The ProFTPD Project team reports:
The security issue is caused due to the distribution of compromised ProFTPD 1.3.3c source code packages via the project's main FTP server and all of the mirror servers, which contain a backdoor allowing remote root access.
phpMyAdmin team reports:
It was possible to conduct a XSS attack using spoofed request on the db search script.
ISC reports:
If the server receives a DHCPv6 packet containing one or more Relay-Forward messages, and none of them supply an address in the Relay-Forward link-address field, then the server will crash. This can be used as a single packet crash attack vector.
The OpenTTD Team reports:
When a client disconnects, without sending the "quit" or "client error" message, the server has a chance of reading and writing a just freed piece of memory. The writing can only happen while the server is sending the map. Depending on what happens directly after freeing the memory there is a chance of segmentation fault, and thus a denial of service.
The Horde team reports:
The major changes compared to Horde version 3.3.10 are:
* Fixed XSS vulnerability when viewing details of a vCard.
Tippingpoint reports:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of ProFTPD. Authentication is not required to exploit this vulnerability.
The flaw exists within the proftpd server component which listens by default on TCP port 21. When reading user input if a TELNET_IAC escape sequence is encountered the process miscalculates a buffer length counter value allowing a user controlled copy of data to a stack buffer. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the proftpd process.
OpenSSL Team reports:
Rob Hulswit has found a flaw in the OpenSSL TLS server extension code parsing which on affected servers can be exploited in a buffer overrun attack.
Any OpenSSL based TLS server is vulnerable if it is multi-threaded and uses OpenSSL's internal caching mechanism. Servers that are multi-process and/or disable internal session caching are NOT affected.
In particular the Apache HTTP server (which never uses OpenSSL internal caching) and Stunnel (which includes its own workaround) are NOT affected.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux, and Solaris, and Adobe Flash Player 10.1.95.1 for Android. These vulnerabilities, including CVE-2010-3654 referenced in Security Advisory APSA10-05, could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Secunia reports:
A vulnerability has been discovered in Wireshark, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an infinite recursion error in the "dissect_unknown_ber()" function in epan/dissectors/packet-ber.c and can be exploited to cause a stack overflow e.g. via a specially crafted SNMP packet.
The vulnerability is confirmed in version 1.4.0 and reported in version 1.2.11 and prior and version 1.4.0 and prior.
Secunia reports:
Two vulnerabilities have been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.
Certain input passed via the list descriptions is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
Successful exploitation requires "list owner" permissions.
OTRS Security Advisory reports:
- Multiple Cross Site Scripting issues: Missing HTML quoting allows authenticated agents or customers to inject HTML tags. This vulnerability allows an attacker to inject script code into the OTRS web-interface which will be loaded and executed in the browsers of system users.
- Possible Denial of Service Attack: Perl's regular expressions consume 100% CPU time on the server if an agent or customer views an affected article. To exploit this vulnerability the malicious user needs to send extremely large HTML emails to your system address.
AgentTicketZoom is vulnerable to XSS attacks from HTML e-mails:
Whenever a customer sends an HTML e-mail and RichText is enabled in OTRS, javascript contained in the email can do everything in the OTRS agent interface that the agent himself could do.
Most relevant is that this type of exploit can be used in such a way that the agent won't even detect he is being exploited.
The Mozilla Project reports:
MFSA 2010-73 Heap buffer overflow mixing document.write and DOM insertion
The Opera Desktop Team reports:
- Fixed an issue that allowed cross-domain checks to be bypassed, allowing limited data theft using CSS, as reported by Isaac Dawson.
- Fixed an issue where manipulating the window could be used to spoof the page address.
- Fixed an issue with reloads and redirects that could allow spoofing and cross-site scripting.
- Fixed an issue that allowed private video streams to be intercepted, as reported by Nirankush Panchbhai of Microsoft Vulnerability Research.
- Fixed an issue that caused JavaScript to run in the wrong security context after manual interaction.
Secunia reports:
A vulnerability has been reported in bzip2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
The vulnerability is caused due to an integer overflow in the "BZ2_decompress()" function in decompress.c and can be exploited to cause a crash or potentially execute arbitrary code.
When decompressing data, the run-length encoded values are not adequately sanity-checked, allowing for an integer overflow.
The read-only flag is not correctly copied when a mbuf buffer reference is duplicated. When the sendfile(2) system call is used to transmit data over the loopback interface, this can result in the backing pages for the transmitted file being modified, causing data corruption.
The NFS client subsystem fails to correctly validate the length of a parameter provided by the user when a filesystem is mounted.
A programming error in the OPIE library could allow an off-by-one buffer overflow to write a single zero byte beyond the end of an on-stack buffer.
The jail(8) utility does not change the current working directory while imprisoning. The current working directory can be accessed by its descendants.
When replaying setattr transaction, the replay code would set the attributes with certain insecure defaults, when the logged transaction did not touch these attributes.
If ntpd receives a mode 7 (MODE_PRIVATE) request or error response from a source address not listed in either a 'restrict ... noquery' or a 'restrict ... ignore' section it will log the even and send a mode 7 error response.
If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag.
When downloading updates to FreeBSD via 'freebsd-update fetch' or 'freebsd-update upgrade', the freebsd-update(8) utility copies currently installed files into its working directory (/var/db/freebsd-update by default) both for the purpose of merging changes to configuration files and in order to be able to roll back installed updates.
The default working directory used by freebsd-update(8) is normally created during the installation of FreeBSD with permissions which allow all local users to see its contents, and freebsd-update(8) does not take any steps to restrict access to files stored in said directory.
When running setuid programs rtld will normally remove potentially dangerous environment variables. Due to recent changes in FreeBSD environment variable handling code, a corrupt environment may result in attempts to unset environment variables failing.
The SSL version 3 and TLS protocols support session renegotiation without cryptographically tying the new session parameters to the old parameters.
The monotone developers report:
Running "mtn ''" or "mtn ls ''" doesn't cause an internal error anymore. In monotone 0.48 and earlier this behavior could be used to crash a server remotely (but only if it was configured to allow execution of remote commands).
The Mozilla Project reports:
MFSA 2010-64 Miscellaneous memory safety hazards (rv:1.9.2.11/ 1.9.1.14)
MFSA 2010-65 Buffer overflow and memory corruption using document.write
MFSA 2010-66 Use-after-free error in nsBarProp
MFSA 2010-67 Dangling pointer vulnerability in LookupGetterOrSetter
MFSA 2010-68 XSS in gopher parser when parsing hrefs
MFSA 2010-69 Cross-site information disclosure via modal calls
MFSA 2010-70 SSL wildcard certificate matching IP addresses
MFSA 2010-71 Unsafe library loading vulnerabilities
MFSA 2010-72 Insecure Diffie-Hellman key exchange
Gustavo Noronha Silva reports:
The patches to fix the following CVEs are included with help from Vincent Danen and other members of the Red Hat security team:
Secunia reports:
Multiple vulnerabilities have been reported in APR-util, which can be exploited by malicious people to cause a DoS (Denial of Service).
Two XML parsing vulnerabilities exist in the bundled version of expat.
An error within the "apr_brigade_split_line()" function in buckets/apr_brigade.c can be exploited to cause high memory consumption.
The phpMyFAQ project reports:
The phpMyFAQ Team has learned of a security issue that has been discovered in phpMyFAQ 2.6.x: phpMyFAQ doesn't sanitize some variables in different pages correctly. With a properly crafted URL it is e.g. possible to inject JavaScript code into the output of a page, which could result in the leakage of domain cookies (f.e. session identifiers)..
The Horde team reports:
The major changes compared to Gollem version H3 (1.1.1) are:
* Fixed an XSS vulnerability in the file viewer.
The Horde team reports:
Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability.
The major changes compared to IMP version H3 (4.3.7) are:
* Fixed an XSS vulnerability in the Fetchmail configuration.
The Horde team reports:
Thanks to Naumann IT Security Consulting for reporting the XSS vulnerability.
Thanks to Secunia for releasing an advisory for the new CSRF protection in the preference interface
The major changes compared to Horde version 3.3.8 are:
* Fixed XSS vulnerability in util/icon_browser.php.
* Protected preference forms against CSRF attacks.
The OpenX project reported:
It has been brought to our attention that there is a vulnerability in the 2.8 downloadable version of OpenX that can result in a server running the downloaded version of OpenX being compromised.
This vulnerability exists in the file upload functionality and allows attackers to upload and execute PHP code of their choice.
Squid security advisory 2010:3 reports:
Due to an internal error in string handling Squid is vulnerable to a denial of service attack when processing specially crafted requests.
This problem allows any trusted client to perform a denial of service attack on the Squid service.
Adobe Product Security Incident Response Team reports:
A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris, and Adobe Flash Player 10.1.92.10 for Android. This vulnerability also affects Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2884) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows. Adobe is not aware of any attacks exploiting this vulnerability against Adobe Reader or Acrobat to date.
Django project reports:
The provided template tag for inserting the CSRF token into forms -- {% csrf_token %} -- explicitly trusts the cookie value, and displays it as-is. Thus, an attacker who is able to tamper with the value of the CSRF cookie can cause arbitrary content to be inserted, unescaped, into the outgoing HTML of the form, enabling cross-site scripting (XSS) attacks.
Gustavo Noronha Silva reports:
With help from Vincent Danen and other members of the Red Hat security team, the following CVE's where fixed.
Description for CVE-2008-3432 says:
Heap-based buffer overflow in the mch_expand_wildcards function in os_unix.c in Vim 6.2 and 6.3 allows user-assisted attackers to execute arbitrary code via shell metacharacters in filenames, as demonstrated by the netrw.v3 test case.
The Mozilla Project reports:
MFSA 2010-49 Miscellaneous memory safety hazards (rv:1.9.2.9/ 1.9.1.12)
MFSA 2010-50 Frameset integer overflow vulnerability
MFSA 2010-51 Dangling pointer vulnerability using DOM plugin array
MFSA 2010-52 Windows XP DLL loading vulnerability
MFSA 2010-53 Heap buffer overflow in nsTextFrameUtils::TransformText
MFSA 2010-54 Dangling pointer vulnerability in nsTreeSelection
MFSA 2010-55 XUL tree removal crash and remote code execution
MFSA 2010-56 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-57 Crash and remote code execution in normalizeDocument
MFSA 2010-58 Crash on Mac using fuzzed font in data: URL
MFSA 2010-59 SJOW creates scope chains ending in outer object
MFSA 2010-60 XSS using SJOW scripted function
MFSA 2010-61 UTF-7 XSS by overriding document charset using object type attribute
MFSA 2010-62 Copy-and-paste or drag-and-drop into designMode document allows XSS
MFSA 2010-63 Information leak via XMLHttpRequest statusText
Todd Miller reports:
Beginning with sudo version 1.7.0 it has been possible to grant permission to run a command using a specified group via sudo -g option (run as group). A flaw exists in the logic that matches Runas groups in the sudoers file when the -u option is also specified (run as user). This flaw results in a positive match for the user specified via -u so long as the group specified via -g is allowed by the sudoers file.
Exploitation of the flaw requires that Sudo be configured with sudoers entries that contain a Runas group. Entries that do not contain a Runas group, or only contain a Runas user are not affected.
The get1 command, as used by lftpget, in LFTP before 4.0.6 does not properly validate a server-provided filename before determining the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
GNU Wget version 1.12 and earlier uses a server-provided filename instead of the original URL to determine the destination filename of a download, which allows remote servers to create or overwrite arbitrary files via a 3xx redirect to a URL with a .wgetrc filename followed by a 3xx redirect to a URL with a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
lwp-download in libwww-perl before 5.835 does not reject downloads to filenames that begin with a `.' (dot) character, which allows remote servers to create or overwrite files via a 3xx redirect to a URL with a crafted filename or a Content-Disposition header that suggests a crafted filename, and possibly execute arbitrary code as a consequence of writing to a dotfile in a home directory.
The Red Hat security team reported two vulnerabilities:
A stack buffer overflow flaw was found in the way Quagga's bgpd daemon processed Route-Refresh messages. A configured Border Gateway Protocol (BGP) peer could send a Route-Refresh message with specially-crafted Outbound Route Filtering (ORF) record, which would cause the master BGP daemon (bgpd) to crash or, possibly, execute arbitrary code with the privileges of the user running bgpd.
A NULL pointer dereference flaw was found in the way Quagga's bgpd daemon parsed paths of autonomous systems (AS). A configured BGP peer could send a BGP update AS path request with unknown AS type, which could lead to denial of service (bgpd daemon crash).
A Bugzilla Security Advisory reports:
- Remote Information Disclosure: An unprivileged user is normally not allowed to view other users' group membership. But boolean charts let the user use group-based pronouns, indirectly disclosing group membership. This security fix restricts the use of pronouns to groups the user belongs to.
- Notification Bypass: Normally, when a user is impersonated, he receives an email informing him that he is being impersonated, containing the identity of the impersonator. However, it was possible to impersonate a user without this notification being sent.
- Remote Information Disclosure: An error message thrown by the "Reports" and "Duplicates" page confirmed the non-existence of products, thus allowing users to guess confidential product names. (Note that the "Duplicates" page was not vulnerable in Bugzilla 3.6rc1 and above though.)
- Denial of Service: If a comment contained the phrases "bug X" or "attachment X", where X was an integer larger than the maximum 32-bit signed integer size, PostgreSQL would throw an error, and any page containing that comment would not be viewable. On most Bugzillas, any user can enter a comment on any bug, so any user could have used this to deny access to one or all bugs. Bugzillas running on databases other than PostgreSQL are not affected.
OpenTTD project reports:
When multiple commands are queued (at the server) for execution in the next game tick and an client joins the server can get into an infinite loop. With the default settings triggering this bug is difficult (if not impossible), however the larger value of the "frame_freq" setting is easier it is to trigger the bug.
The affected corkscrew versions use sscanf calls without proper bounds checking. In the authentication file parsing routine this can cause an exploitable buffer overflow condition. A similar but issue exists in the server response code but appears to be non-exploitable.
phpMyAdmin Team reports:
It was possible to conduct a XSS attack using crafted URLs org POST parameters on several pages.
SLiM assigns logged on users a PATH in which the current working directory ("./") is included. This PATH can allow unintentional code execution through planted binaries and has therefore been fixed SLiM version 1.3.2.
The official ruby site reports:
WEBrick have had a cross-site scripting vulnerability that allows an attacker to inject arbitrary script or HTML via a crafted URI. This does not affect user agents that strictly implement HTTP/1.1, however, some user agents do not.
Isolate currently suffers from some bad security bugs! These are local root privilege escalation bugs. Thanks to the helpful person who reported them (email Chris if you want credit!). We're working to fix them ASAP, but until then, isolate is unsafe and you should uninstall it. Sorry!
VideoLAN project reports:
VLC fails to perform sufficient input validation when trying to extract some meta-informations about input media through ID3v2 tags. In the failure case, VLC attempt dereference an invalid memory address, and a crash will ensure.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player version 10.1.53.64 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
The Opera Destkop Team reports:
- Fixed an issue where heap buffer overflow in HTML5 canvas could be used to execute arbitrary code, as reported by Kuzzcc.
- Fixed an issue where unexpected changes in tab focus could be used to run programs from the Internet, as reported by Jakob Balle and Sven Krewitt of Secunia.
- Fixed an issue where news feed preview could subscribe to feeds without interaction, as reported by Alexios Fakos.
The Mozilla Project reports:
MFSA 2010-48 Dangling pointer crash regression from plugin parameter array fix
Piwik versions 0.6 through 0.6.3 are vulnerable to arbitrary, remote file inclusion using a directory traversal pattern infinite a crafted request for a data renderer.
A vulnerability has been reported in Piwik, which can before exploited by malicious people to disclose potentially sensitive information. Input passed to unspecified parameters when requesting a data renderer is not properly verified before being used to include files. This can be exploited to includes arbitrary files from local resources via directory traversal attacks.
There is a denial of service vulnerability in libmspack. The libmspack code is built into cabextract, so it is also vulnerable.
Secunia reports:
The vulnerability is caused due to an error when copying data from an uncompressed block (block type 0) and can be exploited to trigger an infinite loop by tricking an application using the library into processing specially crafted MS-ZIP archives.
Apache ChangeLog reports:
mod_dav, mod_cache: Fix Handling of requests without a path segment.
Greg Brockman reports:
If an attacker were to create a crafted working copy where the user runs any git command, the attacker could force execution of arbitrary code.
Derek Jones reports:
A fix has been implemented for a security flaw in CodeIgniter 1.7.2. All applications using the File Upload class should install the patch to ensure that their application is not subject to a vulnerability.
The Mozilla Project reports:
MFSA 2010-34 Miscellaneous memory safety hazards (rv:1.9.2.7/ 1.9.1.11)
MFSA 2010-35 DOM attribute cloning remote code execution vulnerability
MFSA 2010-36 Use-after-free error in NodeIterator
MFSA 2010-37 Plugin parameter EnsureCachedAttrParamArrays remote code execution vulnerability
MFSA 2010-38 Arbitrary code execution using SJOW and fast native function
MFSA 2010-39 nsCSSValue::Array index integer overflow
MFSA 2010-40 nsTreeSelection dangling pointer remote code execution vulnerability
MFSA 2010-41 Remote code execution using malformed PNG image
MFSA 2010-42 Cross-origin data disclosure via Web Workers and importScripts
MFSA 2010-43 Same-origin bypass using canvas context
MFSA 2010-44 Characters mapped to U+FFFD in 8 bit encodings cause subsequent character to vanish
MFSA 2010-45 Multiple location bar spoofing vulnerabilities
MFSA 2010-46 Cross-domain data theft using CSS
MFSA 2010-47 Cross-origin data leakage from script filename in error messages
Kees Cook reports:
Janne Snabb discovered that applications using VTE, such as gnome-terminal, did not correctly filter window and icon title request escape codes. If a user were tricked into viewing specially crafted output in their terminal, a remote attacker could execute arbitrary commands with user privileges.
Gustavo Noronha reports:
Debian's Michael Gilbert has done a great job going through all CVEs released about WebKit, and including patches in the Debian package. 1.2.3 includes all of the commits from trunk to fix those, too.
Eric Davis reports:
This security release addresses some security vulnerabilities found in the advanced subversion integration module (Redmine.pm perl script).
Julius Plenz reports:
I found a bug in the base64_decode function which may cause memory corruption when the function is executed on a malformed base64 encoded string.
If a string starting with an equal-sign is passed to the base64_decode function it triggers a memory corruption that in some cases makes bogofilter crash.
A Bugzilla Security Advisory reports:
- Normally, information about time-tracking (estimated hours, actual hours, hours worked, and deadlines) is restricted to users in the "time-tracking group". However, any user was able, by crafting their own search URL, to search for bugs based using those fields as criteria, thus possibly exposing sensitive time-tracking information by a user seeing that a bug matched their search.
- If $use_suexec was set to "1" in the localconfig file, then the localconfig file's permissions were set as world-readable by checksetup.pl. This allowed any user with local shell access to see the contents of the file, including the database password and the site_wide_secret variable used for CSRF protection.
Two security vulnerabilities have been discovered:
Multiple format string vulnerabilities in the DCC functionality in KVIrc 3.4 and 4.0 have unspecified impact and remote attack vectors.
Directory traversal vulnerability in the DCC functionality in KVIrc 3.4 and 4.0 allows remote attackers to overwrite arbitrary files via unknown vectors.
The PNG project describes the problem in an advisory:
Several versions of libpng through 1.4.2 (and through 1.2.43 in the older series) contain a bug whereby progressive applications such as web browsers (or the rpng2 demo app included in libpng) could receive an extra row of image data beyond the height reported in the header, potentially leading to an out-of-bounds write to memory (depending on how the application is written) and the possibility of execution of an attacker's code with the privileges of the libpng user (including remote compromise in the case of a libpng-based browser visiting a hostile web site).
The Moodle release notes report multiple vulnerabilities which could allow cross site scripting, XSS attacks, unauthorised deletion of attempts in some instances.
Juli Mallett reports:
mdnsd will crash on some systems with a corrupt stack and once that's fixed it will still leak a file descriptor when parsing resolv.conf. The crash is because scanf is used with %10s for a buffer that is only 10 chars long. The buffer size needs increased to 11 chars to hold the trailing NUL. To fix the leak, an fclose needs added.
The Opera Desktop Team reports:
Data URIs are allowed to run scripts that manipulate pages from the site that directly opened them. In some cases, the opening site is not correctly detected. In these cases, Data URIs may erroneously be able to run scripts so that they interact with sites that did not directly cause them to be opened.
