moinmoin -- ACL group bypass
The moinmoin package contains two bugs with ACLs and anonymous users. Both bugs may permit anonymous users to gain access to administrative functions, for example the delete function. There is no known workaround; the vulnerability exists regardless of whether a site is using ACLs or not...
Mozilla / Firefox user interface spoofing vulnerability
The Mozilla project's family of browsers contain a design flaw that can allow a website to spoof almost perfectly any part of the Mozilla user interface, including spoofing web sites for phishing or internal elements such as the "Master Password" dialog box. This is achieved by manipulating "chrome"...
apache13-modssl -- format string vulnerability in proxy support
An OpenPKG Security Advisory reports: Triggered by a report to Packet Storm from Virulent, a format string vulnerability was found in mod_ssl, the Apache SSL/TLS interface to OpenSSL, versions up to and including 2.8.18 for Apache 1.3. The mod_ssl in Apache 2.x is not affected. The vulnerability coul...
Multiple Potential Buffer Overruns in Samba
Evgeny Demidov discovered that the Samba server has a buffer overflow in the Samba Web Administration Tool (SWAT) on decoding Base64 data during HTTP Basic Authentication. Versions 3.0.2 through 3.0.4 are affected. Another buffer overflow bug has been found in the code used to support the "mangling...
mozilla -- insecure permissions for some downloaded files
In a Mozilla bug report, Daniel Kleinsinger writes: I was comparing treatment of attachments opened directly from emails on different platforms. I discovered that Linux builds save attachments in /tmp with world readable rights. This doesn't seem like a good thing. Couldn't someone else logged on...
mozilla -- NULL bytes in FTP URLs
When handling FTP URLs containing NULL bytes, Mozilla will interpret the file content as HTML. This may allow unexpected execution of Javascript when viewing plain text or other file types via FTP...
php -- strip_tags cross-site scripting vulnerability
Stefan Esser of e-matters discovered that PHP's strip_tags function would ignore certain characters during parsing of tags, allowing these tags to pass through. Select browsers could then parse these tags, possibly allowing cross-site scripting attacks...
apache2 -- SSL remote DoS
The Apache HTTP Server 2.0.51 release notes report that the following issues have been fixed: A segfault in mod_ssl which can be triggered by a malicious remote server, if proxying to SSL servers has been configured (CAN-2004-0751). A potential infinite loop in mod_ssl which could be triggered given...
php -- memory_limit related vulnerability
Stefan Esser of e-matters discovered a condition within PHP that may lead to remote execution of arbitrary code. The memory_limit facility is used to notify functions when memory constraints have been met. Under certain conditions, the entry into this facility is able to interrupt functions such as...
multiple vulnerabilities in ethereal
Issues have been discovered in multiple protocol dissectors...
cyrus-sasl -- potential buffer overflow in DIGEST-MD5 plugin
The Cyrus SASL DIGEST-MD5 plugin contains a potential buffer overflow when quoting is required in the output...
MySQL authentication bypass / buffer overflow
By submitting a carefully crafted authentication packet, it is possible for an attacker to bypass password authentication in MySQL 4.1. Using a similar method, a stack buffer used in the authentication mechanism can be overflowed...
Pavuk HTTP Location header overflow
When pavuk sends a request to a web server and the server sends back the HTTP status code 305 Use Proxy, pavuk copies data from the HTTP Location header in an unsafe manner. This leads to a stack-based buffer overflow with control over EIP...
mozilla -- built-in CA certificates may be overridden
Under some situations, Mozilla will automatically import a certificate from an email message or web site. This behavior can be used as a denial-of-service attack: if the certificate has a distinguished name (DN) identical to one of the built-in Certificate Authorities (CAs), then Mozilla will no long...
