plone -- user can masquerade as a group
Affected: plone 2.5 <= version < 2.5.1_1

Plone.org reports:

PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) have a potential vulnerability that allows a user to masquerade as a group. Please update your sites.

References: BID 21460, CVE-2006-4249, http://plone.org/products/plone-hotfix/releases/20061031
Dates: discovery 2006-11-02, entry 2006-12-27

proftpd -- remote code execution vulnerabilities
Affected: proftpd, proftpd-mysql version < 1.3.0_5

The proftpd development team reports that several remote buffer overflows have been found in the proftpd server.

References: CVE-2006-5815, CVE-2006-6170
Dates: discovery 2006-11-10, entry 2006-12-21

gzip -- multiple vulnerabilities
Affected: FreeBSD 6.1 <= version < 6.1_7; 6.0 <= version < 6.0_12; 5.5 <= version < 5.5_5; 5.4 <= version < 5.4_19; 5.3 <= version < 5.3_34; version < 4.11_22. gzip version < 1.3.12

Problem Description

Multiple programming errors have been found in gzip which can be triggered when gzip is decompressing files. These errors include insufficient bounds checks in buffer use, a NULL pointer dereference, and a potential infinite loop.

Impact

The insufficient bounds checks in buffer use can cause gzip to crash, and may permit the execution of arbitrary code. The NULL pointer dereference can cause gzip to crash. The infinite loop can cause a Denial-of-Service situation where gzip uses all available CPU time.

Workaround

No workaround is available.

References: CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338, FreeBSD-SA-06:21.gzip
Dates: discovery 2006-09-19, entry 2006-12-19, modified 2016-08-09

bind9 -- Denial of Service in named(8)
Affected: FreeBSD 6.1 <= version < 6.1_6; 6.0 <= version < 6.0_11; 5.5 <= version < 5.5_4; 5.4 <= version < 5.4_18; 5.0 <= version < 5.3_33. bind9 9.0 <= version < 9.3.2.1

Problem Description

For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.

For an authoritative DNS server serving an RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.

Impact

An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRset, can stop the functionality of the DNS service.

An attacker querying an authoritative DNS server serving an RFC 2535 DNSSEC zone may be able to crash the DNS server.

Workaround

A possible workaround is to only allow trusted clients to perform recursive queries.

References: CVE-2006-4095, CVE-2006-4096, FreeBSD-SA-06:20.bind
Dates: discovery 2006-09-06, entry 2006-12-19, modified 2016-08-09

openssl -- Incorrect PKCS#1 v1.5 padding validation in crypto(3)
Affected: FreeBSD 6.1 <= version < 6.1_6; 6.0 <= version < 6.0_11; 5.5 <= version < 5.5_4; 5.4 <= version < 5.4_18; 5.3 <= version < 5.3_33; version < 4.11_21. openssl 0.9.8 <= version < 0.9.8c_9; version < 0.9.7k_0

Problem Description

When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes.

Impact

OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.

Workaround

No workaround is available.

References: CVE-2006-4339, FreeBSD-SA-06:19.openssl
Dates: discovery 2006-09-06, entry 2006-12-19, modified 2016-08-09

sql-ledger -- multiple vulnerabilities
Affected: sql-ledger version < 2.6.22

The Debian Security Team reports:

Several remote vulnerabilities have been discovered in SQL Ledger, a web-based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:

Chris Travers discovered that the session management can be tricked into hijacking existing sessions.

Chris Travers discovered that directory traversal vulnerabilities can be exploited to execute arbitrary Perl code.

It was discovered that missing input sanitising allows execution of arbitrary Perl code.

References: CVE-2006-4244, CVE-2006-4731, CVE-2006-5872, http://www.us.debian.org/security/2006/dsa-1239
Dates: discovery 2006-12-17, entry 2006-12-18

dbus -- match_rule_equal() Weakness
Affected: dbus version < 1.0.2

Secunia reports:

D-Bus has a weakness, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

An error within the "match_rule_equal()" function can be exploited to disable the ability of other processes to receive messages by removing their matches from D-Bus.

References: CVE-2006-6107, http://www.freedesktop.org/wiki/Software/dbus, https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218055, http://secunia.com/advisories/23373/
Dates: discovery 2006-12-12, entry 2006-12-14

evince -- Buffer Overflow Vulnerability
Affected: evince version < 0.6.1_1

Secunia reports:

A vulnerability has been discovered in Evince, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the "get_next_text()" function in ps/ps.c. This can be exploited to cause a buffer overflow by e.g. tricking a user into opening a specially crafted PostScript file.

References: CVE-2006-5864, http://secunia.com/advisories/23111/
Dates: discovery 2006-11-27, entry 2006-12-14

tdiary -- injection vulnerability
Affected: ja-tdiary, tdiary version < 2.0.3; ja-tdiary-devel, tdiary-devel 2.1 <= version < 2.1.4_2

An undisclosed eRuby injection vulnerability has been discovered in tDiary.

References: http://sourceforge.net/forum/forum.php?forum_id=642685
Dates: discovery 2006-12-10, entry 2006-12-13, modified 2007-03-16

wv -- Multiple Integer Overflow Vulnerabilities
Affected: wv version < 1.2.3

Secunia reports:

Some vulnerabilities have been reported in wvWare, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.

The vulnerabilities are caused due to integer overflows within the "wvGetLFO_records()" and "wvGetLFO_PLF()" functions. These can be exploited to cause heap-based buffer overflows by e.g. tricking a user into opening a specially crafted Microsoft Word document with an application using the library.

References: CVE-2006-4513, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=433, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=434, http://secunia.com/advisories/22595/
Dates: discovery 2006-10-26, entry 2006-12-13

wv2 -- Integer Overflow Vulnerability
Affected: wv2 version < 0.2.3

Secunia reports:

A vulnerability has been reported in wvWare wv2 Library, which potentially can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused due to an integer overflow error in "word_helper.h" when handling a Word document. This can be exploited to cause a buffer overflow and may allow arbitrary code execution via a specially crafted Word document.

References: CVE-2006-2197, http://secunia.com/advisories/20665/
Dates: discovery 2006-06-12, entry 2006-12-13

tnftpd -- Remote root Exploit
Affected: tnftpd version < 20040810

The tnftpd port suffers from a remote stack overrun, which can lead to a root compromise.

References: CVE-2006-6652, http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051009.html
Dates: discovery 2006-12-01, entry 2006-12-11, modified 2010-05-12

clamav -- Multipart Nestings Denial of Service
Affected: clamav version < 0.88.7; clamav-devel version < 20061029

Secunia reports:

Clam AntiVirus has a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending specially crafted emails to a vulnerable system.

References: CVE-2006-6481, http://secunia.com/advisories/23347/, http://www.quantenblog.net/security/virus-scanner-bypass
Dates: discovery 2006-12-06, entry 2006-12-12, modified 2013-06-19

libxine -- multiple buffer overflow vulnerabilities
Affected: libxine version < 1.1.3

The libxine development team reports that several vulnerabilities have been found in the libxine library. The first is caused by improper checking in the "real_parse_sdp()" function in src/input/libreal/real.c; a remote attacker could exploit this by tricking a user into connecting to a specially prepared server, potentially causing a buffer overflow. Another buffer overflow has been found in the libmms library, potentially allowing a remote attacker to cause a denial of service, and possibly remote code execution, through the following functions: send_command, string_utf16, get_data and get_media_packets. Other functions might be affected as well.

References: BID 18608, BID 21435, CVE-2006-2200, CVE-2006-6172, http://sourceforge.net/project/shownotes.php?release_id=468432
Dates: discovery 2006-05-04, entry 2006-12-07, modified 2006-12-09

gnupg -- remotely controllable function pointer
Affected: gnupg version < 1.4.6

Werner Koch reports:

GnuPG uses data structures called filters to process OpenPGP messages. These filters are used in a similar way as pipelines in the shell. For communication between these filters context structures are used. These are usually allocated on the stack and passed to the filter functions. At most places the OpenPGP data stream fed into these filters is closed before the context structure gets deallocated. While decrypting encrypted packets, this may not happen in all cases and the filter may use a void context structure filled with garbage. An attacker may control this garbage. The filter context includes another context used by the low-level decryption to access the decryption algorithm. This is done using a function pointer. By carefully crafting an OpenPGP message, an attacker may control this function pointer and call an arbitrary function of the process. Obviously an exploit needs to be prepared for a specific version, compiler, libc, etc to be successful - but it is definitely doable.

Fixing this is obvious: We need to allocate the context on the heap and use a reference count to keep it valid as long as either the controlling code or the filter code needs it.

We have checked all other usages of such stack-based filter contexts but fortunately found no other vulnerable places. This allows us to release a relatively small patch. However, for reasons of code cleanness and easier audits we will soon start to change all these stack-based filter contexts to heap-based ones.

References: CVE-2006-6235, http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000246.html, http://secunia.com/advisories/23245/
Dates: discovery 2006-12-04, entry 2006-12-07, modified 2006-12-15

ruby -- cgi.rb library Denial of Service
Affected: ruby, ruby+pthreads, ruby+pthreads+oniguruma, ruby+oniguruma 1.8.*,1 <= version < 1.8.5_5,1; ruby_static version >= 1.8.*,1

The official ruby site reports:

Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).

A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.

References: CVE-2006-6303, http://www.ruby-lang.org/en/news/2006/12/04/another-dos-vulnerability-in-cgi-library/
Dates: discovery 2006-12-04, entry 2006-12-04, modified 2010-05-12

libmusicbrainz -- multiple buffer overflow vulnerabilities
Affected: libmusicbrainz version < 2.1.3

SecurityFocus reports about libmusicbrainz:

The libmusicbrainz library is prone to multiple buffer-overflow vulnerabilities because the application fails to check the size of the data before copying it into a finite-sized internal memory buffer.

An attacker can exploit these issues to execute arbitrary code within the context of the application or to cause a denial-of-service condition.

References: BID 19508, CVE-2006-4197, http://www.securityfocus.com/bid/21185/discuss
Dates: discovery 2006-08-17, entry 2006-12-02

tdiary -- cross site scripting vulnerability
Affected: ja-tdiary, tdiary version < 2.0.2; ja-tdiary-devel, tdiary-devel 2.1 <= version < 2.1.4_1

tDiary was vulnerable to an unspecified Cross-Site Scripting vulnerability.

References: CVE-2006-6174, http://sourceforge.net/forum/forum.php?forum_id=638868
Dates: discovery 2006-11-26, entry 2006-12-02, modified 2010-05-12

ImageMagick -- SGI Image File heap overflow vulnerability
Affected: ImageMagick, ImageMagick-nox11 6.0.0 <= version < 6.2.9

SecurityFocus reports about ImageMagick:

ImageMagick is prone to a remote heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

Exploiting this issue allows attackers to execute arbitrary machine code in the context of applications that use the ImageMagick library.

References: BID 21185, CVE-2006-5868, http://www.securityfocus.com/bid/21185/discuss
Dates: discovery 2006-11-14, entry 2006-12-02

gtar -- GNUTYPE_NAMES directory traversal vulnerability
Affected: gtar version < 1.16_2

Teemu Salmela reports:

There is a tar record type, called GNUTYPE_NAMES (an obsolete GNU extension), that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files.

References: BID 21235, CVE-2006-6097, http://archives.neohapsis.com/archives/fulldisclosure/2006-11/0344.html
Dates: discovery 2006-11-21, entry 2006-11-30

kronolith -- arbitrary local file inclusion vulnerability
Affected: kronolith version < 2.1.4

iDefense Labs reports:

Remote exploitation of a design error in Horde's Kronolith could allow an authenticated web mail user to execute arbitrary PHP code under the security context of the running web server.

The vulnerability specifically exists due to a design error in the way it includes certain files. Specifically, the 'lib/FBView.php' file contains a function 'Kronolith_FreeBusy_View::factory' which will include local files that are supplied via the 'view' HTTP GET request parameter.

References: http://lists.horde.org/archives/announce/2006/000307.html
Dates: discovery 2006-11-29, entry 2006-11-30

gnupg -- buffer overflow
Affected: gnupg version < 1.4.5_1

Werner Koch reports:

When running GnuPG interactively, specially crafted messages may be used to crash gpg or gpg2. Running gpg in batch mode, as done by all software using gpg as a backend (e.g. mailers), is not affected by this bug.

Exploiting this overflow seems to be possible.

gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not affected.

References: http://lists.gnupg.org/pipermail/gnupg-announce/2006q4/000241.html
Dates: discovery 2006-11-27, entry 2006-11-27

proftpd -- Remote Code Execution Vulnerability
Affected: proftpd, proftpd-mysql version < 1.3.0_2

FrSIRT reports:

A vulnerability has been identified in ProFTPD, which could be exploited by attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in the "main.c" file where the "cmd_buf_size" size of the buffer used to handle FTP commands sent by clients is not properly set to the size configured via the "CommandBufferSize" directive, which could be exploited by attackers to compromise a vulnerable server via a specially crafted FTP command.

References: http://www.frsirt.com/english/advisories/2006/4451
Dates: discovery 2006-11-10, entry 2006-11-14, modified 2006-11-15

unzoo -- Directory Traversal Vulnerability
Affected: unzoo version < 4.4_1

Secunia reports:

Doubles has discovered a vulnerability in Unzoo, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an input validation error when unpacking archives. This can be exploited via a directory traversal attack to overwrite files outside the directory the files are extracted to, if a user is tricked into extracting a malicious archive using Unzoo.

References: BID 11417, http://secunia.com/advisories/12857/, http://securitytracker.com/alerts/2004/Oct/1011673.html
Dates: discovery 2004-10-18, entry 2006-11-14, modified 2006-12-15

bugzilla -- multiple vulnerabilities
Affected: bugzilla, ja-bugzilla 2.* <= version < 2.22.1

A Bugzilla Security Advisory reports:

  • Sometimes the information put into the <h1> and <h2> tags in Bugzilla was not properly escaped, leading to a possible XSS vulnerability.
  • Bugzilla administrators were allowed to put raw, unfiltered HTML into many fields in Bugzilla, leading to a possible XSS vulnerability. Now, the HTML allowed in those fields is limited.
  • attachment.cgi could leak the names of private attachments.
  • The "deadline" field was visible in the XML format of a bug, even to users who were not a member of the "timetrackinggroup."
  • A malicious user could pass a URL to an admin, and make the admin delete or change something that he had not intended to delete or change.
  • It is possible to inject arbitrary HTML into the showdependencygraph.cgi page, allowing for a cross-site scripting attack.

References: CVE-2006-5453, CVE-2006-5454, CVE-2006-5455, http://www.bugzilla.org/security/2.18.5/
Dates: discovery 2006-10-15, entry 2006-11-11

Imlib2 -- multiple image file processing vulnerabilities
Affected: imlib2 version < 20060926_1,1

Secunia reports:

Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.

The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2.

References: BID 20903, CVE-2006-4806, CVE-2006-4807, CVE-2006-4808, CVE-2006-4809
Dates: discovery 2006-11-03, entry 2006-11-08

ruby -- cgi.rb library Denial of Service
Affected: ruby, ruby+pthreads, ruby+pthreads+oniguruma, ruby+oniguruma 1.8.*,1 <= version < 1.8.5_4,1; ruby_static version >= 1.8.*,1

The official ruby site reports:

A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and an invalid boundary specifier that begins with "-" instead of "--". Once triggered it will exhaust all available memory resources, effectively creating a DoS condition.

References: BID 20777, CVE-2006-5467, http://rubyforge.org/pipermail/mongrel-users/2006-October/001946.html
Dates: discovery 2006-10-25, entry 2006-11-04, modified 2006-12-15

screen -- combined UTF-8 characters vulnerability
Affected: screen version < 4.0.3

A vulnerability in the handling of combined UTF-8 characters in screen may allow a user-assisted attacker to crash screen or potentially allow code execution as the user running screen. To exploit this issue the user running screen must in some way interact with the attacker.

References: BID 20727, CVE-2006-4573, http://lists.gnu.org/archive/html/screen-users/2006-10/msg00028.html, https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=212056
Dates: discovery 2006-10-23, entry 2006-10-29

mysql -- database suid privilege escalation
Affected: mysql-server 5.1 <= version < 5.1.12; 5.0 <= version < 5.0.25

Dmitri Lenev reports a privilege escalation in MySQL. MySQL evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote and local authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE.

References: CVE-2006-4227, http://bugs.mysql.com/bug.php?id=18630
Dates: discovery 2006-03-29, entry 2006-10-29, modified 2006-10-30

mysql -- database "case-sensitive" privilege escalation
Affected: mysql-server 5.1 <= version < 5.1.12; 5.0 <= version < 5.0.25; version < 4.1.21

Michal Prokopiuk reports a privilege escalation in MySQL. The vulnerability causes MySQL, when run on case-sensitive filesystems, to allow remote and local authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions.

References: BID 19559, CVE-2006-4226, http://bugs.mysql.com/bug.php?id=17647
Dates: discovery 2006-08-09, entry 2006-10-29

Serendipity -- XSS Vulnerabilities
Affected: serendipity version < 1.0.1

The Serendipity Team reports:

Serendipity failed to correctly sanitize user input on the media manager administration page. The content of GET variables was written into JavaScript strings. By using standard string evasion techniques it was possible to execute arbitrary JavaScript.

Additionally, Serendipity dynamically created an HTML form on the media manager administration page that contained all variables found in the URL as hidden fields. While the variable values were correctly escaped, it was possible to break out by specifying strange variable names.

References: http://www.hardened-php.net/advisory_112006.136.html, http://secunia.com/advisories/22501/
Dates: discovery 2006-10-19, entry 2006-10-21

kdelibs -- integer overflow in khtml
Affected: kdelibs, kdelibs-nocups version < 3.5.4_4; qt, qt-copy version < 3.3.6_3

Red Hat reports:

An integer overflow flaw was found in the way Qt handled pixmap images. The KDE khtml library uses Qt in such a way that untrusted parameters could be passed to Qt, triggering the overflow. An attacker could for example create a malicious web page that when viewed by a victim in the Konqueror browser would cause Konqueror to crash or possibly execute arbitrary code with the privileges of the victim.

References: CVE-2006-4811, http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=210742, http://rhn.redhat.com/errata/RHSA-2006-0720.html
Dates: discovery 2006-10-14, entry 2006-10-22

opera -- URL parsing heap overflow vulnerability
Affected: opera, opera-devel, linux-opera 9.* <= version < 9.02

iDefense Labs reports:

Remote exploitation of a heap overflow vulnerability within version 9 of Opera Software's Opera Web browser could allow an attacker to execute arbitrary code on the affected host.

A flaw exists within Opera when parsing a tag that contains a URL. A heap buffer with a constant size of 256 bytes is allocated to store the URL, and the tag's URL is copied into this buffer without sufficient bounds checking of its length.

References: CVE-2006-4819, http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=424, http://secunia.com/advisories/22218/, http://www.opera.com/support/search/supsearch.dml?index=848
Dates: discovery 2006-10-17, entry 2006-10-20

asterisk -- remote heap overwrite vulnerability
Affected: asterisk, asterisk-bristuff version < 1.2.13

Adam Boileau of Security-Assessment.com reports:

The Asterisk Skinny channel driver for Cisco SCCP phones (chan_skinny.so) incorrectly validates a length value in the packet header. An integer wrap-around leads to heap overwrite, and arbitrary remote code execution as root.

References: http://www.security-assessment.com/files/advisories/Asterisk_remote_heap_overflow.pdf, http://marc.theaimsgroup.com/?l=bugtraq&m=116121567530170
Dates: discovery 2006-10-17, entry 2006-10-20

plone -- unprotected MembershipTool methods
Affected: plone version <= 2.1.2

The Plone Team reports:

Plone 2.0.5, 2.1.2, and 2.5-beta1 do not restrict access to the:

  • changeMemberPortrait
  • deletePersonalPortrait
  • testCurrentPassword

methods, which allows remote attackers to modify portraits.

References: CVE-2006-1711, http://plone.org/products/plone/releases/2.1.4, https://svn.plone.org/svn/plone/PloneHotfix20060410/trunk/README.txt
Dates: discovery 2006-10-19, entry 2006-10-19, modified 2006-10-20

drupal -- HTML attribute injection
Affected: drupal version < 4.6.10

The Drupal Team reports:

A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a URL, for example, will submit all data, such as his/her e-mail address, but also possibly private profile data, to a third-party site.

References: http://drupal.org/files/sa-2006-026/advisory.txt, http://drupal.org/drupal-4.7.4
Dates: discovery 2006-10-18, entry 2006-10-18

drupal -- cross site request forgeries
Affected: drupal version < 4.6.10

The Drupal Team reports:

Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means.

An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in.

References: http://drupal.org/files/sa-2006-025/advisory.txt, http://drupal.org/drupal-4.7.4
Dates: discovery 2006-10-18, entry 2006-10-18

drupal -- multiple XSS vulnerabilities
Affected: drupal version < 4.6.10

The Drupal Team reports:

A bug in input validation and lack of output validation allows HTML and script insertion on several pages.

Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS attack via a specially crafted RSS feed. This vulnerability exists on systems that do not use PHP's mb_string extension (to check if mb_string is being used, navigate to admin/settings and look under "String handling"). Disabling the aggregator module provides an immediate workaround.

The aggregator module, profile module, and forum module do not properly escape output of certain fields.

Note: XSS attacks may lead to administrator access if certain conditions are met.

References: http://drupal.org/files/sa-2006-024/advisory.txt, http://drupal.org/drupal-4.7.4
Dates: discovery 2006-10-18, entry 2006-10-18

ingo -- local arbitrary shell command execution
Affected: ingo version < 1.1.2

The Horde team reports a vulnerability within Ingo, the filter management suite. The vulnerability is caused due to inadequate escaping, possibly allowing a local user to execute arbitrary shell commands via procmail.

References: CVE-2006-5449, http://bugs.horde.org/ticket/?id=4513, http://cvs.horde.org/diff.php/ingo/docs/CHANGES?r1=1.55.2.49&r2=1.55.2.59&ty=h, http://lists.horde.org/archives/announce/2006/000296.html
Dates: discovery 2006-10-18, entry 2006-10-18, modified 2010-05-12

NVIDIA UNIX driver -- arbitrary root code execution vulnerability
Affected: nvidia-driver 1.0.8762 <= version < 1.0.8776

Rapid7 reports:

The NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is included with this advisory.

The NVIDIA drivers for Solaris and FreeBSD are also likely to be vulnerable.

Disabling Render acceleration in the "nvidia" driver, via the "RenderAccel" X configuration option, can be used as a workaround for this issue.

References: CERT VU#147252, CVE-2006-5379, http://nvidia.custhelp.com/cgi-bin/nvidia.cfg/php/enduser/std_adp.php?p_faqid=1971, http://secunia.com/advisories/22419/, http://www.rapid7.com/advisories/R7-0025.jsp
Dates: discovery 2006-10-16, entry 2006-10-16, modified 2006-10-21

clamav -- CHM unpacker and PE rebuilding vulnerabilities
Affected: clamav version < 0.88.5; clamav-devel version < 20060922

Secunia reports:

Two vulnerabilities have been reported in Clam AntiVirus, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

1) An unspecified error in the CHM unpacker in chmunpack.c can be exploited to cause a DoS.

2) An unspecified error in rebuildpe.c when rebuilding PE files after unpacking can be exploited to cause a heap-based buffer overflow.

References: http://secunia.com/advisories/22370/, http://lurker.clamav.net/message/20061016.015114.dc6a8930.en.html, http://sourceforge.net/project/shownotes.php?release_id=455799
Dates: discovery 2006-10-15, entry 2006-10-16

tkdiff -- temporary file symlink privilege escalation
Affected: tkdiff version < 4.1.1

Javier Fernández-Sanguino Peña reports a vulnerability in tkdiff which allows local users to gain the privileges of the user running tkdiff due to insecure temporary file creation.

References: http://www.debian.org/security/2005/dsa-927, CVE-2005-3343, BID 16064, http://secunia.com/advisories/18083
Dates: discovery 2005-12-20, entry 2006-10-15

vtiger -- multiple remote file inclusion vulnerabilities
Affected: vtiger version < 5.0

Dedi Dwianto a.k.a the_day reports:

Input passed to the "$calpath" parameter in update.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources.

References: CVE-2006-5289, BID 20435, http://marc.theaimsgroup.com/?l=bugtraq&m=116049557032343, http://advisories.echo.or.id/adv/adv54-theday-2006.txt
Dates: discovery 2006-10-09, entry 2006-10-15

google-earth -- heap overflow in the KML engine
Affected: google-earth version < 4.0.2414

JAAScois reports:

While processing KML/KMZ data Google Earth fails to verify its size prior to copying it into a fixed-sized buffer. This can be exploited as a buffer-overflow vulnerability to cause the application to crash and/or to execute arbitrary code.

References: BID 20464, http://www.jaascois.com/exploits/18602024/
Dates: discovery 2006-10-10, entry 2006-10-14, modified 2007-04-13

torrentflux -- User-Agent XSS Vulnerability
Affected: torrentflux version >= 0 (all versions)

Steven Roddis reports that the User-Agent string is not properly escaped when handled by torrentflux. This allows arbitrary code insertion.

References: BID 20371, CVE-2006-5227, http://www.stevenroddis.com.au/2006/10/06/torrentflux-user-agent-xss-vulnerability/, http://secunia.com/advisories/22293/
Dates: discovery 2006-09-30, entry 2006-10-07, modified 2006-10-15

python -- buffer overrun in repr() for unicode strings
Affected: python+ipv6 version >= 0 (all versions); python version < 2.4.3_1; 2.5.* <= version < 2.5.c2

Benjamin C. Wiley Sittler reports:

I discovered a [buffer overrun in repr() for unicode strings]. This causes an unpatched non-debug wide (UTF-32/UCS-4) build of python to abort.

Ubuntu security team reports:

If an application uses repr() on arbitrary untrusted data, this [bug] could be exploited to execute arbitrary code with the privileges of the python application.

References: CVE-2006-4980, https://launchpad.net/distros/ubuntu/+source/python2.4/+bug/56633, http://www.ubuntu.com/usn/usn-359-1, http://secunia.com/advisories/22276/
Dates: discovery 2006-08-15, entry 2006-10-07, modified 2006-10-08

php -- _ecalloc Integer Overflow Vulnerability
Affected: php5 version < 5.1.6_1; php5-cli, php5-cgi, php5-dtc, php5-horde, php5-nms, mod_php5 5 <= version < 5.1.6_1

Stefan Esser reports:

The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.

It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function. Earlier vulnerabilities in PHP's unserialize() that were also discovered by one of our audits in December 2004 are unrelated to the newly discovered flaw, but they have shown, that the unserialize() function is exposed to user-input in many popular PHP applications. Examples for applications that use the content of COOKIE variables with unserialize() are phpBB and Serendipity.

The successful exploitation of this integer overflow will result in arbitrary code execution.

References: CVE-2006-4812, http://www.hardened-php.net/advisory_092006.133.html, http://secunia.com/advisories/22280/
Dates: discovery 2006-09-30, entry 2006-10-06, modified 2013-04-01

mambo -- multiple SQL injection vulnerabilities
Affected: mambo version < 4.6.5

James Bercegay reports:

Mambo is vulnerable to an Authentication Bypass issue that is due to an SQL Injection in the login function. The SQL Injection is possible because the $passwd variable is only sanitized when it is not passed as an argument to the function.

Omid reports:

There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe other versions):

  • When a user edits a content, the "id" parameter is not checked properly in /components/com_content/content.php, which can cause 2 sql injections.
  • The "limit" parameter in the administration section is not checked. This affects many pages of the administration section.
  • In the administration section, while editing/creating a user, the "gid" parameter is not checked properly.

References: BID 19719, BID 19734, http://www.gulftech.org/?node=research&article_id=00116-10042006, http://seclists.org/bugtraq/2006/Aug/0491.html, http://www.frsirt.com/english/advisories/2006/3918, http://mamboxchange.com/forum/forum.php?forum_id=7704, http://secunia.com/advisories/21644/, http://secunia.com/advisories/22221/
Dates: discovery 2006-08-26, entry 2006-10-05, modified 2011-06-27

tin -- buffer overflow vulnerabilities
Affected: tin, zh-tin version < 1.8.2

Urs Janssen and Aleksey Salow report possible buffer overflows in tin versions 1.8.0 and 1.8.1.

The OpenPKG project elaborates that there is an allocation off-by-one bug in version 1.8.0 which can lead to a buffer overflow.

References: ftp://ftp.tin.org/pub/news/clients/tin/stable/CHANGES, http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.005-tin.html
Dates: discovery 2006-02-15, entry 2006-10-05

openldap -- slapd acl selfwrite Security Issue
Affected: openldap-server, openldap-sasl-server version < 2.3.25

Howard Chu reports:

An ACL of the form 'access to dn.subtree="ou=groups, dc=example,dc=com" attr=member by * selfwrite' is intended to only allow users to add/delete their own DN to the target attribute. Currently it allows any DNs to be modified.

References: BID 19832, CVE-2006-4600, http://www.openldap.org/its/index.cgi/Software%20Bugs?id=4587, http://www.openldap.org/lists/openldap-announce/200608/msg00000.html, http://secunia.com/advisories/21721, http://securitytracker.com/alerts/2006/Sep/1016783.html
Dates: discovery 2006-06-14, entry 2006-10-05

mono -- "System.CodeDom.Compiler" Insecure Temporary Creation mono 1.1.13.8.1

Sebastian Krahmer reports:

Sebastian Krahmer of the SuSE security team discovered that the System.CodeDom.Compiler classes used temporary files in an insecure way. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Under some circumstances, a local attacker could also exploit this to inject arbitrary code into running Mono processes.

CVE-2006-5072 http://www.ubuntu.com/usn/usn-357-1 http://secunia.com/advisories/22237/ 2006-10-04 2006-10-05
php -- open_basedir Race Condition Vulnerability php4 php5 4.4.4_1 55.1.6_2 php-suhosin 0.9.6 php4-cli php5-cli php4-cgi php5-cgi php4-dtc php5-dtc php4-horde php5-horde php4-nms php5-nms mod_php4 mod_php5 44.4.4_1 55.1.6_2

Stefan Esser reports:

PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed.

Obviously there is a little span of time between the check and the actual open call. During this time span the checked path could have been altered and point to a file that is forbidden to be accessed due to open_basedir restrictions.

Because the open_basedir restrictions often do not call PHP functions but 3rd party library functions to actually open the file, it is impossible to close this time span in a general way. It would only be possible to close it when PHP handles the actual opening on its own.

While it seems hard to change the path during this little time span it is very simple with the use of the symlink() function combined with a little trick. PHP's symlink() function ensures that source and target of the symlink operation are allowed by open_basedir restrictions (and safe_mode). However it is possible to point a symlink to any file by the use of mkdir(), unlink() and at least two symlinks.

20326 CVE-2006-5178 http://www.hardened-php.net/advisory_082006.132.html http://secunia.com/advisories/22235/ 2006-10-02 2006-10-05 2013-04-01
phpbb -- NULL byte injection vulnerability phpbb zh-phpbb-tw 2.0.22

Secunia reports:

ShAnKaR has discovered a vulnerability in phpBB, which can be exploited by malicious users to compromise a vulnerable system.

Input passed to the "avatar_path" parameter in admin/admin_board.php is not properly sanitised before being used as a configuration variable to store avatar images. This can be exploited to upload and execute arbitrary PHP code by changing "avatar_path" to a file with a trailing NULL byte.

Successful exploitation requires privileges to the administration section.

20347 CVE-2006-4758 http://secunia.com/advisories/22188/ http://xforce.iss.net/xforce/xfdb/28884 http://www.security.nnov.ru/Odocument221.html 2006-09-12 2006-10-04 2006-12-24
postnuke -- admin section SQL injection postnuke 0.763

ISS X-Force reports:

PostNuke is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the admin section using the hits parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.

20317 CVE-2006-5121 http://xforce.iss.net/xforce/xfdb/29271 http://www.securityfocus.com/archive/1/archive/1/447361/100/0/threaded http://secunia.com/advisories/22197/ 2006-09-29 2006-10-03 2007-11-17
freetype -- LWFN Files Buffer Overflow Vulnerability freetype2 2.1.10_5

SecurityTracker reports:

A vulnerability was reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system.

A remote user can create a specially crafted font file that, when loaded by the target user's system, will trigger an integer underflow or integer overflow and crash the application or execute arbitrary code on the target system.

Chris Evans reported these vulnerabilities.

Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.

18034 CVE-2006-0747 CVE-2006-1861 CVE-2006-3467 http://securitytracker.com/alerts/2006/Jul/1016522.html 2006-07-10 2006-10-02
cscope -- Buffer Overflow Vulnerabilities cscope 15.6

Secunia reports:

Will Drewry has reported some vulnerabilities in Cscope, which potentially can be exploited by malicious people to compromise a vulnerable system.

Various boundary errors within the parsing of file lists or the expansion of environment variables can be exploited to cause stack-based buffer overflows when parsing specially crafted "cscope.lists" files or directories.

A boundary error within the parsing of command line arguments can be exploited to cause a stack-based buffer overflow when supplying an overly long "reffile" argument.

Successful exploitation may allow execution of arbitrary code.

19686 19687 CVE-2006-4262 http://secunia.com/advisories/21601 http://sourceforge.net/mailarchive/forum.php?thread_id=30266760&forum_id=33500 http://sourceforge.net/mailarchive/forum.php?thread_id=30266761&forum_id=33500 2006-08-20 2006-10-02 2006-10-11
gnutls -- RSA Signature Forgery Vulnerability gnutls gnutls-devel 1.4.4

Secunia reports:

A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error in the verification of certain signatures. If an RSA key with exponent 3 is used, it may be possible to forge PKCS #1 v1.5 signatures signed with that key.

20027 CVE-2006-4790 http://secunia.com/advisories/21937 http://lists.gnupg.org/pipermail/gnutls-dev/2006-September/001205.html 2006-09-08 2006-10-02
MT -- Search Unspecified XSS MT 3.33.33

Secunia reports:

Arai has reported a vulnerability in Movable Type and Movable Type Enterprise, which can be exploited by malicious people to conduct cross-site scripting attacks.

Some unspecified input passed via the search functionality isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

20228 CVE-2006-5080 http://secunia.com/advisories/22109 http://www.sixapart.com/movabletype/news/2006/09/mt_333-mte_103_updates.html 2006-09-26 2006-10-02 2006-10-15
phpmyadmin -- XSRF vulnerabilities phpMyAdmin 2.9.0.1

phpMyAdmin team reports:

We received a security advisory from Stefan Esser (sesser@hardened-php.net) and we wish to thank him for his work.

It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link.

CVE-2006-5116 CVE-2006-5117 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-5 http://secunia.com/advisories/22126/ 20253 2006-09-28 2006-10-02 2006-10-03
openssh -- multiple vulnerabilities FreeBSD 6.16.1_10 6.06.0_15 5.55.5_8 5.45.4_22 5.05.3_37 4.11_25 openssh 4.4,1 openssh-portable 4.4.p1,1

Problem Description

The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924]

A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051]

Impact

An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924]

The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051]

Workaround

The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5).

There is no workaround for the second issue.

20216 CVE-2006-4924 CVE-2006-5051 SA-06:22.openssh http://www.openssh.com/txt/release-4.4 2006-09-25 2006-09-30
dokuwiki -- multiple vulnerabilities dokuwiki 20060309c dokuwiki-devel 20060909

Secunia reports:

rgod has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system.

Input passed to the "TARGET_FN" parameter in bin/dwpage.php is not properly sanitised before being used to copy files. This can be exploited via directory traversal attacks in combination with DokuWiki's file upload feature to execute arbitrary PHP code.

CVE Mitre reports:

Direct static code injection vulnerability in doku.php in DokuWiki before 2006-03-09c allows remote attackers to execute arbitrary PHP code via the X-FORWARDED-FOR HTTP header, which is stored in config.php.

Unrestricted file upload vulnerability in lib/exe/media.php in DokuWiki before 2006-03-09c allows remote attackers to upload executable files into the data/media folder via unspecified vectors.

DokuWiki before 2006-03-09c enables the debug feature by default, which allows remote attackers to obtain sensitive information by calling doku.php with the X-DOKUWIKI-DO HTTP header set to "debug".

19911 CVE-2006-4674 CVE-2006-4675 CVE-2006-4679 http://secunia.com/advisories/21819/ http://bugs.splitbrain.org/index.php?do=details&id=906 2006-09-08 2006-09-30 2006-10-02
dokuwiki -- multiple vulnerabilities dokuwiki 20060309_5 dokuwiki-devel 20060609_2

Secunia reports:

Some vulnerabilities have been reported in DokuWiki, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

Input passed to the "w" and "h" parameters in lib/exec/fetch.php is not properly sanitised before being passed as resize parameters to the "convert" application. This can be exploited to cause a DoS due to excessive CPU and memory consumption by passing very large numbers, or to inject arbitrary shell commands by passing specially crafted strings to the "w" and "h" parameter.

Successful exploitation requires that the "$conf[imconvert]" option is set.

CVE-2006-5098 CVE-2006-5099 http://secunia.com/advisories/22192/ http://secunia.com/advisories/22199/ http://bugs.splitbrain.org/?do=details&id=924 http://bugs.splitbrain.org/?do=details&id=926 2006-09-26 2006-09-30 2006-10-02
tikiwiki -- multiple vulnerabilities tikiwiki 1.9.5

Secunia reports:

Thomas Pollet has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "highlight" parameter in tiki-searchindex.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

rgod has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the "jhot.php" script not correctly verifying uploaded files. This can e.g. be exploited to execute arbitrary PHP code by uploading a malicious PHP script to the "img/wiki" directory.

19654 19819 CVE-2006-4299 CVE-2006-4602 http://secunia.com/advisories/21536/ http://secunia.com/advisories/21733/ 2006-08-21 2006-09-30
punbb -- NULL byte injection vulnerability punbb 1.2.13

CVE Mitre reports:

PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remote authenticated administrative users to upload arbitrary files and execute code, as demonstrated by a query to admin_options.php with an avatars_dir parameter ending in %00. NOTE: this issue was originally disputed by the vendor, but the dispute was withdrawn on 20060926.

CVE-2006-4759 http://forums.punbb.org/viewtopic.php?id=13255 2006-09-13 2006-09-30
freeciv -- Denial of Service Vulnerabilities freeciv freeciv-gtk freeciv-gtk2 freeciv-nox11 2.0.8_2

Secunia reports:

Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service).

An error in the "generic_handle_player_attribute_chunk()" function in common/packets.c can be exploited to crash the service via a specially crafted PACKET_PLAYER_ATTRIBUTE_CHUNK packet sent to the server.

An error in the "handle_unit_orders()" function in server/unithand.c can be exploited to crash the service via a specially crafted packet.

CVE-2006-3913 19117 http://secunia.com/advisories/21171/ http://aluigi.altervista.org/adv/freecivx-adv.txt 2006-07-23 2006-09-26
freeciv -- Packet Parsing Denial of Service Vulnerability freeciv freeciv-gtk freeciv-gtk2 freeciv-nox11 2.0.8

Secunia reports:

Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the handling of the packet length in "common/packets.c". This can be exploited to crash the Freeciv server via a specially crafted packet with the size set to "0xffff".

CVE-2006-0047 16975 http://secunia.com/advisories/19120/ http://aluigi.altervista.org/adv/freecivdos-adv.txt 2006-03-06 2006-09-26
plans -- multiple vulnerabilities plans 6.7.2

Secunia reports:

A vulnerability has been reported in Plans, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "evt_id" parameter in "plans.cgi" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that SQL database support has been enabled in "plans_config.pl" (the default setting is flat files).

Some vulnerabilities have been reported in Plans, which can be exploited by malicious people to conduct cross-site scripting attacks or gain knowledge of sensitive information.

Input passed to various unspecified parameters is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

An unspecified error can be exploited to gain knowledge of the MySQL password.

14069 http://secunia.com/advisories/15167/ http://secunia.com/advisories/15854/ http://planscalendar.com/forum/viewtopic.php?t=660 2005-04-28 2006-09-26 2006-10-15
eyeOS -- multiple XSS security bugs eyeOS 0.9.1

eyeOS team reports:

[EyeOS 0.9.1] release fixes two XSS security bugs, so we recommend all users to upgrade to this new version in order to have the best security. These two bugs were discovered by Jose Carlos Norte, who is a new eyeOS developer.

20213 CVE-2006-5071 http://eyeos.blogspot.com/2006/09/eyeos-091-released.html 2006-09-25 2006-09-25 2006-10-15
zope -- restructuredText "csv_table" Information Disclosure zope 2.7.02.7.9_1 2.8.02.8.8_1

Secunia reports:

A vulnerability has been reported in Zope, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to an error in the use of the docutils module to parse and render "restructured" text. This can be exploited to disclose certain information via the "csv_table" reStructuredText directive.

20022 CVE-2006-4684 http://secunia.com/advisories/21947/ http://www.zope.org/Products/Zope/Hotfix-2006-08-21/Hotfix-20060821/README.txt 2006-08-21 2006-09-22 2006-12-27
libmms -- stack-based buffer overflow libmms 0.3 libxine 1.1.1

Mitre CVE reports:

Stack-based buffer overflow in libmms, as used by (a) MiMMS 0.0.9 and (b) xine-lib 1.1.0 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions.

CVE-2006-2200 18608 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=374577 2006-05-04 2006-09-22
opera -- RSA Signature Forgery opera opera-devel linux-opera 9.02

Opera reports:

A specially crafted digital certificate can bypass Opera's certificate signature verification. Forged certificates can contain any false information the forger chooses, and Opera will still present it as valid. Opera will not present any warning dialogs in this case, and the security status will be the highest possible (3). This defeats the protection against "man in the middle", the attacks that SSL was designed to prevent.

There is a flaw in OpenSSL's RSA signature verification that affects digital certificates using 3 as the public exponent. Some of the certificate issuers that are on Opera's list of trusted signers have root certificates with 3 as the public exponent. The forged certificate can appear to be signed by one of these.

CVE-2006-4339 http://secunia.com/advisories/21982/ http://secunia.com/advisories/21709/ http://www.cdc.informatik.tu-darmstadt.de/securebrowser/ http://www.openssl.org/news/secadv_20060905.txt http://www.mozilla.org/security/announce/2006/mfsa2006-60.html 2006-09-18 2006-09-22
mozilla -- multiple vulnerabilities firefox 1.5.0.7,1 2.*,12.0_1,1 linux-firefox 1.5.0.7 seamonkey linux-seamonkey 1.0.5 thunderbird linux-thunderbird mozilla-thunderbird 1.5.0.7 linux-firefox-devel 3.0.a2006.09.21 linux-seamonkey-devel 1.5.a2006.09.21 linux-mozilla-devel linux-mozilla mozilla 0

The Mozilla Foundation reports multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privileges of the user running the program.

  • MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
  • MFSA 2006-63 JavaScript execution in mail via XBL
  • MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
  • MFSA 2006-61 Frame spoofing using document.open()
  • MFSA 2006-60 RSA Signature Forgery
  • MFSA 2006-59 Concurrency-related vulnerability
  • MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
  • MFSA 2006-57 JavaScript Regular Expression Heap Corruption
20042 CVE-2006-4253 CVE-2006-4340 CVE-2006-4565 CVE-2006-4566 CVE-2006-4567 CVE-2006-4568 CVE-2006-4569 CVE-2006-4570 CVE-2006-4571 http://www.mozilla.org/security/announce/2006/mfsa2006-57.html http://www.mozilla.org/security/announce/2006/mfsa2006-58.html http://www.mozilla.org/security/announce/2006/mfsa2006-59.html http://www.mozilla.org/security/announce/2006/mfsa2006-60.html http://www.mozilla.org/security/announce/2006/mfsa2006-61.html http://www.mozilla.org/security/announce/2006/mfsa2006-62.html http://www.mozilla.org/security/announce/2006/mfsa2006-63.html http://www.mozilla.org/security/announce/2006/mfsa2006-64.html 2006-09-14 2006-09-15 2006-11-02
win32-codecs -- multiple vulnerabilities win32-codecs 3.1.0.p8_1,1

The Apple Security Team reports that there are multiple vulnerabilities within QuickTime (one of the plugins for win32-codecs). A remote attacker capable of creating a malicious SGI image, FlashPix image, FLC movie, or QuickTime movie may be able to execute arbitrary code or cause a Denial of Service (application crash).

Users who have QuickTime (/win32-codecs) as a browser plugin may be vulnerable to remote code execution by visiting a website containing a malicious SGI image, FlashPix, FLC movie or a QuickTime movie.

20138 CVE-2006-4381 CVE-2006-4382 CVE-2006-4384 CVE-2006-4385 CVE-2006-4386 CVE-2006-4388 CVE-2006-4389 http://docs.info.apple.com/article.html?artnum=304357 2006-09-08 2006-09-14 2006-10-17
php -- multiple vulnerabilities php4 php5 4.4.4 55.1.5 php4-cli php5-cli php4-cgi php5-cgi php4-dtc php5-dtc php4-horde php5-horde php4-nms php5-nms mod_php4 mod_php5 4.4.4 55.1.5

The PHP development team reports:

  • Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
  • Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
  • Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache.
  • Fixed overflow in GD extension on invalid GIF images.
  • Fixed a buffer overflow inside sscanf() function.
  • Fixed an out of bounds read inside stripos() function.
  • Fixed memory_limit restriction on 64 bit system.
CVE-2006-4481 CVE-2006-4482 CVE-2006-4483 CVE-2006-4484 CVE-2006-4485 CVE-2006-4486 http://www.php.net/release_4_4_4.php http://www.php.net/release_5_1_5.php 2006-08-18 2006-09-13 2014-03-28
drupal-pubcookie -- authentication may be bypassed drupal-pubcookie 4.6.0_20060210

The Drupal Project reports:

It is possible for a malicious user to spoof a user's identity by bypassing the login redirection mechanism in the pubcookie module. The malicious user may gain the privileges of the user they are spoofing, including the administrative user.

CVE-2006-4717 http://drupal.org/node/83064 2006-09-08 2006-09-13 2010-05-12
linux-flashplugin7 -- arbitrary code execution vulnerabilities linux-flashplugin 7.0r68

Adobe reports:

Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588)

These updates include changes to prevent circumvention of the "allowScriptAccess" option. (CVE-2006-4640)

CVE-2006-3311 CVE-2006-3587 CVE-2006-3588 CVE-2006-4640 http://www.adobe.com/support/security/bulletins/apsb06-11.html 2006-09-12 2006-09-12
mailman -- Multiple Vulnerabilities mailman ja-mailman mailman-with-htdig 2.1.9.r1

Secunia reports:

Mailman can be exploited by malicious people to conduct cross-site scripting and phishing attacks, and cause a DoS (Denial of Service).

1) An error in the logging functionality can be exploited to inject a spoofed log message into the error log via a specially crafted URL.

Successful exploitation may trick an administrator into visiting a malicious web site.

2) An error in the processing of malformed headers which do not follow the RFC 2231 standard can be exploited to cause a DoS (Denial of Service).

3) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

19831 CVE-2006-2191 CVE-2006-2941 CVE-2006-3636 CVE-2006-4624 http://secunia.com/advisories/21732/ http://sourceforge.net/project/shownotes.php?group_id=103&release_id=444295 2006-06-09 2006-09-04 2006-10-04
hlstats -- multiple cross site scripting vulnerabilities hlstats 1.35

Kefka reports multiple cross site scripting vulnerabilities within hlstats. The vulnerabilities are caused due to improper checking of variables, allowing an attacker to perform cross site scripting.

19745 CVE-2006-4454 CVE-2006-6780 CVE-2006-6781 CVE-2007-2812 2006-08-29 2006-09-02 2011-09-03
gtetrinet -- remote code execution gtetrinet 0.7.10

The Debian Security Team reports:

Michael Gehring discovered several potential out-of-bounds index accesses in gtetrinet, a multiplayer Tetris-like game, which may allow a remote server to execute arbitrary code.

19766 CVE-2006-3125 http://www.debian.org/security/2006/dsa-1163 2006-08-30 2006-09-02 2006-10-01
joomla -- multiple vulnerabilities joomla 1.0.11

The Joomla development team reports multiple vulnerabilities in the Joomla application. Joomla is affected by the following issues:

http://www.joomla.org/content/view/1841/78/ 2006-08-28 2006-08-30 2010-05-12
sppp -- buffer overflow vulnerability FreeBSD 4.11_20 5.35.3_32 5.45.4_17 5.55.5_3 6.06.0_10 6.16.1_4

Problem Description

While processing Link Control Protocol (LCP) configuration options received from the remote host, sppp(4) fails to correctly validate option lengths. This may result in data being read or written beyond the allocated kernel memory buffer.

Impact

An attacker able to send LCP packets, including the remote end of a sppp(4) connection, can cause the FreeBSD kernel to panic. Such an attacker may also be able to obtain sensitive information or gain elevated privileges.

Workaround

No workaround is available, but systems which do not use sppp(4) are not vulnerable.

CVE-2006-4304 SA-06:18.ppp 2006-08-23 2006-08-23 2006-08-30
horde -- Phishing and Cross-Site Scripting Vulnerabilities horde 3.1.2 imp 4.1.2

Secunia reports:

Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks.

  1. Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in a frameset. This can e.g. be exploited to trick a user into believing certain malicious content is served from a trusted web site.
  2. Some unspecified input passed in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
19557 19544 http://secunia.com/advisories/21500/ http://lists.horde.org/archives/announce/2006/000292.html 2006-08-17 2006-08-17
globus -- Multiple tmpfile races globus 4.0.2_20060706

The Globus Alliance reports:

The proxy generation tool (grid-proxy-init) creates the file, secures the file to provide access only to the owner and writes the proxy to the file. A race condition exists between the opening of the proxy credentials file and making sure it is a safe file to write to. The checks to ensure this file is accessible only to the owner take place using the filename after the file is opened for writing, but before any data is written.

Various components of the toolkit use files in shared directories to store information, some of it sensitive. For example, the tool to create proxy certificates stores the generated proxy certificate by default in /tmp. Specific vulnerabilities in handling such files were reported in myproxy-admin-adduser, grid-ca-sign and grid-security-config.

CVE-2006-4232 CVE-2006-4233 http://www.globus.org/mail_archive/security-announce/2006/08/msg00000.html http://www.globus.org/mail_archive/security-announce/2006/08/msg00001.html 2006-08-08 2006-08-15 2010-05-12
x11vnc -- authentication bypass vulnerability x11vnc 0.8.2

Ludwig Nussel reports that x11vnc is vulnerable to an authentication bypass vulnerability. The vulnerability is caused by an error in auth.c. This could allow a remote attacker to gain unauthorized and unauthenticated access to the system.

18977 CVE-2006-2450 http://bugs.debian.org/376824 2006-08-08 2006-08-13
alsaplayer -- multiple vulnerabilities alsaplayer 0

Luigi Auriemma reports three vulnerabilities within alsaplayer:

  • The function which handles the HTTP connections is vulnerable to a buffer-overflow that happens when it uses sscanf for copying the URL in the Location's field received from the server into the redirect buffer of only 1024 bytes declared in http_open.
  • A buffer-overflow exists in the functions which add items to the playlist when the GTK interface is used (so the other interfaces are not affected by this problem): new_list_item and CbUpdated in interface/gtk/PlaylistWindow.cpp.
  • AlsaPlayer automatically queries the CDDB server specified in its configuration (by default freedb.freedb.org) when the user chooses the CDDA function for playing audio CDs. The function which queries the server uses a buffer of 20 bytes and one of 9 for storing the category and ID strings received from the server, while the buffer which contains this server's response is 32768 bytes long. Naturally, for exploiting this bug the attacker must have control of the freedb server specified in AlsaPlayer's configuration.

These vulnerabilities could allow a remote attacker to execute arbitrary code, possibly gaining access to the system.

CVE-2006-4089 19450 http://aluigi.altervista.org/adv/alsapbof-adv.txt 2006-08-09 2006-08-13 2010-05-12
postgresql -- encoding based SQL injection postgresql postgresql-server ja-postgresql 7.37.3.15 7.47.4.13 8.0.08.0.8 8.1.08.1.4

The PostgreSQL development team reports:

An attacker able to submit crafted strings to an application that will embed those strings in SQL commands can use invalidly-encoded multibyte characters to bypass standard string-escaping methods, resulting in possible injection of hostile SQL commands into the database. The attacks covered here work in any multibyte encoding.

The widely-used practice of escaping ASCII single quote "'" by turning it into "\'" is unsafe when operating in multibyte encodings that allow 0x5c (ASCII code for backslash) as the trailing byte of a multibyte character; this includes at least SJIS, BIG5, GBK, GB18030, and UHC. An application that uses this conversion while embedding untrusted strings in SQL commands is vulnerable to SQL-injection attacks if it communicates with the server in one of these encodings. While the standard client libraries used with PostgreSQL have escaped "'" in the safe, SQL-standard way of "''" for some time, the older practice remains common.

18092 CVE-2006-2313 CVE-2006-2314 http://www.postgresql.org/docs/techdocs.50 2006-05-11 2006-08-13
postgresql -- multiple vulnerabilities postgresql postgresql-server ja-postgresql 7.27.2.7 7.37.3.9 7.47.4.7 8.0.08.0.1

Multiple vulnerabilities have been reported in various versions of PostgreSQL:

CVE-2005-0244 CVE-2005-0245 CVE-2005-0246 http://secunia.com/advisories/12948 2005-02-01 2006-08-13
mysql -- format string vulnerability mysql-server 5.15.1.6 5.05.0.19 4.14.1.18

Jean-David Maillefer reports a Denial of Service vulnerability within MySQL. The vulnerability is caused by improper checking of the format string in the date_format routine, which causes the MySQL server to crash. The crash is triggered by the following query:

    SELECT date_format('%d%s', 1);

19032 CVE-2006-3469 http://bugs.mysql.com/bug.php?id=20729 2006-06-27 2006-08-13
squirrelmail -- random variable overwrite vulnerability ja-squirrelmail 1.4.01.4.8,2 squirrelmail 1.4.01.4.8

The SquirrelMail developers report:

A logged in user could overwrite random variables in compose.php, which might make it possible to read/write other users' preferences or attachments.

CVE-2006-4019 http://www.squirrelmail.org/security/issue/2006-08-11 2006-08-11 2006-08-12
rubygem-rails -- evaluation of ruby code rubygem-rails 1.1.01.1.3 1.1.41.1.6

The Ruby on Rails blog reports:

With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code will run for a long time and that process will be hung while it happens. Other URLs can even cause data loss.

http://weblog.rubyonrails.org/2006/8/10/rails-1-1-6-backports-and-full-disclosure 2006-08-09 2006-08-10
clamav -- heap overflow vulnerability clamav 0.88.10.88.4 clamav-devel 20060808

Clamav team reports:

A heap overflow vulnerability was discovered in libclamav which could cause a denial of service or allow the execution of arbitrary code.

The problem is specifically located in the PE file rebuild function used by the UPX unpacker.

Relevant code from libclamav/upx.c:

    memcpy(dst, newbuf, foffset);
    *dsize = foffset;
    free(newbuf);
    cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n");
    return 1;

Due to improper validation it is possible to overflow the above memcpy() beyond the allocated memory block.

CVE-2006-4018 http://www.clamav.net/security/0.88.4.html 2006-08-07 2006-08-08
drupal -- XSS vulnerability drupal 4.6.9

The Drupal project reports:

A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link.

http://drupal.org/files/sa-2006-011/advisory.txt 2006-08-02 2006-08-02 2006-08-08
gnupg -- 2 more possible memory allocation attacks gnupg 1.4.5

Author reports:

Fixed 2 more possible memory allocation attacks. They are similar to the problem we fixed with 1.4.4. This bug can easily be exploited for a DoS; remote code execution is not entirely impossible.

http://lists.gnupg.org/pipermail/gnupg-announce/2006q3/000229.html 2006-08-01 2006-08-02
ruby -- multiple vulnerabilities ruby ruby_static 1.6.*1.8.* 1.8.*1.8.4_9,1

Secunia reports:

Two vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions.

  1. An error in the handling of the "alias" functionality can be exploited to bypass the safe level protection and replace methods called in the trusted level.
  2. An error caused due to directory operations not being properly checked can be exploited to bypass the safe level protection and close untainted directory streams.
18944 CVE-2006-3694 http://secunia.com/advisories/21009/ http://jvn.jp/jp/JVN%2383768862/index.html http://jvn.jp/jp/JVN%2313947696/index.html 2006-07-12 2006-07-29 2006-07-30
apache -- mod_rewrite buffer overflow vulnerability apache 1.3.281.3.36_1 2.0.462.0.58_2 2.2.02.2.2_1 apache+mod_perl 1.3.281.3.36_1 apache+ipv6 1.3.281.3.37 apache_fp 0 ru-apache 1.3.281.3.37+30.23 ru-apache+mod_ssl 1.3.281.3.34.1.57_2 apache+ssl 1.3.281.3.34.1.57_2 apache+mod_ssl apache+mod_ssl+ipv6 apache+mod_ssl+mod_accel apache+mod_ssl+mod_accel+ipv6 apache+mod_ssl+mod_accel+mod_deflate apache+mod_ssl+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_deflate apache+mod_ssl+mod_deflate+ipv6 apache+mod_ssl+mod_snmp apache+mod_ssl+mod_snmp+mod_accel apache+mod_ssl+mod_snmp+mod_accel+ipv6 apache+mod_ssl+mod_snmp+mod_deflate apache+mod_ssl+mod_snmp+mod_deflate+ipv6 apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 1.3.281.3.36+2.8.27_1

The Apache Software Foundation and The Apache HTTP Server Project reports:

An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.

Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.

This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:

  • The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
  • The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).

Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.

The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.

395412 CVE-2006-3747 http://marc.theaimsgroup.com/?l=apache-httpd-announce&m=115409818602955 2006-07-27 2006-07-28 2006-11-01
mozilla -- multiple vulnerabilities firefox 1.5.0.5,1 2.*,12.0_1,1 linux-firefox 1.5.0.5 linux-firefox-devel 3.0.a2006.07.26 seamonkey linux-seamonkey 1.0.3 thunderbird linux-thunderbird mozilla-thunderbird 1.5.0.5 mozilla linux-mozilla linux-mozilla-devel 0

A Mozilla Foundation Security Advisory reports multiple issues, several of which can be used to run arbitrary code with the privileges of the user running the program.

  • MFSA 2006-56 chrome: scheme loading remote content
  • MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
  • MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
  • MFSA 2006-53 UniversalBrowserRead privilege escalation
  • MFSA 2006-52 PAC privilege escalation using Function.prototype.call
  • MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
  • MFSA 2006-50 JavaScript engine vulnerabilities
  • MFSA 2006-49 Heap buffer overwrite on malformed VCard
  • MFSA 2006-48 JavaScript new Function race condition
  • MFSA 2006-47 Native DOM methods can be hijacked across domains
  • MFSA 2006-46 Memory corruption with simultaneous events
  • MFSA 2006-45 Javascript navigator Object Vulnerability
  • MFSA 2006-44 Code execution through deleted frame reference
CVE-2006-3113 CVE-2006-3677 CVE-2006-3801 CVE-2006-3802 CVE-2006-3803 CVE-2006-3804 CVE-2006-3805 CVE-2006-3806 CVE-2006-3807 CVE-2006-3808 CVE-2006-3809 CVE-2006-3810 CVE-2006-3811 CVE-2006-3812 http://www.mozilla.org/projects/security/known-vulnerabilities.html#seamonkey1.0.3 http://www.mozilla.org/security/announce/2006/mfsa2006-44.html http://www.mozilla.org/security/announce/2006/mfsa2006-45.html http://www.mozilla.org/security/announce/2006/mfsa2006-46.html http://www.mozilla.org/security/announce/2006/mfsa2006-47.html http://www.mozilla.org/security/announce/2006/mfsa2006-48.html http://www.mozilla.org/security/announce/2006/mfsa2006-49.html http://www.mozilla.org/security/announce/2006/mfsa2006-50.html http://www.mozilla.org/security/announce/2006/mfsa2006-51.html http://www.mozilla.org/security/announce/2006/mfsa2006-52.html http://www.mozilla.org/security/announce/2006/mfsa2006-53.html http://www.mozilla.org/security/announce/2006/mfsa2006-54.html http://www.mozilla.org/security/announce/2006/mfsa2006-55.html http://www.mozilla.org/security/announce/2006/mfsa2006-56.html 2006-07-25 2006-07-27 2006-11-02
zope -- information disclosure vulnerability zope 2.7.02.7.9 2.8.02.8.7 2.9.02.9.3

Zope team reports:

Unspecified vulnerability in (Zope2) allows local users to obtain sensitive information via unknown attack vectors related to the docutils module and "restructured text".

CVE-2006-3458 http://www.zope.org/Products/Zope/Hotfix-2006-07-05/Hotfix-2006-07-05/view 2006-07-05 2006-07-14
drupal -- multiple vulnerabilities drupal 4.6.8

The Drupal team reports:

Vulnerability: XSS Vulnerability in taxonomy module

It is possible for a malicious user to insert and execute XSS into terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain().

CVE-2006-2833 http://drupal.org/node/66767 2006-05-18 2006-07-13 2006-07-14
shoutcast -- cross-site scripting, information exposure shoutcast linux-shoutcast 1.9.7

Goober's advisory reports that shoutcast is vulnerable to an arbitrary file reading vulnerability:

Impact of the vulnerability depends on the way the product was installed. In general, the vulnerability allows the attacker to read any file which can be read by the Shoutcast server process.

CVE-2006-3007 http://secunia.com/advisories/20524/ http://people.ksp.sk/~goober/advisory/001-shoutcast.html 2006-06-09 2006-07-11
samba -- memory exhaustion DoS in smbd samba ja-samba 3.0.1,13.0.23,1

The Samba Team reports:

The smbd daemon maintains internal data structures used to track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations.

CVE-2006-3403 http://www.samba.org/samba/security/CAN-2006-3403.html 2006-07-10 2006-07-10
twiki -- multiple file extensions file upload vulnerability twiki 4.0.4,1

A TWiki Security Alert reports:

The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allow additional file suffixes, such as .php.en, .php.1, and .php.2. TWiki does not check for these suffixes, e.g. it is possible to upload php scripts with such suffixes without the .txt filename padding.

This issue can also be worked around with a restrictive web server configuration. See the TWiki Security Alert for more information about how to do this.

18854 CVE-2006-3336 http://secunia.com/advisories/20992/ http://twiki.org/cgi-bin/view/Codev/SecurityAlertSecureFileUploads 2006-07-05 2006-07-10
trac -- reStructuredText breach of privacy and denial of service vulnerability trac ja-trac 0.9.6

The Trac 0.9.6 Release Notes reports:

Fixed reStructuredText breach of privacy and denial of service vulnerability found by Felix Wiemann.

The discovered vulnerability requires docutils to be installed and enabled. Systems that do not have docutils installed or enabled are not vulnerable. As of this version, version 0.3.9 or greater of docutils is required for using reStructuredText markup in Trac.

CVE-2005-3980 CVE-2005-4305 CVE-2005-4065 http://projects.edgewall.com/trac/wiki/ChangeLog http://lists.edgewall.com/archive/trac-announce/2006-July/000013.html 2006-07-06 2006-07-07 2010-05-12
horde -- various problems in dereferrer horde horde-php5 3.1.2

Horde 3.1.2 release announcement:

Security Fixes:

  • Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen.
  • Removed unused image proxy code from dereferrer.
CVE-2006-3548 http://lists.horde.org/archives/announce/2006/000288.html 2006-06-28 2006-07-05 2010-05-12
mambo -- SQL injection vulnerabilities mambo 4.5.4

The Team Mambo reports that two SQL injection vulnerabilities have been found in Mambo. The vulnerabilities exist due to missing sanitization of the title and catid parameters in the weblinks.php page and can lead to execution of arbitrary SQL code.

16775 CVE-2006-0871 CVE-2006-1794 CVE-2006-3262 CVE-2006-3263 http://marc.theaimsgroup.com/?l=bugtraq&m=115056811230529 http://secunia.com/advisories/18935/ http://secunia.com/advisories/20745/ http://www.mamboserver.com/?option=com_content&task=view&id=207 http://www.gulftech.org/?node=research&article_id=00104-02242006 2006-06-19 2006-07-05 2006-10-05
phpmyadmin -- cross site scripting vulnerability phpMyAdmin 2.8.2

phpmyadmin Site reports:

It was possible to craft a request that contains XSS by attacking the "table" parameter.

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-4 http://securitynews.ir/advisories/phpmyadmin281.txt 2006-06-30 2006-07-03 2007-10-16
webmin, usermin -- arbitrary file disclosure vulnerability webmin 1.290 usermin 1.220

The webmin development team reports:

An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin.

18744 http://www.webmin.com/security.html 2006-06-30 2006-07-02
mutt -- Remote Buffer Overflow Vulnerability mutt mutt-lite 1.4.2.1_2 mutt-devel mutt-devel-lite 1.5.11_2 ja-mutt 1.4.2.1.j1 zh-mutt-devel 1.5.11_20040617 ja-mutt-devel 1.5.6.j1_2 mutt-ng 20060501

SecurityFocus reports:

Mutt is prone to a remote buffer-overflow vulnerability. This issue is due to the application's failure to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

This issue may allow remote attackers to execute arbitrary machine code in the context of the affected application. Failed exploit attempts will likely crash the application, denying further service to legitimate users.

18642 http://dev.mutt.org/cgi-bin/gitweb.cgi?p=mutt/.git;a=commit;h=dc0272b749f0e2b102973b7ac43dbd3908507540 2006-06-26 2006-06-30
Joomla -- multiple vulnerabilities joomla 1.0.10

Joomla Site reports:

  • Secured "Remember Me" functionality against SQL injection attacks
  • Secured "Related Items" module against SQL injection attacks
  • Secured "Weblinks" submission against SQL injection attacks
  • Secured SEF from XSS vulnerability
  • Hardened frontend submission forms against spoofing
  • Secured mosmsg from misuse
  • Hardened mosgetparam by setting variable type to integer if default value is detected as numeric
  • Secured com_messages from XSS vulnerability
  • Secured getUserStateFromRequest() from XSS vulnerability
http://secunia.com/advisories/20746/ http://www.joomla.org/content/view/1510/74/ 2006-06-26 2006-06-30
hashcash -- heap overflow vulnerability hashcash 1.22

Andreas Seltenreich reports that hashcash is prone to a heap overflow vulnerability. This vulnerability is caused by improper checking of memory allocations within the "array_push()" function. An attacker could trigger this vulnerability by passing a lot of "-r" or "-j" flags from the command line (this only applies when the application is configured to allow command line options), or by passing a lot of resource names when the application was started with the "-m" flag set. This could lead to a Denial of Service or could allow remote access to the targeted system.

http://secunia.com/advisories/20800/ http://www.hashcash.org/source/CHANGELOG 2006-06-27 2006-06-27
gnupg -- user id integer overflow vulnerability gnupg 1.4.4

If GnuPG processes a userid with a very long packet length, GnuPG can crash due to an insufficient bounds check. This can result in a denial-of-service condition or potentially execution of arbitrary code with the privileges of the user running GnuPG.

18554 CVE-2006-3082 http://marc.theaimsgroup.com/?l=gnupg-users&m=115124706210430 http://marc.theaimsgroup.com/?l=full-disclosure&m=114907659313360 http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/g10/parse-packet.c?rev=4157&r1=4141&r2=4157 2006-05-31 2006-06-25
horde -- multiple parameter cross site scripting vulnerabilities horde horde-php5 3.1.1

FrSIRT advisory ADV-2006-2356 reports:

Multiple vulnerabilities have been identified in Horde Application Framework, which may be exploited by attackers to execute arbitrary scripting code. These flaws are due to input validation errors in the "test.php" and "templates/problem/problem.inc" scripts that do not validate the "url", "name", "email", "subject" and "message" parameters, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

CVE-2006-2195 http://www.frsirt.com/english/advisories/2006/2356 http://cvs.horde.org/diff.php?f=horde%2Ftest.php&r1=1.145&r2=1.146 http://cvs.horde.org/diff.php?f=horde%2Ftemplates%2Fproblem%2Fproblem.inc&r1=2.25&r2=2.26 2006-06-10 2006-06-17
WebCalendar -- information disclosure vulnerability WebCalendar 1.0.4

Secunia reports:

socsam has discovered a vulnerability in WebCalendar, which can be exploited by malicious people to bypass certain security restrictions and disclose sensitive information.

Input passed to the "includedir" parameter isn't properly verified, before it is used in an "fopen()" call. This can be exploited to load an arbitrary setting file from an external web site.

This can further be exploited to disclose the content of arbitrary files by defining the "user_inc" variable in a malicious setting file.

Successful exploitation requires that "register_globals" is enabled.

18175 CVE-2006-2762 http://www.securityfocus.com/archive/1/435379 http://www.securityfocus.com/archive/1/436263 2006-05-30 2006-06-16 2006-06-17
sendmail -- Incorrect multipart message handling FreeBSD 4.114.11_19 5.35.3_31 5.45.4_16 5.55.5_2 6.06.0_9 6.16.1_2

Problem Description

A suitably malformed multipart MIME message can cause sendmail to exceed predefined limits on its stack usage.

Impact

An attacker able to send mail to, or via, a server can cause queued messages on the system to not be delivered, by causing the sendmail process which handles queued messages to crash. Note that this will not stop new messages from entering the queue (either from local processes, or incoming via SMTP).

Workaround

No workaround is available, but systems which do not receive email from untrusted sources are not vulnerable.

CVE-2006-1173 SA-06:17.sendmail 2006-06-14 2006-06-14
dokuwiki -- multiple vulnerabilities dokuwiki 20060309_2

Multiple vulnerabilities have been reported within dokuwiki. dokuwiki is proven vulnerable to:

http://bugs.splitbrain.org/index.php?do=details&id=820 http://bugs.splitbrain.org/index.php?do=details&id=823 http://bugs.splitbrain.org/index.php?do=details&id=825 2006-05-31 2006-06-11 2006-06-12
libxine -- buffer overflow vulnerability libxine 1.1.1_6

A Secunia Advisory reports:

Federico L. Bossi Bonin has discovered a weakness in xine-lib, which can be exploited by malicious people to crash certain applications on a user's system.

The weakness is caused due to a heap corruption within the "xineplug_inp_http.so" plugin when handling an overly large reply from the HTTP server. This can be exploited to crash an application that uses the plugin (e.g. gxine).

http://secunia.com/advisories/20369 CVE-2006-2802 18187 2006-05-31 2006-06-11
smbfs -- chroot escape FreeBSD 4.104.10_24 4.114.11_18 5.35.3_30 5.45.4_15 5.55.5_1 6.06.0_8 6.16.1_1

Problem Description

smbfs does not properly sanitize paths containing a backslash character; in particular the directory name '..\' is interpreted as the parent directory by the SMB/CIFS server, but smbfs handles it in the same manner as any other directory.

Impact

When inside a chroot environment which resides on a smbfs mounted file-system it is possible for an attacker to escape out of this chroot to any other directory on the smbfs mounted file-system.

Workaround

Mount the smbfs file-systems which need to be used with chroot on top, in a way so the chroot directory is exactly on the mount point and not a sub directory.

CVE-2006-2654 SA-06:16.smbfs 2006-05-31 2006-06-09
ypserv -- Inoperative access controls in ypserv FreeBSD 5.35.3_30 5.45.4_15 5.55.5_1 6.06.0_8 6.16.1_1

Problem Description

There are two documented methods of restricting access to NIS maps through ypserv(8): through the use of the /var/yp/securenets file, and through the /etc/hosts.allow file. While both mechanisms are implemented in the server, a change in the build process caused the "securenets" access restrictions to be inadvertently disabled.

Impact

ypserv(8) will not load or process any of the networks or hosts specified in the /var/yp/securenets file, rendering those access controls ineffective.

Workaround

One possible workaround is to use /etc/hosts.allow for access control, as shown by examples in that file.

Another workaround is to use a firewall (e.g., ipfw(4), ipf(4), or pf(4)) to limit access to RPC functions from untrusted systems or networks, but due to the complexities of RPC, it might be difficult to create a set of firewall rules which accomplish this without blocking all access to the machine in question.

CVE-2006-2655 SA-06:15.ypserv 2006-05-31 2006-06-09
freeradius -- multiple vulnerabilities freeradius 1.0.01.0.4

The freeradius development team reports:

Multiple issues exist with version 1.0.4, and all prior versions of the server. Externally exploitable vulnerabilities exist only for sites that use the rlm_sqlcounter module. Those sites may be vulnerable to SQL injection attacks, similar to the issues noted below. All sites that have not deployed the rlm_sqlcounter module are not vulnerable to external exploits.

The issues are:

  • SQL Injection attack in the rlm_sqlcounter module.
  • Buffer overflow in the rlm_sqlcounter module, that may cause a server crash.
  • Buffer overflow while expanding %t, that may cause a server crash.

17171 CVE-2005-4744 2005-09-09 2006-06-08
freeradius -- authentication bypass vulnerability freeradius 1.0.01.1.0

The freeradius development team reports:

A validation issue exists with the EAP-MSCHAPv2 module in all versions from 1.0.0 (where the module first appeared) to 1.1.0. Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing.

17293 CVE-2006-1354 2006-06-03 2006-06-08
squirrelmail -- plugin.php local file inclusion vulnerability squirrelmail 1.4.6_1

The SquirrelMail Project Team reports:

A security issue has been uncovered in functions/plugin.php that could allow a remote user to access local files on the server without requiring login. This issue manifests itself if register_globals is enabled, and magic_quotes_gpc is disabled.

http://www.squirrelmail.org/security/issue/2006-06-01 http://secunia.com/advisories/20406/ 2006-06-01 2006-06-05 2006-06-06
dokuwiki -- spellchecker remote PHP code execution dokuwiki 20060309_1

Stefan Esser reports:

During the evaluation of DokuWiki for a German/Korean wiki of mine a flaw in DokuWiki's spellchecker was discovered, that allows injecting arbitrary PHP commands, by requesting a spellcheck on PHP commands in 'complex curly syntax'.

Because the spellchecker is written as part of the AJAX functionality of DokuWiki, it can be directly called by any website visitor, without the need for a wiki account.

http://www.hardened-php.net/advisory_042006.119.html http://bugs.splitbrain.org/index.php?do=details&id=823 http://secunia.com/advisories/20429/ 2006-06-05 2006-06-05
drupal -- multiple vulnerabilities drupal 4.6.7

The Drupal team reports:

Vulnerability: SQL injection

A security vulnerability in the database layer allowed certain queries to be submitted to the database without going through Drupal's query sanitizer.

Vulnerability: Execution of arbitrary files

Certain -- alas, typical -- configurations of Apache allows execution of carefully named arbitrary scripts in the files directory. Drupal now will attempt to automatically create a .htaccess file in your "files" directory to protect you.

CVE-2006-2742 CVE-2006-2743 http://drupal.org/node/65357 http://drupal.org/node/65409 2006-05-18 2006-06-05
MySQL -- SQL-injection security vulnerability mysql-server 5.15.1.9 5.05.0.22 4.14.1.20

MySQL reports:

An SQL-injection security hole has been found in multibyte encoding processing. An SQL-injection security hole can include a situation whereby when inserting user supplied data into a database, the user might inject his own SQL statements that the server will execute. With regards to this vulnerability discovered, when character set unaware escaping is used (e.g., addslashes() in PHP), it is possible to bypass it in some multibyte character sets (e.g., SJIS, BIG5 and GBK). As a result, a function like addslashes() is not able to prevent SQL injection attacks. It is impossible to fix this on the server side. The best solution is for applications to use character set aware escaping offered in a function like mysql_real_escape().

Workarounds:

One can use NO_BACKSLASH_ESCAPES mode as a workaround for a bug in mysql_real_escape_string(), if you cannot upgrade your server for some reason. It will enable SQL standard compatibility mode, where backslash is not considered a special character.

http://lists.mysql.com/announce/364 http://lists.mysql.com/announce/365 2006-05-31 2006-06-01
MySQL -- Information Disclosure and Buffer Overflow Vulnerabilities mysql-server 4.04.0.27 4.14.1.19 5.15.1.9

Secunia reports:

MySQL has some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system.

1) An error within the code that generates an error response to an invalid COM_TABLE_DUMP packet can be exploited by an authenticated client to disclose certain memory content of the server process.

2) A boundary error within the handling of specially crafted invalid COM_TABLE_DUMP packets can be exploited by an authenticated client to cause a buffer overflow and allows arbitrary code execution.

3) An error within the handling of malformed login packets can be exploited to disclose certain memory content of the server process in the error messages.

CVE-2006-1516 CVE-2006-1517 CVE-2006-1518 602457 http://www.wisec.it/vulns.php?page=7 http://www.wisec.it/vulns.php?page=8 http://dev.mysql.com/doc/refman/4.1/en/news-4-0-27.html http://dev.mysql.com/doc/refman/4.1/en/news-4-1-19.html http://dev.mysql.com/doc/refman/5.1/en/news-5-1-10.html http://secunia.com/advisories/19929/ http://www.vuxml.org/freebsd/a8d8713e-dc83-11da-a22b-000c6ec775d9.html 2006-05-02 2006-06-01
frontpage -- cross site scripting vulnerability frontpage mod_frontpage13 mod_frontpage20 mod_frontpage21 mod_frontpage22 5.0.2.4803

Esteban Martinez Fayo reports:

The FrontPage Server Extensions 2002 (included in Windows Server 2003 IIS 6.0 and available as a separate download for Windows 2000 and XP) has a web page /_vti_bin/_vti_adm/fpadmdll.dll that is used for administrative purposes. This web page is vulnerable to cross site scripting attacks allowing an attacker to run client-side script on behalf of an FPSE user. If the victim is an administrator, the attacker could take complete control of a Front Page Server Extensions 2002 server.

To exploit the vulnerability an attacker can send a specially crafted e-mail message to an FPSE user and then persuade the user to click a link in the e-mail message.

In addition, this vulnerability can be exploited if an attacker hosts a malicious website and persuades the user to visit it.

CVE-2006-0015 http://marc.theaimsgroup.com/?l=bugtraq&m=114487846329000 http://www.microsoft.com/technet/security/bulletin/MS06-017.mspx http://www.rtr.com/fpsupport/fpse_release_may_2_2006.htm 2006-04-12 2006-05-23
cscope -- buffer overflow vulnerabilities cscope 15.5_2

Jason Duell reports:

Cscope contains an alarming number of buffer overflow vulnerabilities. By a rough count, there are at least 48 places where we blindly sprintf() a file name into a fixed-length buffer of size PATHLEN without checking to see if the file's name is <= PATHLEN. We do similar things with environment variable values.

CVE-2004-2541 http://sourceforge.net/tracker/index.php?func=detail&aid=1064875&group_id=4664&atid=104664 http://secunia.com/advisories/13237 2004-11-11 2006-05-23
coppermine -- Multiple File Extensions Vulnerability coppermine 1.4.6

Secunia reports:

Coppermine Photo Gallery has a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to an error in the handling of file uploads where a filename has multiple file extensions. This can be exploited to upload malicious script files inside the web root (e.g. a PHP script).

Successful exploitation may allow execution of script code depending on the HTTP server configuration (it requires e.g. an Apache server with the "mod_mime" module installed).

http://sourceforge.net/project/shownotes.php?group_id=89658&release_id=418266 http://secunia.com/advisories/20211/ 2006-05-22 2006-05-22
coppermine -- "file" Local File Inclusion Vulnerability coppermine 1.4.5

Secunia reports:

Coppermine Photo Gallery has a vulnerability, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "file" parameter in "index.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources.

Example: http://[host]/index.php?file=.//././/././/././/./[file]%00

Successful exploitation requires that "magic_quotes_gpc" is disabled.

CVE-2006-1909 http://coppermine-gallery.net/forum/index.php?topic=30655.0 http://myimei.com/security/2006-04-14/copperminephotogallery144-plugininclusionsystemindexphp-remotefileinclusion-attack.html http://secunia.com/advisories/19665/ 2006-04-19 2006-05-22
coppermine -- File Inclusion Vulnerabilities coppermine 1.4.4

Secunia reports:

Coppermine Photo Gallery has a vulnerability, which can be exploited by malicious people and by malicious users to compromise a vulnerable system.

1) Input passed to the "lang" parameter in include/init.inc.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources. The vulnerability can be further exploited by users who are allowed to upload image files to execute arbitrary PHP code.

2) Input passed to the "f" parameter in docs/showdoc.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources on the Windows platform, and remote files from Windows shared folders.

CVE-2006-0872 CVE-2006-0873 http://retrogod.altervista.org/cpg_143_adv.html http://secunia.com/advisories/18941/ 2006-02-20 2006-05-22
phpmyadmin -- XSRF vulnerabilities phpMyAdmin 2.8.1

phpMyAdmin security team reports:

It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link.

Such issues are quite common in many PHP applications and users should take care what links they follow. We consider these vulnerabilities to be quite dangerous.

CVE-2006-1804 http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-3 http://secunia.com/advisories/19659 2006-05-20 2006-05-21
vnc -- authentication bypass vulnerability vnc 4.1.1

RealVNC is susceptible to an authentication-bypass vulnerability. A malicious VNC client can cause a VNC server to allow it to connect without any authentication regardless of the authentication settings configured in the server. Exploiting this issue allows attackers to gain unauthenticated, remote access to the VNC servers.

17978 http://www.securityfocus.com/archive/1/433994/30/0/threaded 2006-05-15 2006-05-18
phpldapadmin -- Cross-Site Scripting and Script Insertion vulnerabilities phpldapadmin098 0.9.8.3

Secunia reports:

phpLDAPadmin has some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.

1) Some input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

2) Input passed to the "Container DN", "Machine Name", and "UID Number" parameters in "template_engine.php" isn't properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.

CVE-2006-2016 http://pridels.blogspot.com/2006/04/phpldapadmin-multiple-vuln.html http://www.frsirt.com/english/advisories/2006/1450 http://secunia.com/advisories/19747/ 2006-04-21 2006-05-14
fswiki -- XSS vulnerability fswiki 3.5.11

JVN reports:

FreeStyleWiki has an XSS vulnerability.

http://jvn.jp/jp/JVN%2335274905/ 2006-04-18 2006-05-06
mysql50-server -- COM_TABLE_DUMP arbitrary code execution mysql-server 5.05.0.21

Stefano Di Paola reports:

An authenticated user could remotely execute arbitrary commands by taking advantage of a stack overflow.

To take advantage of these flaws an attacker should have direct access to MySQL server communication layer (port 3306 or unix socket). But if used in conjunction with some web application flaws (i.e. php code injection) an attacker could use socket programming (i.e. php sockets) to gain access to that layer.

CVE-2006-1518 http://www.wisec.it/vulns.php?page=8 http://marc.theaimsgroup.com/?l=bugtraq&m=114659633220473 http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html 2006-05-02 2006-05-06
awstats -- arbitrary command execution vulnerability awstats 6.5_2,1

OS Reviews reports:

If the update of the stats via web front-end is allowed, a remote attacker can execute arbitrary code on the server using a specially crafted request involving the migrate parameter. Input starting with a pipe character ("|") leads to an insecure call to Perl's open function and the rest of the input being executed in a shell. The code is run in the context of the process running the AWStats CGI.

Arbitrary code can be executed by uploading a specially crafted configuration file if an attacker can put a file on the server with chosen file name and content (e.g. by using an FTP account on a shared hosting server). In this configuration file, the LogFile directive can be used to execute shell code following a pipe character. As above, an open call on unsanitized input is the source of this vulnerability.

http://awstats.sourceforge.net/awstats_security_news.php http://secunia.com/advisories/19969/ http://www.osreviews.net/reviews/comm/awstats 2006-05-03 2006-05-05 2006-11-15
phpwebftp -- "language" Local File Inclusion phpwebftp 3.3

Secunia reports:

phpWebFTP has a vulnerability, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "language" parameter in index.php isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from local resources.

Successful exploitation requires that "magic_quotes_gpc" is disabled.
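The include shown above fails because the "language" value is glued into a file path and handed to include without any check, and the NUL byte (which magic_quotes_gpc happens to escape) lets the attacker discard the ".php" suffix the code appends. The following is an added example, not phpWebFTP code: it models the vulnerable path construction with the NUL truncation old PHP applied, next to a resolver that rejects NUL, restricts the name to an allowlist, and verifies the resolved path stays inside the language directory. The directory path and language-name pattern are assumptions.

```python
# Added example (not phpWebFTP code): a "language" -> file resolver done wrong and done right.
import os
import re
from pathlib import Path

LANG_DIR = "/var/www/phpwebftp/lang"  # assumption: where the language files live
LANG_NAME = re.compile(r"[A-Za-z]{2,8}(_[A-Za-z]{2,8})?")  # assumption: en, de, pt_BR, ...


def resolve_language_file_unsafe(base, language):
    """Mirrors the flaw: the parameter is concatenated into the include path unchecked."""
    return os.path.normpath(os.path.join(base, language + ".php"))


def as_c_string(path):
    """Old PHP passed the path to the C runtime, which stops at the first NUL byte."""
    return path.split("\x00", 1)[0]


def resolve_language_file_safe(base, language):
    """Return an absolute path inside base, or None if the name is not acceptable."""
    if "\x00" in language:
        return None                                   # NUL truncation trick
    if not LANG_NAME.fullmatch(language):
        return None                                   # only plain language codes
    base_dir = Path(base).resolve()
    target = (base_dir / f"{language}.php").resolve()
    if base_dir not in target.parents:
        return None                                   # path escaped the directory
    return str(target)


# Constructed attacker value: climb out of the language directory, then truncate ".php".
TRAVERSAL = "../../../../etc/passwd\x00"

if __name__ == "__main__":
    print(as_c_string(resolve_language_file_unsafe(LANG_DIR, TRAVERSAL)))  # /etc/passwd
    print(resolve_language_file_safe(LANG_DIR, TRAVERSAL))                   # None
    print(resolve_language_file_safe(LANG_DIR, "en"))                        # .../lang/en.php
```

The allowlist alone would already stop this input; the resolve-and-compare check is kept because it also catches names that pass a looser pattern yet still leave the directory, and the explicit NUL test documents why magic_quotes_gpc was only an accidental mitigation.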

CVE-2006-1812 CVE-2006-1813 https://sourceforge.net/forum/forum.php?forum_id=566199 http://secunia.com/advisories/19706/ 2006-04-18 2006-05-03
firefox -- denial of service vulnerability firefox 1.5.*,11.5.0.3,1 linux-firefox 1.5.0.3

A Mozilla Foundation Security Advisory reports a deleted object reference when designMode="on":

Martijn Wargers and Nick Mott each described crashes that were discovered to ultimately stem from the same root cause: attempting to use a deleted controller context when designMode was turned on. This generally results in crashing the browser, but in theory references to deleted objects can be abused to run malicious code.

"splices" reported the same crash at the fan site MozillaZine and on Bugtraq, incorrectly describing it as a buffer overflow.

CVE-2006-1993 http://www.mozilla.org/security/announce/2006/mfsa2006-30.html 2006-05-02 2006-05-03 2006-05-05
trac -- Wiki Macro Script Insertion Vulnerability trac ja-trac 0.9.5

Secunia reports:

A vulnerability has been reported, which can be exploited by malicious people to conduct script insertion attacks.

Input passed using the wiki macro isn't properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious user data is viewed.

http://projects.edgewall.com/trac/wiki/ChangeLog http://jvn.jp/jp/JVN%2384091359/index.html http://secunia.com/advisories/19870/ 2006-04-28 2006-05-02
clamav -- Freshclam HTTP Header Buffer Overflow Vulnerability clamav 0.800.88.2 clamav-devel 2004082620060502

Secunia reports:

A vulnerability has been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the HTTP client in the Freshclam command line utility. This can be exploited to cause a stack-based buffer overflow when the HTTP headers received from a web server exceed 8KB.

Successful exploitation requires that Freshclam is used to download virus signature updates from a malicious mirror web server e.g. via DNS poisoning.

CVE-2006-1989 http://www.clamav.net/security/0.88.2.html http://secunia.com/advisories/19880/ 2006-05-01 2006-05-03
jabberd -- SASL Negotiation Denial of Service Vulnerability jabberd 2.0.11

Secunia reports:

A vulnerability has been reported in jabberd, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the handling of SASL negotiation. This can be exploited to cause a crash by sending a "response" stanza before an "auth" stanza.

CVE-2006-1329 http://article.gmane.org/gmane.network.jabber.admin/27372 http://jabberstudio.org/projects/jabberd2/releases/view.php?id=826 http://secunia.com/advisories/19281/ 2006-03-20 2006-05-01
cacti -- ADOdb "server.php" Insecure Test Script Security Issue cacti 0.8.6h

Secunia reports:

Cacti has a security issue, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system.

The problem is caused due to the presence of the insecure "server.php" test script.

http://secunia.com/advisories/18276/ http://secunia.com/advisories/17418/ 2006-01-09 2006-04-27
amaya -- Attribute Value Buffer Overflow Vulnerabilities amaya 9.5

Secunia reports:

Amaya has two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors within the parsing of various attribute values. This can be exploited to cause stack-based buffer overflows when a user opens a specially crafted HTML document containing certain tags with overly long attribute values.

Successful exploitation allows execution of arbitrary code.

CVE-2006-1900 http://morph3us.org/advisories/20060412-amaya-94.txt http://morph3us.org/advisories/20060412-amaya-94-2.txt http://secunia.com/advisories/19670/ 2006-04-14 2006-04-27
lifetype -- ADOdb "server.php" Insecure Test Script Security Issue lifetype 1.0.3

Secunia reports:

A security issue has been discovered in LifeType, which can be exploited by malicious people to execute arbitrary SQL code and potentially compromise a vulnerable system.

The problem is caused due to the presence of the insecure "server.php" test script.

CVE-2006-0146 http://secunia.com/advisories/19699/ http://secunia.com/advisories/17418/ 2006-04-19 2006-04-27
ethereal -- Multiple Protocol Dissector Vulnerabilities ethereal ethereal-lite tethereal tethereal-lite 0.8.50.99.0

Secunia reports:

Multiple vulnerabilities have been reported in Ethereal, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

The vulnerabilities are caused due to various types of errors including boundary errors, an off-by-one error, an infinite loop error, and several unspecified errors in a multitude of protocol dissectors.

Successful exploitation causes Ethereal to stop responding, consume a large amount of system resources, crash, or execute arbitrary code.

CVE-2006-1932 CVE-2006-1933 CVE-2006-1934 CVE-2006-1935 CVE-2006-1936 CVE-2006-1937 CVE-2006-1938 CVE-2006-1939 CVE-2006-1940 http://www.ethereal.com/appnotes/enpa-sa-00023.html http://secunia.com/advisories/19769/ 2006-04-25 2006-04-27
asterisk -- denial of service vulnerability, local system access asterisk 1.2.7

Emmanouel Kellenis reports a denial of service vulnerability within asterisk. The vulnerability is caused by a buffer overflow in "format_jpeg.c". A large JPEG image could trigger this bug, potentially allowing a local attacker to execute arbitrary code.

17561 CVE-2006-1827 http://www.cipher.org.uk/index.php?p=advisories/Asterisk_Codec_Integer_Overflow_07-04-2006.advisory 2006-04-07 2006-04-25
zgv, xzgv -- heap overflow vulnerability zgv 5.9_1 xzgv 0.9

Gentoo reports:

Andrea Barisani of Gentoo Linux discovered xzgv and zgv allocate insufficient memory when rendering images with more than 3 output components, such as images using the YCCK or CMYK colour space. When xzgv or zgv attempt to render the image, data from the image overruns a heap allocated buffer.

An attacker may be able to construct a malicious image that executes arbitrary code with the permissions of the xzgv or zgv user when attempting to render the image.

17409 CVE-2006-1060 http://www.gentoo.org/security/en/glsa/glsa-200604-10.xml 2006-04-21 2006-04-23 2010-03-22
crossfire-server -- denial of service and remote code execution vulnerability crossfire-server 1.9.0

FRSIRT reports:

A vulnerability has been identified in CrossFire, which could be exploited by remote attackers to execute arbitrary commands or cause a denial of service. This flaw is due to a buffer overflow error in the "oldsocketmode" module that fails to properly handle overly large requests, which could be exploited by a malicious client to crash or compromise a vulnerable system.

16883 CVE-2006-1010 http://www.frsirt.com/english/advisories/2006/0760 2006-02-28 2006-04-23
p5-DBI -- insecure temporary file creation vulnerability p5-DBI-137 0 p5-DBI 1.37_1 1.381.48

Javier Fernández-Sanguino Peña reports:

The DBI library, the Perl5 database interface, creates a temporary PID file in an insecure manner. This can be exploited by a malicious user to overwrite arbitrary files owned by the person executing the parts of the library.

12360 CAN-2005-0077 http://www.debian.org/security/2005/dsa-658 2005-01-25 2006-04-23 2006-05-11
wordpress -- full path disclosure wordpress 1.5.2

Dedi Dwianto reports:

A remote user can access the file directly to cause the system to display an error message that indicates the installation path. The resulting error message will disclose potentially sensitive installation path information to the remote attacker.

CVE-2005-4463 http://echo.or.id/adv/adv24-theday-2005.txt 2005-12-20 2006-04-23
xine -- multiple remote string vulnerabilities xine 0.99.4_4

c0ntexb reports:

There are 2 format string bugs in the latest version of Xine that could be exploited by a malicious person to execute code on the system of a remote user running the media player against a malicious playlist file. By passing a format specifier in the path of a file that is embedded in a remote playlist, it is possible to trigger this bug.

17579 CVE-2006-1905 http://www.open-security.org/advisories/16 2006-04-18 2006-04-23
cyrus-sasl -- DIGEST-MD5 Pre-Authentication Denial of Service cyrus-sasl 2.*2.1.21

Unspecified vulnerability in the CMU Cyrus Simple Authentication and Security Layer (SASL) library has unknown impact and remote unauthenticated attack vectors, related to DIGEST-MD5 negotiation.

CVE-2006-1721 2006-04-11 2006-04-22
FreeBSD -- FPU information disclosure FreeBSD 6.06.0_7 5.45.4_14 5.35.3_29 55.3 4.114.11_17 4.104.10_23 4.10

Problem Description

On "7th generation" and "8th generation" processors manufactured by AMD, including the AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, and Sempron, the fxsave and fxrstor instructions do not save and restore the FOP, FIP, and FDP registers unless the exception summary bit (ES) in the x87 status word is set to 1, indicating that an unmasked x87 exception has occurred.

This behaviour is consistent with documentation provided by AMD, but is different from processors from other vendors, which save and restore the FOP, FIP, and FDP registers regardless of the value of the ES bit. As a result of this discrepancy remaining unnoticed until now, the FreeBSD kernel does not restore the contents of the FOP, FIP, and FDP registers between context switches.

Impact

On affected processors, a local attacker can monitor the execution path of a process which uses floating-point operations. This may allow an attacker to steal cryptographic keys or other sensitive information.

Workaround

No workaround is available, but systems which do not use AMD Athlon, Duron, Athlon MP, Athlon XP, Athlon64, Athlon64 FX, Opteron, Turion, or Sempron processors are not vulnerable.

CVE-2006-1056 SA-06:14.fpu 2006-04-19 2006-04-19 2016-08-09
plone -- "member_id" Parameter Portrait Manipulation Vulnerability plone 2.1.2_1

Secunia reports:

The vulnerability is caused due to missing security declarations in "changeMemberPortrait" and "deletePersonalPortrait". This can be exploited to manipulate or delete another user's portrait via the "member_id" parameter.

CVE-2006-1711 http://dev.plone.org/plone/ticket/5432 http://www.debian.org/security/2006/dsa-1032 http://secunia.com/advisories/19633/ 2006-04-13 2006-04-18
mozilla -- multiple vulnerabilities firefox 1.0.8,1 1.5.*,11.5.0.2,1 linux-firefox 1.5.0.2 mozilla 1.7.13,2 1.8.*,2 linux-mozilla 1.7.13 linux-mozilla-devel 0 seamonkey linux-seamonkey 1.0.1 thunderbird mozilla-thunderbird 1.5.0.2

A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.

  • MFSA 2006-29 Spoofing with translucent windows
  • MFSA 2006-28 Security check of js_ValueToFunctionObject() can be circumvented
  • MFSA 2006-26 Mail Multiple Information Disclosure
  • MFSA 2006-25 Privilege escalation through Print Preview
  • MFSA 2006-24 Privilege escalation using crypto.generateCRMFRequest
  • MFSA 2006-23 File stealing by changing input type
  • MFSA 2006-22 CSS Letter-Spacing Heap Overflow Vulnerability
  • MFSA 2006-20 Crashes with evidence of memory corruption (rv:1.8.0.2)
  • MFSA 2006-19 Cross-site scripting using .valueOf.call()
  • MFSA 2006-18 Mozilla Firefox Tag Order Vulnerability
  • MFSA 2006-17 cross-site scripting through window.controllers
  • MFSA 2006-16 Accessing XBL compilation scope via valueOf.call()
  • MFSA 2006-15 Privilege escalation using a JavaScript function's cloned parent
  • MFSA 2006-14 Privilege escalation via XBL.method.eval
  • MFSA 2006-13 Downloading executables with "Save Image As..."
  • MFSA 2006-12 Secure-site spoof (requires security warning dialog)
  • MFSA 2006-11 Crashes with evidence of memory corruption (rv:1.8)
  • MFSA 2006-10 JavaScript garbage-collection hazard audit
  • MFSA 2006-09 Cross-site JavaScript injection using event handlers
179014 252324 329500 350262 488774 736934 813230 842094 932734 935556 968814 CVE-2006-0749 CVE-2006-1045 CVE-2006-1529 CVE-2006-1530 CVE-2006-1531 CVE-2006-1723 CVE-2006-1724 CVE-2006-1725 CVE-2006-1726 CVE-2006-1727 CVE-2006-1728 CVE-2006-1729 CVE-2006-1730 CVE-2006-1731 CVE-2006-1732 CVE-2006-1733 CVE-2006-1734 CVE-2006-1735 CVE-2006-1736 CVE-2006-1737 CVE-2006-1738 CVE-2006-1739 CVE-2006-1740 CVE-2006-1741 CVE-2006-1742 CVE-2006-1790 http://www.mozilla.org/security/announce/2006/mfsa2006-09.html http://www.mozilla.org/security/announce/2006/mfsa2006-10.html http://www.mozilla.org/security/announce/2006/mfsa2006-11.html http://www.mozilla.org/security/announce/2006/mfsa2006-12.html http://www.mozilla.org/security/announce/2006/mfsa2006-13.html http://www.mozilla.org/security/announce/2006/mfsa2006-14.html http://www.mozilla.org/security/announce/2006/mfsa2006-15.html http://www.mozilla.org/security/announce/2006/mfsa2006-16.html http://www.mozilla.org/security/announce/2006/mfsa2006-17.html http://www.mozilla.org/security/announce/2006/mfsa2006-18.html http://www.mozilla.org/security/announce/2006/mfsa2006-19.html http://www.mozilla.org/security/announce/2006/mfsa2006-20.html http://www.mozilla.org/security/announce/2006/mfsa2006-22.html http://www.mozilla.org/security/announce/2006/mfsa2006-23.html http://www.mozilla.org/security/announce/2006/mfsa2006-25.html http://www.mozilla.org/security/announce/2006/mfsa2006-26.html http://www.mozilla.org/security/announce/2006/mfsa2006-28.html http://www.mozilla.org/security/announce/2006/mfsa2006-29.html http://www.zerodayinitiative.com/advisories/ZDI-06-010.html TA06-107A 2006-04-13 2006-04-16 2006-04-27
mailman -- Private Archive Script Cross-Site Scripting mailman ja-mailman mailman-with-htdig 2.1.8

Secunia reports:

A vulnerability has been reported in Mailman, which can be exploited by malicious people to conduct cross-site scripting attacks.

Unspecified input passed to the private archive script is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.

CVE-2006-1712 http://mail.python.org/pipermail/mailman-announce/2006-April/000084.html http://secunia.com/advisories/19558/ 2006-04-07 2006-04-16
f2c -- insecure temporary files f2c 20060506

Javier Fernández-Sanguino Peña reports two temporary file vulnerabilities within f2c. The vulnerabilities are caused due to weak temporary file handling. An attacker could create a symbolic link, causing a local user running f2c to overwrite the symlinked file. This could give the attacker elevated privileges.

1280 CAN-2005-0017 2005-01-27 2006-04-10 2006-08-15
mplayer -- Multiple integer overflows mplayer mplayer-esound mplayer-gtk mplayer-gtk2 mplayer-gtk-esound mplayer-gtk2-esound 0.99.7_12

Secunia reports:

The vulnerabilities are caused due to integer overflow errors in "libmpdemux/asfheader.c" within the handling of an ASF file, and in "libmpdemux/aviheader.c" when parsing the "indx" chunk in an AVI file. This can be exploited to cause heap-based buffer overflows via a malicious ASF file, or via a AVI file with specially-crafted "wLongsPerEntry" and "nEntriesInUse" values in the "indx" chunk.

CVE-2006-1502 http://www.xfocus.org/advisories/200603/11.html http://secunia.com/advisories/19418/ 2006-03-29 2006-04-07
kaffeine -- buffer overflow vulnerability kaffeine 0.4.20.8.0

The KDE team reports:

Kaffeine can produce a buffer overflow in http_peek() while creating HTTP request headers for fetching remote playlists, which under certain circumstances could be used to crash the application and/or execute arbitrary code.

17372 CVE-2006-0051 http://www.kde.org/info/security/advisory-20060404-1.txt 2006-04-04 2006-04-07
thunderbird -- javascript execution thunderbird mozilla-thunderbird 1.0.7

Renaud Lifchitz reports a vulnerability within thunderbird. The vulnerability is caused by improper checking of javascript scripts. This could lead to javascript code execution which can lead to information disclosure or a denial of service (application crash). This vulnerability is present even if javascript had been disabled in the preferences.

16770 CAN-2006-0884 2006-02-22 2006-04-07
phpmyadmin -- XSS vulnerabilities phpMyAdmin 2.8.0.3

phpMyAdmin security announcement:

It was possible to conduct an XSS attack with a direct call to some scripts under the themes directory.

http://www.phpmyadmin.net/home_page/security.php?issue=PMASA-2006-1 http://secunia.com/advisories/19556/ 2006-04-06 2006-04-06 2006-04-07
phpmyadmin -- 'set_theme' Cross-Site Scripting phpMyAdmin 2.8.0.2

Secunia reports:

A vulnerability has been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "set_theme" parameter isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

CVE-2006-1258 http://secunia.com/advisories/19277 2006-03-17 2006-04-06
clamav -- Multiple Vulnerabilities clamav 0.88.1 clamav-devel 20051104_1

Secunia reports:

Some vulnerabilities have been reported in ClamAV, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

An unspecified integer overflow error exists in the PE header parser in "libclamav/pe.c". Successful exploitation requires that the ArchiveMaxFileSize option is disabled.

Some format string errors in the logging handling in "shared/output.c" may be exploited to execute arbitrary code.

An out-of-bounds memory access error in the "cli_bitset_test()" function in "libclamav/others.c" may be exploited to cause a crash.

CVE-2006-1614 CVE-2006-1615 CVE-2006-1630 http://secunia.com/advisories/19534/ http://www.us.debian.org/security/2006/dsa-1024 2006-04-06 2006-04-06
mediawiki -- hardcoded placeholder string security bypass vulnerability mediawiki 1.5.4

The mediawiki development team reports a vulnerability within the mediawiki application. The vulnerability is caused by improper checking of inline style attributes. This could result in the execution of arbitrary javascript code in Microsoft Internet Explorer. It appears that other browsers are not affected by this vulnerability.

16032 CAN-2005-4501 http://sourceforge.net/project/shownotes.php?release_id=379951 2005-12-22 2006-04-05
netpbm -- buffer overflow in pnmtopng netpbm 10.26

Ubuntu reports:

A buffer overflow was found in the "pnmtopng" conversion program. By tricking an user (or automated system) to process a specially crafted PNM image with pnmtopng, this could be exploited to execute arbitrary code with the privileges of the user running pnmtopng.

15128 CAN-2005-2978 http://www.ubuntulinux.org/support/documentation/usn/usn-210-1 2005-10-18 2006-04-05
zoo -- stack based buffer overflow zoo 2.10.1_2

Jean-Sébastien Guay-Leroux reports a vulnerability within the zoo archiver. The vulnerability, which is present in the fullpath() function (from the misc.c file), is caused by improper checking of user supplied data. The data returned to the buffer can be up to 512 bytes, while the buffer is created to hold 256 bytes. This could result in a buffer overflow which could allow remote code execution.

16790 CVE-2006-0855 http://www.guay-leroux.com/projects/zoo-advisory.txt 2006-02-22 2006-04-05 2006-04-06
mediawiki -- cross site scripting vulnerability mediawiki 1.41.4.14 1.51.5.7

The mediawiki development team reports that there is a cross site scripting vulnerability within mediawiki. The vulnerability is caused by improper checking of encoded links which could allow the injection of html in the output generated by mediawiki. This could lead to cross site scripting attacks against mediawiki installations.

17269 CVE-2006-1498 http://mail.wikipedia.org/pipermail/mediawiki-announce/2006-March/000040.html 2006-03-27 2006-04-05
dia -- XFig Import Plugin Buffer Overflow dia dia-gnome 0.86_10.94_6,1

Secunia reports:

Some vulnerabilities have been reported in Dia, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors within the XFig import plugin. This can be exploited to cause buffer overflows and may allow arbitrary code execution when a specially-crafted FIG file is imported.

CVE-2006-1550 http://secunia.com/advisories/19469/ http://mail.gnome.org/archives/dia-list/2006-March/msg00149.html 2006-03-31 2006-04-05
openvpn -- LD_PRELOAD code execution on client through malicious or compromised server openvpn 2.02.0.6

Hendrik Weimer reports:

OpenVPN clients are a bit too generous when accepting configuration options from a server. It is possible to transmit environment variables to client-side shell scripts. There are some filters in place to prevent obvious nonsense, however they don't catch the good old LD_PRELOAD trick. All we need is to put a file onto the client under a known location (e.g. by returning a specially crafted document upon web access) and we have a remote root exploit. But since the attack may only come from authenticated servers, this threat is greatly reduced.

CVE-2006-1629 http://www.osreviews.net/reviews/security/openvpn-print http://openvpn.net/changelog.html http://sourceforge.net/mailarchive/message.php?msg_id=15298074 2006-04-03 2006-04-05 2006-04-06
samba -- Exposure of machine account credentials in winbind log files samba 3.0.21a,13.0.22,1 ja-samba 3.0.21a,13.0.22,1

Samba Security Advisory:

The machine trust account password is the secret shared between a domain controller and a specific member server. Access to the member server machine credentials allows an attacker to impersonate the server in the domain and gain access to additional information regarding domain users and groups.

The winbindd daemon writes the clear text of server's machine credentials to its log file at level 5. The winbindd log files are world readable by default and often log files are requested on open mailing lists as tools used to debug server misconfigurations.

This affects servers configured to use domain or ads security and possibly Samba domain controllers as well (if configured to use winbindd).

CVE-2006-1059 http://us1.samba.org/samba/security/CAN-2006-1059.html http://secunia.com/advisories/19455/ 2006-03-30 2006-04-05
mod_pubcookie -- cross site scripting vulnerability mod_pubcookie 3.3.0

Nathan Dors of the Pubcookie Project reports:

Non-persistent XSS vulnerabilities were found in the Pubcookie Apache module (mod_pubcookie) and ISAPI filter. These components mishandle untrusted data when printing responses to the browser. This makes them vulnerable to carefully crafted requests containing script or HTML. If an attacker can lure an unsuspecting user to visit carefully staged content, the attacker can use it to redirect the user to a vulnerable Pubcookie application server and attempt to exploit the XSS vulnerabilities.

These vulnerabilities are classified as *high* due to the nature and purpose of Pubcookie application servers for user authentication and Web Single Sign-on (SSO). An attacker who injects malicious script through the vulnerabilities might steal private Pubcookie data including a user's authentication assertion ("granting") cookies and application session cookies.

314540 2006-03-06 2006-04-05
pubcookie-login-server -- cross site scripting vulnerability pubcookie-login-server 3.3.0

Nathan Dors of the Pubcookie Project reports:

Multiple non-persistent XSS vulnerabilities were found in the Pubcookie login server's compiled binary "index.cgi" CGI program. The CGI program mishandles untrusted data when printing responses to the browser. This makes the program vulnerable to carefully crafted requests containing script or HTML. If an attacker can lure an unsuspecting user to visit carefully staged content, the attacker can use it to redirect the user to his or her local Pubcookie login page and attempt to exploit the XSS vulnerabilities.

These vulnerabilities are classified as *critical* due to the nature and purpose of the Pubcookie login server for user authentication and Web Single Sign-on (SSO). Specific threats include:

  • An attacker who injects malicious script through the vulnerabilities might steal sensitive user data including a user's authentication credentials (usernames and passwords);
  • An attacker who injects malicious script through the vulnerabilities might steal private Pubcookie data including a user's authentication assertion ("granting") cookies and SSO ("login") session cookies;
  • An attacker who injects HTML tags through the vulnerabilities might deface a site's Pubcookie login page for a single visit by a single user (i.e. a non-persistent defacement).

At the heart of these threats lies a violation of the user's trust in the Pubcookie login server.

337585 2006-03-06 2006-04-05
freeradius -- EAP-MSCHAPv2 Authentication Bypass freeradius 1.0.01.1.1

Freeradius Security Contact reports:

Insufficient input validation was being done in the EAP-MSCHAPv2 state machine. A malicious attacker could manipulate their EAP-MSCHAPv2 client state machine to potentially convince the server to bypass authentication checks. This bypassing could also result in the server crashing.

CVE-2006-1354 http://www.freeradius.org/security.html#1.1.0 http://secunia.com/advisories/19300/ 2006-03-21 2006-03-29
horde -- remote code execution vulnerability in the help viewer horde horde-php5 3.1.1

Horde 3.1.1 release announcement:

Major changes compared to Horde 3.1 are:

  • Fix for remote code execution vulnerability in the help viewer, discovered by Jan Schneider from the Horde team.
17292 CVE-2006-1491 http://lists.horde.org/archives/announce/2006/000271.html 2006-03-28 2006-03-28 2006-03-30
linux-realplayer -- buffer overrun linux-realplayer 10.0.110.0.7.785.20060201

Secunia Advisories Reports:

A boundary error when processing SWF files can be exploited to cause a buffer overflow. This may allow execution of arbitrary code on the user's system.

CVE-2006-0323 http://service.real.com/realplayer/security/03162006_player/en/ http://secunia.com/advisories/19358/ 2006-03-23 2006-03-27
linux-realplayer -- heap overflow linux-realplayer 10.0.110.0.6

iDefense Reports:

Remote exploitation of a heap-based buffer overflow in RealNetwork Inc's RealPlayer could allow the execution of arbitrary code in the context of the currently logged in user.

In order to exploit this vulnerability, an attacker would need to entice a user to follow a link to a malicious server. Once the user visits a website under the control of an attacker, it is possible in a default install of RealPlayer to force a web-browser to use RealPlayer to connect to an arbitrary server, even when it is not the default application for handling those types, by the use of embedded object tags in a webpage. This may allow automated exploitation when the page is viewed.

CVE-2005-2922 http://service.real.com/realplayer/security/03162006_player/en/ http://www.idefense.com/intelligence/vulnerabilities/display.php?id=404 http://secunia.com/advisories/19358/ 2006-03-23 2006-03-27
sendmail -- race condition vulnerability sendmail 8.138.13.6 FreeBSD 6.06.0_6 5.45.4_13 5.35.3_28 4.114.11_16 4.104.10_22

Problem Description

A race condition has been reported to exist in the handling by sendmail of asynchronous signals.

Impact

A remote attacker may be able to execute arbitrary code with the privileges of the user running sendmail, typically root.

Workaround

There is no known workaround other than disabling sendmail.

CVE-2006-0058 SA-06:13.sendmail 2006-03-22 2006-03-24 2006-06-09
OPIE -- arbitrary password change FreeBSD 6.06.0_6 5.45.4_13 5.35.3_28 4.114.11_16 4.104.10_22

Problem Description

The opiepasswd(1) program uses getlogin(2) to identify the user calling opiepasswd(1). In some circumstances getlogin(2) will return "root" even when running as an unprivileged user. This causes opiepasswd(1) to allow an unprivileged user to configure OPIE authentication for the root user.

Impact

In certain cases an attacker able to run commands as non-privileged users which have not explicitly logged in, for example CGI scripts run by a web server, is able to configure OPIE access for the root user. If the attacker is able to authenticate as root using OPIE authentication, for example if "PermitRootLogin" is set to "yes" in sshd_config or the attacker has access to a local user in the "wheel" group, the attacker can gain root privileges.

Workaround

Disable OPIE authentication in PAM:

# sed -i "" -e /opie/s/^/#/ /etc/pam.d/*

or

Remove the setuid bit from opiepasswd:

# chflags noschg /usr/bin/opiepasswd
# chmod 555 /usr/bin/opiepasswd
# chflags schg /usr/bin/opiepasswd
CVE-2006-1283 SA-06:12.opie 2006-03-22 2006-03-24 2006-06-09
ipsec -- replay attack vulnerability FreeBSD 6.06.0_6 5.45.4_13 5.35.3_28 4.114.11_16 4.104.10_22

Problem Description

IPsec provides an anti-replay service which when enabled prevents an attacker from successfully executing a replay attack. This is done through the verification of sequence numbers. A programming error in the fast_ipsec(4) implementation results in the sequence number associated with a Security Association not being updated, allowing packets to unconditionally pass sequence number verification checks.

Impact

An attacker able to intercept IPSec packets can replay them. If higher level protocols which do not provide any protection against packet replays (e.g., UDP) are used, this may have a variety of effects.

Workaround

No workaround is available.
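The anti-replay service described above works by keeping, per Security Association, the highest sequence number verified so far plus a bitmap of recently seen numbers below it; a packet is accepted only if its number is newer than the high-water mark or falls inside the window and has not been seen. The following is an added example and not FreeBSD kernel code: a sliding replay window of that shape in Python, together with a variant that reproduces the fast_ipsec(4) defect (the check runs, but the SA's state is never advanced, so a captured packet passes every time it is replayed). The 64-bit window size is an assumption.

```python
# Added example (not FreeBSD fast_ipsec code): an IPsec-style anti-replay window.
WINDOW_SIZE = 64  # assumption: bits in the replay bitmap


class ReplayWindow:
    """Per-SA receiver state: highest accepted sequence number and a bitmap below it."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.last_seq = 0   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (last_seq - i) was received

    def check(self, seq):
        """True if seq is acceptable (fresh and inside the window); no state change."""
        if seq == 0:
            return False                     # 0 is never a valid on-the-wire number
        if seq > self.last_seq:
            return True                      # newer than anything seen
        diff = self.last_seq - seq
        if diff >= self.size:
            return False                     # too old to track: treat as replay
        return not (self.bitmap >> diff) & 1

    def update(self, seq):
        """Record seq after the packet's integrity check has succeeded."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1              # jumped past the whole window
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)

    def accept(self, seq):
        """check followed by update, as a receiver does per packet."""
        if not self.check(seq):
            return False
        self.update(seq)
        return True


class BrokenReplayWindow(ReplayWindow):
    """Models the flaw: verification runs, but the SA's sequence state never advances."""

    def update(self, seq):
        pass  # the bug: last_seq and bitmap stay at their initial values


def replay_attack(window, captured):
    """Deliver captured sequence numbers once, then replay them; return both outcomes."""
    first_pass = [window.accept(s) for s in captured]
    replayed = [window.accept(s) for s in captured]
    return first_pass, replayed


if __name__ == "__main__":
    print(replay_attack(ReplayWindow(), [1, 2, 3]))        # ([True, True, True], [False, False, False])
    print(replay_attack(BrokenReplayWindow(), [1, 2, 3]))  # ([True, True, True], [True, True, True])
```

Note that check() is deliberately side-effect free: a real receiver must only call update() after the packet authenticates, otherwise an attacker could advance the window with forged packets and make legitimate traffic fall outside it.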

CVE-2006-0905 SA-06:11.ipsec 2006-03-22 2006-03-24 2006-06-09
xorg-server -- privilege escalation xorg-server 6.9.0

Daniel Stone of X.Org reports:

During the analysis of results from the Coverity code review of X.Org, we discovered a flaw in the server that allows local users to execute arbitrary code with root privileges, or cause a denial of service by overwriting files on the system, again with root privileges.

CVE-2006-0745 https://bugs.freedesktop.org/show_bug.cgi?id=6213 2006-03-20 2006-03-21
heimdal -- Multiple vulnerabilities heimdal 0.6.6

A Project heimdal Security Advisory reports:

The telnet client program in Heimdal has buffer overflows in the functions slc_add_reply() and env_opt_add(), which may lead to remote code execution.

The telnetd server program in Heimdal has buffer overflows in the function getterminaltype, which may lead to remote code execution.

The rshd server in Heimdal has a privilege escalation bug when storing forwarded credentials. The code allows a user to overwrite a file with its credential cache, and get ownership of the file.

CVE-2005-0469 CVE-2005-2040 CVE-2006-0582 CVE-2006-0677 http://www.pdc.kth.se/heimdal/advisory/2005-04-20 http://www.pdc.kth.se/heimdal/advisory/2005-06-20 http://www.pdc.kth.se/heimdal/advisory/2006-02-06 2006-02-06 2006-03-20
curl -- TFTP packet buffer overflow vulnerability curl linux-curl 7.14.17.15.3

A Project cURL Security Advisory reports:

libcurl uses the given file part of a TFTP URL in a manner that allows a malicious user to overflow a heap-based memory buffer due to the lack of boundary check.

This overflow happens if you pass in a URL with a TFTP protocol prefix ("tftp://"), using a valid host and a path part that is longer than 512 bytes.

The affected flaw can be triggered by a redirect, if curl/libcurl is told to follow redirects and an HTTP server points the client to a tftp URL with the characteristics described above.

CVE-2006-1061 http://curl.haxx.se/docs/adv_20060320.html 2006-03-20 2006-03-20 2006-10-05
drupal -- multiple vulnerabilities drupal 3.6.6

Drupal reports:

Mail header injection vulnerability.

Linefeeds and carriage returns were not being stripped from email headers, raising the possibility of bogus headers being inserted into outgoing email.

This could lead to Drupal sites being used to send unwanted email.

Session fixation vulnerability.

If someone creates a clever enough URL and convinces you to click on it, and you later log in but you do not log off then the attacker may be able to impersonate you.

XSS vulnerabilities.

Some user input sanity checking was missing. This could lead to possible cross-site scripting (XSS) attacks.

XSS can lead to user tracking and theft of accounts and services.

Security bypass in menu.module.

If you use menu.module to create a menu item, the page you point to will be accessible to all, even if it is an admin page.

http://drupal.org/node/53806 http://drupal.org/node/53805 http://drupal.org/node/53803 http://drupal.org/node/53796 2006-03-13 2006-03-17
horde -- "url" disclosure of sensitive information vulnerability horde horde-php5 3.1

Secunia advisory SA19246:

Paul Craig has discovered a vulnerability in Horde, which can be exploited by malicious people to disclose sensitive information. Input passed to the "url" parameter in "services/go.php" isn't properly verified, before it is used in a "readfile()" call. This can be exploited to disclose the content of arbitrary files via e.g. the "php://" protocol wrapper.

The vulnerability has been confirmed in version 3.0.9 and has also been reported in prior versions.

Provided and/or discovered by: Paul Craig, Security-Assessment.com.

http://secunia.com/advisories/19246/ 2006-03-15 2006-03-15
linux-flashplugin -- arbitrary code execution vulnerability linux-flashplugin 7.0r63

Adobe reports:

Critical vulnerabilities have been identified in Flash Player that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these vulnerabilities.

Flash Player 8 update (8.0.24.0), and Flash Player 7 update (7.0.63.0) address security vulnerabilities in previous versions of Flash Player, which could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user's web browser, email client, or other applications that include or reference the Flash Player.

CVE-2006-0024 http://www.macromedia.com/devnet/security/security_zone/apsb06-03.html 2006-03-14 2006-03-15
nfs -- remote denial of service FreeBSD 6.06.0_5 5.45.4_12 5.35.3_27 4.114.11_15 4.104.10_21

Problem description:

A part of the NFS server code charged with handling incoming RPC messages via TCP had an error which, when the server received a message with a zero-length payload, would cause a NULL pointer dereference which results in a kernel panic. The kernel will only process the RPC messages if a userland nfsd daemon is running.

Impact:

The NULL pointer dereference allows a remote attacker capable of sending RPC messages to an affected FreeBSD system to crash the FreeBSD system.

Workaround:

  1. Disable the NFS server: set the nfs_server_enable variable to "NO" in /etc/rc.conf, and reboot.

    Alternatively, if there are no active NFS clients (as listed by the showmount(8) utility), simply killing the mountd and nfsd processes should suffice.

  2. Add firewall rules to block RPC traffic to the NFS server from untrusted hosts.

CVE-2006-0900 SA-06:10.nfs 2006-03-01 2006-03-12 2016-08-09
openssh -- remote denial of service FreeBSD 5.45.4_12 5.35.3_27

Problem description:

Because OpenSSH and OpenPAM have conflicting designs (one is event-driven while the other is callback-driven), it is necessary for OpenSSH to fork a child process to handle calls to the PAM framework. However, if the unprivileged child terminates while PAM authentication is under way, the parent process incorrectly believes that the PAM child also terminated. The parent process then terminates, and the PAM child is left behind.

Due to the way OpenSSH performs internal accounting, these orphaned PAM children are counted as pending connections by the master OpenSSH server process. Once a certain number of orphans has accumulated, the master decides that it is overloaded and stops accepting client connections.

Impact:

By repeatedly connecting to a vulnerable server, waiting for a password prompt, and closing the connection, an attacker can cause OpenSSH to stop accepting client connections until the system restarts or an administrator manually kills the orphaned PAM processes.

Workaround:

The following command will show a list of orphaned PAM processes:

# pgrep -lf 'sshd.*\[pam\]'

The following command will kill orphaned PAM processes:

# pkill -f 'sshd.*\[pam\]'

To prevent OpenSSH from leaving orphaned PAM processes behind, perform one of the following:

  1. Disable PAM authentication in OpenSSH. Users will still be able to log in using their Unix password, OPIE or SSH keys.

    To do this, execute the following commands as root:

    # echo 'UsePAM no' >>/etc/ssh/sshd_config
    # echo 'PasswordAuthentication yes' >>/etc/ssh/sshd_config
    # /etc/rc.d/sshd restart

  2. If disabling PAM is not an option - if, for instance, you use RADIUS authentication, or store user passwords in an SQL database - you may instead disable privilege separation. However, this may leave OpenSSH vulnerable to hitherto unknown bugs, and should be considered a last resort.

    To do this, execute the following commands as root:

    # echo 'UsePrivilegeSeparation no' >>/etc/ssh/sshd_config
    # /etc/rc.d/sshd restart

CVE-2006-0883 SA-06:09.openssh 2006-03-01 2006-03-12 2016-08-09
gnupg -- does not detect injection of unsigned data gnupg 1.4.2.2

Werner Koch reports:

In the aftermath of the false positive signature verification bug (announced 2006-02-15) more thorough testing of the fix has been done and another vulnerability has been detected. This new problem affects the use of *gpg* for verification of signatures which are _not_ detached signatures. The problem also affects verification of signatures embedded in encrypted messages; i.e. standard use of gpg for mails.

CVE-2006-0049 http://lists.gnupg.org/pipermail/gnupg-announce/2006q1/000216.html 2006-03-09 2006-03-10 2006-03-11
mplayer -- heap overflow in the ASF demuxer mplayer mplayer-gtk mplayer-esound mplayer-gtk-esound 0.99.7_11

The Mplayer team reports:

A potential buffer overflow was found in the ASF demuxer. Arbitrary remote code execution is possible (under the user ID running the player) when streaming an ASF file from a malicious server or local code execution (under the user ID running the player) if a malicious ASF file is played locally.

CVE-2006-0579 http://www.mplayerhq.hu/design7/news.html#vuln13 http://secunia.com/advisories/18718 http://bugs.gentoo.org/show_bug.cgi?id=122029 2006-02-15 2006-03-09
SSH.COM SFTP server -- format string vulnerability ssh2 ssh2-nox11 3.2.9.1_5

SSH Communications Security Corp reports a format string vulnerability in their SFTP server. This vulnerability could allow a user with SCP/SFTP-only access to execute other commands as well. It could also allow user A to create a special file that, when accessed by user B, allows user A to execute commands as user B.

CVE-2006-0705 16640 http://www.ssh.com/company/newsroom/article/715/ http://www.frsirt.com/english/advisories/2006/0554 http://securitytracker.com/id?1015619 http://secunia.com/advisories/18828 http://xforce.iss.net/xforce/xfdb/24651 2006-02-13 2006-03-04 2006-03-06
gtar -- invalid headers buffer overflow gtar 1.15.1_2

GNU tar is vulnerable to a buffer overflow, caused by improper bounds checking of the PAX extended headers. By tricking a user into processing a specially crafted tar archive, this could be exploited to execute arbitrary code with the privileges of the user.

16764 CVE-2006-0300 2006-02-22 2006-03-03
bugzilla -- multiple vulnerabilities bugzilla ja-bugzilla 2.17.12.20.1

Some vulnerabilities have been reported in Bugzilla, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose sensitive information and conduct script insertion attacks.

CVE-2006-2420 CVE-2006-0916 CVE-2006-0915 CVE-2006-0914 CVE-2006-0913 http://www.bugzilla.org/security/2.18.4/ 2006-02-20 2006-02-27 2006-11-11
squirrelmail -- multiple vulnerabilities squirrelmail 1.4.6

Multiple vulnerabilities have been discovered since 1.4.5, including IMAP injection as well as some XSS issues.

CVE-2006-0377 CVE-2006-0195 CVE-2006-0188 2006-02-23 2006-02-24
gedit -- format string vulnerability gedit 2.10.3

Yan Feng reports a format string vulnerability in gedit. This vulnerability could cause a denial of service with a binary file that contains format string characters within the filename. It has been reported that web browsers and email clients can be configured to provide a filename as an argument to gedit.

CAN-2005-1686 http://marc.theaimsgroup.com/?l=bugtraq&m=111661117701398 2005-05-20 2006-02-20
WebCalendar -- unauthorized access vulnerability WebCalendar 1.0.0

SecurityFocus reports that WebCalendar is affected by an unauthorized access vulnerability. The vulnerability is caused by improper checking of the authentication mechanism before access is permitted to the "assistant_edit.php" file.

14072 CAN-2005-2320 2005-06-27 2006-02-20
abiword, koffice -- stack based buffer overflow vulnerabilities koffice 1.2.01.4.1_1,1 abiword 2.2.11

Chris Evans reports that AbiWord is vulnerable to multiple stack-based buffer overflow vulnerabilities. This is caused by improper checking of user-supplied data before it is copied into a buffer that is too small. The vulnerability is triggered when importing RTF files.

15096 CAN-2005-2972 http://scary.beasts.org/security/CESA-2005-006.txt http://www.abisource.com/changelogs/2.2.11.phtml http://www.kde.org/info/security/advisory-20051011-1.txt 2005-10-14 2006-02-20 2006-02-20
postgresql81-server -- SET ROLE privilege escalation postgresql-server 8.1.08.1.3

The PostgreSQL team reports:

Due to inadequate validity checking, a user could exploit the special case that SET ROLE normally uses to restore the previous role setting after an error. This allowed ordinary users to acquire superuser status, for example.

CVE-2006-0553 http://www.postgresql.org/docs/8.1/static/release.html#RELEASE-8-1-3 2006-02-14 2006-02-18 2006-08-13
gnupg -- false positive signature verification gnupg 1.4.2.1

Werner Koch reports:

The Gentoo project identified a security related bug in GnuPG. When using any current version of GnuPG for unattended signature verification (e.g. by scripts and mail programs), false positive signature verification of detached signatures may occur.

This problem affects the tool *gpgv*, as well as using "gpg --verify" to imitate gpgv, if only the exit code of the process is used to decide whether a detached signature is valid. This is a plausible mode of operation for gpgv.

If, as suggested, the --status-fd generated output is used to decide whether a signature is valid, no problem exists. In particular applications making use of the GPGME library are not affected.

CVE-2006-0455 http://marc.theaimsgroup.com/?l=gnupg-devel&m=113999098729114 2006-02-15 2006-02-17
rssh -- privilege escalation vulnerability rssh 2.3.0

Pizzashack reports:

Max Vozeler has reported a problem whereby rssh can allow users who have shell access to systems where rssh is installed (and rssh_chroot_helper is installed SUID) to gain root access to the system, due to the ability to chroot to arbitrary locations. There are a lot of potentially mitigating factors, but to be safe you should upgrade immediately.

16050 CVE-2005-3345 http://www.pizzashack.org/rssh/security.shtml 2005-12-18 2006-02-16
tor -- malicious tor server can locate a hidden service tor 0.1.0.12

Roger Dingledine reports:

If you offer a Tor hidden service, an adversary who can run a fast Tor server and who knows some basic statistics can find the location of your hidden service in a matter of minutes to hours.

CVE-2006-0414 http://archives.seul.org/or/announce/Jan-2006/msg00001.html 2006-01-12 2006-02-16
sudo -- arbitrary command execution sudo 1.6.8.10

Tavis Ormandy reports:

The bash shell uses the value of the PS4 environment variable (after expansion) as a prefix for commands run in execution trace mode. Execution trace mode (xtrace) is normally set via bash's -x command line option or interactively by running "set -o xtrace". However, it may also be enabled by placing the string "xtrace" in the SHELLOPTS environment variable before bash is started.

A malicious user with sudo access to a shell script that uses bash can use this feature to run arbitrary commands for each line of the script.

15191 CVE-2005-2959 http://www.courtesan.com/sudo/alerts/bash_env.html 2005-10-25 2006-02-16
libtomcrypt -- weak signature scheme with ECC keys libtomcrypt 1.02

The Secure Science Corporation reports that libtomcrypt is vulnerable to a weak signature scheme. This allows an attacker to create a valid random signature and use that to sign arbitrary messages without requiring the private key.

http://marc.theaimsgroup.com/?l=bugtraq&m=111540819703204 2005-05-01 2006-02-16
mantis -- "view_filters_page.php" cross site scripting vulnerability mantis 1.0.0a4

r0t reports:

Mantis contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to "target_field" parameter in "view_filters_page.php" is not properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

CAN-2005-4238 http://pridels.blogspot.com/2005/12/mantis-bugtracking-system-xss-vuln.html 2005-12-13 2006-02-16
phpbb -- multiple vulnerabilities phpbb zh-phpbb-tw 2.0.18

Multiple vulnerabilities have been reported within phpbb. phpbb is proven vulnerable to:

15170 15243 CVE-2005-3310 CVE-2005-3415 CVE-2005-3416 CVE-2005-3417 CVE-2005-3418 CVE-2005-3419 CVE-2005-3420 CVE-2005-3536 CVE-2005-3537 http://marc.theaimsgroup.com/?l=bugtraq&m=113017003617987 http://www.hardened-php.net/advisory_172005.75.html 2005-10-24 2006-02-16
postgresql -- character conversion and tsearch2 vulnerabilities postgresql 7.2.07.2.8 7.3.07.3.10 7.4.07.4.8 8.0.08.0.3

The postgresql development team reports:

The more severe of the two errors is that the functions that support client-to-server character set conversion can be called from SQL commands by unprivileged users, but these functions are not designed to be safe against malicious choices of argument values. This problem exists in PostgreSQL 7.3.* through 8.0.*. The recommended fix is to disable public EXECUTE access for these functions. This does not affect normal usage of the functions for character set conversion, but it will prevent misuse.

The other error is that the contrib/tsearch2 module misdeclares several functions as returning type "internal" when they do not have any "internal" argument. This breaks the type safety of "internal" by allowing users to construct SQL commands that invoke other functions accepting "internal" arguments. The consequences of this have not been investigated in detail, but it is certainly at least possible to crash the backend.

CAN-2005-1409 CAN-2005-1410 http://www.postgresql.org/about/news.315 2005-05-02 2006-02-16
heartbeat -- insecure temporary file creation vulnerability heartbeat 1.2.4

Eric Romang reports a temporary file creation vulnerability within heartbeat. The vulnerability is caused by the use of hardcoded temporary file names. This allows an attacker to create an arbitrary symlink, causing the application to overwrite the symlinked file with the permissions of the user executing the application.

CAN-2005-2231 http://www.zataz.net/adviso/heartbeat-06272005.txt 2005-07-12 2006-02-16 2006-04-16
kpdf -- heap based buffer overflow kdegraphics 3.5.1_1

The KDE team reports:

kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a heap based buffer overflow in the splash rasterizer engine that can crash kpdf or even execute arbitrary code.

CVE-2006-0301 http://www.kde.org/info/security/advisory-20060202-1.txt 2006-02-02 2006-02-15
perl, webmin, usermin -- perl format string integer wrap vulnerability perl 5.6.05.6.2 5.8.05.8.7_1 webmin 1.250 usermin 1.180

The Perl Development page reports:

Dyad Security recently released a security advisory explaining how in certain cases, a carefully crafted format string passed to sprintf can cause a buffer overflow. This buffer overflow can then be used by an attacker to execute code on the machine. This was discovered in the context of a design problem with the Webmin administration package that allowed a malicious user to pass unchecked data into sprintf.

15629 CVE-2005-3912 CVE-2005-3962 http://dev.perl.org/perl5/news/2005/perl_patches_fix_sprintf_buffer.html http://www.dyadsecurity.com/perl-0002.html http://www.dyadsecurity.com/webmin-0001.html http://www.webmin.com/security.html 2005-09-23 2006-02-15
phpicalendar -- cross site scripting vulnerability phpicalendar 2.1

Francesco Ongaro reports that phpicalendar is vulnerable to a cross site scripting attack. The vulnerability is caused by improper validation in the index.php file, allowing attackers to include an arbitrary file with the .php extension.

15193 CVE-2005-3366 http://www.ush.it/2005/10/25/php-icalendar-css/ 2005-10-25 2006-02-15
phpicalendar -- file disclosure vulnerability phpicalendar 2.21

The phpicalendar team reports that there is an unspecified vulnerability within phpicalendar. This seems to be a file disclosure vulnerability caused by improper checking of the template parsing function. This would allow an attacker to disclose any file readable by the user under which the webserver runs.

http://phpicalendar.net/forums/viewtopic.php?t=396 2006-02-08 2006-02-15
FreeBSD -- Infinite loop in SACK handling FreeBSD 5.45.4_11 5.35.3_26

Problem description:

When insufficient memory is available to handle an incoming selective acknowledgement, the TCP/IP stack may enter an infinite loop.

Impact:

By opening a TCP connection and sending a carefully crafted series of packets, an attacker may be able to cause a denial of service.

Workaround:

On FreeBSD 5.4, the net.inet.tcp.sack.enable sysctl can be used to disable the use of SACK:

# sysctl net.inet.tcp.sack.enable=0

No workaround is available for FreeBSD 5.3.

CVE-2006-0433 SA-06:08.sack 2006-02-01 2006-02-14 2016-08-09
pf -- IP fragment handling panic FreeBSD 6.06.0_4 5.45.4_10 5.35.3_25

Problem description:

A logic bug in pf's IP fragment cache may result in a packet fragment being inserted twice, violating a kernel invariant.

Impact:

By sending a carefully crafted sequence of IP packet fragments, a remote attacker can cause a system running pf with a ruleset containing a 'scrub fragment crop' or 'scrub fragment drop-ovl' rule to crash.

Workaround:

Do not use 'scrub fragment crop' or 'scrub fragment drop-ovl' rules on systems running pf. In most cases, such rules can be replaced by 'scrub fragment reassemble' rules; see the pf.conf(5) manual page for more details.

Systems which do not use pf, or use pf but do not use the aforementioned rules, are not affected by this issue.

CVE-2006-0381 SA-06:07.pf 2006-01-25 2006-02-14 2016-08-09
FreeBSD -- Local kernel memory disclosure FreeBSD 6.06.0_4

Problem description:

A buffer allocated from the kernel stack may not be completely initialized before being copied to userland. [CVE-2006-0379]

A logic error in computing a buffer length may allow too much data to be copied into userland. [CVE-2006-0380]

Impact:

Portions of kernel memory may be disclosed to local users. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way. For example, a terminal buffer might include a user-entered password.

Workaround:

No workaround is available.

CVE-2006-0379 CVE-2006-0380 SA-06:06.kmem 2006-01-25 2006-02-14 2016-08-09
IEEE 802.11 -- buffer overflow FreeBSD 6.06.0_3

Problem description:

An integer overflow in the handling of corrupt IEEE 802.11 beacon or probe response frames when scanning for existing wireless networks can result in the frame overflowing a buffer.

Impact:

An attacker able to broadcast a carefully crafted beacon or probe response frame may be able to execute arbitrary code within the context of the FreeBSD kernel on any system scanning for wireless networks.

Workaround:

No workaround is available, but systems without IEEE 802.11 hardware or drivers loaded are not vulnerable.

CVE-2006-0226 SA-06:05.80211 2006-01-18 2006-02-14 2016-08-09
ipfw -- IP fragment denial of service FreeBSD 6.06.0_2

Problem description:

The firewall maintains a pointer to layer 4 header information in the event that it needs to send a TCP reset or ICMP error message to discard packets. Due to incorrect handling of IP fragments, this pointer fails to get initialized.

Impact:

An attacker can cause the firewall to crash by sending ICMP IP fragments to or through firewalls which match any reset, reject or unreach actions.

Workaround:

Change any reset, reject or unreach actions to deny. It should be noted that this will result in packets being silently discarded.

CVE-2006-0054 SA-06:04.ipfw 2006-01-11 2006-02-14 2016-08-09
kpopup -- local root exploit and local denial of service kpopup 0.9.10.9.5

Mitre CVE reports:

Format string vulnerability in main.cpp in kpopup 0.9.1-0.9.5pre2 allows local users to cause a denial of service (segmentation fault) and possibly execute arbitrary code via format string specifiers in command line arguments.

misc.cpp in KPopup 0.9.1 trusts the PATH variable when executing killall, which allows local users to elevate their privileges by modifying the PATH variable to reference a malicious killall program.

SecurityFocus credits "b0f" b0fnet@yahoo.com

CVE-2003-1170 8918 CVE-2003-1167 8915 http://www.securityfocus.com/archive/1/342736 http://www.henschelsoft.de/kpopup_en.html 2003-10-28 2006-02-07
cpio -- multiple vulnerabilities FreeBSD 6.06.0_2 5.45.4_9 5.35.3_24 4.114.11_14 4.104.10_20

Problem description:

A number of issues have been discovered in cpio:

When creating a new file, cpio closes the file before setting its permissions. (CVE-2005-1111)

When extracting files cpio does not properly sanitize file names to filter out ".." components, even if the --no-absolute-filenames option is used. (CVE-2005-1229)

When adding large files (larger than 4 GB) to a cpio archive on 64-bit platforms an internal buffer might overflow. (CVE-2005-4268)

Impact

The first problem can allow a local attacker to change the permissions of files owned by the user executing cpio providing that they have write access to the directory in which the file is being extracted. (CVE-2005-1111)

The lack of proper file name sanitation can allow an attacker to overwrite arbitrary local files when extracting files from a cpio archive. (CVE-2005-1229)

The buffer-overflow on 64-bit platforms could lead cpio to a Denial-of-Service situation (crash) or possibly execute arbitrary code with the permissions of the user running cpio. (CVE-2005-4268)

Workaround

Use a different utility to create and extract cpio archives, for example pax(1) or (on FreeBSD 5.3 or later) tar(1). If this is not possible, do not extract untrusted archives and when running on 64-bit platforms do not add untrusted files to cpio archives.

CVE-2005-1111 CVE-2005-1229 CVE-2005-4268 SA-06:03.cpio 2006-01-11 2006-01-27
ee -- temporary file privilege escalation FreeBSD 6.06.0_2 5.45.4_9 5.35.3_24 4.114.11_14 4.104.10_20

Problem description

The ispell_op function used by ee(1) while executing spell check operations employs an insecure method of temporary file generation. This method produces predictable file names based on the process ID and fails to confirm with the user which path will be overwritten.
It should be noted that ispell does not have to be installed in order for this to be exploited. The option simply needs to be selected.

Impact

These predictable temporary file names are problematic because they allow an attacker to take advantage of a race condition in order to execute a symlink attack, which could allow them to overwrite files on the system in the context of the user running the ee(1) editor.

Workaround

Instead of invoking ispell through ee(1), invoke it directly.

16207 CVE-2006-0055 SA-06:02.ee 2006-01-11 2006-01-27
texindex -- temporary file privilege escalation FreeBSD 6.06.0_2 5.45.4_9 5.35.3_24 4.114.11_14 4.104.10_20

Problem description

The "sort_offline" function used by texindex(1) employs the "maketempname" function, which produces predictable file names and fails to validate that the paths do not exist.

Impact

These predictable temporary file names are problematic because they allow an attacker to take advantage of a race condition in order to execute a symlink attack, which could enable them to overwrite files on the system in the context of the user running the texindex(1) utility.

Workaround

No workaround is available, but the problematic code is only executed if the input file being processed is 500kB or more in length; as a result, users working with documents of less than several hundred pages are very unlikely to be affected.

14854 CAN-2005-3011 SA-06:01.texindex 2006-01-11 2006-01-27
cvsbug -- race condition FreeBSD 5.45.4_7 5.35.3_22 4.114.11_12 4.104.10_18 cvs+ipv6 1.11.17_1

Problem description

A temporary file is created, used, deleted, and then re-created with the same name. This creates a window during which an attacker could replace the file with a link to another file. While cvsbug(1) is based on the send-pr(1) utility, this problem does not exist in the version of send-pr(1) distributed with FreeBSD.
In FreeBSD 4.10 and 5.3, some additional problems exist concerning temporary file usage in both cvsbug(1) and send-pr(1).

Impact

A local attacker could cause data to be written to any file to which the user running cvsbug(1) (or send-pr(1) in FreeBSD 4.10 and 5.3) has write access. This may cause damage in itself (e.g., by destroying important system files or documents) or may be used to obtain elevated privileges.

Workaround

Do not use the cvsbug(1) utility on any system with untrusted users.
Do not use the send-pr(1) utility on a FreeBSD 4.10 or 5.3 system with untrusted users.

CAN-2005-2693 SA-05:20.cvsbug 2005-09-07 2006-01-27 2006-11-08
sge -- local root exploit in bundled rsh executable sge sgeee 5.3.6.20040330_1 6.*6.0.7.1

Sun Microsystems reports:

The SGE 6.0u7_1 release fixes a security bug which can allow malicious users to gain root access.

http://gridengine.sunsource.net/project/gridengine/news/SGE60u7_1-announce.html 2005-12-23 2006-01-23
fetchmail -- crash when bouncing a message fetchmail 6.3.06.3.2

Matthias Andree reports:

Fetchmail contains a bug that causes itself to crash when bouncing a message to the originator or to the local postmaster. The crash happens after the bounce message has been sent, when fetchmail tries to free the dynamic array of failed addresses, and calls the free() function with an invalid pointer.

CVE-2006-0321 http://www.fetchmail.info/fetchmail-SA-2006-01.txt http://bugs.debian.org/348747 2006-01-22 2006-01-23
clamav -- possible heap overflow in the UPX code clamav 0.88 clamav-devel 20060110

The Zero Day Initiative reports:

This vulnerability allows remote attackers to execute arbitrary code on vulnerable Clam AntiVirus installations. Authentication is not required to exploit this vulnerability.

This specific flaw exists within libclamav/upx.c during the unpacking of executable files compressed with UPX. Due to an invalid size calculation during a data copy from the user-controlled file to heap allocated memory, an exploitable memory corruption condition is created.

16191 CVE-2006-0162 http://lurker.clamav.net/message/20060109.213247.a16ae8db.en.html http://www.zerodayinitiative.com/advisories/ZDI-06-001.html http://secunia.com/advisories/18379/ 2006-01-09 2006-01-10 2006-01-15
milter-bogom -- headerless message crash milter-bogom 1.8.2

Juan J. Martínez reports:

The milter crashes while processing a headerless message.

Impact: bogom crashes and sendmail moves it to error state

http://www.usebox.net/jjm/bogom/errata/bogom-errata-2006-1.txt http://alf.dyndns.ws/pipermail/milter/2006-January/000076.html 2006-01-05 2006-01-09
bogofilter -- heap corruption through excessively long words bogofilter 0.96.20.96.3

Matthias Andree reports:

Bogofilter's/bogolexer's input handling in version 0.96.2 was not keeping track of its output buffers properly and could overrun a heap buffer if the input contained words whose length exceeded 16,384 bytes, the size of flex's input buffer. A "word" here refers to a contiguous run of input octets that was not '_' and did not match at least one of ispunct(), iscntrl() or isspace().

CVE-2005-4592 http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-02 2005-10-23 2006-01-07
bogofilter -- heap corruption through malformed input bogofilter 0.93.50.96.3

Matthias Andree reports:

When using Unicode databases (default in more recent bogofilter installations), upon encountering invalid input sequences, bogofilter or bogolexer could overrun a malloc()'d buffer, corrupting the heap, while converting character sets. Bogofilter would usually be processing untrusted data received from the network at that time.

This problem was aggravated by an unrelated bug that made bogofilter process binary attachments as though they were text, and attempt charset conversion on them. Given the MIME default character set, US-ASCII, all input octets in the range 0x80...0xff were considered invalid input sequences and could trigger the heap corruption.

CVE-2005-4591 http://bogofilter.sourceforge.net/security/bogofilter-SA-2005-01 2005-10-22 2006-01-07
rxvt-unicode -- restore permissions on tty devices rxvt-unicode 6.3

A rxvt-unicode changelog reports:

SECURITY FIX: on systems using openpty, permissions were not correctly updated on the tty device and were left as world-readable and world-writable (likely in original rxvt, too), and were not restored properly. Affected are only systems where non-unix ptys were used (such as most BSDs). Found, patched and debugged by Ryan Beasley.

http://dist.schmorp.de/rxvt-unicode/Changes 2005-12-31 2006-01-04
apache -- mod_imap cross-site scripting flaw apache 1.31.3.34_3 2.0.352.0.55_2 2.12.1.9_3 2.22.2.0_3 apache+mod_perl 1.3.34_1 apache_fp 0 apache+ipv6 1.3.37 ru-apache 1.3.34+30.22_1 ru-apache+mod_ssl 1.3.34+30.22+2.8.25_1 apache+ssl 1.3.01.3.33.1.55_2 apache+mod_ssl apache+mod_ssl+ipv6 apache+mod_ssl+mod_accel apache+mod_ssl+mod_accel+ipv6 apache+mod_ssl+mod_accel+mod_deflate apache+mod_ssl+mod_accel+mod_deflate+ipv6 apache+mod_ssl+mod_deflate apache+mod_ssl+mod_deflate+ipv6 apache+mod_ssl+mod_snmp apache+mod_ssl+mod_snmp+mod_accel apache+mod_ssl+mod_snmp+mod_accel+ipv6 apache+mod_ssl+mod_snmp+mod_deflate apache+mod_ssl+mod_snmp+mod_deflate+ipv6 apache+mod_ssl+mod_snmp+mod_accel+mod_deflate+ipv6 1.3.34+2.8.25_1

The Apache HTTP Server Project reports:

A flaw in mod_imap when using the Referer directive with image maps. In certain site configurations a remote attacker could perform a cross-site scripting attack if a victim can be forced to visit a malicious URL using certain web browsers.

CVE-2005-3352 15834 http://www.apacheweek.com/features/security-13 http://www.apacheweek.com/features/security-20 2005-11-01 2006-01-01 2009-01-23