fetchmail -- fetchmailconf local password exposure
The fetchmail team reports: The fetchmailconf program before and excluding version 1.49 opened the run control file, wrote the configuration to it, and only then changed the mode to 0600 rw-------. Writing the file, which usually contains passwords, before making it unreadable to other users, can...
squid -- FTP server response handling denial of service
A Secunia Advisory reports: M.A.Young has reported a vulnerability in Squid, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in handling certain FTP server responses. This can be exploited to crash Squid by visiting a...
snort -- Back Orifice preprocessor buffer overflow vulnerability
Jennifer Steffens reports: The Back Orifice preprocessor contains a stack-based buffer overflow. This vulnerability could be leveraged by an attacker to execute code remotely on a Snort sensor where the Back Orifice preprocessor is enabled. However, there are a number of factors that make remote...
netpbm -- buffer overflow in pnmtopng
Ubuntu reports: A buffer overflow was found in the "pnmtopng" conversion program. By tricking a user or automated system to process a specially crafted PNM image with pnmtopng, this could be exploited to execute arbitrary code with the privileges of the user running pnmtopng...
lynx -- remote buffer overflow
Ulf Härnhammar reports: When Lynx connects to an NNTP server to fetch information about the available articles in a newsgroup, it will call a function called HTrjis with the information from certain article headers. The function adds missing ESC characters to certain data, to support Asian...
abiword, koffice -- stack based buffer overflow vulnerabilities
Chris Evans reports that AbiWord is vulnerable to multiple stack-based buffer overflow vulnerabilities. This is caused by improper checking of the user-supplied data before it is being copied to a too small buffer. The vulnerability is triggered when someone is importing RTF files...
gallery2 -- file disclosure vulnerability
Michael Dipper wrote: A vulnerability has been discovered in gallery, which allows remote users unauthorized access to files on the webserver. A remote user accessing gallery over the web may use specially crafted HTTP parameters to access arbitrary files located on the webserver. All files...
libwww -- multiple vulnerabilities
Mitre reports: The HTBoundary_put_block function in HTBound.c for W3C libwww (w3c-libwww) allows remote servers to cause a denial of service (segmentation fault) via a crafted multipart/byteranges MIME message that triggers an out-of-bounds read. The big2_toUtf8 function in lib/xmltok.c in libexpat in...
openssl -- potential SSL 2.0 rollback
Vulnerability: Such applications are affected if they use the option SSL_OP_MSIE_SSLV2_RSA_PADDING. This option is implied by use of SSL_OP_ALL, which is intended to work around various bugs in third-party software that might prevent interoperability. The SSL_OP_MSIE_SSLV2_RSA_PADDING option disables a...
phpmyadmin -- local file inclusion vulnerability
A phpMyAdmin security announcement reports: In libraries/grab_globals.lib.php, the $redirect parameter was not correctly validated, opening the door to a local file inclusion attack. We consider this vulnerability to be serious...
zope -- expose RestructuredText functionality to untrusted users
A Zope Hotfix Alert reports: This hotfix resolves a security issue with docutils. Affected are possibly all Zope instances that expose RestructuredText functionalities to untrusted users through the web...
libxine -- format string vulnerability
Gentoo Linux Security Advisory reports: Ulf Harnhammar discovered a format string bug in the routines handling CDDB server response contents. An attacker could submit malicious information about an audio CD to a public CDDB server or impersonate a public CDDB server. When the victim plays this CD...
xloadimage -- buffer overflows in NIFF image title handling
Ariel Berkman reports: Unlike most of the supported image formats in xloadimage, the NIFF image format can store a title name of arbitrary length as part of the image file. When xloadimage is processing a loaded image, it is creating a new Image object and then writing the processed image to it. ...
imap-uw -- mailbox name handling remote buffer vulnerability
FrSIRT reports: A vulnerability has been identified in UW-IMAP, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a stack overflow error in the "mail_valid_net_parse_work" src/c-client/mail.c function that does not properly handle specially crafted mailbo...
ruby -- vulnerability in the safe level settings
Ruby home page reports: The Object Oriented Scripting Language Ruby supports safely executing untrusted code with two mechanisms: safe level and taint flag on objects. A vulnerability has been found that allows bypassing these mechanisms. By using the vulnerability, arbitrary code can be...