Multiple vulnerabilities have been reported to exist in older version of Cacti. The release notes of Cacti 0.8.7f summarizes the problems as follows:
- SQL injection and shell escaping issues
- Cross-site scripting issues
- Cacti Graph Viewer SQL injection vulnerability
Mozilla Project reports:
MFSA 2010-33 User tracking across sites using Math.random()
MFSA 2010-32 Content-Disposition: attachment ignored if Content-Type: multipart also present
MFSA 2010-31 focus() behavior can be used to inject or steal keystrokes
MFSA 2010-30 Integer Overflow in XSLT Node Sorting
MFSA 2010-29 Heap buffer overflow in nsGenericDOMDataNode::SetTextInternal
MFSA 2010-28 Freed object reuse across plugin instances
MFSA 2010-27 Use-after-free error in nsCycleCollector::MarkRoots()
MFSA 2010-26 Crashes with evidence of memory corruption (rv:1.9.2.4/ 1.9.1.10)
MFSA 2010-25 Re-use of freed object due to scope confusion
Daniel Mealha Cabrita reports:
Fixed security vulnerability (heap-related) in PNG decoder. (new bug from 3.1.0)
Tielei Wang:
Multiple integer overflows in inter-color spaces conversion tools in libtiff 3.8 through 3.8.2, 3.9, and 4.0 allow context-dependent attackers to execute arbitrary code via a TIFF image with large (1) width and (2) height values, which triggers a heap-based buffer overflow in the (a) cvt_whole_image function in tiff2rgba and (b) tiffcvt function in rgb2ycbcr.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.45.2 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
Kevin Finisterre reports:
Multiple integer overflows in the handling of TIFF files may result in a heap buffer overflow. Opening a maliciously crafted TIFF file may lead to an unexpected application termination or arbitrary code execution. The issues are addressed through improved bounds checking. Credit to Kevin Finisterre of digitalmunition.com for reporting these issues.
Todd Miller reports:
Most versions of the C library function getenv() return the first instance of an environment variable to the caller. However, some programs, notably the GNU Bourne Again SHell (bash), do their own environment parsing and may choose the last instance of a variable rather than the first one.
An attacker may manipulate the environment of the process that executes Sudo such that a second PATH variable is present. When Sudo runs a bash script, it is this second PATH variable that is used by bash, regardless of whether or not Sudo has overwritten the first instance of PATH. This may allow an attacker to subvert the program being run under Sudo and execute commands he/she would not otherwise be allowed to run.
Ziproxy 3.0.1 release fixes a security vulnerability related to atypical huge picture files (>4GB of size once expanded).
Two security vulnerabilities were discovered:
Noncompliant CSS parsing behaviour in Internet Explorer allows attackers to construct CSS strings which are treated as safe by previous versions of MediaWiki, but are decoded to unsafe strings by Internet Explorer.
A CSRF vulnerability was discovered in our login interface. Although regular logins are protected as of 1.15.3, it was discovered that the account creation and password reset reset features were not protected from CSRF. This could lead to unauthorised access to private wikis.
The Redmine release announcement reports that several cross side scripting vulnerabilities and a potential data disclosure vulnerability have been fixed in the latest release.
A vulnerability found in the DOCSIS dissector can cause Wireshark to crash when a malformed packet trace file is opened. This means that an attacker will have to trick a victim into opening such a trace file before being able to crash the application
The Piwik security advisory reports:
A non-persistent, cross-site scripting vulnerability (XSS) was found in Piwik's Login form that reflected the form_url parameter without being properly escaped or filtered.
The spamassassin milter plugin contains a vulnerability that can allow remote attackers to execute commands on affected systems.
The vulnerability can be exploited trough a special-crafted email header when the plugin was started with the '-x' (expand) flag.
A MediaWiki security announcement reports:
MediaWiki was found to be vulnerable to login CSRF. An attacker who controls a user account on the target wiki can force the victim to log in as the attacker, via a script on an external website.
If the wiki is configured to allow user scripts, say with "$wgAllowUserJs = true" in LocalSettings.php, then the attacker can proceed to mount a phishing-style attack against the victim to obtain their password.
Dan Rosenberg reports:
There are several cross-site scripting vulnerabilities in LXR. These vulnerabilities could allow an attacker to execute scripts in a user's browser, steal cookies associated with vulnerable domains, redirect the user to malicious websites, etc.
VideoLAN project reports:
VLC media player suffers from various vulnerabilities when attempting to parse malformatted or overly long byte streams.
Joomla! reported the following vulnerabilities:
If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system..
The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server.
Session id doesn't get modified when user logs in. A remote site may be able to forward a visitor to the Joomla! site and set a specific cookie. If the user then logs in, the remote site can use that cookie to authenticate as that user.
When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability.
Bonsai information security reports:
A Vulnerability has been discovered in Cacti, which can be exploited by any user to conduct SQL Injection attacks. Input passed via the "export_item_id" parameter to "templates_export.php" script is not properly sanitized before being used in a SQL query.
The same source also reported a command execution vulnerability. This second issue can be exploited by Cacti users who have the rights to modify device or graph configurations.
The Moodle release notes report multiple vulnerabilities which could allow remote attackers to perform, amongst others, cross site scripting, user enumeration and SQL injection attacks.
The Apache software foundation reports:
The "WWW-Authenticate" header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, a <realm-name> is not specified then Tomcat will generate one.
In some circumstances this can expose the local hostname or IP address of the machine running Tomcat.
The MIT Kerberos team reports:
An authenticated remote attacker can crash the KDC by inducing the KDC to perform a double free. Under some circumstances on some platforms, this could also allow malicious code execution.
Secunia Research reported two vulnerabilities in e107:
The first problem affects installations that have the Content Manager plugin enabled. This plugin does not sanitize the "content_heading" parameter correctly and is therefore vulnerable to a cross site scripting attack.
The second vulnerability is related to the avatar upload functionality. Images containing PHP code can be uploaded and executed.
Fetchmail developer Matthias Andree reported a vulnerability that allows remote attackers to crash the application when it is runs in verbose mode.
Fetchmail before release 6.3.17 did not properly sanitize external input (mail headers and UID). When a multi-character locale (such as UTF-8) was in use, this could cause memory exhaustion and thus a denial of service.
Three denial of service vulnerabilities where found in pidgin and allow remote attackers to crash the application. The developers summarized these problems as follows:
Pidgin can become unresponsive when displaying large numbers of smileys
Certain nicknames in group chat rooms can trigger a crash in Finch
Failure to validate all fields of an incoming message can trigger a crash
A vulnerability in libpng can result in denial of service conditions when a remote attacker tricks a victim to open a specially-crafted PNG file.
The PNG project describes the problem in an advisory:
Because of the efficient compression method used in Portable Network Graphics (PNG) files, a small PNG file can expand tremendously, acting as a "decompression bomb".
Malformed PNG chunks can consume a large amount of CPU and wall-clock time and large amounts of memory, up to all memory available on a system
The cURL project reports in a security advisory:
Using the affected libcurl version to download compressed content over HTTP, an application can ask libcurl to automatically uncompress data. When doing so, libcurl can wrongly send data up to 64K in size to the callback which thus is much larger than the documented maximum size.
An application that blindly trusts libcurl's max limit for a fixed buffer size or similar is then a possible target for a buffer overflow vulnerability.
The Red Hat security response team reports:
A remotely exploitable DoS from XMPP client to ejabberd server via too many "client2server" messages (causing the message queue on the server to get overloaded, leading to server crash) has been found.
Two vulnerabilities have found in irssi. The first issue could allow man-in-the-middle attacks due to a missing comparison of SSL server hostnames and the certificate domain names (e.g. CN).
A second vulnerability, related to the nick matching code, could be triggered by remote attackers in order to crash an irssi client when leaving a channel.
An authenticated remote attacker can causing a denial of service by using a newer version of the kadmin protocol than the server supports.
The MIT Kerberos team also reports the cause:
The Kerberos administration daemon (kadmind) can crash due to referencing freed memory.
Two vulnerabilities in krb5 can be used by remote attackers in denial of service attacks. The MIT security advisories report this as follows:
An unauthenticated remote attacker can send an invalid request to a KDC process that will cause it to crash due to an assertion failure, creating a denial of service.
An unauthenticated remote attacker could cause a GSS-API application, including the Kerberos administration daemon (kadmind) to crash.
The Debian security team reports:
It was discovered that mahara, an electronic portfolio, weblog, and resume builder is not properly escaping input when generating a unique username based on a remote user name from a single sign-on application. An attacker can use this to compromise the mahara database via crafted user names.
Todd Miller reports:
Sudo's command matching routine expects actual commands to include one or more slash ('/') characters. The flaw is that sudo's path resolution code did not add a "./" prefix to commands found in the current working directory. This creates an ambiguity between a "sudoedit" command found in the cwd and the "sudoedit" pseudo-command in the sudoers file. As a result, a user may be able to run an arbitrary command named "sudoedit" in the current working directory. For the attack to be successful, the PATH environment variable must include "." and may not include any other directory that contains a "sudoedit" command.
KDE Security Advisory reports:
KDM contains a race condition that allows local attackers to make arbitrary files on the system world-writeable. This can happen while KDM tries to create its control socket during user login. A local attacker with a valid local account can under certain circumstances make use of this vulnerability to execute arbitrary code as root.
The Dojo Toolkit team reports:
Some PHP files did not properly escape input.
Some files could operate like "open redirects". A bad actor could form an URL that looks like it came from a trusted site, but the user would be redirected or load content from the bad actor's site.
A file exposed a more serious cross-site scripting vulnerability with the possibility of executing code on the domain where the file exists.
The Dojo build process defaulted to copying over tests and demos, which are normally not needed and just increased the number of files that could be targets of attacks.
The Zend Framework team reports:
Several files in the bundled Dojo library were identified as having potential exploits, and the Dojo team also advised disabling or removing any PHP scripts in the Dojo library tree when deploying to production.
Mozilla Project reports:
MFSA 2009-25 Re-use of freed object due to scope confusion
Mozilla Project reports:
MFSA 2010-24 XMLDocument::load() doesn't check nsIContentPolicy
MFSA 2010-23 Image src redirect to mailto: URL opens email editor
MFSA 2010-22 Update NSS to support TLS renegotiation indication
MFSA 2010-21 Arbitrary code execution with Firebug XMLHttpRequestSpy
MFSA 2010-20 Chrome privilege escalation via forced URL drag and drop
MFSA 2010-19 Dangling pointer vulnerability in nsPluginArray
MFSA 2010-18 Dangling pointer vulnerability in nsTreeContentView
MFSA 2010-17 Remote code execution with use-after-free in nsTreeSelection
MFSA 2010-16 Crashes with evidence of memory corruption (rv:1.9.2.2/ 1.9.1.9/ 1.9.0.19)
BugTraq reports:
PostgreSQL is prone to a buffer-overflow vulnerability because the application fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit this issue to execute arbitrary code with elevated privileges or crash the affected application.
Jakob Lell reports:
The rmt client implementation of GNU Tar/Cpio contains a heap-based buffer overflow which possibly allows arbitrary code execution.
The problem can be exploited when using an untrusted/compromised rmt server.
Mozilla Project reports:
MFSA 2010-08 WOFF heap corruption due to integer overflow
Mozilla Project reports:
MFSA 2010-07 Fixes for potentially exploitable crashes ported to the legacy branch
MFSA 2010-06 Scriptable plugin execution in SeaMonkey mail
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-49 TreeColumns dangling pointer vulnerability
Egroupware Team report:
Nahuel Grisolia from CYBSEC S.A. Security Systems found two security problems in EGroupware:
Serious remote command execution (allowing to run arbitrary command on the web server by simply issuing a HTTP request!).
A reflected cross-site scripting (XSS).
Both require NO valid EGroupware account and work without being logged in!
Drupal Team reports:
A user-supplied value is directly output during installation allowing a malicious user to craft a URL and perform a cross-site scripting attack. The exploit can only be conducted on sites not yet installed.
The API function drupal_goto() is susceptible to a phishing attack. An attacker could formulate a redirect in a way that gets the Drupal site to send the user to an arbitrarily provided URL. No user submitted data will be sent to that URL.
Locale module and dependent contributed modules do not sanitize the display of language codes, native and English language names properly. While these usually come from a preselected list, arbitrary administrator input is allowed. This vulnerability is mitigated by the fact that the attacker must have a role with the 'administer languages' permission.
Under certain circumstances, a user with an open session that is blocked can maintain his/her session on the Drupal site, despite being blocked.
Todd Miller reports:
When sudo performs its command matching, there is a special case for pseudo-commands in the sudoers file (currently, the only pseudo-command is sudoedit). Unlike a regular command, pseudo-commands do not begin with a slash ('/'). The flaw is that sudo's the matching code would only check against the list of pseudo-commands if the user-specified command also contained no slashes. As a result, if the user ran "sudo ./sudoedit" the normal matching code path was followed, which uses stat(2) to verify that the user-specified command matches the one in sudoers. In this case, it would compare the "./sudoedit" specified by the user with "sudoedit" from the sudoers file, resulting in a positive match.
OpenOffice.org Security Team reports:
Fixed in OpenOffice.org 3.2
CVE-2006-4339: Potential vulnerability from 3rd party libxml2 libraries
CVE-2009-0217: Potential vulnerability from 3rd party libxmlsec libraries
CVE-2009-2493: OpenOffice.org 3 for Windows bundles a vulnerable version of MSVC Runtime
CVE-2009-2949: Potential vulnerability related to XPM file processing
CVE-2009-2950: Potential vulnerability related to GIF file processing
CVE-2009-3301/2: Potential vulnerability related to MS-Word document processing
Mozilla Project reports:
MFSA 2010-05 XSS hazard using SVG document and binary Content-Type
MFSA 2010-04 XSS due to window.dialogArguments being readable cross-domain
MFSA 2010-03 Use-after-free crash in HTML parser
MFSA 2010-02 Web Worker Array Handling Heap Corruption Vulnerability
MFSA 2010-01 Crashes with evidence of memory corruption (rv:1.9.1.8/ 1.9.0.18)
Lighttpd security advisory reports:
If you send the request data very slow (e.g. sleep 0.01 after each byte), lighttpd will easily use all available memory and die (especially for parallel requests), allowing a DoS within minutes.
Squid security advisory 2010:2 reports:
Due to incorrect processing Squid is vulnerable to a denial of service attack when receiving specially crafted HTCP packets.
This problem allows any machine to perform a denial of service attack on the Squid service when its HTCP port is open.
Adobe Product Security Incident Response Team reports:
A critical vulnerability has been identified in Adobe Flash Player version 10.0.42.34 and earlier. This vulnerability (CVE-2010-0186) could subvert the domain sandbox and make unauthorized cross-domain requests. This update also resolves a potential Denial of Service issue (CVE-2010-0187).
Ray Strode reports:
Under certain circumstances it is possible to circumvent the security of screen locking functionality of gnome-screensaver by changing the systems physical monitor configuration.
gnome-screensaver can lose its keyboard grab when locked, exposing the system to intrusion by adding and removing monitors.
Matthias Andree reports:
In verbose mode, fetchmail prints X.509 certificate subject and issuer information to the user, and counts and allocates a malloc() buffer for that purpose.
If the material to be displayed contains characters with high bit set and the platform treats the "char" type as signed, this can cause a heap buffer overrun because non-printing characters are escaped as \xFF..FFnn, where nn is 80..FF in hex.
Wireshark project reports:
Babi discovered several buffer overflows in the LWRES dissector.
It may be possible to make Wireshark crash remotely or by convincing someone to read a malformed packet trace file.
OTRS Security Advisory reports:
Missing security quoting for SQL statements allows agents and customers to manipulate SQL queries. So it's possible for authenticated users to inject SQL queries via string manipulation of statements.
A malicious user may be able to manipulate SQL queries to read or modify records in the database. This way it could also be possible to get access to more permissions (e. g. administrator permissions).
To use this vulnerability the malicious user needs to have a valid Agent- or Customer-session.
Apache ChangeLog reports:
Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
Squid security advisory 2010:1 reports:
Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted DNS packets.
This problem allows any trusted client or external server who can determine the squid receiving port to perform a short-term denial of service attack on the Squid service.
A Bugzilla Security Advisory reports:
When moving a bug from one product to another, an intermediate page is displayed letting you select the groups the bug should be restricted to in the new product. However, a regression in the 3.4.x series made it ignore all groups which are not available in both products. As a workaround, you had to move the bug to the new product first and then restrict it to the desired groups, in two distinct steps, which could make the bug temporarily public.
SecurityFocus reports:
The first affects the /quote HELP module and allows a user to trigger an IRCD crash on some platforms.
The second affects the /links processing module when the flatten_links configuration option is not enabled.
Dokuwiki reports:
The plugin does no checks against cross-site request forgeries (CSRF) which can be exploited to e.g. change the access control rules by tricking a logged in administrator into visiting a malicious web site.
The bug allows listing the names of arbitrary file on the webserver - not their contents. This could leak private information about wiki pages and server structure.
The Zend Framework team reports:
Potential XSS or HTML Injection vector in Zend_Json.
Potential XSS vector in Zend_Service_ReCaptcha_MailHide.
Potential MIME-type Injection in Zend_File_Transfer Executive Summary.
Potential XSS vector in Zend_Filter_StripTags when comments allowed.
Potential XSS vector in Zend_Dojo_View_Helper_Editor.
Potential XSS vectors due to inconsistent encodings.
XSS vector in Zend_Filter_StripTags.
LFI vector in Zend_View::setScriptPath() and render().
PowerDNS Security Advisory reports:
PowerDNS Recursor up to and including 3.1.7.1 can be brought down and probably exploited.
PowerDNS Recursor up to and including 3.1.7.1 can be spoofed into accepting bogus data
PEAR Security Advisory reports:
Multiple remote arbitrary command injections have been found in the Net_Ping and Net_Traceroute.
When input from forms are used directly, the attacker could pass variables that would allow him to execute remote arbitrary command injections.
Drupal Team reports:
The Contact module does not correctly handle certain user input when displaying category information. Users privileged to create contact categories can insert arbitrary HTML and script code into the contact module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.
The Menu module does not correctly handle certain user input when displaying the menu administration overview. Users privileged to create new menus can insert arbitrary HTML and script code into the menu module administration page. Such a cross-site scripting attack may lead to the malicious user gaining administrative access.
Denis Barov reports:
sysutils/fuser allows user to send any signal to any process when installed with suid bit.
Census Labs reports:
We have discovered a remotely exploitable "improper input validation" vulnerability in the Monkey web server that allows an attacker to perform denial of service attacks by repeatedly crashing worker threads that process HTTP requests.
PHP developers reports:
This release focuses on improving the stability of the PHP 5.2.x branch with over 60 bug fixes, some of which are security related. All users of PHP 5.2 are encouraged to upgrade to this release.
Security Enhancements and Fixes in PHP 5.2.12:
- Fixed a safe_mode bypass in tempnam() identified by Grzegorz Stachowiak. (CVE-2009-3557, Rasmus)
- Fixed a open_basedir bypass in posix_mkfifo() identified by Grzegorz Stachowiak. (CVE-2009-3558, Rasmus)
- Added "max_file_uploads" INI directive, which can be set to limit the number of file uploads per-request to 20 by default, to prevent possible DOS via temporary file exhaustion, identified by Bogdan Calin. (CVE-2009-4017, Ilia)
- Added protection for $_SESSION from interrupt corruption and improved "session.save_path" check, identified by Stefan Esser. (CVE-2009-4143, Stas)
- Fixed bug #49785 (insufficient input string validation of htmlspecialchars()). (CVE-2009-4142, Moriyoshi, hello at iwamot dot com)
PostgreSQL project reports:
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly handle a '\0' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based PostgreSQL servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended client-hostname restrictions via a crafted client certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
PostgreSQL 7.4.x before 7.4.27, 8.0.x before 8.0.23, 8.1.x before 8.1.19, 8.2.x before 8.2.15, 8.3.x before 8.3.9, and 8.4.x before 8.4.2 does not properly manage session-local state during execution of an index function by a database superuser, which allows remote authenticated users to gain privileges via a table with crafted index functions, as demonstrated by functions that modify (1) search_path or (2) a prepared statement, a related issue to CVE-2007-6600 and CVE-2009-3230.
SecurityFocus reports:
TPTEST is prone to a remote stack-based buffer-overflow vulnerability. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
Mozilla Project reports:
MFSA 2009-71 GeckoActiveXObject exception messages can be used to enumerate installed COM objects
MFSA 2009-70 Privilege escalation via chrome window.opener
MFSA 2009-69 Location bar spoofing vulnerabilities
MFSA 2009-68 NTLM reflection vulnerability
MFSA 2009-67 Integer overflow, crash in libtheora video library
MFSA 2009-66 Memory safety fixes in liboggplay media library
MFSA 2009-65 Crashes with evidence of memory corruption (rv:1.9.1.6/ 1.9.0.16)
freeRADIUS Vulnerability Notifications reports:
2009.09.09 v1.1.7 - Anyone who can send packets to the server can crash it by sending a Tunnel-Password attribute in an Access-Request packet. This vulnerability is not otherwise exploitable. We have released 1.1.8 to correct this vulnerability.
This issue is similar to the previous Tunnel-Password issue noted below. The vulnerable versions are 1.1.3 through 1.1.7. Version 2.x is not affected.
secunia reports:
Russ McRee has discovered some vulnerabilities in Pligg, which can be exploited by malicious people to conduct cross-site scripting and request forgery attacks.
Input passed via the "Referer" HTTP header to various scripts (e.g. admin/admin_config.php, admin/admin_modules.php, delete.php, editlink.php, submit.php, submit_groups.php, user_add_remove_links.php, and user_settings.php) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create an arbitrary user with administrative privileges if a logged-in administrative user visits a malicious web site.
secunia reports:
Stefan Esser has reported a vulnerability in Piwik, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to the core/Cookie.php script using "unserialize()" with user controlled input. This can be exploited to e.g. execute arbitrary PHP code via the "__wakeup()" or "__destruct()" methods of a serialized object passed via an HTTP cookie.
Dovecot author reports:
Dovecot v1.2.x had been creating base_dir (and its parents if necessary) with 0777 permissions. The base_dir's permissions get changed to 0755 automatically at startup, but you may need to chmod the parent directories manually.
