6526 matches found
kdelibs3 -- konqueror FTP command injection vulnerability
Albert Puigsech Galicia reports that Konqueror (more specifically kioftp) and Microsoft Internet Explorer are vulnerable to an FTP command injection vulnerability which can be exploited by tricking a user into clicking a specially crafted FTP URI. It is also reported by Ian Gulliver and Emanuele...
rssh & scponly -- arbitrary command execution
Jason Wies identified that both rssh and scponly have a vulnerability that allows arbitrary command execution. He reports: The problem is compounded when you recognize that the main use of rssh and scponly is to allow file transfers, which in turn allows a malicious user to transfer and execute entire...
viewcvs -- information leakage
The hidecvsroot and forbidden configuration options are not properly honored by viewcvs when exporting to a tar file, which can lead to information leakage...
jdk/jre -- Security Vulnerability With Java Plugin
The Sun Java Plugin capability in Java 2 Runtime Environment JRE 1.4.201, 1.4.204, and possibly earlier versions, does not properly restrict access between Javascript and Java applets during data transfer, which allows remote attackers to load unsafe classes and execute arbitrary code...
helvis -- arbitrary file deletion problem
The setuid root elvprsv utility, used to preserve helvis recovery files, can be abused by local users to delete files with root privileges. The problem is that elvprsv deletes files when it thinks they have become corrupt. When elvprsv is pointed to a normal file it will almost always think the fi...
helvis -- information leak vulnerabilities
Once a recovery file has been preserved by the setuid root elvprsv utility, it is placed in a world-readable directory with world-readable permissions. This possibly allows sensitive information to leak. In addition to this information leak, it is possible for users to recover files that belong to...
jabberd -- remote buffer overflow vulnerability
Because of improper bounds checking of the username and password in the C2S module, an attacker can cause a remote buffer overflow. The server passes the user input directly to SQL backend functions, so malicious input may lead to a buffer overflow...
Open DC Hub -- remote buffer overflow vulnerability
Donato Ferrante reported an exploitable buffer overflow in this software package. Any user that can log in with 'admin' privileges can abuse it, through the $RedirectAll command, to execute arbitrary code...
xpdf -- buffer overflow vulnerability
An iDEFENSE Security Advisory reports: Remote exploitation of a buffer overflow vulnerability in the xpdf PDF viewer, as included in multiple Linux distributions, could allow attackers to execute arbitrary code as the user viewing a PDF file. The offending code can be found in the Gfx::doImage...
squid -- possible information disclosure
The squid-2.5 patches page notes: In certain conditions Squid returns random data as error messages in response to a malformed host name, possibly leaking random internal information which may come from other requests...
ProZilla -- server response buffer overflow vulnerabilities
Buffer overflow vulnerabilities have been reported to exist in this software package. The vulnerabilities can be triggered by a remote server and can be used to inject malicious code into the ProZilla process...
opera -- multiple vulnerabilities in Java implementation
Marc Schoenefeld reports: Opera 7.54 is vulnerable to leakage of the Java sandbox, allowing malicious applets to gain unacceptable privileges. This allows them to be used for information gathering (spying on local identity information and system configurations) as well as causing annoying crash...
phpMyAdmin -- cross-site scripting vulnerabilities
Multiple cross-site scripting vulnerabilities, caused by improper sanitizing of input parameters, were detected in phpMyAdmin; they may enable an attacker to perform cross-site scripting attacks...
phpbb -- arbitrary command execution and other vulnerabilities
The ChangeLog for phpBB 2.0.11 states: Changes since 2.0.10: Fixed vulnerability in highlighting code (very high severity, please update your installation as soon as possible); Fixed unsetting global vars - Matt Kavanagh; Fixed XSS vulnerability in username handling - AnthraX101; Fixed not confirmed sq...
up-imapproxy -- multiple vulnerabilities
Timo Sirainen reports: There are various bugs in up-imapproxy which can crash it. Since up-imapproxy runs in a single process with each connection handled in a separate thread, any crash kills all the connections and stops listening for new ones. On 64-bit systems it might be possible to make it...
fcron -- multiple vulnerabilities
An iDEFENSE Security Advisory states: Multiple vulnerabilities have been found in Fcron: File Contents Disclosure; Configuration Bypass Vulnerability; File Removal and Empty File Creation Vulnerability; Information Disclosure Vulnerability...
smbd -- buffer-overrun vulnerability
Because of improper bounds checking of certain trans2 requests, there is a possible buffer overrun in smbd. To take advantage of this issue, the attacker needs to be able to create files with very specific Unicode filenames on the share...