Remote code injection in phpMyAdmin
This vulnerability would allow a remote user to inject PHP code to be executed by the eval() function. This vulnerability is only exploitable if the variable $cfg['LeftFrameLight'] is set to FALSE in the file config.inc.php...
distcc -- incorrect parsing of IP access control rules
Fix bug that might cause IP-based access control rules not to be interpreted correctly on 64-bit platforms...
isc-dhcp3-server buffer overflow in logging mechanism
A buffer overflow exists in the logging functionality of the DHCP daemon which could lead to Denial of Service attacks and has the potential to allow attackers to execute arbitrary code...
gnats -- format string vulnerability
Gnats suffers from a format string bug, which may enable an attacker to execute arbitrary code...
rssh -- file name disclosure bug
rssh expands command line parameters before invoking chroot. This could result in the disclosure to the client of file names outside of the chroot directory. A posting by the rssh author explains: The cause of the problem identified by Mr. McCaw is that rssh expanded command-line arguments prior t...
sup -- format string vulnerability
Debian Security Advisory reports: [email protected] discovered a format string vulnerability in sup, a set of programs to synchronize collections of files across a number of machines, whereby a remote attacker could potentially cause arbitrary code to be executed with the privileges of the...
Remote Denial of Service of HTTP server and client
giFT-FastTrack is susceptible to a remote Denial of Service attack which could allow a remote attacker to render HTTP services unusable. According to the developers, no code execution is possible; however, they recommend an immediate upgrade...
Linux binary compatibility mode input validation error
A programming error in the handling of some Linux system calls may result in memory locations being accessed without proper validation. It may be possible for a local attacker to read and/or overwrite portions of kernel memory, resulting in disclosure of sensitive information or potential privile...
apache -- heap overflow in mod_proxy
A buffer overflow exists in mod_proxy which may allow an attacker to launch local DoS attacks and possibly execute arbitrary code...
mozilla -- users may be lured into bypassing security dialogs
According to the Mozilla project: An attacker who could lure users into clicking in particular places, or typing specific text, could cause a security permission or software installation dialog to pop up under the user's mouse click, clicking on the grant or install button...
mysql -- mysql_real_connect buffer overflow vulnerability
The mysql_real_connect function doesn't properly handle DNS replies, copying the IP address into a buffer without any length checking. A specially crafted DNS reply may therefore be used to cause a buffer overflow on affected systems. Note that whether this issue is exploitable depends on the...
Gallery 1.4.3 and earlier user authentication bypass
A flaw exists in Gallery versions previous to 1.4.3-pl1 and post 1.2 which may give an attacker the potential to log in under the "admin" account. Data outside of the gallery is unaffected and the attacker cannot modify any data other than the photos or photo albums...
Arbitrary code execution via a format string vulnerability in jftpgw
The log functions in jftpgw may allow a remotely authenticated user to execute arbitrary code via format string specifiers in certain syslog messages...
bmon -- unsafe set-user-ID application
Jon Nistor reported that the FreeBSD port of bmon was installed set-user-ID root, and executes commands using relative paths. This could allow a local user to easily obtain root privileges...
"Content-Type" XSS vulnerability affecting other webmail systems
Roman Medina-Heigl Hernandez did a survey of which other webmail systems were vulnerable to a bug he discovered in SquirrelMail. This advisory summarizes the results...
libxine -- multiple buffer overflows in RTSP
A xine security announcement states: Multiple vulnerabilities have been found and fixed in the Real-Time Streaming Protocol (RTSP) client for RealNetworks servers, including a series of potentially remotely exploitable buffer overflows. This is a joint advisory by the MPlayer and xine teams as the...
cvs -- numerous vulnerabilities
A number of vulnerabilities were discovered in CVS by Stefan Esser, Sebastian Krahmer, and Derek Price. Insufficient input validation while processing "Entry" lines (CVE-2004-0414). A double-free resulting from erroneous state handling while processing "Argumentx" commands (CVE-2004-0416). Integer...
Buffer overflow in Squid NTLM authentication helper
Remote exploitation of a buffer overflow vulnerability in the NTLM authentication helper routine of the Squid Web Proxy Cache could allow a remote attacker to execute arbitrary code. A remote attacker can compromise a target system if the Squid Proxy is configured to use the NTLM authentication...
neon date parsing vulnerability
Stefan Esser reports: A vulnerability within a libneon date parsing function could cause a heap overflow which could lead to remote code execution, depending on the application using libneon. The vulnerability is in the function ne_rfc1036_parse, which is in turn used by the function ne_httpdate_pars...