Adobe Product Security Incident Response Team reports:
Critical vulnerabilities have been identified in Adobe Flash Player version 10.0.32.18 and earlier. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.
The official ruby site reports:
There is a heap overflow vulnerability in String#ljust, String#center and String#rjust. This has allowed an attacker to run arbitrary code in some rare cases.
Secunia reports:
A vulnerability has been reported in RT, which can be exploited by malicious people to conduct session fixation attacks. The vulnerability is caused due to an error in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.
CVE reports:
The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read.
CVE reports:
The big2_toUtf8 function in lib/xmltok.c in libexpat in Expat 2.0.1, as used in the XML-Twig module for Perl, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with malformed UTF-8 sequences that trigger a buffer over-read, related to the doProlog function in lib/xmlparse.c.
Opera Team reports:
- Fixed a heap buffer overflow in string to number conversion
- Fixed an issue where error messages could leak onto unrelated sites
- Fixed a moderately severe issue, as reported by Chris Evans of the Google Security Team; details will be disclosed at a later date.
Secunia.com
Do not attempt to load an unqualified module.la file from the current directory (by default) since doing so is insecure and is not compliant with the documentation.
The Ubuntu security team reports:
It was discovered that libvorbis did not correctly handle certain malformed vorbis files. If a user were tricked into opening a specially crafted vorbis file with an application that uses libvorbis, an attacker could cause a denial of service or possibly execute arbitrary code with the user's privileges.
A Bugzilla Security Advisory reports:
When a bug is in a group, none of its information (other than its status and resolution) should be visible to users outside that group. It was discovered that as of 3.3.2, Bugzilla was showing the alias of the bug (a very short string used as a shortcut for looking up the bug) to users outside of the group, if the protected bug ended up in the "Depends On" or "Blocks" list of any other bug.
The cacti development team reports:
The Cross-Site Scripting patch has been posted.
This patch addresses cross-site scripting issues reported by Moritz Naumann.
secunia reports:
The security issue is caused due to the wp_check_filetype() function in /wp-includes/functions.php improperly validating uploaded files. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script with multiple extensions.
Successful exploitation of this vulnerability requires that Apache is not configured to handle the mime-type for media files with an e.g. "gif", "jpg", "png", "tif", "wmv" extension.
Input passed via certain parameters to press-this.php is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.
CVE reports:
The decode_entities function in util.c in HTML-Parser before 3.63 allows context-dependent attackers to cause a denial of service (infinite loop) via an incomplete SGML numeric character reference, which triggers generation of an invalid UTF-8 character.
CVE reports:
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293.
TYPO3 develop team reports:
Affected versions: TYPO3 versions 4.0.13 and below, 4.1.12 and below, 4.2.9 and below, 4.3.0beta1 and below.
SQL injection, Cross-site scripting (XSS), Information disclosure, Frame hijacking, Remote shell command execution and Insecure Install Tool authentication/session handling.
VideoLAN reports:
When parsing a MP4, ASF or AVI file with an overly deep box structure, a stack overflow might occur. It would overwrite the return address and thus redirect the execution flow.
If successful, a malicious third party could trigger execution of arbitrary code within the context of the VLC media player.
oCERT reports:
Ark input sanitization errors: The KDE archiving tool, Ark, performs insufficient validation which leads to specially crafted archive files, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites.
IO Slaves input sanitization errors: KDE protocol handlers perform insufficient input validation, an attacker can craft malicious URI that would trigger JavaScript execution. Additionally the 'help://' protocol handler suffer from directory traversal. It should be noted that the scope of this issue is limited as the malicious URIs cannot be embedded in Internet hosted content.
KMail input sanitization errors: The KDE mail client, KMail, performs insufficient validation which leads to specially crafted email attachments, using unknown MIME types, to be rendered using a KHTML instance, this can trigger uncontrolled XMLHTTPRequests to remote sites.
The exploitation of these vulnerabilities is unlikely according to Portcullis and KDE but the execution of active content is nonetheless unexpected and might pose a threat.
Opera Team Reports:
- Fixed an issue where certain domain names could allow execution of arbitrary code, as reported by Chris Weber of Casaba Security
- Fixed an issue where scripts can run on the feed subscription page, as reported by Inferno
Securityfocus reports:
cTorrent and dTorrent are prone to a remote buffer-overflow vulnerability because the software fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Successful exploits allow remote attackers to execute arbitrary machine code in the context of a vulnerable application. Failed exploit attempts will likely result in denial-of-service conditions.
Mozilla Foundation reports:
MFSA 2009-64 Crashes with evidence of memory corruption (rv:1.9.1.4/ 1.9.0.15)
MFSA 2009-63 Upgrade media libraries to fix memory safety bugs
MFSA 2009-62 Download filename spoofing with RTL override
MFSA 2009-61 Cross-origin data theft through document.getSelection()
MFSA 2009-59 Heap buffer overflow in string to number conversion
MFSA 2009-57 Chrome privilege escalation in XPCVariant::VariantDataToJS()
MFSA 2009-56 Heap buffer overflow in GIF color map parser
MFSA 2009-55 Crash in proxy auto-configuration regexp parsing
MFSA 2009-54 Crash with recursive web-worker calls
MFSA 2009-53 Local downloaded file tampering
MFSA 2009-52 Form history vulnerable to stealing
SecurityFocus reports:
ELinks is prone to an off-by-one buffer-overflow vulnerability because the application fails to accurately reference the last element of a buffer.
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
SquidGuard website reports:
Patch 20091015 fixes one buffer overflow problem in sgLog.c when overlong URLs are requested. SquidGuard will then go into emergency mode were no blocking occurs. This is not required in this situation.
Patch 20091019 fixes two bypass problems with URLs which length is close to the limit defined by MAX_BUF (default: 4096) in squidGuard and MAX_URL (default: 4096 in squid 2.x and 8192 in squid 3.x) in squid. For this kind of URLs the proxy request exceeds MAX_BUF causing squidGuard to complain about not being able to parse the squid request. Increasing the buffer limit to be higher than the one defined in MAX_URL solves the issue.
SecurityFocus reports:
Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user's system.
1) Multiple integer overflows in "SplashBitmap::SplashBitmap()" can be exploited to cause heap-based buffer overflows.
2) An integer overflow error in "ObjectStream::ObjectStream()" can be exploited to cause a heap-based buffer overflow.
3) Multiple integer overflows in "Splash::drawImage()" can be exploited to cause heap-based buffer overflows.
4) An integer overflow error in "PSOutputDev::doImageL1Sep()" can be exploited to cause a heap-based buffer overflow when converting a PDF document to a PS file.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code by tricking a user into opening a specially crafted PDF file.
Django project reports:
Django's forms library includes field types which perform regular-expression-based validation of email addresses and URLs. Certain addresses/URLs could trigger a pathological performance case in these regular expression, resulting in the server process/thread becoming unresponsive, and consuming excessive CPU over an extended period of time. If deliberately triggered, this could result in an effectively denial-of-service attack.
phpMyAdmin Team reports:
Cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via a crafted MySQL table name.
SQL injection vulnerability allows remote attackers to inject SQL via various interface parameters of the PDF schema generator feature.
Vendor reports
Security Enhancements and Fixes in PHP 5.2.11: Fixed certificate validation inside php_openssl_apply_verification_policy. Fixed sanity check for the color index in imagecolortransparent. Added missing sanity checks around exif processing. Fixed bug 44683 popen crashes when an invalid mode is passed.
Sun reports:
A security vulnerability in the VBoxNetAdpCtl configuration tool for certain Sun VirtualBox 3.0 packages may allow local unprivileged users who are authorized to run VirtualBox to execute arbitrary commands with root privileges.
Due to the interaction between devfs and VFS, a race condition exists where the kernel might dereference a NULL pointer.
Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code with user privileges on the target system.
An errata note, FreeBSD-EN-09:05.null has been released simultaneously to this advisory, and contains a kernel patch implementing a workaround for a more broad class of vulnerabilities. However, prior to those changes, no workaround is available.
A race condition exists in the pipe close() code relating to kqueues, causing use-after-free for kernel memory, which may lead to an exploitable NULL pointer vulnerability in the kernel, kernel memory corruption, and other unpredictable results.
Successful exploitation of the race condition can lead to local kernel privilege escalation, kernel data corruption and/or crash.
To exploit this vulnerability, an attacker must be able to run code on the target system.
An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to this advisory, and contains a kernel patch implementing a workaround for a more broad class of vulnerabilities. However, prior to those changes, no workaround is available.
mybb team reports:
Input passed via avatar extensions is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by uploading specially named avatars.
The script allows to sign up with usernames containing zero width space characters, which can be exploited to e.g. conduct spoofing attacks.
Drupal Team reports:
The core OpenID module does not correctly implement Form API for the form that allows one to link user accounts with OpenID identifiers. A malicious user is therefore able to use cross site request forgeries to add attacker controlled OpenID identities to existing accounts. These OpenID identities can then be used to gain access to the affected accounts.
The OpenID module is not a compliant implementation of the OpenID Authentication 2.0 specification. An implementation error allows a user to access the account of another user when they share the same OpenID 2.0 provider.
File uploads with certain extensions are not correctly processed by the File API. This may lead to the creation of files that are executable by Apache. The .htaccess that is saved into the files directory by Drupal should normally prevent execution. The files are only executable when the server is configured to ignore the directives in the .htaccess file.
Drupal doesn't regenerate the session ID when an anonymous user follows the one time login link used to confirm email addresses and reset forgotten passwords. This enables a malicious user to fix and reuse the session id of a victim under certain circumstances.
Firewall Builder release notes reports:
Vadim Kurland (vadim.kurland@fwbuilder.org) reports:
Fwbuilder and libfwbuilder 3.0.4 through to 3.0.6 generate iptables scripts with a security issue when also used to generate static routing configurations.
A Bugzilla Security Advisory reports:
- It is possible to inject raw SQL into the Bugzilla database via the "Bug.create" and "Bug.search" WebService functions.
- When a user would change his password, his new password would be exposed in the URL field of the browser if he logged in right after changing his password.
The Horde team reports:
An error within the form library when handling image form fields can be exploited to overwrite arbitrary local files.
An error exists within the MIME Viewer library when rendering unknown text parts. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed.
The preferences system does not properly sanitise numeric preference types. This can be exploited to execute arbitrary HTML and script code in a user's browser session in contact of an affected site.
nginx development team reports:
A segmentation fault might occur in worker process while specially crafted request handling.
The IkiWiki development team reports:
IkiWikis teximg plugin's blacklisting of insecure TeX commands is insufficient; it can be bypassed and used to read arbitrary files.
Olly Betts reports:
There's a cross-site scripting issue in Omega - exception messages don't currently get HTML entities escaped, but can contain CGI parameter values in some cases.
Mozilla Foundation reports:
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-48 Insufficient warning for PKCS11 module installation and removal
MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)
The Cyrus IMAP Server ChangeLog states:
Fixed CERT VU#336053 - Potential buffer overflow in Sieve.
SILC Changlog reports:
An unspecified format string vulnerability exists in silc-toolkit.
Opera Team Reports:
- Issue where sites using revoked intermediate certificates might be shown as secure
- Issue where the collapsed address bar didn't show the current domain
- Issue where pages could trick users into uploading files
- Some IDNA characters not correctly displaying in the address bar
- Issue where Opera accepts nulls and invalid wild-cards in certificates
Simon Kelley reports:
Fix security problem which allowed any host permitted to do TFTP to possibly compromise dnsmasq by remote buffer overflow when TFTP enabled.
Fix a problem which allowed a malicious TFTP client to crash dnsmasq.
Apache ChangeLog reports:
CVE-2009-1891: Fix a potential Denial-of-Service attack against mod_deflate or other modules.
CVE-2009-1195: Prevent the "Includes" Option from being enabled in an .htaccess file if the AllowOverride restrictions do not permit it.
CVE-2009-1890: Fix a potential Denial-of-Service attack against mod_proxy in a reverse proxy configuration.
CVE-2009-1191: mod_proxy_ajp: Avoid delivering content from a previous request which failed to send a request body.
CVE-2009-0023, CVE-2009-1955, CVE-2009-1956: The bundled copy of the APR-util library has been updated, fixing three different security issues which may affect particular configurations and third-party modules (was already fixed in 2.2.11_5).
Secunia reports:
A vulnerability has been reported in Pidgin, which can be exploited by malicious people to potentially compromise a user's system.
The vulnerability is caused due to an error in the "msn_slplink_process_msg()" function when processing MSN SLP messages and can be exploited to corrupt memory.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in versions 2.5.8 and prior. Other versions may also be affected.
SecurityFocus reports:
GnuTLS is prone to multiple remote vulnerabilities:
- A remote code-execution vulnerability.
- A denial-of-service vulnerability.
- A signature-generation vulnerability.
- A signature-verification vulnerability.
An attacker can exploit these issues to potentially execute arbitrary code, trigger denial-of-service conditions, carry out attacks against data signed with weak signatures, and cause clients to accept expired or invalid certificates from servers.
GnuTLS reports:
By using a NUL byte in CN/SAN fields, it was possible to fool GnuTLS into 1) not printing the entire CN/SAN field value when printing a certificate and 2) cause incorrect positive matches when matching a hostname against a certificate.
Secunia reports:
A weakness has been reported in memcached, which can be exploited by malicious people to disclose system information.
The weakness is caused due to the application disclosing the content of /proc/self/maps if a stats maps command is received. This can be exploited to disclose e.g. the addresses of allocated memory regions.
WordPress reports:
A specially crafted URL could be requested that would allow an attacker to bypass a security check to verify a user requested a password reset. As a result, the first account without a key in the database (usually the admin account) would have its password reset and a new password would be emailed to the account owner.
Matthias Andree reports:
Moxie Marlinspike demonstrated in July 2009 that some CAs would sign certificates that contain embedded NUL characters in the Common Name or subjectAltName fields of ITU-T X.509 certificates.
Applications that would treat such X.509 strings as NUL-terminated C strings (rather than strings that contain an explicit length field) would only check the part up to and excluding the NUL character, so that certificate names such as www.good.example\0www.bad.example.com would be mistaken as a certificate name for www.good.example. fetchmail also had this design and implementation flaw.
Joomla! Security Center reports:
In com_mailto, it was possible to bypass timeout protection against sending automated emails.
A Subversion Security Advisory reports:
Subversion clients and servers have multiple heap overflow issues in the parsing of binary deltas. This is related to an allocation vulnerability in the APR library used by Subversion.
Clients with commit access to a vulnerable server can cause a remote heap overflow; servers can cause a heap overflow on vulnerable clients that try to do a checkout or update.
This can lead to a DoS (an exploit has been tested) and to arbitrary code execution (no exploit tested, but the possibility is clear).
A Bugzilla Security Advisory reports:
Normally, users are only supposed to see products that they can file bugs against in the "Product" drop-down on the bug-editing page. Instead, users were being shown all products, even those that they normally could not see. Any user who could edit any bug could see all product names.
Mozilla Project reports:
MFSA 2009-38: Data corruption with SOCKS5 reply containing DNS name longer than 15 characters
MFSA 2009-42: Compromise of SSL-protected communication
MFSA 2009-43: Heap overflow in certificate regexp parsing
MFSA 2009-44: Location bar and SSL indicator spoofing via window.open() on invalid URL
MFSA 2009-45: Crashes with evidence of memory corruption (rv:1.9.1.2/1.9.0.13)
MFSA 2009-46: Chrome privilege escalation due to incorrectly cached wrapper
SILC changelog reports:
An unspecified format string vulnerability exists in silc-client.
The SquirrelMail Web Server has been compromised, and three plugins are affected.
The port of squirrelmail-sasql-plugin is safe (right MD5), and change_pass is not in the FreeBSD ports tree, but multilogin has a wrong MD5.
When named(8) receives a specially crafted dynamic update message an internal assertion check is triggered which causes named(8) to exit.
To trigger the problem, the dynamic update message must contains a record of type "ANY" and at least one resource record set (RRset) for this fully qualified domain name (FQDN) must exist on the server.
An attacker which can send DNS requests to a nameserver can cause it to exit, thus creating a Denial of Service situation.
No generally applicable workaround is available, but some firewalls may be able to prevent nsupdate DNS packets from reaching the nameserver.
NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT sufficient to protect it from this vulnerability.
Secunia reports:
A security issue has been reported in Mono, which can be exploited by malicious people to conduct spoofing attacks.
The security issue is caused due to an error when processing certain XML signatures.
Squid security advisory 2009:2 reports:
Due to incorrect buffer limits and related bound checks Squid is vulnerable to a denial of service attack when processing specially crafted requests or responses.
Due to incorrect data validation Squid is vulnerable to a denial of service attack when processing specially crafted responses.
These problems allow any trusted client or external server to perform a denial of service attack on the Squid service.
Squid-2.x releases are not affected.
Mozilla Project reports:
Firefox user zbyte reported a crash that we determined could result in an exploitable memory corruption problem. In certain cases after a return from a native function, such as escape(), the Just-in-Time (JIT) compiler could get into a corrupt state. This could be exploited by an attacker to run arbitrary code such as installing malware.
This vulnerability does not affect earlier versions of Firefox which do not support the JIT feature.
US-CERT reports:
The ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.
The Drupal Security Team reports:
Cross-site scripting
The Forum module does not correctly handle certain arguments obtained from the URL. By enticing a suitably privileged user to visit a specially crafted URL, a malicious user is able to insert arbitrary HTML and script code into forum pages. Such a cross-site scripting attack may lead to the malicious user gaining administrative access. Wikipedia has more information about cross-site scripting (XSS).
User signatures have no separate input format, they use the format of the comment with which they are displayed. A user will no longer be able to edit a comment when an administrator changes the comment's input format to a format that is not accessible to the user. However they will still be able to modify their signature, which will then be processed by the new input format.
If the new format is very permissive, via their signature, the user may be able to insert arbitrary HTML and script code into pages or, when the PHP filter is enabled for the new format, execute PHP code. This issue affects Drupal 6.x only.
When an anonymous user fails to login due to mistyping his username or password, and the page he is on contains a sortable table, the (incorrect) username and password are included in links on the table. If the user visits these links the password may then be leaked to external sites via the HTTP referer.
In addition, if the anonymous user is enticed to visit the site via a specially crafted URL while the Drupal page cache is enabled, a malicious user might be able to retrieve the (incorrect) username and password from the page cache.
nfsen reports:
Due to double input checking, a remote command execution security bug exists in all NfSen versions 1.3 and 1.3.1. Users are requested to update to nfsen-1.3.2.
The phpMyAdmin project reports:
It was possible to conduct an XSS attack via a crafted SQL bookmark.
All 3.x releases on which the "bookmarks" feature is active are affected, previous versions are not.
Secunia reports:
A vulnerability has been reported in Nagios, which can be exploited by malicious users to potentially compromise a vulnerable system.
Input passed to the "ping" parameter in statuswml.cgi is not properly sanitised before being used to invoke the ping command. This can be exploited to inject and execute arbitrary shell commands.
Successful exploitation requires access to the ping feature of the WAP interface.
The Tor Project reports:
A malicious exit relay could convince a controller that the client's DNS question resolves to an internal IP address.
Secunia reports:
Some vulnerabilities have been reported in Cscope, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerabilities are caused due to various boundary errors, which can be exploited to cause buffer overflows when parsing specially crafted files or directories.
SecurityFocus reports:
Attackers may leverage this issue to execute arbitrary code in the context of the application. Failed attacks will cause denial-of-service conditions.
Secunia reports:
Some vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct script insertion attacks and by malicious people to conduct cross-site scripting attacks.
Certain unspecified input is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site when the malicious data is displayed.
Certain unspecified input passed to the user view of the com_users core component is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Input passed via certain parameters to the "JA_Purity" template is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Secunia reports:
Some vulnerabilities and weaknesses have been reported in Pidgin, which can be exploited by malicious people to cause a DoS or to potentially compromise a user's system.
A truncation error in the processing of MSN SLP messages can be exploited to cause a buffer overflow.
A boundary error in the XMPP SOCKS5 "bytestream" server when initiating an outgoing file transfer can be exploited to cause a buffer overflow.
A boundary error exists in the implementation of the "PurpleCircBuffer" structure. This can be exploited to corrupt memory and cause a crash via specially crafted XMPP or Sametime packets.
A boundary error in the "decrypt_out()" function can be exploited to cause a stack-based buffer overflow with 8 bytes and crash the application via a specially crafted QQ packet.
SecurityFocus reports:
Git is prone to a denial-of-service vulnerability because it fails to properly handle some client requests.
Attackers can exploit this issue to cause a daemon process to enter an infinite loop. Repeated exploits may consume excessive system resources, resulting in a denial of service condition.
The official ruby site reports:
A denial of service (DoS) vulnerability was found on the BigDecimal standard library of Ruby. Conversion from BigDecimal objects into Float numbers had a problem which enables attackers to effectively cause segmentation faults.
An attacker can cause a denial of service by causing BigDecimal to parse an insanely large number, such as:
BigDecimal("9E69999999").to_s("F")
Mozilla Foundation reports:
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-31 XUL scripts bypass content-policy checks
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-25 URL spoofing with invalid unicode characters
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
Secunia reports:
Some vulnerabilities have been reported in APR-util, which can be exploited by malicious users and malicious people to cause a DoS (Denial of Service).
A vulnerability is caused due to an error in the processing of XML files and can be exploited to exhaust all available memory via a specially crafted XML file containing a predefined entity inside an entity definition.
