6526 matches found

FreeBSD
•added 2005/07/27 12:0 a.m.•34 views

gforge -- XSS and email flood vulnerabilities

Jose Antonio Coret reports that GForge contains multiple Cross Site Scripting vulnerabilities and an e-mail flood vulnerability: The login form is also vulnerable to XSS Cross Site Scripting attacks. This may be used to launch phishing attacks by sending HTML e-mails i.e.: saying that you need to...

CVSS 4.3 • AI score 5.7 • EPSS 0.01282
Exploits 0 • References 1

FreeBSD
•added 2005/07/27 12:0 a.m.•30 views

zlib -- buffer overflow vulnerability

Problem description A fixed-size buffer is used in the decompression of data streams. Due to erroneous analysis performed when zlib was written, this buffer, which was believed to be sufficiently large to handle any possible input stream, is in fact too small. Impact A carefully constructed...

CVSS 5 • AI score 9.1 • EPSS 0.07988
Exploits 0

FreeBSD
•added 2005/07/27 12:0 a.m.•39 views

ipsec -- Incorrect key usage in AES-XCBC-MAC

Problem description A programming error in the implementation of the AES-XCBC-MAC algorithm for authentication resulted in a constant key being used instead of the key specified by the system administrator. Impact If the AES-XCBC-MAC algorithm is used for authentication in the absence of any...

CVSS 5 • AI score 6.2 • EPSS 0.00364
Exploits 0

FreeBSD
•added 2005/07/27 12:0 a.m.•27 views

openvpn -- denial of service: malicious authenticated "tap" client can deplete server virtual memory

James Yonan reports: A malicious authenticated client in "dev tap" ethernet bridging mode could theoretically flood the server with packets appearing to come from hundreds of thousands of different MAC addresses, causing the OpenVPN process to deplete system virtual memory as it expands its...

CVSS 2.1 • AI score 6.4 • EPSS 0.00269
Exploits 0 • References 1

FreeBSD
•added 2005/07/26 12:0 a.m.•11 views

ethereal -- multiple protocol dissectors vulnerabilities

An Ethereal Security Advisory reports: Our testing program has turned up several more security issues: The LDAP dissector could free static memory and crash. The AgentX dissector could crash. The 802.3 dissector could go into an infinite loop. The PER dissector could abort. The DHCP dissector...

Exploits 0 • References 1

FreeBSD
•added 2005/07/26 12:0 a.m.•22 views

proftpd -- format string vulnerabilities

The ProFTPD release notes state: sean found two format string vulnerabilities, one in modsql's SQLShowInfo directive, and one involving the 'ftpshut' utility. Both can be considered low risk, as they require active involvement on the part of the site administrator in order to be exploited. These...

CVSS 6.4 • AI score 6.1 • EPSS 0.01235
Exploits 0 • References 2

FreeBSD
•added 2005/07/25 12:0 a.m.•20 views

vim -- vulnerabilities in modeline handling: glob, expand

Georgi Guninski discovered a way to construct Vim modelines that execute arbitrary shell commands. The vulnerability can be exploited by including shell commands in modelines that call the glob or expand functions. An attacker could trick a user to read or edit a trojaned file with modelines...

CVSS 9.3 • AI score 7 • EPSS 0.01518
Exploits 1 • References 1

FreeBSD
•added 2005/07/25 12:0 a.m.•14 views

nbsmtp -- format string vulnerability

When nbsmtp is executed in debug mode, server messages will be printed to stdout and logged via syslog. Syslog is used insecurely and user-supplied format characters are directly fed to the syslog function, which results in a format string vulnerability. Under some circumstances, an SMTP server m...

AI score 2.3
Exploits 0 • References 1

FreeBSD
•added 2005/07/25 12:0 a.m.•14 views

jabberd -- 3 buffer overflows

There are 3 buffer overflows in jid.c that are triggered during parsing of JID strings when components user, host or resource are too long. jid.c, line 103: overflow in str' buffer through strcpy when "user" part is too long. jid.c, line 115: overflow in str' buffer through strcpy when "host" par...

AI score 2.5
Exploits 0 • References 1

FreeBSD
•added 2005/07/25 12:0 a.m.•34 views

apache -- http request smuggling

A Watchfire whitepaper reports a vulnerability in the Apache webserver. The vulnerability can be exploited by malicious people causing cross site scripting, web cache poisoning, session hijacking and most importantly the ability to bypass web application firewall protection. Exploiting this...

