ipfw -- IP fragment denial of service
Problem description: The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized. Impact: An attacker can cause the firewall...
ee -- temporary file privilege escalation
Problem description: The ispellop function used by ee(1) while executing spell check operations employs an insecure method of temporary file generation. This method produces predictable file names based on the process ID and fails to confirm which path will be overwritten with the user. It should b...
texindex -- temporary file privilege escalation
Problem description: The "sortoffline" function used by texindex(1) employs the "maketempname" function, which produces predictable file names and fails to validate that the paths do not exist. Impact: These predictable temporary file names are problematic because they allow an attacker to take...
cpio -- multiple vulnerabilities
Problem description: A number of issues have been discovered in cpio: When creating a new file, cpio closes the file before setting its permissions. CVE-2005-1111: When extracting files, cpio does not properly sanitize file names to filter out ".." components, even if the --no-absolute-filenames...
cacti -- ADOdb "server.php" Insecure Test Script Security Issue
Secunia reports: Cacti have a security issue, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system. The problem is caused due to the presence of the insecure "server.php" test script...
clamav -- possible heap overflow in the UPX code
The Zero Day Initiative reports: This vulnerability allows remote attackers to execute arbitrary code on vulnerable Clam AntiVirus installations. Authentication is not required to exploit this vulnerability. This specific flaw exists within libclamav/upx.c during the unpacking of executable files...
milter-bogom -- headerless message crash
Juan J. Martínez reports: The milter crashes while processing a headerless message. Impact: bogom crashes and sendmail moves it to error state...
rxvt-unicode -- restore permissions on tty devices
A rxvt-unicode changelog reports: SECURITY FIX: on systems using openpty, permissions were not correctly updated on the tty device and were left as world-readable and world-writable (likely in original rxvt, too), and were not restored properly. Affected are only systems where non-unix ptys were us...
sge -- local root exploit in bundled rsh executable
Sun Microsystems reports: The SGE 6.0u71 release fixes a security bug which can allow malicious users to gain root access...
mediawiki -- hardcoded placeholder string security bypass vulnerability
The mediawiki development team reports a vulnerability within the mediawiki application. The vulnerability is caused by improper checking of inline style attributes. This could result in the execution of arbitrary javascript code in Microsoft Internet Explorer. It appears that other browsers are...
scponly -- local privilege escalation exploits
Max Vozeler reports: If ALL the following conditions are true, administrators using scponly-4.1 or older may be at risk of a local privilege escalation exploit: the chrooted setuid scponlyc binary is installed; regular non-scponly users have interactive shell access to the box; a user executable...
nbd-server -- buffer overflow vulnerability
Kurt Fitzner reports a buffer overflow vulnerability within nbd. This could potentially allow the execution of arbitrary code on the nbd server...
wordpress -- full path disclosure
Dedi Dwianto reports: A remote user can access the file directly to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker...
tkdiff -- temporary file symlink privilege escalation
Javier Fernández-Sanguino Peña reports a vulnerability in tkdiff which allows local users to gain the privileges of the user running tkdiff due to insecure temporary file creation...
fetchmail -- null pointer dereference in multidrop mode with headerless email
The fetchmail team reports: Fetchmail contains a bug that causes an application crash when fetchmail is configured for multidrop mode and the upstream mail server sends a message without headers. As fetchmail does not record this message as "previously fetched", it will crash with the same messag...
rssh -- privilege escalation vulnerability
Pizzashack reports: Max Vozeler has reported a problem whereby rssh can allow users who have shell access to systems where rssh is installed and rsshchroothelper is installed SUID to gain root access to the system, due to the ability to chroot to arbitrary locations. There are a lot of potentiall...
mantis -- "view_filters_page.php" cross-site scripting vulnerability
r0t reports: Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "target_field" parameter in "view_filters_page.php" isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL tha...
mantis -- "view_filters_page.php" cross site scripting vulnerability
r0t reports: Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to the "target_field" parameter in "view_filters_page.php" is not properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL th...
nag -- Cross site scripting vulnerabilities in several of the tasklist name and task data fields
Announce of Nag H3 2.0.4 final: This 2.0.4 is a security release that fixes cross site scripting vulnerabilities in several of the tasklist name and task data fields. None of the vulnerabilities can be exploited by unauthenticated users; however, we strongly recommend that all users of Nag 2.0.3...