A vulnerability is caused due to an error within the "apr_strmatch_precompile()" function in strmatch/apr_strmatch.c, which can be exploited to crash an application using the library.
RedHat reports:
A single NULL byte buffer overflow flaw was found in apr-util's apr_brigade_vprintf() function.
DokuWiki reports:
A security hole was discovered which allows an attacker to include arbitrary files located on the attacked DokuWiki installation. The included file is executed in the PHP context. This can be escalated by introducing malicious code through uploading file via the media manager or placing PHP code in editable pages.
Secunia reports:
Some vulnerabilities have been reported in OpenSSL, which can be exploited by malicious people to cause a DoS.
The library does not limit the number of buffered DTLS records with a future epoch. This can be exploited to exhaust all available memory via specially crafted DTLS packets.
An error when processing DTLS messages can be exploited to exhaust all available memory by sending a large number of out of sequence handshake messages.
Secunia reports:
The vulnerability is caused due to an error in the processing of private messages within the server module (/mod/server.mod/servrmsg.c). This can be exploited to cause a crash by sending a specially crafted message to the bot.
Secunia reports:
A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS.
The vulnerability is caused due to an error in the PCNFSD dissector and can be exploited to cause a crash via a specially crafted PCNFSD packet.
Secunia reports:
Two vulnerabilities have been reported in libsndfile, which can be exploited by malicious people to compromise an application using the library.
A boundary error exists within the "voc_read_header()" function in src/voc.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted VOC file.
A boundary error exists within the "aiff_read_header()" function in src/aiff.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted AIFF file.
Secunia reports:
A security issue has been reported in SLiM, which can be exploited by malicious, local users to disclose sensitive information.
The security issue is caused due to the application generating the X authority file by passing the X authority cookie via the command line to "xauth". This can be exploited to disclose the X authority cookie by consulting the process list and e.g. gain access the user's display.
US-CERT reports:
ntpd contains a stack buffer overflow which may allow a remote unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.
SecurityFocus reports:
University of Washington IMAP c-client is prone to a remote format-string vulnerability because the software fails to adequately sanitize user-supplied input before passing it as the format-specifier to a formatted-printing function.
NLnet Labs:
A one-byte buffer overflow has been reported in NSD. The problem affects all versions 2.0.0 to 3.2.1. The bug allows a carefully crafted exploit to bring down your DNS server. It is highly unlikely that this one byte overflow can lead to other (system) exploits.
xine developers report:
- Fix another possible int overflow in the 4XM demuxer. (ref. TKADV2009-004, CVE-2009-0385)
- Fix an integer overflow in the Quicktime demuxer.
Multiple vulnerabilities were fixed in libxine 1.1.16.2.
Tobias Klein reports:
FFmpeg contains a type conversion vulnerability while parsing malformed 4X movie files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of FFmpeg or an application using the FFmpeg library.
Note: A similar issue also affects xine-lib < version 1.1.16.2.
xine developers report:
- Fix broken size checks in various input plugins (ref. CVE-2008-5239).
- More malloc checking (ref. CVE-2008-5240).
securityfocus research reports:
A bug that leads to the emptying of the INI file contents if the database key was not found exists in PHP dba extension in versions 5.2.6, 4.4.9 and earlier.
Function dba_replace() are not filtering strings key and value. There is a possibility for the destruction of the file.
Secunia reports:
A vulnerability has been reported in libwmf, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.
The vulnerability is caused due to a use-after-free error within the embedded GD library, which can be exploited to cause a crash or potentially to execute arbitrary code via a specially crafted WMF file.
Secunia reports:
infamous41md has reported a vulnerability in libwmf, which potentially can be exploited by malicious people to compromise an application using the vulnerable library.
The vulnerability is caused due to an integer overflow error when allocating memory based on a value taken directly from a WMF file without performing any checks. This can be exploited to cause a heap-based buffer overflow when a specially crafted WMF file is processed.
Secunia reports:
Input passed via multiple parameters to action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Secunia reports:
Certain input passed to the "Apache::Status" and "Apache2::Status" modules is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website.
The Drupal Security Team reports:
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the <meta http-equiv="Content-Type" /> tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This enables attackers to execute cross site scripting attacks with UTF-7. SA-CORE-2009-005 - Drupal core - Cross site scripting contained an incomplete fix for the issue. HTML exports of books are still vulnerable, which means that anyone with edit permissions for pages in outlines is able to insert arbitrary HTML and script code in these exports.
Additionally, the taxonomy module allows users with the 'administer taxonomy' permission to inject arbitrary HTML and script code in the help text of any vocabulary.
US-CERT reports:
The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.
Secunia reports:
Some vulnerabilities have been reported in MoinMoin, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Certain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
SecurityFocus reports:
Ghostscript is prone to a remote buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before copying it into a finite-sized buffer.
Exploiting this issue allows remote attackers to overwrite a sensitive memory buffer with arbitrary data, potentially allowing them to execute malicious machine code in the context of the affected application. This vulnerability may facilitate the compromise of affected computers.
oCERT reports:
Pango suffers from a multiplicative integer overflow which may lead to a potentially exploitable, heap overflow depending on the calling conditions.
For example, this vulnerability is remotely reachable in Firefox by creating an overly large document.location value but only results in a process-terminating, allocation error (denial of service).
The affected function is pango_glyph_string_set_size. An overflow check when doubling the size neglects the overflow possible on the subsequent allocation.
Wireshark team reports:
Wireshark 1.0.7 fixes the following vulnerabilities:
- The PROFINET dissector was vulnerable to a format string overflow. (Bug 3382) Versions affected: 0.99.6 to 1.0.6, CVE-2009-1210.
- The Check Point High-Availability Protocol (CPHAP) dissector could crash. (Bug 3269) Versions affected: 0.9.6 to 1.0.6; CVE-2009-1268.
- Wireshark could crash while loading a Tektronix .rf5 file. (Bug 3366) Versions affected: 0.99.6 to 1.0.6, CVE-2009-1269.
Gentoo security team summarizes:
The following issues were reported in CUPS:
- iDefense reported an integer overflow in the _cupsImageReadTIFF() function in the "imagetops" filter, leading to a heap-based buffer overflow (CVE-2009-0163).
- Aaron Siegel of Apple Product Security reported that the CUPS web interface does not verify the content of the "Host" HTTP header properly (CVE-2009-0164).
- Braden Thomas and Drew Yao of Apple Product Security reported that CUPS is vulnerable to CVE-2009-0146, CVE-2009-0147 and CVE-2009-0166, found earlier in xpdf and poppler.
A remote attacker might send or entice a user to send a specially crafted print job to CUPS, possibly resulting in the execution of arbitrary code with the privileges of the configured CUPS user -- by default this is "lp", or a Denial of Service. Furthermore, the web interface could be used to conduct DNS rebinding attacks.
The function ASN1_STRING_print_ex does not properly validate the lengths of BMPString or UniversalString objects before attempting to print them.
An application which attempts to print a BMPString or UniversalString which has an invalid length will crash as a result of OpenSSL accessing invalid memory locations. This could be used by an attacker to crash a remote application.
No workaround is available, but applications which do not use the ASN1_STRING_print_ex function (either directly or indirectly) are not affected.
Debian Security Team reports:
It was discovered that Quagga, an IP routing daemon, could no longer process the Internet routing table due to broken handling of multiple 4-byte AS numbers in an AS path. If such a prefix is received, the BGP daemon crashes with an assert failure leading to a denial of service.
Secunia reports:
A vulnerability has been reported in Openfire which can be exploited by malicious users to bypass certain security restrictions. The vulnerability is caused due to Openfire not properly respecting the no password changes setting which can be exploited to change passwords by sending jabber:iq:auth passwd_change requests to the server.
Drupal Security Team reports:
When outputting user-supplied data Drupal strips potentially dangerous HTML attributes and tags or escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are valid in the UTF-8 specification are potentially dangerous when interpreted as UTF-7. Internet Explorer 6 and 7 may decode these characters as UTF-7 if they appear before the meta http-equiv="Content-Type" tag that specifies the page content as UTF-8, despite the fact that Drupal also sends a real HTTP header specifying the content as UTF-8. This behaviour enables malicious users to insert and execute Javascript in the context of the website if site visitors are allowed to post content.
In addition, Drupal core also has a very limited information disclosure vulnerability under very specific conditions. If a user is tricked into visiting the site via a specially crafted URL and then submits a form (such as the search box) from that page, the information in their form submission may be directed to a third-party site determined by the URL and thus disclosed to the third party. The third party site may then execute a CSRF attack against the submitted form.
Mozilla Foundation reports:
MFSA 2009-22: Firefox allows Refresh header to redirect to javascript: URIs
MFSA 2009-21: POST data sent to wrong site when saving web page with embedded frame
MFSA 2009-20: Malicious search plugins can inject code into arbitrary sites
MFSA 2009-19: Same-origin violations in XMLHttpRequest and XPCNativeWrapper.toString
MFSA 2009-18: XSS hazard using third-party stylesheets and XBL bindings
MFSA 2009-17: Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-16: jar: scheme ignores the content-disposition: header on the inner URI
MFSA 2009-15: URL spoofing with box drawing character
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)
Secunia reports:
Some vulnerabilities have been reported in Poppler which can be exploited by malicious people to potentially compromise an application using the library.
Secunia reports:
Some vulnerabilities have been reported in Xpdf, which can be exploited by malicious people to potentially compromise a user's system.
A boundary error exists when decoding JBIG2 symbol dictionary segments. This can be exploited to cause a heap-based buffer overflow and potentially execute arbitrary code.
Multiple integer overflows in the JBIG2 decoder can be exploited to potentially execute arbitrary code.
Multiple boundary errors in the JBIG2 decoder can be exploited to cause buffer overflows and potentially execute arbitrary code.
Multiple errors in the JBIG2 decoder can be exploited can be exploited to free arbitrary memory and potentially execute arbitrary code.
Multiple unspecified input validation errors in the JBIG2 decoder can be exploited to potentially execute arbitrary code.
Secunia reports:
Some vulnerabilities have been reported in FreeType, which can be exploited by malicious people to potentially compromise an application using the library.
An integer overflow error within the "cff_charset_compute_cids()" function in cff/cffload.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font.
Multiple integer overflow errors within validation functions in sfnt/ttcmap.c can be exploited to bypass length validations and potentially cause buffer overflows via specially crafted fonts.
An integer overflow error within the "ft_smooth_render_generic()" function in smooth/ftsmooth.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font.
SecurityFocus reports:
The ejabberd application is prone to a cross-site scripting vulnerability.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials.
Ziproxy Developers reports:
Multiple HTTP proxy implementations are prone to an information-disclosure vulnerability related to the interpretation of the 'Host' HTTP header. Specifically, this issue occurs when the proxy makes a forwarding decision based on the 'Host' HTTP header instead of the destination IP address.
Attackers may exploit this issue to obtain sensitive information such as internal intranet webpages. Additional attacks may also be possible.
phpMyAdmin Team reports:
Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file. Combined with ability to save files on server, this can allow unauthenticated users to execute arbitrary PHP code. This issue is on different parameters than PMASA-2009-3 and it was missed out of our radar because it was not existing in 2.11.x branch.
Drupal CCK plugin developer reports:
The Node reference and User reference sub-modules, which are part of the Content Construction Kit (CCK) project, lets administrators define node fields that are references to other nodes or to users. When displaying a node edit form, the titles of candidate referenced nodes or names of candidate referenced users are not properly filtered, allowing malicious users to inject arbitrary code on those pages. Such a cross site scripting (XSS) attack may lead to a malicious user gaining full administrative access.
Secunia reports:
A vulnerability has been discovered in Pivot, which can be exploited by malicious people to delete certain files.
Input passed to the "refkey" parameter in extensions/bbclone_tools/count.php is not properly sanitised before being used to delete files. This can be exploited to delete files with the permissions of the web server via directory traversal sequences passed within the "refkey" parameter.
NOTE: Users with the "Advanced" user level are able to include and execute uploaded PHP code via the "pivot_path" parameter in extensions/bbclone_tools/getkey.php when extensions/bbclone_tools/hr_conf.php can be deleted.
phpMyAdmin reports:
Setup script used to generate configuration can be fooled using a crafted POST request to include arbitrary PHP code in generated configuration file.
Secunia reports:
Tobias Klein has reported some vulnerabilities in Amarok, which potentially can be exploited by malicious people to compromise a user's system.
Two integer overflow errors exist within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp. These can be exploited to cause heap-based buffer overflows via specially crafted Audible Audio files.
Two errors within the "Audible::Tag::readTag()" function in src/metadata/audible/audibletag.cpp can be exploited to corrupt arbitrary memory via specially crafted Audible Audio files.
Vendor reports:
On non-Windows systems Wireshark could crash if the HOME environment variable contained sprintf-style string formatting characters. Wireshark could crash while reading a malformed NetScreen snoop file. Wireshark could crash while reading a Tektronix K12 text capture file.
Secunia reports:
A vulnerability has been reported in Netatalk, which potentially can be exploited by malicious users to compromise a vulnerable system.
The vulnerability is caused due to the papd daemon improperly sanitising several received parameters before passing them in a call to popen(). This can be exploited to execute arbitrary commands via a specially crafted printing request.
Successful exploitation requires that a printer is configured to pass arbitrary values as parameters to a piped command.
Secunia reports:
Tobias Klein has reported some vulnerabilities in GStreamer Good Plug-ins, which can potentially be exploited by malicious people to compromise a vulnerable system.
A boundary error occurs within the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "ctts" Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file.
An array indexing error exists in the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "stss" Atom parsing. This can be exploited to corrupt memory via a specially crafted QuickTime media file.
A boundary error occurs within the "qtdemux_parse_samples()" function in gst/gtdemux/qtdemux.c when performing QuickTime "stts" Atom parsing. This can be exploited to cause a heap-based buffer overflow via a specially crafted QuickTime media file.
Secunia reports:
The vulnerability is caused due to an integer overflow error in the processing of CAF description chunks. This can be exploited to cause a heap-based buffer overflow by tricking the user into processing a specially crafted CAF audio file.
Secunia reports:
Tobias Klein has reported a vulnerability in FFmpeg, which potentially can be exploited by malicious people to compromise an application using the library.
The vulnerability is caused due to a signedness error within the "fourxm_read_header()" function in libavformat/4xm.c. This can be exploited to corrupt arbitrary memory via a specially crafted 4xm file.
Secunia reports:
Some vulnerabilities have been reported in RoundCube Webmail, which can be exploited by malicious users to compromise a vulnerable system and by malicious people to conduct script insertion attacks and compromise a vulnerable system.
The HTML "background" attribute within e.g. HTML emails is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if a malicious email is viewed.
Input passed via a vCard is not properly sanitised before being used in a call to "preg_replace()" with the "e" modifier in program/include/rcube_vcard.php. This can be exploited to inject and execute arbitrary PHP code by e.g. tricking a user into importing a malicious vCard file.
Secunia reports:
Some vulnerabilities have been reported in ProFTPD, which can be exploited by malicious people to conduct SQL injection attacks.
The application improperly sets the character encoding prior to performing SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code in an environment using a multi-byte character encoding.
An error exists in the "mod_sql" module when processing e.g. user names containing '%' characters. This can be exploited to bypass input sanitation routines and manipulate SQL queries by injecting arbitrary SQL code.
Secunia reports:
Some vulnerabilities have been reported in the ZABBIX PHP frontend, which can be exploited by malicious people to conduct cross-site request forgery attacks and malicious users to disclose sensitive information and compromise a vulnerable system.
Input appended to and passed via the "extlang" parameter to the "calc_exp2()" function in include/validate.inc.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary PHP code.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. create users by enticing a logged in administrator to visit a malicious web page.
Input passed to the "srclang" parameter in locales.php (when "next" is set to a non-NULL value) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
SecurityFocus reports:
PHP is prone to a buffer-overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The issue affects the 'mbstring' extension included in the standard distribution.
An attacker can exploit this issue to execute arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the webserver, denying service to legitimate users.
Secunia reports:
Dun has discovered a vulnerability in phpPgAdmin, which can be exploited by malicious people to disclose sensitive information.
Input passed via the "_language" parameter to libraries/lib.inc.php is not properly sanitised before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.
Opera Team reports:
An unspecified error in the processing of JPEG images can be exploited to trigger a memory corruption.
An error can be exploited to execute arbitrary script code in a different domain via unspecified plugins.
An unspecified error has a "moderately severe" impact. No further information is available.
CVE Mitre reports:
Untrusted search path vulnerability in the Python interface in Epiphany 2.22.3, and possibly other versions, allows local users to execute arbitrary code via a Trojan horse Python file in the current working directory, related to a vulnerability in the PySys_SetArgv function (CVE-2008-5983).
CVE Mitre reports:
Cross-site scripting (XSS) vulnerability in proxy_ftp.c in the mod_proxy_ftp module in Apache 2.0.63 and earlier, and mod_proxy_ftp.c in the mod_proxy_ftp module in Apache 2.2.9 and earlier 2.2 versions, allows remote attackers to inject arbitrary web script or HTML via a wildcard in the last directory component in the pathname in an FTP URI.
Secunia reports:
A vulnerability has been reported in Pngcrush, which can be exploited by malicious people to potentially compromise a user's system.
The vulnerability is caused due to the use of vulnerable libpng code.
Secunia reports:
The security issue is caused due to cURL following HTTP Location: redirects to e.g. scp:// or file:// URLs which can be exploited by a malicious HTTP server to overwrite or disclose the content of arbitrary local files and potentially execute arbitrary commands via specially crafted redirect URLs.
Matthew Weier O'Phinney reports:
A potential Local File Inclusion (LFI) vulnerability exists in the Zend_View::render() method. If user input is used to specify the script path, then it is possible to trigger the LFI.
Note that Zend Framework applications that never call the Zend_View::render() method with a user-supplied parameter are not affected by this vulnerability.
Security Focus reports:
An attacker could exploit this issue by enticing an unsuspecting victim to execute the vulnerable application in a directory containing a malicious Python file. A successful exploit will allow arbitrary Python commands to run within the privileges of the currently logged-in user.
Dwayne C. Litzenberger reports:
pycrypto is exposed to a buffer overflow issue because it fails to adequately verify user-supplied input. This issue resides in the ARC2 module. This issue can be triggered with specially crafted ARC2 keys in excess of 128 bytes.
SecurityFocus reports:
Varnish is prone to a remote denial-of-service vulnerability because the application fails to handle certain HTTP requests.
Successfully exploiting this issue allows remote attackers to crash the affected application denying further service to legitimate users.
Secunia reports:
Some vulnerabilities have been reported in Tor, where one has an unknown impact and others can be exploited by malicious people to cause a DoS.
An error when running Tor as a directory authority can be exploited to trigger the execution of an infinite loop.
An unspecified error exists when running on Windows systems prior to Windows XP. No further information is currently available.
Mozilla Foundation reports:
MFSA 2009-06: Directives to not cache pages ignored
MFSA 2009-05: XMLHttpRequest allows reading HTTPOnly cookies
MFSA 2009-04: Chrome privilege escalation via local .desktop files
MFSA 2009-03: Local file stealing with SessionStore
MFSA 2009-02: XSS using a chrome XBL method and window.eval
MFSA 2009-01: Crashes with evidence of memory corruption (rv:1.9.0.6)
znirkel reports:
The eval() function in _reset_post_array crashes when posting certain data. By passing in carefully-crafted input data, the eval() function could also execute malicious PHP code.
Note that CodeIgniter applications that either do not use the new Form Validation class or use the old Validation class are not affected by this vulnerability.
Security Focus reports:
PyBlosxom is prone to multiple XML-injection vulnerabilities because the application fails to properly sanitize user-supplied input before using it in dynamically generated content.
Attacker-supplied XML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible.
Secunia reports:
Some vulnerabilities have been reported in Typo3, which can be exploited by malicious people to conduct cross-site scripting attacks and disclose sensitive information.
Input passed via unspecified fields to the backend user interface is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
An error in the "jumpUrl" mechanism can be exploited to read arbitrary files from local resources by disclosing a hash secret used to restrict file access.
Secunia reports:
A boundary error when processing "div" HTML tags can be exploited to cause a stack-based buffer overflow via an overly long "id" parameter.
A boundary error exists when processing overly long links. This can be exploited to cause a stack-based buffer overflow by tricking the user into e.g. editing a malicious link.
A boundary error when processing e.g. a "bdo" HTML tag having an overly long "dir" attribute can be exploited to cause a stack-based buffer overflow.
A boundary error when processing "input" HTML tags can be exploited to cause a stack-based buffer overflow via an overly long e.g. "type" attribute.
Secunia reports:
Some vulnerabilities have been reported in WebSVN, which can be exploited by malicious users to disclose sensitive information, and by malicious people to conduct cross-site scripting attacks and manipulate data.
Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Input passed to the "rev" parameter in rss.php is not properly sanitised before being used. This can be exploited to overwrite arbitrary files via directory traversal attacks.
Access to restricted repositories is not properly enforced, which can be exploited to disclose potentially sensitive information by accessing the repository via "listing.php" and using the "compare with previous" and "show changed files" links.
Secunia reports:
Input passed to the "_SERVER[ConfigFile]" parameter in admin/index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.
Squid security advisory 2009:1 reports:
Due to an internal error Squid is vulnerable to a denial of service attack when processing specially crafted requests.
This problem allows any client to perform a denial of service attack on the Squid service.
Secunia reports:
Some vulnerabilities have been reported in Typo3, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting and session fixation attacks, and compromise a vulnerable system.