CVSS 4.3 • AI score 9.1 • EPSS 0.39952
Exploits 1 • References 1

FreeBSD
•added 2005/07/24 12:0 a.m.•25 views

clamav -- multiple remote buffer overflows

A Secunia Advisory reports: Neel Mehta and Alex Wheeler have reported some vulnerabilities in Clam AntiVirus, which can be exploited by malicious people to cause a DoS Denial of Service or compromise a vulnerable system. Two integer overflow errors in "libclamav/tnef.c" when processing TNEF file...

AI score 2
Exploits 0 • References 2

FreeBSD
•added 2005/07/21 12:0 a.m.•31 views

squid -- Denial Of Service Vulnerability in sslConnectTimeout

The squid patches page notes: After certain slightly odd requests Squid crashes with a segmentation fault in sslConnectTimeout...

CVSS 5 • AI score 6.5 • EPSS 0.15104
Exploits 0 • References 3

FreeBSD
•added 2005/07/21 12:0 a.m.•30 views

libgadu -- multiple vulnerabilities

Wojtek Kaniewski reports: Multiple vulnerabilities have been found in libgadu, a library for handling Gadu-Gadu instant messaging protocol. It is a part of ekg, a Gadu-Gadu client, but is widely used in other clients. Also some of the user contributed scripts were found to behave in an insecure...

CVSS 10 • AI score 7.8 • EPSS 0.05578
Exploits 0 • References 3

FreeBSD
•added 2005/07/21 12:0 a.m.•20 views

fetchmail -- denial of service/crash from malicious POP3 server

In fetchmail 6.2.5.1, the remote code injection via POP3 UIDL was fixed, but a denial of service attack was introduced: Two possible NULL-pointer dereferences allow a malicious POP3 server to crash fetchmail by responding with UID lines containing only the article number but no UID in violation of...

AI score 3
Exploits 0 • References 2

FreeBSD
•added 2005/07/21 12:0 a.m.•33 views

dnrd -- remote buffer and stack overflow vulnerabilities

Natanael Copa reports that dnrd is vulnerable to a remote buffer overflow and a remote stack overflow. These vulnerabilities can be triggered by sending invalid DNS packets to dnrd. The buffer overflow could potentially be used to execute arbitrary code with the permissions of the dnrd daemon. No...

AI score 7.3
Exploits 0

FreeBSD
•added 2005/07/20 12:0 a.m.•32 views

devfs -- ruleset bypass

Problem description Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions. Impact Jailed process...

CVSS 7.2 • AI score 6.5 • EPSS 0.00065
Exploits 0

FreeBSD
•added 2005/07/20 12:0 a.m.•42 views

fetchmail -- remote root/code injection from malicious POP3 server

fetchmail's POP3/UIDL code does not truncate received UIDs properly. A malicious or compromised POP3 server can thus corrupt fetchmail's stack and inject code when fetchmail is using UIDL, either through configuration, or as a result of certain server capabilities. Note that fetchmail is run as...

CVSS 5 • AI score 6.6 • EPSS 0.06437
Exploits 1 • References 2

FreeBSD
•added 2005/07/18 12:0 a.m.•32 views

kdebase -- Kate backup file permission leak

A KDE Security Advisory explains: Kate / Kwrite create a file backup before saving a modified file. These backup files are created with default permissions, even if the original file had more strict permissions set. Depending on the system security settings, backup files might be readable by othe...

CVSS 7.5 • AI score 6.1 • EPSS 0.02823
Exploits 0 • References 2

FreeBSD
•added 2005/07/16 12:0 a.m.•28 views

PowerDNS -- LDAP backend fails to escape all queries

The LDAP backend in PowerDNS has issues with escaping queries which could cause connection errors. This would make it possible for a malicious user to temporarily blank domains. This is known to affect all releases prior to 2.9.18...

CVSS 2.1 • AI score 6.3 • EPSS 0.00007
Exploits 0 • References 2

FreeBSD
•added 2005/07/13 12:0 a.m.•31 views

squirrelmail -- _$POST variable handling allows for various attacks

A Squirrelmail Advisory reports: An extract$POST was done in optionsidentities.php which allowed for an attacker to set random variables in that file. This could lead to the reading and possible writing of other people's preferences, cross site scripting or writing files in webserver-writable...

