buffer cache invalidation implementation issues
Programming errors in the implementation of the msync(2) system call involving the MS_INVALIDATE operation lead to cache consistency problems between the virtual memory system and on-disk contents. In some situations, a user with read access to a file may be able to prevent changes to that file from...
xine-lib arbitrary file overwrite
From the xinehq advisory: By opening a malicious MRL in any xine-lib based media player, an attacker can write arbitrary content to an arbitrary file, only restricted by the permissions of the user running the application. The flaw is a result of a feature that allows MRLs (media resource locators)...
phpBB IP address spoofing
The common.php script always trusts the `X-Forwarded-For' header in the client's HTTP request. A remote user could forge this header in order to bypass any IP address access control lists (ACLs)...
ident2 double byte buffer overflow
Jack of RaptureSecurity reported a double byte buffer overflow in ident2. The bug may allow a remote attacker to execute arbitrary code within the context of the ident2 daemon. The daemon typically runs as user-ID `nobody', but with group-ID `wheel'...
CVS path validation errors
Two programming errors were discovered in which path names handled by CVS were not properly validated. In one case, the CVS client accepts absolute path names from the server when determining which files to update. In another case, the CVS server accepts relative path names from the client when...
neon format string vulnerabilities
Greuff reports that the neon WebDAV client library contains several format string bugs within error reporting code. A malicious server may exploit these bugs by sending specially crafted PROPFIND or PROPPATCH responses. Although several applications include neon, such as cadaver and subversion, t...
mozilla -- security icon spoofing
Under certain situations it is possible for the security icon which Mozilla displays when connected to a site using SSL to be spoofed. This could be used to make so-called "phishing attacks" more difficult to detect...
xchat remotely exploitable buffer overflow (Socks5)
A straightforward stack buffer overflow exists in XChat's Socks5 proxy support. The XChat developers report that `tsifra' discovered this issue. NOTE: XChat Socks5 support is disabled by default in the FreeBSD Ports Collection...
racoon fails to verify signature during Phase 1
Ralf Spenneberg discovered a serious flaw in racoon. When using Phase 1 main or aggressive mode, racoon does not verify the client's RSA signature. Any installations using X.509 authentication are strongly urged to upgrade. Installations using pre-shared keys are believed to be unaffected...
Incorrect cross-realm trust handling in Heimdal
Heimdal does not correctly validate the `transited' field of Kerberos tickets when computing the authentication path. This could allow a rogue KDC with which cross-realm relationships have been established to impersonate any KDC in the authentication path...
racoon remote denial of service vulnerability (ISAKMP header length field)
When racoon receives an ISAKMP header, it will attempt to allocate sufficient memory for the entire ISAKMP message according to the header's length field. If an attacker crafts an ISAKMP header with a ridiculously large value in the length field, racoon may exceed operating system resource limits...
mplayer heap overflow in http requests
A remotely exploitable heap buffer overflow vulnerability was found in MPlayer's URL decoding code. If an attacker can cause MPlayer to visit a specially crafted URL, arbitrary code execution with the privileges of the user running MPlayer may occur. A `visit' might be caused by social engineering...
setsockopt(2) IPv6 sockets input validation error
From the FreeBSD Security Advisory: A programming error in the handling of some IPv6 socket options within the setsockopt(2) system call may result in memory locations being accessed without proper validation. It may be possible for a local attacker to read portions of kernel memory, resulting in...
mysql -- GRANT access restriction problem
When a user is granted access to a database with a name containing an underscore and the underscore is not escaped then that user might also be able to access other, similarly named, databases on the affected system. The problem is that the underscore is seen as a wildcard by MySQL and therefore ...
Critical SQL injection in phpBB
Anyone can get admin's username and password's md5 hash via a single web request. A working example is provided in the advisory...
MySQL insecure temporary file creation (mysqlbug)
Shaun Colley reports that the script `mysqlbug' included with MySQL sometimes creates temporary files in an unsafe manner. As a result, an attacker may create a symlink in /tmp so that if another user invokes `mysqlbug' and quits without making any changes, an arbitrary file may be overwritten with...