XFree86 opens a chooserFd TCP socket even when DisplayManager.requestPort is 0
When the IPv6 code was added to xdm, a critical test to disable xdmcp was accidentally removed. This caused xdm to create the chooser socket regardless of whether DisplayManager.requestPort was disabled in xdm-config or not...
subversion date parsing vulnerability
Stefan Esser reports: Subversion versions up to 1.0.2 are vulnerable to a date parsing vulnerability which can be abused to allow remote code execution on Subversion servers and therefore could lead to a repository compromise. NOTE: This vulnerability is similar to the date parsing issue that...
lha -- numerous vulnerabilities when extracting archives
Source code reviews of lha by Lukasz Wojtow, Thomas Biege, and others uncovered a number of vulnerabilities affecting lha: Buffer overflows when handling archives and filenames (CVE-2004-0694). Possible command execution via shell meta-characters when built with NOMKDIR (CVE-2004-0745). Buffer overfl...
mailman -- password disclosure
Barry Warsaw reports: Today I am releasing Mailman 2.1.5, a bug fix release ... This version also contains a fix for an exploit that could allow 3rd parties to retrieve member passwords. It is thus highly recommended that all existing sites upgrade to the latest version...
multiple vulnerabilities in ethereal
Issues have been discovered in multiple protocol dissectors...
URI handler vulnerabilities in several browsers
Karol Wiesek and Greg MacManus reported via iDEFENSE that the Opera web browser contains a flaw in the handling of certain URIs. When presented with these URIs, Opera would invoke external commands to process them after some validation. However, if the hostname component of a URI begins with a '-'...
Cyrus IMSPd multiple vulnerabilities
The Cyrus team reported multiple vulnerabilities in older versions of Cyrus IMSPd: These releases correct a recently discovered buffer overflow vulnerability, as well as clean up a significant amount of buffer handling throughout the code...
exim buffer overflow when verify = header_syntax is used
A remotely exploitable buffer overflow has been discovered in exim when verify = header_syntax is used in the configuration file. This does not affect the default configuration...
heimdal kadmind remote heap buffer overflow
An input validation error was discovered in the kadmind code that handles the framing of Kerberos 4 compatibility administration requests. The code assumed that the length given in the framing was always two or more bytes. Smaller lengths will cause kadmind to read an arbitrary amount of data int...
Several vulnerabilities found in PHPNuke
Janek Vind "waraxe" reports that several issues in the PHPNuke software may be exploited via carefully crafted URL requests. These URLs will permit the injection of SQL code, cookie theft, and the readability of the PHPNuke administrator account...
MoinMoin administrative group name privilege escalation vulnerability
A serious flaw exists in the MoinMoin software which may allow a malicious user to gain access to unauthorized privileges...
cvs pserver remote heap buffer overflow
Due to a programming error in code used to parse data received from the client, malformed data can cause a heap buffer to overflow, allowing the client to overwrite arbitrary portions of the server's memory. A malicious CVS client can exploit this to run arbitrary code on the server at the...
libpng denial-of-service
Steve Grubb reports a buffer read overrun in libpng's png_format_buffer function. A specially constructed PNG image processed by an application using libpng may trigger the buffer read overrun and possibly result in an application crash...
lha buffer overflows and path traversal issues
Ulf Härnhammar discovered several vulnerabilities in LHa for UNIX's path name handling code. Specially constructed archive files may cause LHa to overwrite files or execute arbitrary code with the privileges of the user invoking LHa. This could be particularly harmful for automated systems that...
Midnight Commander buffer overflows, format string bugs, and insecure temporary file handling
Jakub Jelinek reports several security related bugs in Midnight Commander, including: multiple buffer overflows (CVE-2004-0226); insecure temporary file handling (CVE-2004-0231); a format string bug (CVE-2004-0232)...
mozilla -- automated file upload
A malicious web page can cause an automated file upload from the victim's machine when viewed with Mozilla with Javascript enabled. This is due to a bug permitting default values for type="file" elements in certain situations...
rsync path traversal issue
When running rsync in daemon mode, no checks were made to prevent clients from writing outside of a module's 'path' setting...