Overflow error in fetch
An integer overflow condition in fetch(1) in the processing of HTTP headers can result in a buffer overflow. A malicious server or CGI script can respond to an HTTP or HTTPS request in such a manner as to cause arbitrary portions of the client's memory to be overwritten, allowing for arbitrary code...
sudoscript -- signal delivery vulnerability
If non-root access is enabled in sudoscript, any member of the ssers group can send a SIGHUP signal to any process...
twiki -- arbitrary shell command execution
Hans Ulrich Niedermann reports: The TWiki search function uses a user-supplied search string to compose a command line executed by the Perl backtick operator. The search string is not checked properly for shell metacharacters and is thus vulnerable to a search string containing quotes and shell...
sudo -- privilege escalation with bash scripts
A Sudo Security Alert reports: A flaw exists in sudo's environment sanitizing prior to sudo version 1.6.8p2 that could allow a malicious user with permission to run a shell script that utilized the bash shell to run arbitrary commands...
ez-ipupdate -- format string vulnerability
Data supplied by a remote server is used as the format string, instead of as parameters, in a syslog call. This may lead to crashes or potentially to running arbitrary code. It is only a problem when running in daemon mode (very common) and when using some service types...
cscope -- buffer overflow vulnerabilities
Jason Duell reports: Cscope contains an alarming number of buffer overflow vulnerabilities. By a rough count, there are at least 48 places where we blindly sprintf a file name into a fixed-length buffer of size PATHLEN without checking to see if the file's name is >= PATHLEN. We do similar things...
golddig -- local buffer overflow vulnerabilities
Two buffer overflow vulnerabilities were detected. Both issues can be used by local users to gain the privileges of group games on affected systems. The first overflow exists in the map name handling and can be triggered when a very long name is given to the program during command-line execution. The...
bnc -- remotely exploitable buffer overflow in getnickuserhost
An LSS Security Advisory reports: There is a buffer overflow vulnerability in the getnickuserhost function that is called when BNC is processing a response from the IRC server. The vulnerability can be exploited if an attacker tricks a user into connecting to his fake IRC server that will exploit this vulnerability. If t...
unarj -- long filename buffer overflow
Ludwig Nussel has discovered a buffer overflow vulnerability in unarj's handling of long filenames which could potentially lead to execution of arbitrary code with the permissions of the user running unarj...
isc-dhcpd -- format string vulnerabilities
The ISC DHCP programs contain several format string vulnerabilities which may allow a remote attacker to execute arbitrary code with the permissions of the DHCP programs, typically root for the DHCP server...
Cyrus IMAPd -- FETCH command out of bounds memory corruption
The argument parser of the fetch command suffers a bug very similar to the partial command problem. Arguments like "bodyp", "binaryp" or "binaryp" will be wrongly detected and the buffer position can point outside of the allocated buffer for the rest of the parsing process. When the parser trigge...
Cyrus IMAPd -- IMAPMAGICPLUS preauthentication overflow
When the option imapmagicplus is activated on a server, the PROXY and LOGIN commands suffer a standard stack overflow, because the username is not checked against a maximum length when it is copied into a temporary stack buffer. This bug is especially dangerous because it can be triggered before a...
Cyrus IMAPd -- PARTIAL command out of bounds memory corruption
Due to a bug within the argument parser of the partial command, an argument like "bodyp" will be wrongly detected as "body.peek". Because of this the buffer position gets increased by 10 instead of 5 and could therefore point outside the allocated memory buffer for the rest of the parsing process. ...
ruby -- CGI DoS
The Ruby CGI.rb module contains a bug which can cause the CGI module to go into an infinite loop, thereby causing a denial-of-service situation on the web server by consuming all available CPU time...