Buffer overflows and format string bugs in Emil
Ulf Härnhammar reports multiple buffer overflows in Emil, some of which are triggered during the parsing of attachment filenames. In addition, some format string bugs are present in the error reporting code. Depending upon local configuration, these vulnerabilities may be exploited using speciall...
mysql -- FTS request denial of service vulnerability
A specially crafted MySQL FTS request can cause the server to crash. Malicious MySQL users can abuse this bug in a denial of service attack against systems running an affected MySQL daemon. Note that because this bug is related to the parsing of requests, it may happen that this bug is triggered...
multiple vulnerabilities in ethereal
Stefan Esser of e-matters Security discovered a baker's dozen of buffer overflows in Ethereal's decoders, including: NetFlow, IGAP, EIGRP, PGM, IRDA, BGP, ISUP, TCAP, UCP. In addition, a vulnerability in the RADIUS decoder was found by Jonathan Heusser. Finally, there is one uncredited vulnerability...
mysql -- erroneous access restrictions applied to table renames
A Red Hat advisory reports: Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked the CREATE/INSERT rights of the old table instead of the new one. Table access restrictions, on the affected MySQL servers, may accidentally or intentionally be bypassed due to this bug...
multiple vulnerabilities in phpBB
Users with admin rights can severely damage a phpBB installation, potentially triggered by viewing a page with a malicious link sent by an attacker...
insecure temporary file creation in xine-check, xine-bugreport
Some scripts installed with xine create temporary files insecurely. It is recommended that these scripts (xine-check, xine-bugreport) not be used. They are not needed for normal operation...
isakmpd payload handling denial-of-service vulnerabilities
Numerous errors in isakmpd's input packet validation lead to denial-of-service vulnerabilities. From the Rapid7 advisory: The ISAKMP packet processing functions in OpenBSD's isakmpd daemon contain multiple payload handling flaws that allow a remote attacker to launch a denial of service attack...
OpenSSL ChangeCipherSpec denial-of-service vulnerability
A remote attacker could cause an application using OpenSSL to crash by performing a specially crafted SSL/TLS handshake...
tcpdump ISAKMP payload handling remote denial-of-service
Chad Loder has discovered vulnerabilities in tcpdump's ISAKMP protocol handler. During an audit to repair these issues, Bill Fenner discovered some related problems. These vulnerabilities may be used by an attacker to crash a running `tcpdump' process. They can only be triggered if the `-v' command...
Apache 1.3 IP address access control failure on some 64-bit platforms
Henning Brauer discovered a programming error in Apache 1.3's mod_access that results in the netmasks in IP address access control rules being interpreted incorrectly on 64-bit, big-endian platforms. In some cases, this could cause a `deny from' IP address access control rule including a netmask to...
phpBB session table exhaustion
The includes/sessions.php script unnecessarily adds a session item to the session table and is therefore vulnerable to a denial-of-service attack...
GNU Anubis buffer overflows and format string vulnerabilities
Ulf Härnhammar discovered several vulnerabilities in GNU Anubis. Unsafe uses of `sscanf': the `%s' format specifier is used, which allows a classical buffer overflow (auth.c). Format string bugs invoking `syslog' (log.c, errs.c, ssl.c). Ulf notes that these vulnerabilities can be exploited by a maliciou...
oftpd denial-of-service vulnerability (PORT command)
Philippe Oechslin reported a denial-of-service vulnerability in oftpd. The oftpd server can be crashed by sending a PORT command containing an integer over 8 bits long (over 255)...
squid -- HTTP response splitting cache pollution attack
According to a whitepaper published by Sanctum, Inc., it is possible to mount cache poisoning attacks against, among others, squid proxies by inserting false replies into the HTTP stream. The squid patches page notes: This patch additionally strengthens Squid from the HTTP response attack describ...
uudeview buffer overflows
The authors of UUDeview report repairing two buffer overflows in their software...
squid ACL bypass due to URL decoding bug
From the Squid advisory: Squid versions 2.5.STABLE4 and earlier contain a bug in the "%xx" URL decoding function. It may insert a NUL character into decoded URLs, which may allow users to bypass url_regex ACLs...