CVSS 4.3 • AI score 6.2 • EPSS 0.1115
Exploits 2 • References 1

FreeBSD
•added 2005/07/12 12:0 a.m.•39 views

firefox & mozilla -- multiple vulnerabilities

The Mozilla Foundation reports of multiple security vulnerabilities in Firefox and Mozilla: MFSA 2005-56 Code execution through shared function objects MFSA 2005-55 XHTML node spoofing MFSA 2005-54 Javascript prompt origin spoofing MFSA 2005-53 Standalone applications can run arbitrary code throu...

CVSS 7.5 • AI score 6.1 • EPSS 0.82043
Exploits 9 • References 13

FreeBSD
•added 2005/07/12 12:0 a.m.•21 views

heartbeat -- insecure temporary file creation vulnerability

Eric Romang reports a temporary file creation vulnerability within heartbeat. The vulnerability is caused by hardcoded temporary file usage. This can cause an attacker to create an arbitrary symlink causing the application to overwrite the symlinked file with the permissions of the user executing...

CVSS 2.1 • AI score 6.4 • EPSS 0.00096
Exploits 0 • References 1

FreeBSD
•added 2005/07/12 12:0 a.m.•39 views

apache -- Certificate Revocation List (CRL) off-by-one vulnerability

Marc Stern reports an off-by-one vulnerability within modssl. The vulnerability lies in modssl's Certificate Revocation List CRL. If Apache is configured to use a CRL this could allow an attacker to crash a child process causing a Denial of Service...

CVSS 5 • AI score 8.9 • EPSS 0.04266
Exploits 0

FreeBSD
•added 2005/07/07 12:0 a.m.•32 views

bugzilla -- multiple vulnerabilities

A Bugzilla Security Advisory reports: Any user can change any flag on any bug, even if they don't have access to that bug, or even if they can't normally make bug changes. This also allows them to expose the summary of a bug. Bugs are inserted into the database before they are marked as private, ...

AI score 6.3
Exploits 0 • References 3

FreeBSD
•added 2005/07/07 12:0 a.m.•15 views

pear-XML_RPC -- information disclosure vulnerabilities

The pear-XMLRPC release notes report that the following issues have been fixed: Eliminate path disclosure vulnerabilities by suppressing error messages when eval'ing. Eliminate path disclosure vulnerability by catching bogus parameters submitted to XMLRPCValue::serializeval...

AI score 3.4
Exploits 0 • References 1

FreeBSD
•added 2005/07/06 12:0 a.m.•30 views

zlib -- buffer overflow vulnerability

Problem Description An error in the handling of corrupt compressed data streams can result in a buffer being overflowed. Impact By carefully crafting a corrupt compressed data stream, an attacker can overwrite data structures in a zlib-using application. This may cause the application to halt,...

CVSS 7.5 • AI score 6.5 • EPSS 0.43032
Exploits 3

FreeBSD
•added 2005/07/05 12:0 a.m.•35 views

ekg -- insecure temporary file creation

Eric Romang reports that ekg creates temporary files in an insecure manner. This can be exploited by an attacker using a symlink attack to overwrite arbitrary files and possibly execute arbitrary commands with the permissions of the user running ekg...

CVSS 5.5 • AI score 7 • EPSS 0.00042
Exploits 0 • References 2

FreeBSD
•added 2005/07/05 12:0 a.m.•22 views

phppgadmin -- "formLanguage" local file inclusion vulnerability

A Secunia Advisory reports: A vulnerability has been reported in phpPgAdmin, which can be exploited by malicious people to disclose sensitive information. Input passed to the "formLanguage" parameter in "index.php" isn't properly verified, before it is used to include files. This can be exploited...

CVSS 5 • AI score 6.1 • EPSS 0.12524
Exploits 1 • References 2

FreeBSD
•added 2005/07/05 12:0 a.m.•35 views

acroread -- buffer overflow vulnerability

An Adobe Security Advisory reports: A vulnerability within Adobe Reader has been identified. Under certain circumstances, remote exploitation of a buffer overflow in Adobe Reader could allow an attacker to execute arbitrary code. If exploited, it could allow the execution of arbitrary code under...