The "Install tool" system extension uses insufficiently random entropy sources to generate an encryption key, resulting in weak security.
The authentication library does not properly invalidate supplied session tokens, which can be exploited to hijack a user's session.
Certain unspecified input passed to the "Indexed Search Engine" system extension is not properly sanitised before being used to invoke commands. This can be exploited to inject and execute arbitrary shell commands.
Input passed via the name and content of files to the "Indexed Search Engine" system extension is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Certain unspecified input passed to the Workspace module is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Note: It is also reported that certain unspecified input passed to test scripts of the "ADOdb" system extension is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected website.
Todd Miller reports:
A bug was introduced in Sudo's group matching code in version 1.6.9 when support for matching based on the supplemental group vector was added. This bug may allow certain users listed in the sudoers file to run a command as a different user than their access rule specifies.
Drupal Team reports:
The Content Translation module for Drupal 6.x enables users to make a translation of an existing item of content (a node). In that proces the existing node's content is copied into the new node's submission form.
The module contains a flaw that allows a user with the 'translate content' permission to potentially bypass normal viewing access restrictions, for example allowing the user to see the content of unpublished nodes even if they do not have permission to view unpublished nodes.
When user profile pictures are enabled, the default user profile validation function will be bypassed, possibly allowing invalid user names or e-mail addresses to be submitted.
Secunia reports:
Paul Szabo has reported a vulnerability in Perl File::Path::rmtree, which potentially can be exploited by malicious, local users to gain escalated privileges.
The vulnerability is caused due to a race condition in the way File::Path::rmtree handles directory permissions when cleaning up directories. This can be exploited by replacing an existing sub directory in the directory tree with a symbolic link to an arbitrary file.
Successful exploitation may allow changing permissions of arbitrary files, if root uses an application using the vulnerable code to delete files in a directory having a world-writable sub directory.
Secunia reports:
Input passed to multiple parameters in action/AttachFile.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Certain input passed to security/antispam.py is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
Secunia reports:
Spike Spiegel has discovered a vulnerability in Ganglia which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the process_path function in gmetad/server.c. This can be exploited to cause a stack-based buffer overflow by e.g. sending a specially crafted message to the gmetad service.
The vulnerability is confirmed in version 3.1.1. Other versions may also be affected.
Secunia reports:
A vulnerability with an unknown impact has been reported in Tor.
The vulnerability is caused due to an unspecified error and can be exploited to trigger a heap corruption. No further information is currently available.
The GLPI project reports:
Input passed via unspecified parameters is not properly sanitised before being used in SQL queries. This can be exploited to manipulateSQL queries by injecting arbitrary SQL code.
Core Security Technologies reports:
Multiple cross-site scripting vulnerabilities have been found which may lead to arbitrary remote code execution on the server running the application due to unauthorized upload of Java plugin code.
SecurityFocus reports:
IPsec-Tools is affected by multiple remote denial-of-service vulnerabilities because the software fails to properly handle certain network packets.
A successful attack allows a remote attacker to crash the software, denying further service to legitimate users.
SecurityFocus reports:
TeamSpeak is prone to a directory-traversal vulnerability because it fails to sufficiently sanitize user-supplied input data. Exploiting the issue may allow an attacker to obtain sensitive information that could aid in further attacks.
Secunia reports:
A vulnerability has been reported in OptiPNG, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error in the BMP reader and can be exploited to cause a buffer overflow by tricking a user into processing a specially crafted file.
Successful exploitation may allow execution of arbitrary code.
Git maintainers report:
gitweb has a possible local privilege escalation bug that allows a malicious repository owner to run a command of his choice by specifying diff.external configuration variable in his repository and running a crafted gitweb query.
SecurityFocus reports:
GNUs tar and cpio utilities are prone to a denial-of-service vulnerability because of insecure use of the alloca() function.
Successfully exploiting this issue allows attackers to crash the affected utilities and possibly to execute code but this has not been confirmed.
Secunia reports:
The vulnerability is caused due to a boundary error within the "str_read_packet()" function in libavformat/psxstr.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted STR file.
Secunia reports:
A vulnerability has been reported in CGIWrap, which can be exploited by malicious people to conduct cross-site scripting attacks.
The vulnerability is caused due to the application generating error messages without specifying a charset. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation may require that the victim uses Internet Explorer or a browser based on Internet Explorer components.
securityfocus reports:
An attacker with low-level privileges may exploit this issue to bypass authorization and cause arbitrary commands to run within the context of the Nagios server. This may aid in further attacks.
Secunia reports:
Some security issues have been reported in PDFjam, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
The security issues are caused due to the "pdf90", "pdfjoin", and "pdfnup" scripts using temporary files in an insecure manner. This can be exploited to overwrite arbitrary files via symlink attacks.
securityfocus reports:
An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
Successfully mounting a symlink attack may allow the attacker to delete or corrupt sensitive files, which may result in a denial of service. Other attacks may also be possible.
Verlihub is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input.
Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
MySQL reports:
The vulnerability is caused due to an error when processing an empty bit-string literal and can be exploited to crash the server via a specially crafted SQL statement.
MySQL reports:
Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information by replacing the symbolic link points. the file to which the symlink points.
MySQL reports:
A malformed password packet in the connection protocol could cause the server to crash.
MySQL reports:
The requirement of the DROP privilege for RENAME TABLE was not enforced.
SANS reports:
The University of Washington IMAP library is a library implementing the IMAP mail protocol. University of Washington IMAP is exposed to a buffer overflow issue that occurs due to a boundary error within the rfc822_output_char function in the c-client library. The University of Washington IMAP library versions prior to 2007e are affected.
SANS reports:
University of Washington "tmail" and "dmail" are mail deliver agents. "tmail" and "dmail" are exposed to local buffer overflow issues because they fail to perform adequate boundary checks on user-supplied data.
securityfocus reports:
The 'libcdaudio' library is prone to a remote heap code in the context of an application that uses the library. Failed attacks will cause denial-of-service conditions.
A buffer-overflow in Grip occurs when the software processes a response to a CDDB query that has more than 16 matches.
To exploit this issue, an attacker must be able to influence the response to a CDDB query, either by controlling a malicious CDDB server or through some other means. Successful exploits will allow arbitrary code to run.
Some function pointers for netgraph and bluetooth sockets are not properly initialized.
A local user can cause the FreeBSD kernel to execute arbitrary code. This could be used by an attacker directly; or it could be used to gain root privilege or to escape from a jail.
No workaround is available, but systems without local untrusted users are not vulnerable. Furthermore, systems are not vulnerable if they have neither the ng_socket nor ng_bluetooth kernel modules loaded or compiled into the kernel.
Systems with the security.jail.socket_unixiproute_only sysctl set to 1 (the default) are only vulnerable if they have local untrusted users outside of jails.
If the command
# kldstat -v | grep ng_
produces no output, the system is not vulnerable.
The ftpd(8) server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command.
This could, with a specifically crafted command, be used in a cross-site request forgery attack.
FreeBSD systems running ftpd(8) server could act as a point of privilege escalation in an attack against users using web browser to access trusted FTP sites.
No workaround is available, but systems not running FTP servers are not vulnerable. Systems not running the FreeBSD ftp(8) server are not affected, but users of other ftp daemons are advised to take care since several other ftp daemons are known to have related bugs.
IPv6 routers may allow "on-link" IPv6 nodes to create and update the router's neighbor cache and forwarding information. A malicious IPv6 node sharing a common router but on a different physical segment from another node may be able to spoof Neighbor Discovery messages, allowing it to update router information for the victim node.
An attacker on a different physical network connected to the same IPv6 router as another node could redirect IPv6 traffic intended for that node. This could lead to denial of service or improper access to private network traffic.
Firewall packet filters can be used to filter incoming Neighbor Solicitation messages but may interfere with normal IPv6 operation if not configured carefully.
Reverse path forwarding checks could be used to make gateways, such as routers or firewalls, drop Neighbor Solicitation messages from nodes with unexpected source addresses on a particular interface.
IPv6 router administrators are encouraged to read RFC 3756 for further discussion of Neighbor Discovery security implications.
When the arc4random(9) random number generator is initialized, there may be inadequate entropy to meet the needs of kernel systems which rely on arc4random(9); and it may take up to 5 minutes before arc4random(9) is reseeded with secure entropy from the Yarrow random number generator.
All security-related kernel subsystems that rely on a quality random number generator are subject to a wide range of possible attacks for the 300 seconds after boot or until 64k of random data is consumed. The list includes:
* GEOM ELI providers with onetime keys. When a provider is configured in a way so that it gets attached at the same time during boot (e.g. it uses the rc subsystem to initialize) it might be possible for an attacker to recover the encrypted data.
* GEOM shsec providers. The GEOM shsec subsytem is used to split a shared secret between two providers so that it can be recovered when both of them are present. This is done by writing the random sequence to one of providers while appending the result of the random sequence on the other host to the original data. If the provider was created within the first 300 seconds after booting, it might be possible for an attacker to extract the original data with access to only one of the two providers between which the secret data is split.
* System processes started early after boot may receive predictable IDs.
* The 802.11 network stack uses arc4random(9) to generate initial vectors (IV) for WEP encryption when operating in client mode and WEP authentication challenges when operating in hostap mode, which may be insecure.
* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality random number generator to produce unpredictable IP packet identifiers, initial TCP sequence numbers and outgoing port numbers. During the first 300 seconds after booting, it may be easier for an attacker to execute IP session hijacking, OS fingerprinting, idle scanning, or in some cases DNS cache poisoning and blind TCP data injection attacks.
* The kernel RPC code uses arc4random(9) to retrieve transaction identifiers, which might make RPC clients vulnerable to hijacking attacks.
No workaround is available for affected systems.
SecurityFocus reports:
The xterm program is prone to a remote command-execution vulnerability because it fails to sufficiently validate user input.
Successfully exploiting this issue would allow an attacker to execute arbitrary commands on an affected computer in the context of the affected application.
According to CVE-2008-5498 entry:
Array index error in the "imageRotate" function in PHP 5.2.8 and earlier allows context-dependent attackers to read the contents of arbitrary memory locations via a crafted value of the third argument (aka the "bgd_color" or "clrBack" argument) for an indexed image.
Secunia reports:
Morgan Todd has discovered a vulnerability in AWStats, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed in the URL to awstats.pl is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation requires that the application is running as a CGI script.
Jan Lieskovsky reports:
perl-File-Path rmtree race condition (CVE-2005-0448 was assigned to address this)
This vulnerability was fixed in 5.8.4-7 but re-introduced in 5.8.8-1. It's also present in File::Path 2.xx, up to and including 2.07 which has only a partial fix.
Jan Minar reports:
Applying the ``D'' to a file with a crafted file name, or inside a directory with a crafted directory name, can lead to arbitrary code execution.
Lack of sanitization throughout Netrw can lead to arbitrary code execution upon opening a directory with a crafted name.
The Vim Netrw Plugin shares the FTP user name and password across all FTP sessions. Every time Vim makes a new FTP connection, it sends the user name and password of the previous FTP session to the FTP server.
CORE Security Technologies reports:
A format string error has been found on the vinagre_utils_show_error() function that can be exploited via commands issued from a malicious server containing format string specifiers on the VNC name.
In a web based attack scenario, the user would be required to connect to a malicious server. Successful exploitation would then allow the attacker to execute arbitrary code with the privileges of the Vinagre user.
Marc Schoenefeld and Steve Milner of RedHat SRT and Peter Allor of IBM ISS report:
XSS vulnerability with URLPARAM variable
SEARCH variable allows arbitrary shell command execution
Entry for CVE-2008-5619 says:
html2text.php in RoundCube Webmail (roundcubemail) 0.2-1.alpha and 0.2-3.beta allows remote attackers to execute arbitrary code via crafted input that is processed by the preg_replace function with the eval switch.
MySQL Team reports:
Additional corrections were made for the symlink-related privilege problem originally addressed. The original fix did not correctly handle the data directory pathname if it contained symlinked directories in its path, and the check was made only at table-creation time, not at table-opening time later.
A trapkit reports:
MPlayer contains a stack buffer overflow vulnerability while parsing malformed TwinVQ media files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of MPlayer.
Secunia reports:
A security issue has been reported in Ampache, which can be exploited by malicious, local users to perform certain actions with escalated privileges.
The security issue is caused due to the "gather-messages.sh" script handling temporary files in an insecure manner. This can be exploited via symlink attacks to overwrite arbitrary files with the privileges of the user running the script.
The Opera Team reports:
Manipulating certain text-area contents can cause a buffer overflow, which may be exploited to execute arbitrary code.
Certain HTML constructs can cause the resulting DOM to change unexpectedly, which triggers a crash. To inject code, additional techniques will have to be employed.
Exceptionally long host names in file: URLs can cause a buffer overflow, which may be exploited to execute arbitrary code. Remote Web pages cannot refer to file: URLs, so successful exploitation involves tricking users into manually opening the exploit URL, or a local file that refers to it.
When Opera is previewing a news feed, some scripted URLs are not correctly blocked. These can execute scripts which are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information.
Built-in XSLT templates incorrectly handle escaped content and can cause it to be treated as markup. If a site accepts content from untrusted users, which it then displays using XSLT as escaped strings, this can allow scripted markup to be injected. The scripts will then be executed in the security context of that site.
The MediaWiki development team reports:
Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Certain unspecified input related to uploads is not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when a malicious data is opened. Successful exploitation may require that uploads are enabled and the victim uses an Internet Explorer based browser.
Certain SVG scripts are not properly sanitised before being used. This can be exploited to inject arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when a malicious data is opened. Successful exploitation may require that SVG uploads are enabled and the victim uses a browser supporting SVG scripting.
The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain operations when a logged in user visits a malicious site.
The Drupal Project reports:
The update system is vulnerable to Cross site request forgeries. Malicious users may cause the superuser (user 1) to execute old updates that may damage the database.
When an input format is deleted, not all existing content on a site is updated to reflect this deletion. Such content is then displayed unfiltered. This may lead to cross site scripting attacks when harmful tags are no longer stripped from 'malicious' content that was posted earlier.
The Mozilla Foundation reports:
MFSA 2008-69 XSS vulnerabilities in SessionStore
MFSA 2008-68 XSS and JavaScript privilege escalation
MFSA 2008-67 Escaped null characters ignored by CSS parser
MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters
MFSA 2008-65 Cross-domain data theft via script redirect error message
MFSA 2008-64 XMLHttpRequest 302 response disclosure
MFSA 2008-62 Additional XSS attack vectors in feed preview
MFSA 2008-61 Information stealing via loadBindingDocument
MFSA 2008-60 Crashes with evidence of memory corruption (rv:1.9.0.5/1.8.1.19)
The phpMyAdmin Team reports:
A logged-in user can be subject of SQL injection through cross site request forgery. Several scripts in phpMyAdmin are vulnerable and the attack can be made through table parameter.
PHP Developers reports:
Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on.
Secunia reports:
A vulnerability has been reported in Wireshark, which can be exploited by malicious people to cause a DoS.
The vulnerability is caused due to an error in the SMTP dissector and can be exploited to trigger the execution of an infinite loop via a large SMTP packet.
Secunia reports:
Some vulnerabilities have been reported in PHP, where some have an unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
An input validation error exists within the "ZipArchive::extractTo()" function when extracting ZIP archives. This can be exploited to extract files to arbitrary locations outside the specified directory via directory traversal sequences in a specially crafted ZIP archive.
An error in the included PCRE library can be exploited to cause a buffer overflow.
The problem is that the "BG(page_uid)" and "BG(page_gid)" variables are not initialized. No further information is currently available.
The problem is that the "php_value" order is incorrect for Apache configurations. No further information is currently available.
An error in the GD library can be exploited to cause a crash via a specially crafted font file.
Debian reports:
Faxspool in mgetty 1.1.36 allows local users to overwrite arbitrary files via a symlink attack on a /tmp/faxsp.#### temporary file.
Secunia reports:
The security issue is caused due to an input validation error when processing script names. This can be exploited to read or modify arbitrary files having ".sieve" extensions via directory traversal attacks, with the privileges of the attacker's user id.
Secunia reports:
Input passed via the "habari_username" parameter when logging in is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Tobias Klein from TrapKit reports:
The VLC media player contains an integer overflow vulnerability while parsing malformed RealMedia (.rm) files. The vulnerability leads to a heap overflow that can be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player.
Secunia reports:
EgiX has discovered a vulnerability in Mantis, which can be exploited by malicious users to compromise a vulnerable system.
Input passed to the "sort" parameter in manage_proj_page.php is not properly sanitised before being used in a "create_function()" call. This can be exploited to execute arbitrary PHP code.
Secunia reports:
Some vulnerabilities have been reported in Mantis, which can be exploited by malicious users to compromise a vulnerable system and malicious people to conduct cross-site scripting and request forgery attacks.
Input passed to the "filter_target" parameter in return_dynamic_filters.php is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
A vulnerability is caused due to the application allowing users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. add a new user with administrative privileges by enticing a logged-in administrator to visit a malicious site.
Input passed to the "value" parameter in adm_config_set.php is not properly sanitised before being used in an "eval()" statement. This can be exploited to e.g. execute arbitrary PHP commands via a specially crafted request.
Input passed to the "language" parameter in account_prefs_update.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.
Squirrelmail team reports:
An issue was fixed that allowed an attacker to send specially- crafted hyperlinks in a message that could execute cross-site scripting (XSS) when the user viewed the message in SquirrelMail.
The OpenOffice Team reports:
A security vulnerability with the way OpenOffice 2.x process WMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now.
A security vulnerability with the way OpenOffice 2.x process EMF files may allow a remote unprivileged user who provides a StarOffice/StarSuite document that is opened by a local user to execute arbitrary commands on the system with the privileges of the user running StarOffice/StarSuite. No working exploit is known right now.
Secunia reports:
Input passed via the HTTP "Host" header is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site if malicious data is viewed.
Samba Team reports:
Samba 3.0.29 and beyond contain a change to deal with gcc 4 optimizations. Part of the change modified range checking for client-generated offsets of secondary trans, trans2 and nttrans requests. These requests are used to transfer arbitrary amounts of memory from clients to servers and back using small SMB requests and contain two offsets: One offset (A) pointing into the PDU sent by the client and one (B) to direct the transferred contents into the buffer built on the server side. While the range checking for offset (B) is correct, a cut and paste error lets offset (A) pass completely unchecked against overflow.
The buffers passed into trans, trans2 and nttrans undergo higher-level processing like DCE/RPC requests or listing directories. The missing bounds check means that a malicious client can make the server do this higher-level processing on arbitrary memory contents of the smbd process handling the request. It is unknown if that can be abused to pass arbitrary memory contents back to the client, but an important barrier is missing from the affected Samba versions.
Secunia reports:
A security issue has been reported in hplip, which can be exploited by malicious, local users to cause a DoS.
The security issue is caused due to an error within hpssd.py when parsing certain requests. This can be exploited to crash the service by sending specially crafted requests to the default port 2207/TCP.
CUPS reports:
The PNG image reading code did not validate the image size properly, leading to a potential buffer overflow (STR #2974)
Secunia reports:
A vulnerability has been discovered in imlib2, which can be exploited by malicious people to potentially compromise an application using the library.
The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file.
Successful exploitation may allow execution of arbitrary code.
Secunia reports:
A boundary error exists within http_parse_sc_header() in lib/http.c when parsing an overly long HTTP header starting with "Zwitterion v".
A boundary error exists within http_get_pls() in lib/http.c when parsing a specially crafted pls playlist containing an overly long entry.
A boundary error exists within http_get_m3u() in lib/http.c when parsing a specially crafted m3u playlist containing an overly long "File" entry.
The mantis Team reports:
When configuring a web application to use only ssl (e. g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible. Though, for this to be secure, one needs to set the session cookie to have the secure flag. Else the cookie will be transferred through http if the victim's browser does a single http-request on the same domain.
Timo Sirainen reports in dovecot 1.1.4 release notes:
ACL plugin fixes: Negative rights were actually treated as positive rights. 'k' right didn't prevent creating parent/child/child mailbox. ACL groups weren't working.
Secunia reports:
Two vulnerabilities have been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) or to potentially compromise an application using the library.
1) An integer overflow error in the "xmlSAX2Characters()" function can be exploited to trigger a memory corruption via a specially
Successful exploitation may allow execution of arbitrary code, but requires e.g. that the user is tricked into processing an overly large XML file (2GB or more).
2) An integer overflow error in the "xmlBufferResize()" function can be exploited to trigger the execution of an infinite loop. The vulnerabilities are reported in version 2.7.2.
Other versions may also be affected.
Andreas Kurtz reports:
The jabber server Openfire (<= version 3.6.0a) contains several serious vulnerabilities. Depending on the particular runtime environment these issues can potentially even be used by an attacker to execute code on operating system level.
- Authentication bypass - This vulnerability provides an attacker full access to all functions in the admin webinterface without providing any user credentials. The Tomcat filter which is responsible for authentication could be completely circumvented.
- SQL injection - It is possible to pass SQL statements to the backend database through a SQL injection vulnerability. Depending on the particular runtime environment and database permissions it is even possible to write files to disk and execute code on operating system level.
- Multiple Cross-Site Scripting - Permits arbitrary insertion of HTML- and JavaScript code in login.jsp. An attacker could also manipulate a parameter to specify a destination to which a user will be forwarded to after successful authentication.
