xshisen -- local buffer overflows
Steve Kemp has found buffer overflows in the handling of the command line flag -KCONV and the XSHISENLIB environment variable. Ulf Härnhammer has detected an unbounded copy from the GECOS field to a char array. All overflows can be exploited to gain the privileges of group 'games'...
hylafax -- unauthorized login vulnerability
A flaw in HylaFAX may allow an attacker to bypass normal authentication by spoofing their DNS PTR records...
squid -- no sanity check of usernames in squid_ldap_auth
The LDAP authentication helper did not strip leading or trailing spaces from the login name. According to the squid patches page: LDAP is very forgiving about spaces in search filters and this could be abused to log in using several variants of the login name, possibly bypassing explicit access...
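The class of check the advisory describes, as an added example in C (this is not squid_ldap_auth's own patch, and the function names are mine): the login name is trimmed before it is interpolated into a search filter, and anything that would still let the directory match something other than the literal name (remaining whitespace, RFC 4515 filter metacharacters) is rejected rather than passed through.

```c
/* Added example (not Squid's code): normalise a login name before it is
 * interpolated into an LDAP search filter such as "(uid=<name>)". */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Strip leading/trailing whitespace into out. Returns 0 on success, -1 if the
 * name is empty after trimming, does not fit, or still contains whitespace,
 * non-printable bytes or filter metacharacters. LDAP servers tolerate spaces
 * inside a filter, so " alice" and "alice " would otherwise match "alice". */
int normalize_login(const char *in, char *out, size_t outsz)
{
    const char *start = in, *end;
    size_t len;

    while (*start && isspace((unsigned char)*start))
        start++;
    end = start + strlen(start);
    while (end > start && isspace((unsigned char)end[-1]))
        end--;
    len = (size_t)(end - start);
    if (len == 0 || len >= outsz)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)start[i];
        if (isspace(c) || !isprint(c) || strchr("*()\\", c))
            return -1;
    }
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

/* Build the search filter only from a normalised name. Returns -1 on rejection. */
int build_uid_filter(const char *login, char *filter, size_t filtersz)
{
    char name[64];
    if (normalize_login(login, name, sizeof name) != 0)
        return -1;
    if (snprintf(filter, filtersz, "(uid=%s)", name) >= (int)filtersz)
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed variants of one account name as a client might send them. */
    const char *variants[] = { "alice", " alice", "alice  ", "al ice", "alice*" };
    char filter[128];
    for (size_t i = 0; i < sizeof variants / sizeof *variants; i++) {
        if (build_uid_filter(variants[i], filter, sizeof filter) == 0)
            printf("\"%s\" -> %s\n", variants[i], filter);
        else
            printf("\"%s\" -> rejected\n", variants[i]);
    }
    return 0;
}
```

Trimming alone collapses the space variants onto one account; rejecting interior whitespace and `*()\` is what stops a name from being turned into a wildcard or a compound filter. The `isprint` test also rejects non-ASCII names, which is a deliberate choice for this illustration and would need relaxing (with proper RFC 4515 escaping) where such names are legitimate.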
squid -- denial of service with forged WCCP messages
The squid patches page notes: WCCP_I_SEE_YOU messages contain a 'number of caches' field which should be between 1 and 32. Values outside that range may crash Squid if WCCP is enabled, and if an attacker can spoof UDP packets with the WCCP router's IP address...
tiff -- tiffdump integer overflow vulnerability
Dmitry V. Levin found a potential integer overflow in the tiffdump utility which could lead to execution of arbitrary code. This could be exploited by tricking a user into executing tiffdump on a specially crafted tiff image...
xpdf -- makeFileKey2() buffer overflow vulnerability
An iDEFENSE Security Advisory reports: Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer included in multiple Unix and Linux distributions could allow for arbitrary code execution as the user viewing a PDF file. The vulnerability specifically exists due to insufficient...
exim -- two buffer overflow vulnerabilities
1. The function host_aton can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits, which is part of the code for SPA authentication...
kstars -- exploitable set-user-ID application fliccd
A KDE Security Advisory explains: Overview: KStars includes support for the Instrument Neutral Distributed Interface (INDI). The build system of this extra 3rd party software contained an installation hook to install fliccd (part of INDI) as a SUID root application. Erik Sjölund discovered that the code...
horde -- XSS vulnerabilities
A Hyperdose Security Advisory reports: Horde contains two XSS attacks that can be exploited through GET requests. Once exploited, these requests could be used to execute any javascript commands in the context of that user, potentially including but not limited to reading and deleting email, and...
mod_dosevasive -- insecure temporary file creation
An LSS Security Advisory reports: When a denial of service attack is detected, mod_dosevasive will, among other things, create a temporary file which it will use to trace actions from the offensive IP address. This file is insecurely created in /tmp and its name is easily predictable. It is then...
imap-uw -- authentication bypass when CRAM-MD5 is enabled
The CRAM-MD5 authentication support of the University of Washington IMAP and POP3 servers contains a vulnerability that may allow an attacker to bypass authentication and impersonate arbitrary users. Only installations with CRAM-MD5 support configured are affected...
dillo -- format string vulnerability
dillo contains a format string vulnerability which could lead to execution of arbitrary code simply by viewing a web page or opening an HTML file...
tomcat -- Tomcat Manager cross-site scripting
Oliver Karow discovered cross-site scripting issues in the Apache Jakarta Tomcat manager. The developers refer to the issues as minor...
mailman -- directory traversal vulnerability
A directory traversal vulnerability in mailman allows remote attackers to read arbitrary files due to inadequate input sanitizing. This could, among other things, lead remote attackers to gaining access to the mailman configuration database which contains subscriber email addresses and passwords o...
mpg123 -- buffer overflow vulnerability
Yuri D'Elia has found a buffer overflow vulnerability in mpg123's parsing of frame headers in input streams. This vulnerability can potentially lead to execution of arbitrary code with the permissions of the user running mpg123, if the user runs mpg123 on a specially crafted MP2 or MP3 file...
cups-base -- CUPS server remote DoS vulnerability
Kenshi Muto discovered that the CUPS server would enter an infinite loop when processing a URL containing /...
perl -- File::Path insecure file/directory permissions
Jeroen van Wolffelaar reports that the Perl module File::Path contains a race condition wherein traversed directories and files are temporarily made world-readable/writable...
mozilla -- heap overflow in NNTP handler
Maurycy Prodeus reports a critical vulnerability in Mozilla-based browsers: Mozilla browser supports NNTP urls. Remote side is able to trigger news:// connection to any server. I found a flaw in NNTP handling code which may cause heap overflow and allow remote attacker to execute arbitrary code o...
a2ps -- insecure temporary file creation
A Secunia Security Advisory reports that Javier Fernández-Sanguino Peña has found temporary file creation vulnerabilities in the fixps and psmandup scripts which are part of a2ps. These vulnerabilities could lead to an attacker overwriting arbitrary files with the credentials of the user running...
curl -- authentication buffer overflow vulnerability
Two iDEFENSE Security Advisories report: An exploitable stack-based buffer overflow condition exists when using NT Lan Manager (NTLM) authentication. The problem specifically exists within Curl_input_ntlm defined in lib/http_ntlm.c. Successful exploitation allows remote attackers to execute arbitrary...
squid -- confusing results on empty acl declarations
Applying an empty ACL list results in unexpected behavior: anything will match an empty ACL list. For example, the meaning of the configuration gets very confusing when we encounter empty ACLs such as acl something src "/path/to/emptyfile.txt" http_access allow something somewhere gets parsed with...
ImageMagick -- PSD handler heap overflow vulnerability
An iDEFENSE Security Advisory reports: Remote exploitation of a buffer overflow vulnerability in the ImageMagick Project's ImageMagick PSD image-decoding module could allow an attacker to execute arbitrary code. Exploitation may allow attackers to run arbitrary code on a victim's computer if th...
groff -- pic2graph and eqn2graph are vulnerable to symlink attack through temporary files
The eqn2graph and pic2graph scripts in groff 1.18.1 allow local users to overwrite arbitrary files via a symlink attack on temporary files...
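The mod_dosevasive, a2ps and groff entries above are all the same defect: a scratch file created under a predictable name in a shared directory, so a local user who plants a symlink there first redirects the write. The following added example (my own code, not from any of those projects; the predictable-name scheme, directory and helper names are assumptions for illustration) puts the vulnerable open() beside the two fixes, O_EXCL|O_NOFOLLOW on a fixed name and mkstemp() on a random one.

```c
/* Added example, not code from a2ps, mod_dosevasive or groff: creating a
 * scratch file in a shared directory, the unsafe way and two safe ways. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable pattern: a name anyone can guess (dir, program name, pid),
 * opened with O_CREAT but without O_EXCL. A symlink planted at that path in
 * advance is followed, and the write lands wherever the attacker pointed it.
 * Kept only for contrast; never call this on a world-writable directory. */
int open_predictable_unsafely(const char *dir, const char *prog, char *path, size_t pathsz)
{
    if (snprintf(path, pathsz, "%s/%s.%ld", dir, prog, (long)getpid()) >= (int)pathsz)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix 1: keep a fixed name but refuse anything already present. With O_EXCL
 * open() fails with EEXIST if the path exists, and a symlink at the final
 * component is not followed, so a pre-planted link cannot redirect the write. */
int open_predictable_safely(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Fix 2 (preferred): mkstemp() picks an unpredictable name and creates it
 * atomically with O_EXCL and mode 0600. Keep using the fd, not the path. */
int make_private_tempfile(const char *dir, char *path, size_t pathsz)
{
    if (snprintf(path, pathsz, "%s/scratch.XXXXXX", dir) >= (int)pathsz)
        return -1;
    return mkstemp(path);   /* -1 with errno set on failure */
}

/* 1 if fd is a regular file, mode 0600, owned by the effective uid. */
int tempfile_is_private(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600 && st.st_uid == geteuid();
}

int main(void)
{
    char path[256];
    int fd = make_private_tempfile("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("created %s, private=%d\n", path, tempfile_is_private(fd));
    close(fd);
    unlink(path);
    return 0;
}
```

Fix 1 still leaks the name to the attacker, who can deny service by creating the file first; that is why mkstemp() (or, better, a per-user directory under $TMPDIR) is the usual repair for the scripts named in these advisories.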
tiff -- directory entry count integer overflow vulnerability
In an iDEFENSE Security Advisory infamous41md reports: Remote exploitation of a heap-based buffer overflow vulnerability within the LibTIFF package could allow attackers to execute arbitrary code. The vulnerability specifically exists due to insufficient validation of user-supplied data when...
php -- multiple vulnerabilities
Secunia reports: Multiple vulnerabilities have been reported in PHP, which can be exploited to gain escalated privileges, bypass certain security restrictions, gain knowledge of sensitive information, or compromise a vulnerable system...
mailman -- generated passwords are poor quality
Florian Weimer wrote: Mailman 2.1.5 uses weak auto-generated passwords for new subscribers. These passwords are assigned when members subscribe without specifying their own password either by email or the web frontend. Knowledge of this password allows an attacker to gain access to the list archi...
pcal -- buffer overflow vulnerabilities
Danny Lungstrom has found two buffer overflow vulnerabilities in pcal which can lead to execution of arbitrary code by making a user run pcal on a specially crafted calendar file...
greed -- insecure GRX file processing
A buffer overflow vulnerability has been detected in the greed URL handling code. This bug can especially be a problem when greed is used to process GRX GetRight files that originate from untrusted sources. The bug finder, Manigandan Radhakrishnan, gave the following description: Here are the bug...
mpg123 -- playlist processing buffer overflow vulnerability
A buffer overflow vulnerability exists in the playlist processing of mpg123. A specially crafted playlist entry can cause a stack overflow that can be used to inject arbitrary code into the mpg123 process. Note that a malicious playlist, demonstrating this vulnerability, was released by the bug...
tnftp -- mget does not check for directory escapes
When downloading a batch of files from an FTP server the mget command does not check for directory escapes. A specially crafted file on the FTP server could then potentially overwrite an existing file of the user...
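The check that was missing in mget, as an added example in C (not tnftp's code; the function names and the sample listing are mine): every name the server returns is validated as a plain file name before the client opens it in the current directory, so "../.bashrc" or "/etc/passwd" in a hostile listing is skipped instead of overwriting the user's file.

```c
/* Added example, not tnftp's own code: validate server-supplied names before
 * an mget loop opens them for writing in the current directory. */
#include <stdio.h>
#include <string.h>

/* Return 1 if name can only land in the current directory, 0 otherwise.
 * Rejects empty names, anything containing '/' (absolute paths and
 * subdirectories alike, since mget writes into cwd), "." and "..", and
 * control characters that could hide a second name inside a listing line. */
int mget_name_is_safe(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (strchr(name, '/') != NULL)
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        if (*p < 0x20 || *p == 0x7f)
            return 0;
    return 1;
}

/* Walk an NLST-style listing (one name per line, as the server sent it).
 * Returns the number of names that would be fetched; *skipped counts the rest. */
int filter_listing(const char *listing, int *skipped)
{
    char buf[4096];
    int accepted = 0;

    *skipped = 0;
    strncpy(buf, listing, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *line = strtok(buf, "\n"); line; line = strtok(NULL, "\n")) {
        if (mget_name_is_safe(line))
            accepted++;
        else
            (*skipped)++;
    }
    return accepted;
}

int main(void)
{
    /* Constructed listing from a hostile server: two traversal attempts. */
    const char *listing = "report.pdf\n../.bashrc\n/etc/passwd\nnotes.txt\n";
    int skipped;
    int ok = filter_listing(listing, &skipped);
    printf("%d safe, %d skipped\n", ok, skipped);
    return 0;
}
```

Rejecting every '/' is stricter than only rejecting ".." components, but it matches what mget promises the user: files appear in the directory they are standing in, nowhere else.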
yamt -- arbitrary command execution vulnerability
Manigandan Radhakrishnan discovered a security vulnerability in YAMT which can lead to execution of arbitrary commands with the privileges of the user running YAMT when sorting based on MP3 tags. The problem exists in the id3tagsort routine which does not properly sanitize the artist tag from the...
cups-base -- HPGL buffer overflow vulnerability
Ariel Berkman has discovered a buffer overflow vulnerability in CUPS's HPGL input driver. This vulnerability could be exploited to execute arbitrary code with the permission of the CUPS server by printing a specially crafted HPGL file...
unrtf -- buffer overflow vulnerability
Yosef Klein and Limin Wang have found a buffer overflow vulnerability in unrtf that can allow an attacker to execute arbitrary code with the permissions of the user running unrtf, by running unrtf on a specially crafted rtf document...
libxine -- buffer-overflow vulnerability in aiff support
Due to a buffer overflow in the open_aiff_file function in demux_aiff.c, a remote attacker is able to execute arbitrary code via a modified AIFF file...
ethereal -- multiple vulnerabilities
An Ethereal Security Advisory reports: Issues have been discovered in the following protocol dissectors: Matthew Bing discovered a bug in DICOM dissection that could make Ethereal crash. An invalid RTP timestamp could make Ethereal hang and create a large temporary file, possibly filling availab...
phpmyadmin -- file disclosure vulnerability
A phpMyAdmin security announcement reports: File disclosure: on systems where the UploadDir mechanism is active, read_dump.php can be called with a crafted form; using the fact that the sql_localfile variable is not sanitized can lead to a file disclosure. Enabling PHP safe mode on the server can be...
phpmyadmin -- command execution vulnerability
A phpMyAdmin security announcement reports: Command execution: since phpMyAdmin 2.6.0-pl2, on a system where external MIME-based transformations are activated, an attacker can put into MySQL data an offensive value that starts a shell command when browsed. Enabling PHP safe mode on the server can...
fd_set -- bitmap index overflow in multiple applications
3APA3A reports: If programmer fails to check socket number before using select or fd_set macros, it's possible to overwrite memory behind fd_set structure. Very few select based application actually check FD_SETSIZE value. ... Depending on vulnerable application it's possible to overwrite portions o...
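The memory layout behind this advisory, as an added example in C (my own code, not from any of the affected applications; the conn_state structure is a constructed stand-in for whatever a real server keeps after its fd_set): fd_set is a fixed bitmap of FD_SETSIZE bits, FD_SET(fd, &set) sets bit number fd without a range check, so once a process holds more than FD_SETSIZE descriptors the next accepted fd writes past the end of the set. The example computes where that write would land and shows the bounds check that must precede FD_SET; it never performs the out-of-bounds write itself.

```c
/* Added example (not from any affected application): why an unchecked
 * descriptor number corrupts memory behind an fd_set, and the check that
 * prevents it. On glibc FD_SETSIZE is 1024 and sizeof(fd_set) is 128. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/* Byte offset, from the start of the set, that FD_SET(fd, ...) would touch. */
size_t fdset_byte_offset(int fd)
{
    return (size_t)fd / CHAR_BIT;
}

/* 1 if FD_SET(fd, ...) would write outside the fd_set object. */
int fd_overflows_fdset(int fd)
{
    return fd < 0 || fd >= FD_SETSIZE;
}

/* Checked wrapper: 0 after setting the bit, -1 if fd is out of range. A
 * caller that gets -1 should fall back to poll(), which has no fixed bound. */
int safe_fd_set(int fd, fd_set *set)
{
    if (fd_overflows_fdset(fd))
        return -1;
    FD_SET(fd, set);
    return 0;
}

/* Constructed layout: the set followed by a flag an attacker would like to
 * flip. Opening enough connections pushes an accepted fd to FD_SETSIZE; an
 * unchecked FD_SET(fd, &readfds) then writes into is_admin. */
struct conn_state {
    fd_set readfds;
    int is_admin;
};

/* 1 if the (hypothetical) unchecked write for fd would land inside is_admin. */
int write_lands_in_is_admin(int fd)
{
    size_t off = fdset_byte_offset(fd);
    return off >= offsetof(struct conn_state, is_admin) &&
           off < offsetof(struct conn_state, is_admin) + sizeof(int);
}

int main(void)
{
    struct conn_state s = { { { 0 } }, 0 };
    FD_ZERO(&s.readfds);
    printf("FD_SETSIZE=%d sizeof(fd_set)=%zu\n", FD_SETSIZE, sizeof(fd_set));
    printf("fd %d: byte offset %zu, overflows=%d, hits is_admin=%d\n",
           FD_SETSIZE, fdset_byte_offset(FD_SETSIZE),
           fd_overflows_fdset(FD_SETSIZE), write_lands_in_is_admin(FD_SETSIZE));
    if (safe_fd_set(FD_SETSIZE, &s.readfds) < 0)
        printf("refused fd %d\n", FD_SETSIZE);
    return 0;
}
```

Raising RLIMIT_NOFILE does not enlarge fd_set, which is exactly how a server that accepts connections until it runs out of descriptors ends up calling FD_SET with fd >= FD_SETSIZE. Newer glibc builds compiled with _FORTIFY_SOURCE abort on such a call rather than corrupting memory; the check above (or poll()) is the portable fix.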
opera -- kfmclient exec command execution vulnerability
Giovanni Delvecchio reports: Opera for linux uses "kfmclient exec" as "Default Application" to handle saved files. This could be used by malicious remote users to execute arbitrary shell commands on a target system...
cups-lpr -- lppasswd multiple vulnerabilities
D. J. Bernstein reports that Bartlomiej Sieka has discovered several security vulnerabilities in lppasswd, which is part of CUPS. In the following excerpt from Bernstein's email, CVE names have been added for each issue: First, lppasswd blithely ignores write errors in fputs(line, outfile) at lines...
mplayer -- multiple vulnerabilities
iDEFENSE and the MPlayer Team have found multiple vulnerabilities in MPlayer: potential heap overflow in Real RTSP streaming code; potential stack overflow in MMST streaming code; multiple buffer overflows in BMP demuxer; potential heap overflow in pnm streaming code; potential buffer overflow in...
vim -- vulnerabilities in modeline handling
Ciaran McCreesh discovered new ways in which a VIM modeline can be used to trojan a text file. The patch by Bram Moolenaar reads: Problem: Unusual characters in an option value may cause unexpected behavior, especially for a modeline. (Ciaran McCreesh) Solution: Don't allow setting termcap options...
wget -- multiple vulnerabilities
Jan Minar reports that there exists multiple vulnerabilities in wget: Wget erroneously thinks that the current directory is a fair game, and will happily write in any file in and below it. Malicious HTTP response or malicious HTML file can redirect wget to a file that is vital to the system, and...
web browsers -- window injection vulnerabilities
A Secunia Research advisory reports: Secunia Research has reported a vulnerability in multiple browsers, which can be exploited by malicious people to spoof the content of websites. The problem is that a website can inject content into another site's window if the target name of the window is...
imlib -- xpm heap buffer overflows and integer overflows
Pavel Kankovsky reports: Imlib affected by a variant of CAN-2004-0782 too. I've discovered more vulnerabilities in Imlib 1.9.13. In particular, it appears to be affected by a variant of Chris Evans' libXpm flaw #1 (CAN-2004-0782, see http://scary.beasts.org/security/CESA-2004-003.txt). Look at the...
krb5 -- heap buffer overflow vulnerability in libkadm5srv
A MIT krb5 Security Advisory reports: The MIT Kerberos 5 administration library libkadm5srv contains a heap buffer overflow in password history handling code which could be exploited to execute arbitrary code on a Key Distribution Center KDC host. The overflow occurs during a password change of a...
samba -- integer overflow vulnerability
Greg MacManus, iDEFENSE Labs reports: Remote exploitation of an integer overflow vulnerability in the smbd daemon included in Samba 2.0.x, Samba 2.2.x, and Samba 3.0.x prior to and including 3.0.9 could allow an attacker to cause controllable heap corruption, leading to execution of arbitrary...
bugzilla -- cross-site scripting vulnerability
A Bugzilla advisory states: This advisory covers a single cross-site scripting issue that has recently been discovered and fixed in the Bugzilla code: If a malicious user links to a Bugzilla site using a specially crafted URL, a script in the error page generated by Bugzilla will display the URL...
mc -- multiple vulnerabilities
Andrew V. Samoilov reported several vulnerabilities that were corrected in Midnight Commander 4.6.0: format string issues (CVE-2004-1004); buffer overflows (CVE-2004-1005); denial-of-service, infinite loop (CVE-2004-1009); denial-of-service, corrupted section header (CVE-2004-1090); denial-of-service, null...
kdelibs3 -- konqueror FTP command injection vulnerability
Albert Puigsech Galicia reports that Konqueror (more specifically kio_ftp) and Microsoft Internet Explorer are vulnerable to an FTP command injection vulnerability which can be exploited by tricking a user into clicking a specially crafted FTP URI. It is also reported by Ian Gulliver and Emanuele...