weex -- remote format string vulnerability
Emanuel Haupt reports: Someone who controls an FTP server that weex will log in to can set up malicious data in the account that weex will use, and that will cause a format string bug that will allow remote code execution. It will only happen when weex is first run or when its cache files are...
cfengine -- arbitrary file overwriting vulnerability
A Debian Security Advisory reports: Javier Fernández-Sanguino Peña discovered several insecure temporary file uses in cfengine, a tool for configuring and maintaining networked machines, that can be exploited by a symlink attack to overwrite arbitrary files owned by the user executing cfengine,...
uim -- privilege escalation vulnerability
The uim developers report: Masanari Yamamoto discovered incorrect use of environment variables in uim. This bug causes privilege escalation if setuid/setgid applications were linked to libuim. This bug appears in 'immodule for Qt' enabled Qt. Normal Qt is also safe. In some distribution,...
perl, webmin, usermin -- perl format string integer wrap vulnerability
The Perl Development page reports: Dyad Security recently released a security advisory explaining how in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. This was...
phpmyfaq -- SQL injection, takeover, path disclosure, remote code execution
If magic quotes are off there's a SQL injection when sending a forgotten password. It's possible to overwrite the admin password and to take over the whole system. In some files in the admin section there are some cross site scripting vulnerabilities. In the public frontend it's possible to inclu...
firefox & mozilla -- multiple vulnerabilities
A Mozilla Foundation Security Advisory reports of multiple issues: Heap overrun in XBM image processing: jackerror reports that an improperly terminated XBM image ending with space characters instead of the expected end tag can lead to a heap buffer overrun. This appears to be exploitable to insta...
clamav -- arbitrary code execution and DoS vulnerabilities
Gentoo Linux Security Advisory reports: Clam AntiVirus is vulnerable to a buffer overflow in "libclamav/upx.c" when processing malformed UPX-packed executables. It can also be sent into an infinite loop in "libclamav/fsg.c" when processing specially-crafted FSG-packed executables. By sending a...
squid -- possible denial of service condition regarding NTLM authentication
The squid patches page notes: Squid may crash with the above error ("FATAL: Incorrect scheme in auth header") when given certain request sentences. Workaround: disable NTLM authentication...
X11 server -- pixmap allocation vulnerability
Allocating large pixmaps by a client can trigger an integer overflow in the X server, potentially leading to execution of arbitrary code with elevated (root) privileges...
freeradius -- multiple vulnerabilities
The freeradius development team reports: Multiple issues exist with version 1.0.4, and all prior versions of the server. Externally exploitable vulnerabilities exist only for sites that use the rlm_sqlcounter module. Those sites may be vulnerable to SQL injection attacks, similar to the issues...
firefox & mozilla -- buffer overflow vulnerability
Tom Ferris reports: A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host. The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in...
cvsbug -- race condition
Problem description: A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug(1) is based on the send-pr(1) utility, this problem does not exist in the version of...
firefox & mozilla -- command line URL shell command injection
A Secunia Advisory reports: Peter Zelezny has discovered a vulnerability in Firefox, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to the shell script used to launch Firefox parsing shell commands that are enclosed within backticks in th...
urban -- stack overflow vulnerabilities
Several filename-related stack overflow bugs allow a local attacker to elevate its privileges to the games group, since urban is installed setgid games. Issue discovered and fixed by...
fswiki -- command injection vulnerability
There is a command injection vulnerability in the admin page of fswiki...
WebCalendar -- remote file inclusion vulnerability
WebCalendar is proven vulnerable to a remote file inclusion vulnerability. The send_reminders.php script does not properly verify the "includedir" parameter, giving remote attackers the possibility to include local and remote files. These files can be used by the attacker to gain access to the system...
xinetd -- ignores user and group directives for TCPMUX services
xinetd would execute configured TCPMUX services without dropping privilege to match the service configuration, allowing the service to run with the same privilege as the xinetd process (root)...
pam_ldap -- authentication bypass vulnerability
Luke Howard reports: If a pam_ldap client authenticates against an LDAP server that returns a passwordPolicyResponse control, but omits the optional "error" field of the PasswordPolicyResponseValue, then the LDAP authentication result will be ignored and the authentication step will always succeed...
elm -- remote buffer overflow in Expires header
Ulf Harnhammar has discovered a remotely exploitable buffer overflow in the Elm e-mail client when parsing the Expires header of an e-mail message: The attacker only needs to send the victim an e-mail message. When the victim with that message in his or her inbox starts Elm or simply views the inbox ...