Florian Grandel reports:
I have not had the time to analyze all of syslog-ng code. But by reading the code section near the chroot call and looking at strace results I believe that syslog-ng does not chdir to the chroot jail's location before chrooting into it.
This opens up ways to work around the chroot jail.
Ulf Harnhammar of Secunia Research reports:
Stack-based buffer overflow in the read_special_escape function in src/psgen.c in GNU Enscript 1.6.1 and 1.6.4 beta, when the -e (aka special escapes processing) option is enabled, allows user-assisted remote attackers to execute arbitrary code via a crafted ASCII file, related to the setfilename command.
SecurityFocus reports:
GnuTLS is prone to a security-bypass vulnerability because the application fails to properly validate chained X.509 certificates. Successfully exploiting this issue allows attackers to perform man-in-the-middle attacks by impersonating trusted servers. Unsuspecting users may be under a false sense of security that can aid attackers in launching further attacks.
Wes Hardaker reports through sourceforge.net forum:
SECURITY ISSUE: A bug in the getbulk handling code could let anyone with even minimal access crash the agent. If you have open access to your snmp agents (bad bad bad; stop doing that!) or if you don't trust everyone that does have access to your agents you should updated immediately to prevent potential denial of service attacks.
Description at cve.mitre.org additionally clarifies:
Integer overflow in the netsnmp_create_subtree_cache function in agent/snmp_agent.c in net-snmp 5.4 before 5.4.2.1, 5.3 before 5.3.2.3, and 5.2 before 5.2.5.1 allows remote attackers to cause a denial of service (crash) via a crafted SNMP GETBULK request, which triggers a heap-based buffer overflow, related to the number of responses or repeats.
The Mozilla Foundation reports:
MFSA 2008-58 Parsing error in E4X default namespace
MFSA 2008-57 -moz-binding property bypasses security checks on codebase principals
MFSA 2008-56 nsXMLHttpRequest::NotifyEventListeners() same-origin violation
MFSA 2008-55 Crash and remote code execution in nsFrameManager
MFSA 2008-54 Buffer overflow in http-index-format parser
MFSA 2008-53 XSS and JavaScript privilege escalation via session restore
MFSA 2008-52 Crashes with evidence of memory corruption (rv:1.9.0.4/1.8.1.18)
MFSA 2008-51 file: URIs inherit chrome privileges when opened from chrome
MFSA 2008-50 Crash and remote code execution via __proto__ tampering
MFSA 2008-49 Arbitrary code execution via Flash Player dynamic module unloading
MFSA 2008-48 Image stealing via canvas and HTTP redirect
MFSA 2008-47 Information stealing via local shortcut files
MFSA 2008-46 Heap overflow when canceling newsgroup message
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation
MFSA 2008-37 UTF-8 URL stack buffer overflow
CVE reports:
Heap-based buffer overflow in the decodeMP4file function (frontend/main.c) in FAAD2 2.6.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted MPEG-4 (MP4) file.
Emacs developers report:
The Emacs command `run-python' launches an interactive Python interpreter. After the Python process starts up, Emacs automatically sends it the line:
import emacs
which normally imports a script named emacs.py which is distributed with Emacs. This script, which is typically located in a write-protected installation directory with other Emacs program files, defines various functions to help the Python process communicate with Emacs.
The vulnerability arises because Python, by default, prepends '' to the module search path, so modules are looked for in the current directory. If the current directory is world-writable, an attacker may insert malicious code by adding a fake Python module named emacs.py into that directory.
Advisory from Moritz Jodeit, November 8th, 2008:
ClamAV contains an off-by-one heap overflow vulnerability in the code responsible for parsing VBA project files. Successful exploitation could allow an attacker to execute arbitrary code with the privileges of the `clamd' process by sending an email with a prepared attachment.
A VBA project file embedded inside an OLE2 office document send as an attachment can trigger the off-by-one.
Entry from Thu Oct 30 13:52:42 CET 2008 (acab) in ChangeLog:
libclamav/vba_extract.c: get_unicode_name off-by-one, bb#1239 reported by Moritz Jodeit >moritz*jodeit.org<
Trac development team reports:
0.11.2 is a new stable maintenance release. It contains several security fixes and everyone is recommended to upgrade their installations.
Bug fixes:
Fixes potential DOS vulnerability with certain wiki markup.
The VLC Team reports:
The VLC media player contains a stack overflow vulnerability while parsing malformed cue files. The vulnerability may be exploited by a (remote) attacker to execute arbitrary code in the context of VLC media player.
Opera reports:
When certain parameters are passed to Opera's History Search, they can cause content not to be correctly sanitized. This can allow scripts to be injected into the History Search results page. Such scripts can then run with elevated privileges and interact with Opera's configuration, allowing them to execute arbitrary code.
The links panel shows links in all frames on the current page, including links with JavaScript URLs. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting.
Aurelien Jarno reports:
CVE-2008-4539: fix a heap overflow in Cirrus emulation
The code in hw/cirrus_vga.c has changed a lot between CVE-2007-1320 has been announced and the patch has been applied. As a consequence it has wrongly applied and QEMU is still vulnerable to this bug if using VNC.
SecurityFocus reports:
phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Opera reports:
Certain constructs are not escaped correctly by Opera's History Search results. These can be used to inject scripts into the page, which can then be used to look through the user's browsing history, including the contents of the pages they have visited. These may contain sensitive information.
If a link that uses a JavaScript URL triggers Opera's Fast Forward feature, when the user activates Fast Forward, the script should run on the current page. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting.
When Opera is previewing a news feed, some scripts are not correctly blocked. These scripts are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information.
CVE reports:
Heap-based buffer overflow in the SPF_dns_resolv_lookup function in Spf_dns_resolv.c in libspf2 before 1.2.8 allows remote attackers to execute arbitrary code via a long DNS TXT record with a modified length field.
Secunia reports:
OpenX can be exploited by malicious people to conduct SQL injection attacks.
Input passed to the "bannerid" parameter in www/delivery/ac.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The Flyspray Project reports:
Flyspray is affected by a Cross Site scripting Vulnerability due to an error escaping PHP's $_SERVER['QUERY_STRING'] superglobal, that can be maliciously used to inject arbitrary code into the savesearch() javascript function.
There is an XSS problem in the history tab, the application fails to sanitize the "details" parameter correctly, leading to the possibility of arbitrary code injection into the getHistory() javascript function.
Flyspray is affected by a Cross Site scripting Vulnerability due missing escaping of SQL error messages. By including HTML code in a query and at the same time causing it to fail by submitting invalid data, an XSS hole can be exploited.
There is an XSS problem in the task history attached to comments, since the application fails to sanitize the old_value and new_value database fields for changed task summaries.
Input passed via the "item_summary" parameter to "index.php?do=details" is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The Wordpress development team reports:
A vulnerability in the Snoopy library was announced today. WordPress uses Snoopy to fetch the feeds shown in the Dashboard. Although this seems to be a low risk vulnerability for WordPress users, we wanted to get an update out immediately.
The Drupal Project reports:
On a server configured for IP-based virtual hosts, Drupal may be caused to include and execute specifically named files outside of its root directory. This bug affects both Drupal 5 and Drupal 6.
The title of book pages is not always properly escaped, enabling users with the "create book content" permission or the permission to edit any node in the book hierarchy to insert arbitrary HTML and script code into pages. Such a Cross site scripting attack may lead to the attacker gaining administrator access. This bug affects Drupal 6.
xine team reports:
A new xine-lib version is now available. This release contains some security fixes, notably a DoS via corrupted Ogg files (CVE-2008-3231), some related fixes, and fixes for a few possible buffer overflows.
Adobe Product Security Incident Response Team reports:
Potential vulnerabilities have been identified in Adobe Flash Player 9.0.124.0 and earlier that could allow an attacker who successfully exploits these potential vulnerabilities to bypass Flash Player security controls. Adobe recommends users update to the most current version of Flash Player available for their platform.
Secunia reports:
Two vulnerabilities have been reported in Libxml2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.
1) A recursion error exists when processing certain XML content. This can be exploited to e.g. exhaust all available memory and CPU resources by tricking an application using Libxml2 into processing specially crafted XML documents.
2) A boundary error in the processing of long XML entity names in parser.c can be exploited to cause a heap-based buffer overflow when specially crafted XML content is parsed.
Successful exploitation may allow execution of arbitrary code.
The Drupal Project reports:
A logic error in the core upload module validation allowed unprivileged users to attach files to content. Users can view files attached to content which they do not otherwise have access to. If the core upload module is not enabled, your site will not be affected.
A deficiency in the user module allowed users who had been blocked by access rules to continue logging into the site under certain conditions. If you do not use the 'access rules' functionality in core, your site will not be affected.
The BlogAPI module does not implement correct validation for certain content fields, allowing for values to be set for fields which would otherwise be inaccessible on an internal Drupal form. We have hardened these checks in BlogAPI module for this release, but the security team would like to re-iterate that the 'Administer content with BlogAPI' permission should only be given to trusted users. If the core BlogAPI module is not enabled, your site will not be affected.
A weakness in the node module API allowed for node validation to be bypassed in certain circumstances for contributed modules implementing the API. Additional checks have been added to ensure that validation is performed in all cases. This vulnerability only affects sites using one of a very small number of contributed modules, all of which will continue to work correctly with the improved API. None of them were found vulnerable, so our correction is a preventative measure.
The release note of cups 1.3.9 reports:
It contains the following fixes:
- SECURITY: The HP-GL/2 filter did not range check pen numbers (STR #2911)
- SECURITY: The SGI image file reader did not range check 16-bit run lengths (STR #2918)
- SECURITY: The text filter did not range check cpi, lpi, or column values (STR #2919)
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the affected service.
Opera reports:
If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page.
Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it to run in the context of the local machine. This allows it to read other cache files on the computer or perform other normally more restrictive actions. These files could contain sensitive information, which could then be sent to the attacker.
Thomas Henlich reports:
The mysql command-line client does not quote HTML special characters like < in its output. This allows an attacker who is able to write data into a table to hide or modify records in the output, and to inject potentially dangerous code, e. g. Javascript to perform cross-site scripting or cross-site request forgery attacks.
The oCERT team reports:
The MPlayer multimedia player suffers from a vulnerability which could result in arbitrary code execution and at the least, in unexpected process termination. Three integer underflows located in the Real demuxer code can be used to exploit a heap overflow, a specific video file can be crafted in order to make the stream_read function reading or writing arbitrary amounts of memory.
Lighttpd seurity annoucement:
lighttpd 1.4.19, and possibly other versions before 1.5.0, does not decode the url before matching against rewrite and redirect patterns, which allows attackers to bypass rewrites rules. this can be a security problem in certain configurations if these rules are used to hide certain urls.
lighttpd 1.4.19, and possibly other versions before 1.5.0, does not lowercase the filename after generating it from the url in mod_userdir on case insensitive (file)systems.
As other modules are case sensitive, this may lead to information disclosure; for example if one configured php to handle files ending on ".php", an attacker will get the php source with http://example.com/~user/file.PHP
lighttpd 1.4.19 does not always release a header if it triggered a 400 (Bad Request) due to a duplicate header.
Secunia reports:
Some security issues have been reported in BitlBee, which can be exploited by malicious people to bypass certain security restrictions and hijack accounts.
The security issues are caused due to unspecified errors, which can be exploited to overwrite existing accounts.
The Mozilla Foundation reports:
MFSA 2008-37
UTF-8 URL stack buffer overflowMFSA 2008-38
nsXMLDocument::OnChannelRedirect() same-origin violationMFSA 2008-39
Privilege escalation using feed preview page and XSS flawMFSA 2008-40
Forced mouse dragMFSA 2008-41
Privilege escalation via XPCnativeWrapper pollutionMFSA 2008-42
Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)MFSA 2008-43
BOM characters stripped from JavaScript before executionMFSA 2008-44
resource: traversal vulnerabilitiesMFSA 2008-45
XBM image uninitialized memory reading
Hanno Boeck reports:
When configuring a web application to use only ssl (e.g. by forwarding all http-requests to https), a user would expect that sniffing and hijacking the session is impossible.
Though, for this to be secure, one needs to set the session cookie to have the secure flag. Otherwise the cookie will be transferred through HTTP if the victim's browser does a single HTTP request on the same domain.
Squirrelmail does not set that flag. It is fixed in the 1.5 test versions, but current 1.4.15 is vulnerable.
Secunia reports:
The vulnerability is caused due to the application truncating an overly long FTP command, and improperly interpreting the remainder string as a new FTP command. This can be exploited to execute arbitrary FTP commands with the privileges of another user by e.g. tricking the user into following malicious link.
Secunia reports:
An error exists in the "PMA_escapeJsString()" function in libraries/js_escape.lib.php, which can be exploited to bypass certain filters and execute arbitrary HTML and script code in a user's browser session in context of an affected site when e.g. Microsoft Internet Explorer is used.
Secunia reports:
An error in the handing of ZIP archives with symbolic links can be exploited to disclose the contents of arbitrary files.
Input from uploaded Flash animations is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.
A phpMyAdmin security announcement:
The server_databases.php script was vulnerable to an attack coming from a user who is already logged-on to phpMyAdmin, where he can execute shell code (if the PHP configuration permits commands like exec).
Th1nk3r reports:
The version of TWiki installed on the remote host allows access to the 'configure' script and fails to sanitize the 'image' parameter of that script of directory traversal sequences before returning the file contents when the 'action' parameter is set to 'image'. An unauthenticated attacker can leverage this issue to view arbitrary files on the remote host subject to the privileges of the web server user id. .
Joe Orton reports:
A NULL pointer deference in the Digest authentication support in neon versions 0.28.0 through 0.28.2 inclusive allows a malicious server to crash a client application, resulting in possible denial of service.
Hanno Boeck reports:
A fuzzing test showed weakness in the chm parser of clamav, which can possibly be exploited. The clamav team has disabled the chm module in older versions though freshclam updates and has released 0.94 with a fixed parser.
Secunia reports:
Some vulnerabilities have been reported in various Horde products, which can be exploited by malicious people to conduct script insertion attacks
Input via MIME attachment linking is not properly sanitised in the MIME library before being used. This can be exploited to execute arbitrary HTML and script code in a user's browser session if e.g. a malicious email is viewed.
Certain unspecified input in HTML messages is not properly sanitised before being used. This can be exploited to execute arbitrary HTML and script in a user's browser session if e.g. a malicious HTML email is viewed.
Secunia reports:
Some vulnerabilities have been reported in Python, where some have unknown impact and others can potentially be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
Various integer overflow errors exist in core modules e.g. stringobject, unicodeobject, bufferobject, longobject, tupleobject, stropmodule, gcmodule, mmapmodule.
An integer overflow in the hashlib module can lead to an unreliable cryptographic digest results.
Integer overflow errors in the processing of unicode strings can be exploited to cause buffer overflows on 32-bit systems.
An integer overflow exists in the PyOS_vsnprintf() function on architectures that do not have a "vsnprintf()" function.
An integer underflow error in the PyOS_vsnprintf() function when passing zero-length strings can lead to memory corruption.
SecurityFocus reports:
MySQL is prone to a security-bypass vulnerability. An attacker can exploit this issue to overwrite existing table files in the MySQL data directory, bypassing certain security restrictions.
Jonathan Weiss reports, that it is possible to perform an SQL injection in Rails applications via not correctly sanitized :limit and :offset parameters. It is possible to change arbitrary values in affected tables or gain access to the sensitive data.
The Wordpress development team reports:
With open registration enabled, it is possible in WordPress versions 2.6.1 and earlier to craft a username such that it will allow resetting another users password to a randomly generated password. The randomly generated password is not disclosed to the attacker, so this problem by itself is annoying but not a security exploit. However, this attack coupled with a weakness in the random number seeding in mt_rand() could be used to predict the randomly generated password.
In case of an incoming ICMPv6 'Packet Too Big Message', there is an insufficient check on the proposed new MTU for a path to the destination.
When the kernel is configured to process IPv6 packets and has active IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big Message' could cause the TCP stack of the kernel to panic.
Systems without INET6 / IPv6 support are not vulnerable and neither are systems which do not listen on any IPv6 TCP sockets and have no active IPv6 connections.
Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this will at the same time break PMTU support for IPv6 connections.
Various user defined input such as mount points, devices, and mount options are prepared and passed as arguments to nmount(2) into the kernel. Under certain error conditions, user defined data will be copied into a stack allocated buffer stored in the kernel without sufficient bounds checking.
If the system is configured to allow unprivileged users to mount file systems, it is possible for a local adversary to exploit this vulnerability and execute code in the context of the kernel.
It is possible to work around this issue by allowing only privileged users to mount file systems by running the following sysctl(8) command:
# sysctl vfs.usermount=0
If a General Protection Fault happens on a FreeBSD/amd64 system while it is returning from an interrupt, trap or system call, the swapgs CPU instruction may be called one extra time when it should not resulting in userland and kernel state being mixed.
A local attacker can by causing a General Protection Fault while the kernel is returning from an interrupt, trap or system call while manipulating stack frames and, run arbitrary code with kernel privileges.
The vulnerability can be used to gain kernel / supervisor privilege. This can for example be used by normal users to gain root privileges, to break out of jails, or bypass Mandatory Access Control (MAC) restrictions.
No workaround is available, but only systems running the 64 bit FreeSD/amd64 kernels are vulnerable.
Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386 kernel are not vulnerable.
The Opera Team reports:
Scripts are able to change the addresses of framed pages that come from the same site. Due to a flaw in the way that Opera checks what frames can be changed, a site can change the address of frames on other sites inside any window that it has opened. This allows sites to open pages from other sites, and display misleading information on them.
Custom shortcut and menu commands can be used to activate external applications. In some cases, the parameters passed to these applications are not prepared correctly, and may be created from uninitialized memory. These may be misinterpreted as additional parameters, and depending on the application, this could allow execution of arbitrary code.
Successful exploitation requires convincing the user to modify their shortcuts or menu files appropriately, pointing to an appropriate target application, then to activate that shortcut at an appropriate time. To inject code, additional means will have to be employed.
When insecure pages load content from secure sites into a frame, they can cause Opera to incorrectly report the insecure site as being secure. The padlock icon will incorrectly be shown, and the security information dialog will state that the connection is secure, but without any certificate information.
As a security precaution, Opera does not allow Web pages to link to files on the user's local disk. However, a flaw exists that allows Web pages to link to feed source files on the user's computer. Suitable detection of JavaScript events and appropriate manipulation can unreliably allow a script to detect the difference between successful and unsuccessful subscriptions to these files, to allow it to discover if the file exists or not. In most cases the attempt will fail.
It has been reported that when a user subscribes to a news feed using the feed subscription button, the page address can be changed. This causes the address field not to update correctly. Although this can mean that that misleading information can be displayed in the address field, it can only leave the attacking page's address in the address bar, not a trusted third party address.
Secunia reports:
A vulnerability has been reported in GnuTLS, which can potentially be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to a use-after-free error when an application calls "gnutls_handshake()" for an already valid session and can potentially be exploited, e.g. during re-handshakes.
Joomla project reports:
A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note, that changing the first users username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).
NASA Goddard Space Flight Center reports:
The libraries for the scientific data file format, Common Data Format (CDF) version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted (invalid) CDF files. If successful, this could trigger execution of arbitrary code within the context of the CDF-reading program that could be exploited to compromise a system, or otherwise crash the program. While it's unlikely that you would open CDFs from untrusted sources, we recommend everyone upgrade to the latest CDF libraries on their systems, including the IDL and Matlab plugins. Most worrisome is any service that enables the general public to submit CDF files for processing.
The vulnerability is in the CDF library routines not properly checking the length tags on a CDF file before copying data to a stack buffer. Exploitation requires the user to explicitly open a specially-crafted file. CDF users should not open files from untrusted third parties until the patch is applied (and continue then to exercise normal caution for files from untrusted third parties).
The Drupal Project reports:
A bug in the output filter employed by Drupal makes it possible for malicious users to insert script code into pages (cross site scripting or XSS). A bug in the private filesystem trusts the MIME type sent by the browser, enabling malicious users with the ability to upload files to execute cross site scripting attacks.
The BlogAPI module does not validate the extension of uploaded files, enabling users with the "administer content with blog api" permission to upload harmful files. This bug affects both Drupal 5.x and 6.x.
Drupal forms contain a token to protect against cross site request forgeries (CSRF). The token may not be validated properly for cached forms and forms containing AHAH elements. This bug affects Drupal 6.x.
User access rules can be added or deleted upon accessing a properly formatted URL, making such modifications vulnerable to cross site request forgeries (CSRF). This may lead to unintended addition or deletion of an access rule when a sufficiently privileged user visits a page or site created by a malicious person. This bug affects both Drupal 5.x and 6.x.
The Upload module in Drupal 6 contains privilege escalation vulnerabilities for users with the "upload files" permission. This can lead to users being able to edit nodes which they are normally not allowed to, delete any file to which the webserver has sufficient rights, and download attachments of nodes to which they have no access. Harmful files may also be uploaded via cross site request forgeries (CSRF). These bugs affect Drupal 6.x.
The official ruby site reports:
Several vulnerabilities in safe level have been discovereds:.
- untrace_var is permitted at safe level 4;
- $PROGRAM_NAME may be modified at safe level 4;
- insecure methods may be called at safe level 1-3;
- syslog operations are permitted at safe level 4;
- dl doesn't check taintness, so it could allow attackers to call dangerous functions.
The official ruby site reports:
WEBrick::HTTP::DefaultFileHandler is faulty of exponential time taking requests due to a backtracking regular expression in WEBrick::HTTPUtils.split_header_value.
