phpmyadmin -- XSS vulnerabilities
phpMyAdmin security announcement: It was possible to conduct an XSS attack with a direct call to some scripts under the themes directory...
clamav -- Multiple Vulnerabilities
Secunia reports: Some vulnerabilities have been reported in ClamAV, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system. An unspecified integer overflow error exists in the PE header parser in "libclamav/pe.c". Successful...
kaffeine -- buffer overflow vulnerability
The KDE team reports: Kaffeine can produce a buffer overflow in http_peek while creating HTTP request headers for fetching remote playlists, which under certain circumstances could be used to crash the application and/or execute arbitrary code...
openvpn -- LD_PRELOAD code execution on client through malicious or compromised server
Hendrik Weimer reports: OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old...
dia -- XFig Import Plugin Buffer Overflow
Secunia reports: Some vulnerabilities have been reported in Dia, which potentially can be exploited by malicious people to compromise a user's system. The vulnerabilities are caused due to boundary errors within the XFig import plugin. This can be exploited to cause buffer overflows and may allow...
samba -- Exposure of machine account credentials in winbind log files
Samba Security Advisory: The machine trust account password is the secret shared between a domain controller and a specific member server. Access to the member server machine credentials allows an attacker to impersonate the server in the domain and gain access to additional information regarding...
mysql -- database suid privilege escalation
Dmitri Lenev reports a privilege escalation in MySQL. MySQL evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote and local authenticated users to gain privileges through a routine that has been made available...
mplayer -- Multiple integer overflows
Secunia reports: The vulnerabilities are caused due to integer overflow errors in "libmpdemux/asfheader.c" within the handling of an ASF file, and in "libmpdemux/aviheader.c" when parsing the "indx" chunk in an AVI file. This can be exploited to cause heap-based buffer overflows via a malicious A...
horde -- remote code execution vulnerability in the help viewer
Horde 3.1.1 release announcement: Major changes compared to Horde 3.1 are: Fix for remote code execution vulnerability in the help viewer, discovered by Jan Schneider from the Horde team...
mediawiki -- cross site scripting vulnerability
The mediawiki development team reports that there is a cross site scripting vulnerability within mediawiki. The vulnerability is caused by improper checking of encoded links which could allow the injection of html in the output generated by mediawiki. This could lead to cross site scripting attacks...
linux-realplayer -- heap overflow
iDefense Reports: Remote exploitation of a heap-based buffer overflow in RealNetworks Inc.'s RealPlayer could allow the execution of arbitrary code in the context of the currently logged in user. In order to exploit this vulnerability, an attacker would need to entice a user to follow a link to a...
linux-realplayer -- buffer overrun
Secunia Advisories Reports: A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system...
OPIE -- arbitrary password change
Problem Description: The opiepasswd(1) program uses getlogin(2) to identify the user calling opiepasswd(1). In some circumstances getlogin(2) will return "root" even when running as an unprivileged user. This causes opiepasswd(1) to allow an unprivileged user to configure OPIE authentication for the root user...
sendmail -- race condition vulnerability
Problem Description: A race condition has been reported to exist in the handling by sendmail of asynchronous signals. Impact: A remote attacker may be able to execute arbitrary code with the privileges of the user running sendmail, typically root. Workaround: There is no known workaround other than...
ipsec -- replay attack vulnerability
Problem Description: IPsec provides an anti-replay service which when enabled prevents an attacker from successfully executing a replay attack. This is done through the verification of sequence numbers. A programming error in the fast_ipsec(4) implementation results in the sequence number associated...
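The anti-replay service the entry above describes works by keeping, per inbound security association, the highest sequence number accepted so far plus a bitmap of recently received numbers, and rejecting anything already seen or older than the window. The following is an added example, not FreeBSD's fast_ipsec(4) code: a sliding-window check modelled on RFC 4303 Appendix A. The window width, the class and function names and the sample packet trace are this example's own assumptions.

```python
# Added example (not FreeBSD's fast_ipsec(4) code): a sliding-window
# anti-replay check modelled on RFC 4303 Appendix A.  Window size, the
# sample packet trace and the names below are this example's own.

WINDOW_SIZE = 64          # assumed window width; RFC 4303 requires at least 32


class AntiReplayWindow:
    """Tracks received sequence numbers for one inbound security association."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0      # highest sequence number accepted so far
        self.bitmap = 0       # bit i set => sequence number (highest - i) was received
        self.mask = (1 << size) - 1

    def check_and_update(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:                     # 0 is never a valid ESP/AH sequence number
            return False
        if seq > self.highest:           # newer than anything seen: slide the window right
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1          # everything previously seen falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:            # older than the window: reject
            return False
        if self.bitmap & (1 << diff):    # already received: a replay
            return False
        self.bitmap |= 1 << diff         # late but new: accept and mark it
        return True


def replay_trace(seqs, size=WINDOW_SIZE):
    """Feed packet sequence numbers through one window; return accept/reject per packet."""
    win = AntiReplayWindow(size)
    return [win.check_and_update(s) for s in seqs]


# Constructed trace: in-order packets, a replay of 2, a jump past the window,
# a late-but-new packet (40), one that has fallen out of the window (36),
# then a replay of 40 after the window has moved again.
SAMPLE_TRACE = [1, 2, 3, 2, 5, 100, 40, 36, 37, 101, 40]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_TRACE, replay_trace(SAMPLE_TRACE)):
        print(f"seq {seq:4d}: {'accept' if ok else 'REJECT'}")
```

The property to check in any implementation is that both state variables advance: if the highest sequence number or the bitmap is never updated after a packet is accepted, every replay of an accepted packet passes the check.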
freeradius -- EAP-MSCHAPv2 Authentication Bypass
Freeradius Security Contact reports: Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result i...
jabberd -- SASL Negotiation Denial of Service Vulnerability
Secunia reports: A vulnerability has been reported in jabberd, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of SASL negotiation. This can be exploited to cause a crash by sending a "response" stanza...
curl -- TFTP packet buffer overflow vulnerability
A Project cURL Security Advisory reports: libcurl uses the given file part of a TFTP URL in a manner that allows a malicious user to overflow a heap-based memory buffer due to the lack of boundary check. This overflow happens if you pass in a URL with a TFTP protocol prefix "tftp://", using a val...
xorg-server -- privilege escalation
Daniel Stone of X.Org reports: During the analysis of results from the Coverity code review of X.Org, we discovered a flaw in the server that allows local users to execute arbitrary code with root privileges, or cause a denial of service by overwriting files on the system, again with root...
phpmyadmin -- 'set_theme' Cross-Site Scripting
Secunia reports: A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks. Input passed to the "set_theme" parameter isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTM...
horde -- "url" disclosure of sensitive information vulnerability
Secunia advisory SA19246: Paul Craig has discovered a vulnerability in Horde, which can be exploited by malicious people to disclose sensitive information. Input passed to the "url" parameter in "services/go.php" isn't properly verified, before it is used in a "readfile" call. This can be exploit...
linux-flashplugin -- arbitrary code execution vulnerability
Adobe reports: Critical vulnerabilities have been identified in Flash Player that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these...
drupal -- multiple vulnerabilities
Drupal reports: Mail header injection vulnerability. Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email. This could lead to Drupal sites being used to send unwanted email. Session fixation...
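The mail header injection described in the Drupal entry above is a general pattern: a header block is assembled by string interpolation, so a CR or LF inside a caller-supplied value starts a new header line that the MTA honours. The following is an added example, not Drupal's code, showing the vulnerable construction, the stripping fix the entry describes, and how a receiving MTA would split the result. The addresses, the form-field value and the helper names are constructed for this example.

```python
# Added example (not Drupal's code): why unstripped CR/LF in a header value
# lets a sender append headers, and the stripping fix.  The addresses,
# the injected value and the helper names are constructed for this example.
import re

LINE_BREAK = re.compile(r"\r\n|\r|\n")   # any line ending an MTA might honour


def build_headers_vulnerable(to, from_addr, subject):
    """Interpolates the values verbatim; a CR/LF inside one becomes a new header line."""
    return f"To: {to}\r\nFrom: {from_addr}\r\nSubject: {subject}\r\n"


def sanitize_header_value(value):
    """Strip every CR and LF so the value can only ever occupy one header line."""
    return LINE_BREAK.sub("", value)


def build_headers_hardened(to, from_addr, subject):
    """Same layout, but every caller-supplied value is sanitized first."""
    return build_headers_vulnerable(
        sanitize_header_value(to),
        sanitize_header_value(from_addr),
        sanitize_header_value(subject),
    )


def header_names(block):
    """Header names as a receiving MTA would split them (naive: no folding support)."""
    names = []
    for line in LINE_BREAK.split(block):
        if line and ":" in line:
            names.append(line.split(":", 1)[0].strip())
    return names


# Constructed input: a web-form "your e-mail" field carrying an injected Bcc header.
EVIL_FROM = "visitor@example.org\r\nBcc: everyone@example.net"

if __name__ == "__main__":
    print(header_names(build_headers_vulnerable("admin@example.com", EVIL_FROM, "Contact")))
    print(header_names(build_headers_hardened("admin@example.com", EVIL_FROM, "Contact")))
```

Stripping is the minimal fix and leaves a mangled but harmless value; for address fields, rejecting any value containing CR or LF outright is the stricter choice, since a legitimate address never contains them.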
GnuPG does not detect injection of unsigned data
Werner Koch reports: In the aftermath of the false positive signature verification bug announced 2006-02-15 more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of gpg for verification of signatures which are not detached...
freeciv -- Packet Parsing Denial of Service Vulnerability
Secunia reports: Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error within the handling of the packet length in "common/packets.c". This can be exploited to crash the...
mod_pubcookie -- cross site scripting vulnerability
Nathan Dors of the Pubcookie Project reports: Non-persistent XSS vulnerabilities were found in the Pubcookie Apache module mod_pubcookie and ISAPI filter. These components mishandle untrusted data when printing responses to the browser. This makes them vulnerable to carefully crafted requests...
pubcookie-login-server -- cross site scripting vulnerability
Nathan Dors of the Pubcookie Project reports: Multiple non-persistent XSS vulnerabilities were found in the Pubcookie login server's compiled binary "index.cgi" CGI program. The CGI program mishandles untrusted data when printing responses to the browser. This makes the program vulnerable to...
openssh -- remote denial of service
Problem description: Because OpenSSH and OpenPAM have conflicting designs (one is event-driven while the other is callback-driven), it is necessary for OpenSSH to fork a child process to handle calls to the PAM framework. However, if the unprivileged child terminates while PAM authentication is...
nfs -- remote denial of service
Problem description: A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference which results in a kernel panic. The kernel will only process the RPC...
crossfire-server -- denial of service and remote code execution vulnerability
FRSIRT reports: A vulnerability has been identified in CrossFire, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service. This flaw is due to a buffer overflow error in the "oldsocketmode" module that fails to properly handle overly large requests,...
squirrelmail -- multiple vulnerabilities
Multiple vulnerabilities have been discovered since 1.4.5, including IMAP injection as well as some XSS issues...
thunderbird -- javascript execution
Renaud Lifchitz reports a vulnerability within thunderbird. The vulnerability is caused by improper checking of javascript scripts. This could lead to javascript code execution which can lead to information disclosure or a denial of service (application crash). This vulnerability is present even if...
gtar -- invalid headers buffer overflow
GNU tar is vulnerable to a buffer overflow, caused by improper bounds checking of the PAX extended headers. By tricking an user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user...
zoo -- stack based buffer overflow
Jean-Sébastien Guay-Leroux reports a vulnerability within the zoo archiver. The vulnerability which is present in the fullpath function from the misc.c file is caused by improper checking of user supplied data. The data returned to the buffer can be up to 512 bytes, while the buffer is created to...
bugzilla -- multiple vulnerabilities
Some vulnerabilities have been reported in Bugzilla, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose sensitive information and conduct script insertion attacks...
coppermine -- File Inclusion Vulnerabilities
Secunia reports: Coppermine Photo Gallery has a vulnerability, which can be exploited by malicious people and by malicious users to compromise a vulnerable system. 1) Input passed to the "lang" parameter in include/init.inc.php isn't properly verified, before it is used to include files. This can...
mplayer -- heap overflow in the ASF demuxer
The Mplayer team reports: A potential buffer overflow was found in the ASF demuxer. Arbitrary remote code execution is possible under the user ID running the player when streaming an ASF file from a malicious server or local code execution under the user ID running the player if a malicious ASF...
tin -- buffer overflow vulnerabilities
Urs Janssen and Aleksey Salow report possible buffer overflows in tin versions 1.8.0 and 1.8.1. OpenPKG project elaborates there is an allocation off-by-one bug in version 1.8.0 which can lead to a buffer overflow...
gnupg -- false positive signature verification
Werner Koch reports: The Gentoo project identified a security related bug in GnuPG. When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur. This problem affects the too...
postgresql81-server -- SET ROLE privilege escalation
The PostgreSQL team reports: Due to inadequate validity checking, a user could exploit the special case that SET ROLE normally uses to restore the previous role setting after an error. This allowed ordinary users to acquire superuser status, for example...
SSH.COM SFTP server -- format string vulnerability
SSH Communications Security Corp reports a format string vulnerability in their SFTP server. This vulnerability could cause a user with SCP/SFTP access only to get permission to execute also other commands. It could also allow user A to create a special file that when accessed by user B allows us...
phpicalendar -- file disclosure vulnerability
The phpicalendar team reports that there is an unspecified vulnerability within phpicalendar. This seems to be a file disclosure vulnerability caused by improper checking of the template parsing function. This would allow an attacker to disclose any file readable by the user under which the...
heimdal -- Multiple vulnerabilities
A Project heimdal Security Advisory reports: The telnet client program in Heimdal has buffer overflows in the functions slc_add_reply and env_opt_add, which may lead to remote code execution. The telnetd server program in Heimdal has buffer overflows in the function getterminaltype, which may lead to...
kpdf -- heap based buffer overflow
The KDE team reports: kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code...
FreeBSD -- Infinite loop in SACK handling
Problem description: When insufficient memory is available to handle an incoming selective acknowledgement, the TCP/IP stack may enter an infinite loop. Impact: By opening a TCP connection and sending a carefully crafted series of packets, an attacker may be able to cause a denial of service...
pf -- IP fragment handling panic
Problem description: A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant. Impact: By sending a carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub...
FreeBSD -- Local kernel memory disclosure
Problem description: A buffer allocated from the kernel stack may not be completely initialized before being copied to userland. CVE-2006-0379 A logic error in computing a buffer length may allow too much data to be copied into userland. CVE-2006-0380 Impact: Portions of kernel memory may be...
fetchmail -- crash when bouncing a message
Matthias Andree reports: Fetchmail contains a bug that causes itself to crash when bouncing a message to the originator or to the local postmaster. The crash happens after the bounce message has been sent, when fetchmail tries to free the dynamic array of failed addresses, and calls the free...
IEEE 802.11 -- buffer overflow
Problem description: An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer. Impact: An attacker able to broadcast a carefully crafted beacon or probe response frame may be...
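The 802.11 entry above, like the ClamAV PE-header and MPlayer ASF/AVI entries earlier on this page, describes the same failure: a length field from an untrusted frame or file is added to another value in fixed-width arithmetic, the sum wraps, a bounds check written against the wrapped sum passes, and the copy that follows uses the original lengths and runs past the buffer. The following is an added example, not ClamAV, MPlayer or FreeBSD code, that models the wrapped check beside the hardened one on a constructed record header; the field layout, the buffer size and the function names are this example's own assumptions.

```python
# Added example (not ClamAV, MPlayer or FreeBSD code): the length-check
# pattern behind "integer overflow leads to buffer overflow".  Field layout,
# buffer size and names are this example's own assumptions.
import struct

UINT32_MAX = 0xFFFFFFFF
DEST_BUF_SIZE = 256          # fixed-size buffer the parser copies a record into (assumed)


def add32(a, b):
    """Addition as C performs it on uint32_t: the carry out of bit 31 is discarded."""
    return (a + b) & UINT32_MAX


def parse_record_vulnerable(data):
    """Bounds check written as `if (hdr_len + body_len > sizeof buf) reject;` on uint32 values."""
    hdr_len, body_len = struct.unpack_from("<II", data, 0)
    if add32(hdr_len, body_len) > DEST_BUF_SIZE:
        return "rejected"
    # The copies that follow use the two operands individually, so they
    # write hdr_len + body_len bytes regardless of what the sum wrapped to.
    if hdr_len + body_len > DEST_BUF_SIZE:
        return "overflow"            # check passed, but the writes run past the buffer
    return "copied"


def parse_record_hardened(data):
    """Compare each operand against the space that remains; no sum can wrap."""
    hdr_len, body_len = struct.unpack_from("<II", data, 0)
    if hdr_len > DEST_BUF_SIZE or body_len > DEST_BUF_SIZE - hdr_len:
        return "rejected"
    return "copied"


def make_record(hdr_len, body_len):
    """Constructed 8-byte record header: two little-endian uint32 lengths."""
    return struct.pack("<II", hdr_len, body_len)


if __name__ == "__main__":
    # (16, 0xFFFFFFF8) is the interesting case: 16 + 0xFFFFFFF8 wraps to 8.
    for hdr, body in ((16, 32), (16, 300), (16, UINT32_MAX - 7)):
        rec = make_record(hdr, body)
        print(f"hdr={hdr} body={body:#x}: vulnerable={parse_record_vulnerable(rec)} "
              f"hardened={parse_record_hardened(rec)}")
```

The hardened form is the general rule: subtract the part already consumed from the remaining space and compare the untrusted length against that difference, so that no addition of two attacker-influenced values ever appears in a bounds check.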
tor -- malicious tor server can locate a hidden service
Roger Dingledine reports: If you offer a Tor hidden service, an adversary who can run a fast Tor server and who knows some basic statistics can find the location of your hidden service in a matter of minutes to hours...