mnemo -- Cross site scripting vulnerabilities in several of the notepad name and note data fields
Announce of Mnemo H3 2.0.3 final: This 2.0.3 is a security release that fixes cross site scripting vulnerabilities in several of the notepad name and note data fields. None of the vulnerabilities can be exploited by unauthenticated users; however, we strongly recommend that all users of Mnemo 2.0...
kronolith -- Cross site scripting vulnerabilities in several of the calendar name and event data fields
Announce of Kronolith H3 2.0.6 final: This 2.0.6 is a security release that fixes cross site scripting vulnerabilities in several of the calendar name and event data fields. None of the vulnerabilities can be exploited by unauthenticated users; however, we strongly recommend that all users of...
turba -- Cross site scripting vulnerabilities in several of the address book name and contact data fields
Announce of Turba H3 2.0.5 final: This 2.0.5 is a security release that fixes cross site scripting vulnerabilities in several of the address book name and contact data fields. None of the vulnerabilities can be exploited by unauthenticated users; however, we strongly recommend that all users of...
horde -- Cross site scripting vulnerabilities in several of Horde's templates
Announce of Horde H3 3.0.8 final: This 3.0.8 is a security release that fixes cross site scripting vulnerabilities in several of Horde's templates. None of the vulnerabilities can be exploited by unauthenticated users; however, we strongly recommend that all users of Horde 3.0.7 upgrade to 3.0.8 ...
phpmyadmin -- register_globals emulation "import_blacklist" manipulation
Secunia reports: Stefan Esser has reported a vulnerability in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system. The vulnerability is caused due to an error in the register_globals...
curl -- URL buffer overflow vulnerability
A Project cURL Security Advisory reports: libcurl's URL parser function can overflow a malloced buffer in two ways, if given a too long URL. 1 - pass in a URL with no protocol like "http://" prefix, using no slash and the string is 256 bytes or longer. This leads to a single zero byte overflow of...
trac -- search module SQL injection vulnerability
Secunia reports: A vulnerability has been reported in Trac, which can be exploited by malicious people to conduct SQL injection attacks. Some unspecified input passed in the search module isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by...
phpmyadmin -- XSS vulnerabilities
A phpMyAdmin security advisory reports: It was possible to conduct an XSS attack via the HTTP_HOST variable; also, some scripts in the libraries directory that handle header generation were vulnerable to XSS...
drupal -- multiple vulnerabilities
Secunia reports: Some vulnerabilities have been reported in Drupal, which can be exploited by malicious people to bypass certain security restrictions, and conduct script insertion and HTTP response splitting attacks. 1) An input validation error in the filtering of HTML code can be exploited to...
ffmpeg -- libavcodec buffer overflow vulnerability
Secunia reports: Simon Kilvington has reported a vulnerability in FFmpeg libavcodec, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a user's system. The vulnerability is caused due to a boundary error in the "avcodec_default_get_buffer"...
horde -- Cross site scripting vulnerabilities in MIME viewers
Announce of Horde 3.0.7 final: This 3.0.7 is a security release that fixes cross site scripting vulnerabilities in two of Horde's MIME viewers. These holes could for example be exploited by an attacker sending specially crafted emails to Horde's webmail client IMP. The attack could be used to ste...
opera -- command line URL shell command injection
An Opera Advisory reports: Opera for UNIX uses a wrapper shell script to start up Opera. This shell script reads the input arguments, like the file names or URLs that Opera is to open. It also performs some environment checks, for example whether Java is available and if so, where it is located...
mambo -- "register_globals" emulation layer overwrite vulnerability
A Secunia Advisory reports: peter MC tachatte has discovered a vulnerability in Mambo, which can be exploited by malicious people to manipulate certain information and compromise a vulnerable system. The vulnerability is caused due to an error in the "register_globals" emulation layer in...
opera -- multiple vulnerabilities
Opera reports: It is possible to make a form input that looks like an image link. If the form input has a "title" attribute, the status bar will show the "title". A "title" which looks like a URL can mislead the user, since the title can say http://nice.familiar.com/, while the form action can be...