Darwin Streaming Server denial-of-service vulnerability
An attacker can cause an assertion to trigger by sending a long User-Agent field in a request...
hsftp format string vulnerabilities
Ulf Härnhammar discovered a format string bug in hsftp's file listing code that may allow a malicious server to cause arbitrary code execution by the client...
lbreakout2 vulnerability in environment variable handling
Ulf Härnhammar discovered an exploitable vulnerability in lbreakout2's environmental variable handling. In several instances, the contents of the HOME environmental variable are copied to a stack or global buffer without range checking. A local attacker may use this vulnerability to acquire...
Apache 2 mod_ssl denial-of-service
Joe Orton reports a memory leak in Apache 2's mod_ssl. A remote attacker may issue HTTP requests on an HTTPS port, causing an error. Due to a bug in processing this condition, memory associated with the connection is not freed. Repeated requests can result in consuming all available memory...
jailed processes can attach to other jails
A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach system call would fail only after changing the...
metamail format string bugs and buffer overflows
Ulf Härnhammar reported four bugs in metamail: two are format string bugs and two are buffer overflows. The bugs are in SaveSquirrelFile, PrintHeader, and ShareThisHeader. These vulnerabilities could be triggered by a maliciously formatted email message if `metamail' or `splitmail' is used to proce...
many out-of-sequence TCP packets denial-of-service
FreeBSD does not limit the number of TCP segments that may be held in a reassembly queue. A remote attacker may conduct a low-bandwidth denial-of-service attack against a machine providing services based on TCP (there are many such services, including HTTP, SMTP, and FTP). By sending many...
wu-ftpd ftpaccess `restricted-uid'/`restricted-gid' directive may be bypassed
Glenn Stewart reports a bug in wu-ftpd's ftpaccess `restricted-uid'/`restricted-gid' directives: Users can get around the restriction to their home directory by issuing a simple chmod command on their home directory. On the next ftp log in, the user will have '/' as their root directory. Matt...
file disclosure in phpMyAdmin
Lack of proper input validation in phpMyAdmin may allow an attacker to obtain the contents of any file on the target system that is readable by the web server...
mnGoSearch buffer overflow in UdmDocToTextBuf()
Jedi/Sector One reported the following on the full-disclosure list: Every document is stored in multiple parts according to its sections (description, body, etc.) in databases. And when the content has to be sent to the client, UdmDocToTextBuf concatenates those parts together and skips metadata...
mozilla -- hostname spoofing bug
When processing URIs that contain an unqualified host name (specifically, a domain name of only one component), Mozilla will perform matching against the first component of the domain name in SSL certificates. In other words, in some situations, a certificate issued to "www.example.com" will be...
Buffer overflow in Mutt 1.4
Mutt 1.4 contains a buffer overflow that could be exploited with a specially formed message, causing Mutt to crash or possibly execute arbitrary code...
Buffer overflows in XFree86 servers
A number of buffer overflows were recently discovered in XFree86, prompted by initial discoveries by iDEFENSE. These buffer overflows are present in the font alias handling. An attacker with authenticated access to a running X server may exploit these vulnerabilities to obtain root privileges on...
Samba 3.0.x password initialization bug
From the Samba 3.0.2 release notes: Security Announcement: It has been confirmed that previous versions of Samba 3.0 are susceptible to a password initialization bug that could grant an attacker unauthorized access to a user account created by the mksmbpasswd.sh shell script...
ModSecurity for Apache 2.x remote off-by-one overflow
When the directive "SecFilterScanPost" is enabled, the Apache 2.x version of ModSecurity is vulnerable to an off-by-one overflow...
clamav remote denial-of-service
clamav will exit when a programming assertion is not met. A malformed uuencoded message can trigger this assertion, allowing an attacker to trivially crash clamd or other components of clamav...
libxml2 stack buffer overflow in URI parsing
Yuuichi Teranishi reported a crash in libxml2's URI handling when a long URL is supplied. The implementation in nanohttp.c and nanoftp.c uses a 4K stack buffer, and longer URLs will overwrite the stack. This could result in denial-of-service or arbitrary code execution in applications using libxm...
Apache-SSL optional client certificate vulnerability
From the Apache-SSL security advisory: If configured with SSLVerifyClient set to 1 or 3 (client certificates optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate. All the attacker needed ...