CVSS 5 • AI score 7.4 • EPSS 0.15002
Exploits 0 • References 2

FreeBSD
•added 2005/07/02 12:0 a.m.•33 views

net-snmp -- remote DoS vulnerability

A Net-SNMP release announcement reports: A security vulnerability has been found in Net-SNMP releases that could allow a denial of service attack against Net-SNMP agents which have opened a stream based protocol EG, TCP but not UDP; it should be noted that Net-SNMP does not by default open a TCP...

CVSS 5 • AI score 6.2 • EPSS 0.11098
Exploits 0 • References 1

FreeBSD
•added 2005/06/29 12:0 a.m.•33 views

clamav -- cabinet file handling DoS vulnerability

An iDEFENSE Security Advisory reports: Remote exploitation of an input validation error in Clam AntiVirus ClamAV allows attackers to cause a denial of service condition. The vulnerability specifically exists due to insufficient validation on cabinet file header data. The ENSUREBITS macro fails to...

CVSS 2.6 • AI score 6.3 • EPSS 0.00655
Exploits 0 • References 1

FreeBSD
•added 2005/06/29 12:0 a.m.•28 views

clamav -- MS-Expand file handling DoS vulnerability

An iDEFENSE Security Advisory reports: Remote exploitation of an input validation error in Clam AntiVirus ClamAV allows attackers to cause a denial of service condition. The vulnerability specifically exists due to improper behavior during exceptional conditions. Successful exploitation allows...

CVSS 5 • AI score 6.3 • EPSS 0.00739
Exploits 0 • References 1

FreeBSD
•added 2005/06/29 12:0 a.m.•44 views

pear-XML_RPC -- arbitrary remote code execution

GulfTech Security Research Team reports: PEAR XMLRPC is vulnerable to a very high risk php code injection vulnerability due to unsanitized data being passed into an eval call...

CVSS 7.5 • AI score 6.8 • EPSS 0.86153
Exploits 5 • References 2

FreeBSD
•added 2005/06/29 12:0 a.m.•33 views

kernel -- TCP connection stall denial of service

Problem Description Two problems have been discovered in the FreeBSD TCP stack. First, when a TCP packet containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection. Secon...

AI score 6.4
Exploits 0

FreeBSD
•added 2005/06/29 12:0 a.m.•46 views

drupal -- PHP code execution vulnerabilities

Kuba Zygmunt discovered a flaw in the input validation routines of Drupal's filter mechanism. An attacker could execute arbitrary PHP code on a target site when public comments or postings are allowed...

CVSS 7.5 • AI score 6.7 • EPSS 0.86153
Exploits 5 • References 1

FreeBSD
•added 2005/06/29 12:0 a.m.•38 views

kernel -- ipfw packet matching errors with address tables

Problem Description The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to insufficient locking, a cached result can become corrupted that could cause some addresses to be...

CVSS 5 • AI score 5.9 • EPSS 0.00219
Exploits 0

FreeBSD
•added 2005/06/29 12:0 a.m.•40 views

acroread -- insecure temporary file creation

Secunia Research reports: Secunia has discovered a security issue in Adobe Reader for Linux, which can be exploited by malicious, local users to gain knowledge of sensitive information. The problem is caused due to temporary files being created with permissions based on a user's umask in the "/tm...

AI score 3.3
Exploits 0 • References 1

FreeBSD
•added 2005/06/28 12:0 a.m.•45 views

wordpress -- multiple vulnerabilities

GulfTech Security Research reports: There are a number of vulnerabilities in WordPress that may allow an attacker to ultimately run arbitrary code on the vulnerable system. These vulnerabilities include SQL Injection, Cross Site Scripting, and also issues that may aid an attacker in social...

CVSS 7.5 • AI score 6.9 • EPSS 0.01227
Exploits 2 • References 1

FreeBSD
•added 2005/06/28 12:0 a.m.•35 views

phpbb -- remote PHP code execution vulnerability

FrSIRT Advisory reports: A vulnerability was identified in phpBB, which may be exploited by attackers to compromise a vulnerable web server. This flaw is due to an input validation error in the "viewtopic.php" script that does not properly filter the "highlight" parameter before calling the...

CVSS 7.5 • AI score 6.7 • EPSS 0.86512
Exploits 9 • References 2

FreeBSD
•added 2005/06/27 12:0 a.m.•19 views

Macromedia flash player -- swf file handling arbitrary code

A Secunia Advisory reports: A vulnerability has been reported in Macromedia Flash Player, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to missing validation of the frame type identifier that is read from a SWF file. This value is used a...