acroread -- plug-in buffer overflow vulnerability
An Adobe Security Advisory reports: The identified vulnerability is a buffer overflow within a core application plug-in, which is part of Adobe Acrobat and Adobe Reader. If a malicious file were opened it could trigger a buffer overflow as the file is being loaded into Adobe Acrobat and Adobe...
pear-XML_RPC -- remote PHP code injection vulnerability
A Hardened-PHP Project Security Advisory reports: When the library parses XMLRPC requests/responses, it constructs a string of PHP code, that is later evaluated. This means any failure to properly handle the construction of this string can result in arbitrary execution of PHP code. This new...
tor -- diffie-hellman handshake flaw
A tor advisory reports: Tor clients can completely lose anonymity, confidentiality, and data integrity if the first Tor server in their path is malicious. Specifically, if the Tor client chooses a malicious Tor server for her first hop in the circuit, that server can learn all the keys she...
evolution -- remote format string vulnerabilities
A SITIC Vulnerability Advisory reports: Evolution suffers from several format string bugs when handling data from remote sources. These bugs lead to crashes or the execution of arbitrary assembly language code. The first format string bug occurs when viewing the full vCard data attached to an...
xpdf -- disk fill DoS vulnerability
xpdf is vulnerable to a denial of service vulnerability which can cause xpdf to create an infinitely large file, thereby filling up the /tmp partition, when opening a specially crafted PDF file. Note that several applications contain an embedded version of xpdf, therefore making them the vulnerab...
awstats -- arbitrary code execution vulnerability
An iDEFENSE Security Advisory reports: Remote exploitation of an input validation vulnerability in AWStats allows remote attackers to execute arbitrary commands. The problem specifically exists because of insufficient input filtering before passing user-supplied data to an eval function. As part ...
gaim -- AIM/ICQ non-UTF-8 filename crash
The GAIM team reports: A remote user could cause Gaim to crash on some systems by sending the Gaim user a file whose filename contains certain invalid characters. It is unknown what combination of systems are affected, but it is suspected that Windows users and systems with older versions of GTK+...
gaim -- AIM/ICQ away message buffer overflow
The GAIM team reports: A remote AIM or ICQ user can cause a buffer overflow in Gaim by setting an away message containing many AIM substitution strings such as %t or %n...
openvpn -- denial of service: client certificate validation can disconnect unrelated clients
James Yonan reports: DoS attack against server when run with "verb 0" and without "tls-auth". If a client connection to the server fails certificate verification, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error...
openvpn -- multiple TCP clients connecting with the same certificate at the same time can crash the server
James Yonan reports: If two or more client machines try to connect to the server at the same time via TCP, using the same client certificate, and when --duplicate-cn is not enabled on the server, a race condition can crash the server with "Assertion failed at mtcp.c:411"...
squid -- Possible Denial Of Service Vulnerability in store.c
The squid patches page notes: Squid crashes with the above assertion failure (assertion failed: store.c:523: "e->store_status == STORE_PENDING") in certain conditions involving aborted requests...
unzip -- permission race vulnerability
Imran Ghory reports a vulnerability within unzip. The vulnerability is caused by a race condition between extracting an archive and changing the permissions of the extracted files. This would give an attacker enough time to remove a file and hardlink it to another file owned by the user running...
pcre -- regular expression buffer overflow
The pcre library is vulnerable to a buffer overflow vulnerability due to insufficient validation of quantifier values. This could lead to execution of arbitrary code with the permissions of the program using pcre by way of a specially crafted regular expression...
opera -- image dragging vulnerability
A Secunia Advisory reports: Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks and retrieve a user's files. The vulnerability is caused due to Opera allowing a user to drag e.g. an image, which is actually a...
opera -- download dialog spoofing vulnerability
A Secunia Advisory reports: Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to trick users into executing malicious files. The vulnerability is caused due to an error in the handling of extended ASCII codes in the download dialog. This can be...
openvpn -- denial of service: undecryptable packet from authorized client can disconnect unrelated clients
James Yonan reports: If the client sends a packet which fails to decrypt on the server, the OpenSSL error queue is not properly flushed, which can result in another unrelated client instance on the server seeing the error and responding to it, resulting in disconnection of the unrelated client...