The official ruby site reports:
resolv.rb allow remote attackers to spoof DNS answers. This risk can be reduced by randomness of DNS transaction IDs and source ports.
A Bugzilla Security Advisory reports:
When importing bugs using importxml.pl, the --attach_path option can be specified, pointing to the directory where attachments to import are stored. If the XML file being read by importxml.pl contains a malicious
../relative_path/to/local_filenode, the script follows this relative path and attaches the local file pointed by it to the bug, making the file public. The security fix makes sure the relative path is always ignored.
James Yonan reports:
Security Fix - affects non-Windows OpenVPN clients running OpenVPN 2.1-beta14 through 2.1-rc8 (OpenVPN 2.0.x clients are NOT vulnerable nor are any versions of the OpenVPN server vulnerable).
An OpenVPN client connecting to a malicious or compromised server could potentially receive an "lladdr" or "iproute" configuration directive from the server which could cause arbitrary code execution on the client. A successful attack requires that (a) the client has agreed to allow the server to push configuration directives to it by including "pull" or the macro "client" in its configuration file, (b) the client succesfully authenticates the server, (c) the server is malicious or has been compromised and is under the control of the attacker, and (d) the client is running a non-Windows OS.
A phpMyAdmin security announcement:
A logged-in user, if abused into clicking a crafted link or loading an attack page, would create a database he did not intend to, or would change his connection character set.
The Drupal Project reports:
Free tagging taxonomy terms can be used to insert arbitrary script and HTML code (cross site scripting or XSS) on node preview pages. A successful exploit requires that the victim selects a term containing script code and chooses to preview the node. This issue affects Drupal 6.x only. Some values from OpenID providers are output without being properly escaped, allowing malicious providers to insert arbitrary script and HTML code (XSS) into user pages. This issue affects Drupal 6.x only. filter_xss_admin() has been hardened to prevent use of the object HTML tag in administrator input.
Translated strings (5.x, 6.x) and OpenID identities (6.x) are immediately deleted upon accessing a properly formatted URL, making such deletion vulnerable to cross site request forgeries (CSRF). This may lead to unintended deletion of translated strings or OpenID identities when a sufficiently privileged user visits a page or site created by a malicious person.
When contributed modules such as Workflow NG terminate the current request during a login event, user module is not able to regenerate the user's session. This may lead to a session fixation attack, when a malicious user is able to control another users' initial session ID. As the session is not regenerated, the malicious user may use the 'fixed' session ID after the victim authenticates and will have the same access. This issue affects both Drupal 5 and Drupal 6.
Schema API uses an inappropriate placeholder for 'numeric' fields enabling SQL injection when user-supplied data is used for such fields.This issue affects Drupal 6 only.
The BIND DNS implementation does not randomize the UDP source port when doing remote queries, and the query id alone does not provide adequate randomization.
The lack of source port randomization reduces the amount of data the attacker needs to guess in order to successfully execute a DNS cache poisoning attack. This allows the attacker to influence or control the results of DNS queries being returned to users from target systems.
Limiting the group of machines that can do recursive queries on the DNS server will make it more difficult, but not impossible, for this vulnerability to be exploited.
To limit the machines able to perform recursive queries, add an ACL in named.conf and limit recursion like the following:
acl example-acl {
192.0.2.0/24;
};
options {
recursion yes;
allow-recursion { example-acl; };
};
Felipe Andres Manzano reports:
The libpoppler pdf rendering library, can free uninitialized pointers, leading to arbitrary code execution. This vulnerability results from memory management bugs in the Page class constructor/destructor.
Pylons team reports:
The error.py controller uses paste.fileapp to serve the static resources to the browser. The default error.py controller uses os.path.join to combine the id from Routes with the media path. Routes prior to 1.8 double unquoted the PATH_INFO, resulting in FileApp returning files from the filesystem that can be outside of the intended media path directory.
An attacker can craft URL's which utilize the double escaping to pass in a name to the error.py controller which contains a leading slash thus escaping the intended media path and serving files from any location on the filesystem that the Pylons application has access to.
Secunia reports:
- An integer overflow error exists in the processing of PFB font files. This can be exploited to cause a heap-based buffer overflow via a PFB file containing a specially crafted "Private" dictionary table.
- An error in the processing of PFB font files can be exploited to trigger the "free()" of memory areas that are not allocated on the heap.
- An off-by-one error exists in the processing of PFB font files. This can be exploited to cause a one-byte heap-based buffer overflow via a specially crafted PFB file.
- An off-by-one error exists in the implementation of the "SHC" instruction while processing TTF files. This can be exploited to cause a one-byte heap-based buffer overflow via a specially crafted TTF file.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
Matthias Andree reports:
2008-06-24 1.2 also fixed issue in report_complete (reported by Petr Uzel)
Secunia report:
Some vulnerabilities have been reported in phpMyAdmin, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed via unspecified parameters to files in /libraries is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation requires that "register_globals" is enabled and support for ".htaccess" files is disabled.
Apache HTTP server project reports:
The following potential security flaws are addressed:
- CVE-2008-2364: mod_proxy_http: Better handling of excessive interim responses from origin server to prevent potential denial of service and high memory usage. Reported by Ryujiro Shibuya.
- CVE-2007-6420: mod_proxy_balancer: Prevent CSRF attacks against the balancer-manager interface
According to Maksymilian Arciemowicz research,
it is possible to bypass security restrictions
of safe_mode in various
functions via directory traversal vulnerability. The attacker
can use this attack to gain access to sensitive
information. Functions utilizing
expand_filepath() may be affected.
It should be noted that this vulnerability is not
considered to be serious by the FreeBSD Security Team,
since safe_mode and open_basedir
are insecure by design and should not be relied upon.
Rdancer.org reports:
Improper quoting in some parts of Vim written in the Vim Script can lead to arbitrary code execution upon opening a crafted file.
The official ruby site reports:
Multiple vulnerabilities in Ruby may lead to a denial of service (DoS) condition or allow execution of arbitrary code.
Matthias Andree reports:
Gunter Nau reported fetchmail crashing on some messages; further debugging by Petr Uzel and Petr Cerny at Novell/SUSE Czech Republic dug up that this happened when fetchmail was trying to print, in -v -v verbose level, headers exceeding 2048 bytes. In this situation, fetchmail would resize the buffer and fill in further parts of the message, but forget to reinitialize its va_list typed source pointer, thus reading data from a garbage address found on the stack at addresses above the function arguments the caller passed in; usually that would be the caller's stack frame.
Matthieu Herrb of X.Org reports:
Several vulnerabilities have been found in the server-side code of some extensions in the X Window System. Improper validation of client-provided data can cause data corruption.
Exploiting these overflows will crash the X server or, under certain circumstances allow the execution of arbitray machine code.
When the X server is running with root privileges (which is the case for the Xorg server and for most kdrive based servers), these vulnerabilities can thus also be used to raise privileges.
All these vulnerabilities, to be exploited successfully, require either an already established connection to a running X server (and normally running X servers are only accepting authenticated connections), or a shell access with a valid user on the machine where the vulnerable server is installed.
MoinMoin team reports:
A check in the userform processing was not working as expected and could be abused for ACL and superuser privilege escalation.
Secunia reports:
A vulnerability has been reported in the Courier Authentication Library, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed via e.g. the username to the library is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code and e.g. potentially bypass authentication.
Successful exploitation requires that a MySQL database is used for authentication and that a Non-Latin character set is selected.
The ikiwiki development team reports:
Until version 2.48, ikiwiki stored passwords in cleartext in the userdb. That risks exposing all users' passwords if the file is somehow exposed. To pre-emtively guard against that, current versions of ikiwiki store password hashes (using Eksblowfish).
The ikiwiki development team reports:
This hole allowed ikiwiki to accept logins using empty passwords to openid accounts that didn't use a password.
Upgrading to a non-vulnerable ikiwiki version immediatly is recommended if your wiki allows both password and openid logins.
Adobe Product Security Incident Response Team reports:
An exploit appears to be taking advantage of a known vulnerability, reported by Mark Dowd of the ISS X-Force and wushi of team509, that was resolved in Flash Player 9.0.124.0 (CVE-2007-0071). This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere - customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit.
Secunia reports:
A vulnerability has been reported in Nagios, which can be exploited by malicious people to conduct cross-site scripting attacks.
Spamdyke Team reports:
Fixed smtp_filter() to reject the DATA command if no valid recipients have been specified. Otherwise, a specific scenario could result in every spamdyke installation being used as an open relay. If the remote server connects and gives one or more recipients that are rejected (for relaying or blacklisting), then gives the DATA command, spamdyke will ignore all other commands, assuming that message data is being transmitted. However, because all of the recipients were rejected, qmail will reject the DATA command. From that point on, the remote server can give as many recipients as it likes and spamdyke will ignore them all -- they will not be filtered at all. After that, the remote server can give the DATA command and send the actual message data. Because spamdyke is controlling relaying, the RELAYCLIENT environment variable is set and qmail won't check for relaying either. Thanks to Mirko Buffoni for reporting this one.
Nico Golde discovered that PeerCast, a P2P audio and video streaming server, is vulnerable to a buffer overflow in the HTTP Basic Authentication code, allowing a remote attacker to crash PeerCast or execure arbitrary code.
Red Hat reports:
Will Drewry of the Google Security Team reported several flaws in the way libvorbis processed audio data. An attacker could create a carefully crafted [Vorbis] audio file in such a way that it could cause an application linked with libvorbis to crash, or execute arbitrary code when it was opened.
Django project reports:
The Django administration application will, when accessed by a user who is not sufficiently authenticated, display a login form and ask the user to provide the necessary credentials before displaying the requested page. This form will be submitted to the URL the user attempted to access, by supplying the current request path as the value of the form's "action" attribute.
The value of the request path was not being escaped, creating an opportunity for a cross-site scripting (XSS) attack by leading a user to a URL which contained URL-encoded HTML and/or JavaScript in the request path.
Secunia reports:
A vulnerability has been reported in vorbis-tools, which can potentially be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an input validation error when processing Speex headers, which can be exploited via a specially crafted Speex stream containing a negative "modeID" field in the header.
Successful exploitation may allow execution of arbitrary code.
Secunia reports:
A vulnerability has been reported in QEMU, which can be exploited by malicious, local users to bypass certain security restrictions.
The vulnerability is caused due to the "drive_init()" function in vl.c determining the format of a disk from data contained in the disk's header. This can be exploited by a malicious user in a guest system to e.g. read arbitrary files on the host by writing a fake header to a raw formatted disk image.
Secunia reports:
A vulnerability has been reported in swfdec, which can be exploited by malicious people to disclose sensitive information.
The vulnerability is caused due to swfdec not properly restricting untrusted sandboxes from reading local files, which can be exploited to disclose the content of arbitrary local files by e.g. tricking a user into visiting a malicious website.
FrSIRT reports:
A vulnerability has been identified in mt-daapd which could be exploited by remote attackers to cause a denial of service or compromise an affected system. This issue is caused by a buffer overflow error in the ws_getpostvars() function when processing a negative Content-Length: header value, which could be exploited by remote unauthenticated attackers to crash an affected application or execute arbitrary code.
Secunia reports:
Two vulnerabilities have been reported in SDL_image, which can be exploited by malicious people to cause a Denial of Service or potentially compromise an application using the library.
A boundary error within the LWZReadByte() function in IMG_gif.c can be exploited to trigger the overflow of a static buffer via a specially crafted GIF file.
A boundary error within the "IMG_LoadLBM_RW()" function in IMG_lbm.c can be exploited to cause a heap-based buffer overflow via a specially crafted IFF ILBM file.
Secunia reports:
A vulnerability has been reported in GnuPG, which can potentially be exploited to compromise a vulnerable system.
The vulnerability is caused due to an error when importing keys with duplicated IDs. This can be exploited to cause a memory corruption when importing keys via --refresh-keys or --import.
Successful exploitation potentially allows execution of arbitrary code, but has not been proven yet.
Extmail team reports:
Emergency update #4 fixes a serious security vulnerability.
Successful exploit of this vulnerability would allow attacker to change user's password without knowing it by using specifically crafted HTTP request.
Secunia reports:
A vulnerability has been reported in Mailman, which can be exploited by malicious users to conduct script insertion attacks.
Certain input when editing the list templates and the list info attribute is not properly sanitised before being stored. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious website is accessed.
Secunia reports:
The vulnerability is caused due to an error when attaching to a TTY via the -T command line switch. This can be exploited to execute arbitrary commands with the privileges of the user running mksh via characters previously written to the attached virtual console.
Hanno Boeck reports:
The installer of serendipity 1.3 has various Cross Site Scripting issues. This is considered low priority, as attack scenarios are very unlikely.
Various path fields are not escaped properly, thus filling them with javascript code will lead to XSS. MySQL error messages are not escaped, thus the database host field can also be filled with javascript.
In the referrer plugin of the blog application serendipity, the referrer string is not escaped, thus leading to a permanent XSS.
Mozilla Foundation reports:
Fixes for security problems in the JavaScript engine described in MFSA 2008-15 introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.
Secunia reports:
Tavis Ormandy has reported a vulnerability in libpng, which can be exploited by malicious people to cause a Denial of Service, disclose potentially sensitive information, or potentially compromise an application using the library.
The vulnerability is caused due to the improper handling of PNG chunks unknown to the library. This can be exploited to trigger the use of uninitialized memory in e.g. a free() call via unknown PNG chunks having a length of zero.
Successful exploitation may allow execution of arbitrary code, but requires that the application calls the png_set_read_user_chunk_fn() function or the png_set_keep_unknown_chunks() function under specific conditions.
Secunia reports:
A vulnerability has been reported in Openfire, which can be exploited by malicious people to cause a Denial of Service.
The vulnerability is caused due to an unspecified error and can be exploited to cause a Denial of Service.
CVE reports:
Integer overflow in PHP 5.2.5 and earlier allows context-dependent attackers to cause a denial of service and possibly have unspecified other impact via a printf format parameter with a large width specifier, related to the php_sprintf_appendstring function in formatted_print.c and probably other functions for formatted strings (aka *printf functions).
Justin Ferguson reports:
Integer signedness error in the zlib extension module in Python 2.5.2 and earlier allows remote attackers to execute arbitrary code via a negative signed integer, which triggers insufficient memory allocation and a buffer overflow.
The PostgreSQL developers report:
PostgreSQL allows users to create indexes on the results of user-defined functions, known as "expression indexes". This provided two vulnerabilities to privilege escalation: (1) index functions were executed as the superuser and not the table owner during VACUUM and ANALYZE, and (2) that SET ROLE and SET SESSION AUTHORIZATION were permitted within index functions. Both of these holes have now been closed.
PostgreSQL allowed malicious users to initiate a denial-of-service by passing certain regular expressions in SQL queries. First, users could create infinite loops using some specific regular expressions. Second, certain complex regular expressions could consume excessive amounts of memory. Third, out-of-range backref numbers could be used to crash the backend.
DBLink functions combined with local trust or ident authentication could be used by a malicious user to gain superuser privileges. This issue has been fixed, and does not affect users who have not installed DBLink (an optional module), or who are using password authentication for local access. This same problem was addressed in the previous release cycle, but that patch failed to close all forms of the loophole.
A phpMyAdmin security announcement report:
It is possible to read the contents of any file that the web server's user can access. The exact mechanism to achieve this won't be disclosed. If a user can upload on the same host where phpMyAdmin is running a PHP script that can read files with the rights of the web server's user, the current advisory does not describe an additional threat.
A phpMyAdmin security announcement report:
phpMyAdmin saves sensitive information like the MySQL username and password and the Blowfish secret key in session data, which might be unprotected on a shared host.
xine Team reports:
A new xine-lib version is now available. This release contains a security fix (an unchecked array index that could allows remote attackers to execute arbitrary code via a header structure containing a negative offset, which is used to dereference a function pointer.)
Secunia reports:
Some vulnerabilities have been reported in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service) or to compromise a vulnerable system.
1) A boundary error exists within the "cli_scanpe()" function in libclamav/pe.c. This can be exploited to cause a heap-based buffer overflow via a specially crafted "Upack" executable.
Successful exploitation allows execution of arbitrary code.
2) A boundary error within the processing of PeSpin packed executables in libclamav/spin.c can be exploited to cause a heap-based buffer overflow.
Successful exploitation may allow execution of arbitrary code.
3) An unspecified error in the processing of ARJ files can be exploited to hang ClamAV.
Secunia reports:
A vulnerability has been reported in lighttpd, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to lighttpd not properly clearing the OpenSSL error queue. This can be exploited to close concurrent SSL connections of lighttpd by terminating one SSL connection.
The ikiwiki development team reports:
Cross Site Request Forging could be used to construct a link that would change a logged-in user's password or other preferences if they clicked on the link. It could also be used to construct a link that would cause a wiki page to be modified by a logged-in user.
postfix-policyd-weight does not check for symlink for its working directory. If the working directory is not already setup by the super root, an unprivileged user can link it to another directories in the system. This results in ownership/permission changes on the target directory.
If the system random number generator can be predicted by its past output, then an attacker may spoof Recursor to accept mallicious data. This leads to DNS cache poisoning and client redirection.
Multiple local privilege escalation are found in the symlink verification code. An attacker may use it to run a PHP script with the victim's privilege. This attack is a little harder when suphp operates in paranoid mode. For suphp that runs in owner mode which is the default in ports, immediate upgrade to latest version is advised.
Opera Software reports of multiple security issues in Opera. All of them can lead to arbitrary code execution. Details are as the following:
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.
- MFSA 2008-19 XUL popup spoofing variant (cross-tab popups)
- MFSA 2008-18 Java socket connection to any local port via LiveConnect
- MFSA 2008-17 Privacy issue with SSL Client Authentication
- MFSA 2008-16 HTTP Referrer spoofing with malformed URLs
- MFSA 2008-15 Crashes with evidence of memory corruption (rv:1.8.1.13)
- MFSA 2008-14 JavaScript privilege escalation and arbitrary code execution
Core Security Technologies reports:
A remote buffer overflow vulnerability found in a library used by both the SILC server and client to process packets containing cryptographic material may allow an un-authenticated client to executearbitrary code on the server with the privileges of the user account running the server, or a malicious SILC server to compromise client systems and execute arbitrary code with the privileges of the user account running the SILC client program.
SecurityFocus reports:
The 'bzip2' application is prone to a remote file-handling vulnerability because the application fails to properly handle malformed files.
Exploit attempts likely result in application crashes.
Ian Jackson reports on the debian-security mailinglist:
When a block device read or write request is made by the guest, nothing checks that the request is within the range supported by the backend, but the code in the backend typically assumes that the request is sensible.
Depending on the backend, this can allow the guest to read and write arbitrary memory locations in qemu, and possibly gain control over the qemu process, escaping from the emulation/virtualisation.
Dovecot reports:
Security hole in blocking passdbs (MySQL always. PAM, passwd and shadow if blocking=yes) where user could specify extra fields in the password. The main problem here is when specifying "skip_password_check" introduced in v1.0.11 for fixing master user logins, allowing the user to log in as anyone without a valid password.
The Mplayer team reports:
A buffer overflow was found in the code used to extract album titles from CDDB server answers. When parsing answers from the CDDB server, the album title is copied into a fixed-size buffer with insufficient size checks, which may cause a buffer overflow. A malicious database entry could trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
A buffer overflow was found in the code used to escape URL strings. The code used to skip over IPv6 addresses can be tricked into leaving a pointer to a temporary buffer with a non-NULL value; this causes the unescape code to reuse the buffer, and may lead to a buffer overflow if the old buffer is smaller than required. A malicious URL string may be used to trigger a buffer overflow in the program, that can lead to arbitrary code execution with the UID of the user running MPlayer.
A buffer overflow was found in the code used to parse MOV file headers. The code read some values from the file and used them as indexes into as array allocated on the heap without performing any boundary check. A malicious file may be used to trigger a buffer overflow in the program. That can lead to arbitrary code execution with the UID of the user running MPlayer.
Chris Evans from the Google Security Team reports:
Severity: parsing of evil PostScript file will result in arbitrary code execution.
A stack-based buffer overflow in the zseticcspace() function in zicc.c allows remote arbitrary code execution via a malicious PostScript file (.ps) that contains a long Range array.
A phpMyAdmin security announcement report:
phpMyAdmin used the $_REQUEST superglobal as a source for its parameters, instead of $_GET and $_POST. This means that on most servers, a cookie with the same name as one of phpMyAdmin's parameters can interfere.
Another application could set a cookie for the root path "/" with a "sql_query" name, therefore overriding the user-submitted sql_query because by default, the $_REQUEST superglobal imports first GET, then POST then COOKIE data.
Mitigation factor
An attacker must trick the victim into visiting a page on the same web server where he has placed code that creates a malicious cookie.
PCRE developers report:
A character class containing a very large number of characters with codepoints greater than 255 (in UTF-8 mode, of course) caused a buffer overflow.
xine Team reports:
A new xine-lib version is now available. This release contains a security fix (array index vulnerability which may lead to a stack buffer overflow.
Coppermine Security advisory
The development team is releasing a security update for Coppermine in order to counter a recently discovered cross-site-scripting vulnerability.
MoinMoin Security advisory
XSS issue in login action
XSS issue in AttachFile action
XSS issue in RenamePage/DeletePage action
XSS issue in gui editor
Opera Software ASA reports about multiple security fixes:
- Fixed an issue where simulated text inputs could trick users into uploading arbitrary files, as reported by Mozilla.
