports: PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed. Obviously there is a little span of time...
torrentflux -- User-Agent XSS Vulnerability
Steven Roddis reports that the User-Agent string is not properly escaped when handled by torrentflux. This allows for arbitrary code insertion...
php -- _ecalloc Integer Overflow Vulnerability
Stefan Esser reports: The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside _ecalloc that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch. It was discovered that such an integer overflo...
postnuke -- admin section SQL injection
ISS X-Force reports: PostNuke is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the admin section using the hits parameter, which could allow the attacker to view, add, modify or delete information in the back-end database...
OpenSSL -- Multiple problems in crypto(3)
Problem Description: Several problems have been found in OpenSSL: During the parsing of certain invalid ASN.1 structures an error condition is mishandled, possibly resulting in an infinite loop. A buffer overflow exists in the SSL_get_shared_ciphers function. A NULL pointer may be dereferenced in the...
phpmyadmin -- XSRF vulnerabilities
phpMyAdmin team reports: We received a security advisory from Stefan Esser and we wish to thank him for his work. It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link...
MT -- Search Unspecified XSS
Secunia reports: Arai has reported a vulnerability in Movable Type and Movable Type Enterprise, which can be exploited by malicious people to conduct cross-site scripting attacks. Some unspecified input passed via the search functionality isn't properly sanitised before being returned to the user...
dokuwiki -- multiple vulnerabilities
Secunia reports: Some vulnerabilities have been reported in DokuWiki, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system. Input passed to the "w" and "h" parameters in lib/exec/fetch.php is not properly sanitised before being...
openssh -- multiple vulnerabilities
Problem Description: The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. (CVE-2006-4924) A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option,...
eyeOS -- multiple XSS security bugs
eyeOS team reports: EyeOS 0.9.1 release fixes two XSS security bugs, so we recommend all users to upgrade to this new version in order to have the best security. These two bugs were discovered by Jose Carlos Norte, who is a new eyeOS developer...