Cyrus IMAPd -- APPEND command uses undefined programming construct
To support MULTIAPPENDS, the cmdappend handler uses the global stage array. This array is one of the things that gets destructed when the fatal function is triggered. When the Cyrus IMAP code adds new entries to this array, this is done with the help of the postfix increment operator in combination...
squirrelmail -- cross site scripting vulnerability
A SquirrelMail Security Notice reports: There is a cross site scripting issue in the decoding of encoded text in certain headers. SquirrelMail correctly decodes the specially crafted header, but doesn't sanitize the decoded strings...
proxytunnel -- format string vulnerability
A Gentoo Linux Security Advisory reports: Florian Schilhabel of the Gentoo Linux Security Audit project found a format string vulnerability in Proxytunnel. When the program is started in daemon mode (-a port), it improperly logs invalid proxy answers to syslog. A malicious remote server could send...
apache2 -- multiple space header denial-of-service vulnerability
It is possible for remote attackers to cause a denial-of-service scenario on Apache 2.0.52 and earlier by sending an HTTP GET request with a MIME header containing multiple lines full of whitespace...
rockdodger -- buffer overflows
The environment variable HOME is copied without regard to buffer size, which can be used to gain elevated privileges if the binary is installed setgid games, and a string is read from the high score file without a bounds check. The port installs the binary without setgid, but with a world-writable...
wzdftpd -- remote DoS
wzdftpd contains a potential remote denial-of-service vulnerability...
quake2 -- multiple critical vulnerabilities
An advisory published by Richard Stanway describes numerous critical vulnerabilities in the Quake II engine: Due to unchecked input at various stages in the server, remote users are able to cause the server to crash, reveal sensitive information or potentially execute arbitrary code...
putty -- buffer overflow vulnerability in ssh2 support
There is a bug in SSH2 support that allows a server to execute malicious code on a connecting PuTTY client. This attack can be performed before host key verification happens, so a different machine (a man-in-the-middle attack) could fake the machine you are connecting to...
gd -- integer overflow
infamous41md reports about the GD Graphics Library: There is an integer overflow when allocating memory in the routine that handles loading PNG image files. This later leads to heap data structures being overwritten. If an attacker tricked a user into loading a malicious PNG image, they could...
libxml -- remote buffer overflows
infamous41md reports that libxml contains multiple buffer overflows in the URL parsing and DNS name resolving functions. These vulnerabilities could lead to execution of arbitrary code...
zgv -- exploitable heap overflows
infamous41md reports: zgv uses malloc frequently to allocate memory for storing image data. When calculating how much to allocate, user supplied data from image headers is multiplied and/or added without any checks for arithmetic overflows. We can overflow numerous calculations, and cause small...
xtrlock -- X display locking bypass
The X display locking program xtrlock contains an integer overflow bug. It is possible for an attacker with physical access to the system to bypass the display lock...
ImageMagick -- EXIF parser buffer overflow
There exists a buffer overflow vulnerability in ImageMagick's EXIF parsing code which may lead to execution of arbitrary code...
rssh -- format string vulnerability
There is a format string bug in rssh that enables an attacker to execute arbitrary code from an account configured to use rssh. On FreeBSD it is only possible to compromise the account running rssh, not root...
apache -- mod_include buffer overflow vulnerability
There is a buffer overflow in a function used by mod_include that may enable a local user to gain the privileges of an httpd child. Only users that are able to create SSI documents can take advantage of this vulnerability...
awstats -- remote command execution vulnerability
An iDEFENSE Security Advisory reports: Remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the web server. The problem specifically exists when the application is running as a CGI script on a web server. The...
xpdf -- integer overflow vulnerabilities
Chris Evans discovered several integer arithmetic overflows in the xpdf 2 and xpdf 3 code bases. The flaws have impacts ranging from denial-of-service to arbitrary code execution...
gaim -- MSN denial-of-service vulnerabilities
The Gaim team discovered denial-of-service vulnerabilities in the MSN protocol handler: After accepting a file transfer request, Gaim will attempt to allocate a buffer of a size equal to the entire file size; this allocation attempt will cause Gaim to crash if the size exceeds the amount of...
gaim -- buffer overflow in MSN protocol support
Due to a buffer overflow in the MSN protocol support for gaim 0.79 to 1.0.1, it is possible for remote clients to do a denial-of-service attack on the application. This is caused by an unbounded copy operation, which writes to the wrong buffer...