phpmyadmin -- HTTP Response Splitting vulnerability
A phpMyAdmin security advisory reports: Some scripts in phpMyAdmin are vulnerable to an HTTP Response Splitting attack. Severity: We consider these vulnerabilities to be serious. However, they can only be triggered on systems running with register_globals = on...
phpSysInfo -- "register_globals" emulation layer overwrite vulnerability
A Secunia Advisory reports: Christopher Kunz has reported a vulnerability in phpSysInfo, which can be exploited by malicious people to manipulate certain information. The vulnerability is caused due to an error in the "register_globals" emulation layer where certain arrays used by the system can b...
p5-Mail-SpamAssassin -- long message header denial of service
A Secunia Advisory reports: A vulnerability has been reported in SpamAssassin, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to the use of an inefficient regular expression in "/SpamAssassin/Message.pm" to parse email headers. This ca...
pear-PEAR -- PEAR installer arbitrary code execution vulnerability
Gregory Beaver reports: A standard feature of the PEAR installer implemented in all versions of PEAR can lead to the execution of arbitrary PHP code upon running the "pear" command or loading the Web/Gtk frontend. To be vulnerable, a user must explicitly install a publicly released malicious...
apache -- mod_imap cross-site scripting flaw
The Apache HTTP Server Project reports: A flaw in mod_imap when using the Referer directive with image maps. In certain site configurations a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers...
openvpn -- potential denial-of-service on servers in TCP mode
James Yonan reports: If the TCP server accept call returns an error status, the resulting exception handler may attempt to indirect through a NULL pointer, causing a segfault. Affects all OpenVPN 2.0 versions...
PHP -- multiple vulnerabilities
A Secunia Advisory reports: Some vulnerabilities have been reported in PHP, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system...
openvpn -- arbitrary code execution on client through malicious or compromised server
James Yonan reports: A format string vulnerability in the foreign_option function in options.c could potentially allow a malicious or compromised server to execute arbitrary code on the client. Only non-Windows clients are affected. The vulnerability only exists if a) the client's TLS negotiation...
mantis -- "t_core_path" file inclusion vulnerability
Secunia Research reports: Input passed to the "t_core_path" parameter in "bug_sponsorship_list_view_inc.php" isn't properly verified before it is used to include files. This can be exploited to include arbitrary files from external and local resources...
flyspray -- cross-site scripting vulnerabilities
A Secunia Advisory reports: Lostmon has reported some vulnerabilities in Flyspray, which can be exploited by malicious people to conduct cross-site scripting attacks. Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script...
sudo -- arbitrary command execution
Tavis Ormandy reports: The bash shell uses the value of the PS4 environment variable after expansion as a prefix for commands run in execution trace mode. Execution trace mode (xtrace) is normally set via bash's -x command line option or interactively by running "set -o xtrace". However, it may als...
base -- PHP SQL injection vulnerability
A Secunia Advisory reports: Remco Verhoef has discovered a vulnerability in Basic Analysis and Security Engine (BASE), which can be exploited by malicious users to conduct SQL injection attacks...
phpicalendar -- cross site scripting vulnerability
Francesco Ongaro reports that phpicalendar is vulnerable to a cross site scripting attack. The vulnerability is caused by improper validation in the index.php file, allowing attackers to include an arbitrary file with the .php extension...
skype -- multiple buffer overflow vulnerabilities
A Secunia Advisory reports: Some vulnerabilities have been reported in Skype, which can be exploited by malicious people to cause a DoS or to compromise a user's system...
phpbb -- multiple vulnerabilities
Multiple vulnerabilities have been reported within phpbb. phpbb is proven vulnerable to: script insertion, bypassing of protection mechanisms, multiple cross site scripting vulnerabilities, SQL injection, arbitrary code execution...
bogofilter -- heap corruption through excessively long words
Matthias Andree reports: Bogofilter's/bogolexer's input handling in version 0.96.2 was not keeping track of its output buffers properly and could overrun a heap buffer if the input contained words whose length exceeded 16,384 bytes, the size of flex's input buffer. A "word" here refers to a...
bogofilter -- heap corruption through malformed input
Matthias Andree reports: When using Unicode databases (default in more recent bogofilter installations), upon encountering invalid input sequences, bogofilter or bogolexer could overrun a malloc'd buffer, corrupting the heap, while converting character sets. Bogofilter would usually be processing...