AI score 3.9
Exploits 0 • References 3

FreeBSD
•added 2005/06/27 12:0 a.m.•25 views

WebCalendar -- unauthorized access vulnerability

SecurityFocus reports that WebCalendar is affected by an unauthorized access vulnerability. The vulnerability is caused by improper checking of the authentication mechanism before access is being permitted to the "assistantedit.php" file...

CVSS 7.5 • AI score 6.4 • EPSS 0.0075
Exploits 0

FreeBSD
•added 2005/06/23 12:0 a.m.•17 views

linux-realplayer -- RealText parsing heap overflow

An iDEFENSE Security Advisory reports: Remote exploitation of a heap-based buffer overflow vulnerability in the RealText file format parser within various versions of RealNetworks Inc.'s RealPlayer could allow attackers to execute arbitrary code...

AI score 5.7
Exploits 0 • References 2

FreeBSD
•added 2005/06/22 12:0 a.m.•27 views

ruby -- arbitrary command execution on XMLRPC server

Nobuhiro IMAI reports: the default value modification on Modulepublicinstancemethods from false to true breaks s.addhandlerXMLRPC::iPIMethods"sample", MyHandler.new style security protection. This problem could allow a remote attacker to execute arbitrary commands on XMLRPC server of libruby...

CVSS 7.5 • AI score 6.8 • EPSS 0.08762
Exploits 0 • References 2

FreeBSD
•added 2005/06/22 12:0 a.m.•28 views

cacti -- multiple vulnerabilities

Stefan Esser reports: Wrongly implemented user input filters lead to multiple SQL Injection vulnerabilities which can lead f.e. to disclosure of the admin password hash. Wrongly implemented user input filters allows injection of user input into executed commandline. Alberto Trivero posted his...

AI score 6.1
Exploits 0 • References 4

FreeBSD
•added 2005/06/21 12:0 a.m.•16 views

cacti -- potential SQL injection and cross site scripting attacks

iDEFENSE security group disclosed potential SQL injection attacks from unchecked user input and two security holes regarding potential cross site scripting attacks...

AI score 1.2
Exploits 0 • References 1

FreeBSD
•added 2005/06/20 12:0 a.m.•15 views

sudo -- local race condition vulnerability

Todd C. Miller reports: A race condition in Sudo's command pathname handling prior to Sudo version 1.6.8p9 that could allow a user with Sudo privileges to run arbitrary commands. Exploitation of the bug requires that the user be allowed to run one or more commands via Sudo and be able to create...

CVSS 3.7 • AI score 6.7 • EPSS 0.0007
Exploits 0 • References 1

FreeBSD
•added 2005/06/20 12:0 a.m.•28 views

trac -- file upload/download vulnerability

Stefan Esser reports: Trac's wiki and ticket systems allows to add attachments to wiki entries and bug tracker tickets. These attachments are stored within directories that are determined by the id of the corresponding ticket or wiki entry. Due to a missing validation of the id parameter it is...

AI score 0.8
Exploits 0 • References 2

FreeBSD
•added 2005/06/17 12:0 a.m.•11 views

razor-agents -- denial of service vulnerability

A Secunia security advisory reports: Two vulnerabilities have been reported in Razor-agents, which can be exploited by malicious people to cause a DoS Denial of Service. An unspecified error in the preprocessing of certain HTML messages can be exploited to crash the application. A bug in the...

AI score 1.1
Exploits 0 • References 1

FreeBSD
•added 2005/06/16 12:0 a.m.•26 views

opera -- redirection cross-site scripting vulnerability

A Secunia Advisory reports: Secunia Research has discovered a vulnerability in Opera, which can be exploited by malicious people to conduct cross-site scripting attacks against users. The vulnerability is caused due to input not being sanitised, when Opera generates a temporary page for displayin...

AI score 2.4
Exploits 0 • References 3

FreeBSD
•added 2005/06/16 12:0 a.m.•17 views

tor -- information disclosure

Roger Dingledine reports: The Tor 0.1.0.10 release from a few days ago includes a fix for a bug that might allow an attacker to read arbitrary memory maybe even keys from an exit server's process space. We haven't heard any reports of exploits yet, but hey...

AI score 1
Exploits 0 • References 1

Total number of security vulnerabilities: 6526