- Image properties can no longer be used to execute scripts, as reported by Max Leonov.
- Fixed an issue where the representation of DOM attribute values could allow cross site scripting, as reported by Arnaud.lb.
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.
- Web forgery overwrite with div overlay
- URL token stealing via stylesheet redirect
- Mishandling of locally-saved plain text files
- File action dialog tampering
- Possible information disclosure in BMP decoder
- Web browsing history and forward navigation stealing
- Directory traversal via chrome: URI
- Stored password corruption
- Privilege escalation, XSS, Remote Code Execution
- Multiple file input focus stealing vulnerabilities
- Crashes with evidence of memory corruption (rv:1.8.1.12)
Secunia Advisory reports:
A vulnerability has been reported in OpenLDAP, which can be exploited by malicious users to cause a DoS (Denial of Service).
iDefense Security Advisory 02.12.08:
Remote exploitation of an integer overflow vulnerability in Clam AntiVirus' ClamAV, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code with the privileges of the affected process.
The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.
Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned. This results in an exploitable memory corruption condition.
Exploitation of this vulnerability results in the execution of arbitrary code with the privileges of the process using libclamav. In the case of the clamd program, this will result in code execution with the privileges of the clamav user. Unsuccessful exploitation results in the clamd process crashing.
Disabling the scanning of PE files will prevent exploitation.
If using clamscan, this can be done by running clamscan with the '--no-pe' option.
If using clamdscan, set the 'ScanPE' option in the clamd.conf file to 'no'.
The cacti development team reports:
Multiple security vulnerabilities have been discovered in Cacti's web interface:
- XSS vulnerabilities
- Path disclosure vulnerabilities
- SQL injection vulnerabilities
- HTTP response splitting vulnerabilities
The ikiwiki development team reports:
The htmlscrubber did not block javascript in uris. This was fixed by adding a whitelist of valid uri types, which does not include javascript. Some urls specifyable by the meta plugin could also theoretically have been used to inject javascript; this was also blocked.
zenphoto project reports:
A new zenphoto version is now available. This release contains security fixes for HTML, XSS, and SQL injection vulnerabilities.
Greg Wilkins reports:
jetty allows remote attackers to bypass protection mechanisms and read the source of files via multiple '/' characters in the URI.
xine project reports:
A new xine-lib version is now available. This release contains a security fix (remotely-expoitable buffer overflow, CVE-2006-1664). (This is not the first time that that bug has been fixed...) It also fixes a few more recent bugs, such as the audio output problems in 1.1.9.
Matthieu Herrb of X.Org reports:
Several vulnerabilities have been identified in server code of the X window system caused by lack of proper input validation on user controlled data in various parts of the software, causing various kinds of overflows.
Exploiting these overflows will crash the X server or, under certain circumstances allow the execution of arbitray machine code.
When the X server is running with root privileges (which is the case for the Xorg server and for most kdrive based servers), these vulnerabilities can thus also be used to raise privileges.
All these vulnerabilities, to be exploited succesfully, require either an already established connection to a running X server (and normally running X servers are only accepting authenticated connections), or a shell access with a valid user on the machine where the vulnerable server is installed.
Gentoo reports:
A remote attacker could entice a user to install a specially crafted "rc" file to execute arbitrary code via long strings in the "Name" and "Comment" fields or via unspecified vectors involving the second vulnerability.
Nico Golde reports:
A local attacker could exploit this vulnerability to conduct symlink attacks to overwrite files with the privileges of the user running Claws Mail.
Secunia reports:
A vulnerability has been reported in IRC Services, which can be exploited by malicious people to cause a Denial of Service. The vulnerability is caused due to the improper handling of overly long passwords within the "default_encrypt()" function in encrypt.c and can be exploited to crash an affected server.
xine project reports:
A new xine-lib version is now available. This release contains a security fix (remotely-expoitable buffer overflow, CVE-2008-0225). It also contains a read-past-end fix for an internal library function which is only used if the OS does not supply it and a rendering fix for Darwin/PPC.
Geeklog reports:
MustLive pointed out a possible XSS in the form to email an article to a friend that we're fixing with this release.
Please note that this problem only exists in Geeklog 1.4.0 - neither Geeklog 1.4.1 nor any older versions (1.3.x series) have that problem.
The Drupal Project reports:
The aggregator module fetches items from RSS feeds and makes them available on the site. The module provides an option to remove items from a particular feed. This has been implemented as a simple GET request and is therefore vulnerable to cross site request forgeries. For example: Should a privileged user view a page containing an <img> tag with a specially constructed src pointing to a remove items URL, the items would be removed.
The Drupal Project reports:
When outputting plaintext Drupal strips potentially dangerous HTML tags and attributes from HTML, and escapes characters which have a special meaning in HTML. This output filtering secures the site against cross site scripting attacks via user input.
Certain byte sequences that are invalid in the UTF8 specification are not handled properly by Internet Explorer 6 and may lead it to see a multibyte start character where none is present. Internet Explorer 6 then consumes a number of subsequent UTF-8 characters. This may lead to unsafe attributes that were outside a tag for the filter to appear inside a tag for Internet Explorer 6. This behaviour can then be used to insert and execute javascript in the context of the website.
The Drupal Project reports:
When theme .tpl.php files are accessible via the web and the PHP setting register_globals is set to enabled, anonymous users are able to execute cross site scripting attacks via specially crafted links.
Drupal's .htaccess attempts to set register_globals to disabled and also prevents access to .tpl.php files. Only when both these measures are not effective and your PHP interpreter is configured with register_globals set to enabled, will this issue affect you.
Secunia reports:
A vulnerability has been reported in MaraDNS, which can be exploited by malicious people to cause a Denial of Service.
The vulnerability is caused due to an error within the handling of certain DNS packets. This can be exploited to cause a resource rotation by sending specially crafted DNS packets, which cause an authoritative CNAME record to not resolve, resulting in a Denial of Sevices.
Secunia reports:
Multiple vulnerabilities have been reported in RealPlayer/RealOne/HelixPlayer, which can be exploited by malicious people to compromise a user's system.
An input validation error when processing .RA/.RAM files can be exploited to cause a heap corruption via a specially crafted .RA/.RAM file with an overly large size field in the header.
An error in the processing of .PLS files can be exploited to cause a memory corruption and execute arbitrary code via a specially crafted .PLS file.
An input validation error when parsing .SWF files can be exploited to cause a buffer overflow via a specially crafted .SWF file with malformed record headers.
A boundary error when processing rm files can be exploited to cause a buffer overflow.
Adobe Security bulletin:
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.
Dovecot reports:
If two users with the same password and same pass_filter variables log in within auth_cache_ttl seconds (1h by default), the second user may get logged in with the first user's cached pass_attrs. For example if pass_attrs contained the user's home/mail directory, this would mean that the second user will be accessing the first user's mails.
The Gallery team reports:
Gallery 2.2.4 addresses the following security vulnerabilities:
- Publish XP module - Fixed unauthorized album creation and file uploads.
- URL rewrite module - Fixed local file inclusion vulnerability in unsecured admin controller and information disclosure in hotlink protection.
- Core / add-item modules - Fixed Cross Site Scripting (XSS) vulnerabilities through malicious file names.
- Installation (Gallery application) - Update web-accessibility protection of the storage folder for Apache 2.2.
- Core (Gallery application) / MIME module - Fixed vulnerability in checks for disallowed file extensions in file uploads.
- Gallery Remote module - Added missing permissions checks for some GR commands.
- WebDAV module - Fixed Cross Site Scripting (XSS) vulnerability through HTTP PROPPATCH.
- WebDAV module - Fixed information (item data) disclosure in a WebDAV view.
- Comment module - Fixed information (item data) disclosure in comment views.
- Core module (Gallery application) - Improved resilience against item information disclosure attacks.
- Slideshow module - Fixed information (item data) disclosure in the slideshow.
- Print modules - Fixed information (item data) disclosure in several print modules.
- Core / print modules - Fixed arbitrary URL redirection (phishing attacks) in the core module and several print modules.
- WebCam module - Fixed proxied request weakness.
Theodore Y. Ts'o reports:
Fix a potential security vulnerability where an untrusted filesystem can be corrupted in such a way that a program using libext2fs will allocate a buffer which is far too small. This can lead to either a crash or potentially a heap-based buffer overflow crash. No known exploits exist, but main concern is where an untrusted user who possesses privileged access in a guest Xen environment could corrupt a filesystem which is then accessed by thus allowing the untrusted user to gain privileged access in the host OS. Thanks to the McAfee AVERT Research group for reporting this issue.
The Wireshark team reports of multiple vulnerabilities:
- Wireshark could crash when reading an MP3 file.
- Beyond Security discovered that Wireshark could loop excessively while reading a malformed DNP packet.
- Stefan Esser discovered a buffer overflow in the SSL dissector.
- The ANSI MAP dissector could be susceptible to a buffer overflow on some platforms.
- The Firebird/Interbase dissector could go into an infinite loop or crash.
- The NCP dissector could cause a crash.
- The HTTP dissector could crash on some systems while decoding chunked messages.
- The MEGACO dissector could enter a large loop and consume system resources.
- The DCP ETSI dissector could enter a large loop and consume system resources.
- Fabiodds discovered a buffer overflow in the iSeries (OS/400) Communication trace file parser.
- The PPP dissector could overflow a buffer.
- The Bluetooth SDP dissector could go into an infinite loop.
- A malformed RPC Portmap packet could cause a crash.
- The IPv6 dissector could loop excessively.
- The USB dissector could loop excessively or crash.
- The SMB dissector could crash.
- The RPL dissector could go into an infinite loop.
- The WiMAX dissector could crash due to unaligned access on some platforms.
- The CIP dissector could attempt to allocate a huge amount of memory and crash.
Impact
It may be possible to make Wireshark or Ethereal crash or use up available memory by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Opera Software ASA reports about multiple security fixes:
- Fixed an issue where plug-ins could be used to allow cross domain scripting, as reported by David Bloom. Details will be disclosed at a later date.
- Fixed an issue with TLS certificates that could be used to execute arbitrary code, as reported by Alexander Klink (Cynops GmbH). Details will be disclosed at a later date.
- Rich text editing can no longer be used to allow cross domain scripting, as reported by David Bloom. See our advisory.
- Prevented bitmaps from revealing random data from memory, as reported by Gynvael Coldwind. Details will be disclosed at a later date.
Luigi Auriemma reports that peercast is vulnerable to a buffer overflow which could lead to a DoS or potentially remote code execution:
The handshakeHTTP function which handles all the requests received by the other clients is vulnerable to a heap overflow which allows an attacker to fill the loginPassword and loginMount buffers located in the Servent class with how much data he wants.
The Ganglia project reports:
The Ganglia development team is pleased to release Ganglia 3.0.6 (Foss) which is available[...]. This release includes a security fix for web frontend cross-scripting vulnerability.
SecurityFocus reports:
QEMU is prone to a local denial-of-service vulnerability because it fails to perform adequate boundary checks when handling user-supplied input.
Attackers can exploit this issue to cause denial-of-service conditions. Given the nature of the issue, attackers may also be able to execute arbitrary code, but this has not been confirmed.
The Drupal Project reports:
The function taxonomy_select_nodes() directly injects variables into SQL queries instead of using placeholders. While taxonomy module itself validates the input passed to taxonomy_select_nodes(), this is a weakness in Drupal core. Several contributed modules, such as taxonomy_menu, ajaxLoader, and ubrowser, directly pass user input to taxonomy_select_nodes(), enabling SQL injection attacks by anonymous users.
Secuna Research reports:
Secunia Research has discovered a vulnerability in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to a boundary error within the "send_mailslot()" function. This can be exploited to cause a stack-based buffer overflow with zero bytes via a specially crafted "SAMLOGON" domain logon packet containing a username string placed at an odd offset followed by an overly long GETDC string. Successful exploitation allows execution of arbitrary code, but requires that the "domain logons" option is enabled.
Secunia reports:
Format string vulnerability in the SMBDirList function in dirlist.c in SmbFTPD 0.96 allows remote attackers to execute arbitrary code via format string specifiers in a directory name.
Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty before 6.1.6rc1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters and cookies.
Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote sequences" in HTML cookie parameters, which allows remote attackers to hijack browser sessions via unspecified vectors.
CRLF injection vulnerability in Mortbay Jetty before 6.1.6rc0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.
The live555 development team reports:
Fixed a bounds-checking error in "parseRTSPRequestString()" caused by an int vs. unsigned problem.
The function which handles the incoming queries from the clients is affected by a vulnerability which allows an attacker to crash the server remotely using the smallest RTSP query possible to use.
GNU security announcement:
GNU Finger unfortunately has not been updated in many years, and has known security vulnerabilities. Please do not use it in production environments.
Squid secuirty advisory reports:
Due to incorrect bounds checking Squid is vulnerable to a denial of service check during some cache update reply processing.
This problem allows any client trusted to use the service to perform a denial of service attack on the Squid service.
Rails core team reports:
The rails core team has released ruby on rails 1.2.6 to address a bug in the fix for session fixation attacks (CVE-2007-5380). The CVE Identifier for this new issue is CVE-2007-6077.
Rails core team reports:
All users of Rails 1.2.4 or earlier are advised to upgrade to 1.2.5, though it isn't strictly necessary if you aren't working with JSON. For more information the JSON vulnerability, see CVE-2007-3227.
The ikiwiki development team reports:
Ikiwiki did not check if path to the srcdir to contained a symlink. If an attacker had commit access to the directories in the path, they could change it to a symlink, causing ikiwiki to read and publish files that were not intended to be published. (But not write to them due to other checks.)
Mozilla Foundation reports:
The Firefox 2.0.0.10 update contains fixes for three bugs that improve the stability of the product. These crashes showed some evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.
phpMyAdmin security announcement:
The login page auth_type cookie was vulnerable to XSS via the convcharset parameter. An attacker could use this to execute malicious code on the visitors computer
The Samba Team reports:
Secunia Research reported a vulnerability that allows for the execution of arbitrary code in nmbd. This defect may only be exploited when the "wins support" parameter has been enabled in smb.conf.
Samba developers have discovered what is believed to be a non-exploitable buffer over in nmbd during the processing of GETDC logon server requests. This code is only used when the Samba server is configured as a Primary or Backup Domain Controller.
PHP project reports:
Security Enhancements and Fixes in PHP 5.2.5:
- Fixed dl() to only accept filenames. Reported by Laurent Gaffie.
- Fixed dl() to limit argument size to MAXPATHLEN (CVE-2007-4887). Reported by Laurent Gaffie.
- Fixed htmlentities/htmlspecialchars not to accept partial multibyte sequences. Reported by Rasmus Lerdorf
- Fixed possible triggering of buffer overflows inside glibc implementations of the fnmatch(), setlocale() and glob() functions. Reported by Laurent Gaffie.
- Fixed "mail.force_extra_parameters" php.ini directive not to be modifiable in .htaccess due to the security implications. Reported by SecurityReason.
- Fixed bug #42869 (automatic session id insertion adds sessions id to non-local forms).
- Fixed bug #41561 (Values set with php_admin_* in httpd.conf can be overwritten with ini_set()).
US-CERT reports:
webserver.c in mt-dappd in Firefly Media Server 0.2.4 and earlier allows remote attackers to cause a denial of service (NULL dereference and daemon crash) via a stats method action to /xml-rpc with (1) an empty Authorization header line, which triggers a crash in the ws_decodepassword function; or (2) a header line without a ':' character, which triggers a crash in the ws_getheaders function.
CVE reports:
The SNMP agent (snmp_agent.c) in net-snmp before 5.4.1 allows remote attackers to cause a denial of service (CPU and memory consumption) via a GETBULK request with a large max-repeaters value.
iDefense Laps reports:
Remote exploitation of multiple integer overflow vulnerabilities in libFLAC, as included with various vendor's software distributions, allows attackers to execute arbitrary code in the context of the currently logged in user.
These vulnerabilities specifically exist in the handling of malformed FLAC media files. In each case, an integer overflow can occur while calculating the amount of memory to allocate. As such, insufficient memory is allocated for the data that is subsequently read in from the file, and a heap based buffer overflow occurs.
Secunia Research reports:
Secunia Research has discovered some vulnerabilities in Xpdf, which can be exploited by malicious people to compromise a user's system.
- An array indexing error within the "DCTStream::readProgressiveDataUnit()" method in xpdf/Stream.cc can be exploited to corrupt memory via a specially crafted PDF file.
- An integer overflow error within the "DCTStream::reset()" method in xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file.
- A boundary error within the "CCITTFaxStream::lookChar()" method in xpdf/Stream.cc can be exploited to cause a heap-based buffer overflow by tricking a user into opening a PDF file containing a specially crafted "CCITTFaxDecode" filter.
Successful exploitation may allow execution of arbitrary code.
Plone projectreports:
This hotfix corrects a vulnerability in the statusmessages and linkintegrity modules, where unsafe network data was interpreted as python pickles. This allows an attacker to run arbitrary python code within the Zope/Plone process.
The DigiTrust Group reports:
When creating a new database, a malicious user can use a client-side Web proxy to place malicious code in the db parameter of the POST request. Since db_create.php does not properly sanitize user-supplied input, an administrator could face a persistent XSS attack when the database names are displayed.
Gallery project reports:
Gallery 2.2.3 addresses the following security vulnerabilities:
- Unauthorized renaming of items possible with WebDAV (reported by Merrick Manalastas)
- Unauthorized modification and retrieval of item properties possible with WebDAV
- Unauthorized locking and replacing of items possible with WebDAV
- Unauthorized editing of data file possible via linked items with Reupload and WebDAV (reported by Nicklous Roberts)
Secunia reports:
Some vulnerabilities have been reported in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting and script insertion attacks and disclose potentially sensitive information.
Input passed to the username parameter in tiki-remind_password.php (when remind is set to send me my password) is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code (for example with meta refreshes to a javascript: URL) in a user's browser session in context of an affected site.
Input passed to the local_php and error_handler parameters in tiki-index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.
Input passed to the imp_language parameter in tiki-imexport_languages.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources.
Certain img src elements are not properly santised before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when the malicious data is viewed.
Secunia reports:
Secunia Research has discovered a vulnerability in CUPS, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to a boundary error within the "ippReadIO()" function in cups/ipp.c when processing IPP (Internet Printing Protocol) tags. This can be exploited to overwrite one byte on the stack with a zero by sending an IPP request containing specially crafted "textWithLanguage" or "nameWithLanguage" tags.
Successful exploitation allows execution of arbitrary code.
Red Hat reports:
A flaw was found in Perl's regular expression engine. Specially crafted input to a regular expression can cause Perl to improperly allocate memory, possibly resulting in arbitrary code running with the permissions of the user running Perl.
Debian project reports:
Tavis Ormandy of the Google Security Team has discovered several security issues in PCRE, the Perl-Compatible Regular Expression library, which potentially allow attackers to execute arbitrary code by compiling specially crafted regular expressions.
SEC-Consult reports:
Perdition IMAP is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.
Gentoo reports:
Kalle Olavi Niemitalo discovered two boundary errors in fsplib code included in gFTP when processing overly long directory or file names.
A remote attacker could trigger these vulnerabilities by enticing a user to download a file with a specially crafted directory or file name, possibly resulting in the execution of arbitrary code or a Denial of Service.
Securiweb reports:
dircproxy allows remote attackers to cause a denial of service (segmentation fault) via an ACTION command without a parameter, which triggers a NULL pointer dereference, as demonstrated using a blank /me message from irssi.
A Secunia Advisory report:
Input passed to the "posts_columns" parameter in wp-admin/edit-post-rows.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
BugTraq reports:
OpenLDAP is prone to multiple remote denial-of-service vulnerabilities because of an incorrect NULL-termination issue and a double-free issue.
Django project reports:
A per-process cache used by Django's internationalization ("i18n") system to store the results of translation lookups for particular values of the HTTP Accept-Language header used the full value of that header as a key. An attacker could take advantage of this by sending repeated requests with extremely large strings in the Accept-Language header, potentially causing a denial of service by filling available memory.
Due to limitations imposed by Web server software on the size of HTTP header fields, combined with reasonable limits on the number of requests which may be handled by a single server process over its lifetime, this vulnerability may be difficult to exploit. Additionally, it is only present when the "USE_I18N" setting in Django is "True" and the i18n middleware component is enabled*. Nonetheless, all users of affected versions of Django are encouraged to update.
An advisory from Opera reports:
If a user has configured Opera to use an external newsgroup client or e-mail application, specially crafted Web pages can cause Opera to run that application incorrectly. In some cases this can lead to execution of arbitrary code.
When accesing frames from different Web sites, specially crafted scripts can bypass the same-origin policy, and overwrite functions from those frames. If scripts on the page then run those functions, this can cause the script of the attacker's choice to run in the context of the target Web site.
The Drupal Project reports:
In some circumstances Drupal allows user-supplied data to become part of response headers. As this user-supplied data is not always properly escaped, this can be exploited by malicious users to execute HTTP response splitting attacks which may lead to a variety of issues, among them cache poisoning, cross-user defacement and injection of arbitrary code.
The Drupal installer allows any visitor to provide credentials for a database when the site's own database is not reachable. This allows attackers to run arbitrary code on the site's server. An immediate workaround is the removal of the file install.php in the Drupal root directory.
The allowed extension list of the core Upload module contains the extension HTML by default. Such files can be used to execute arbitrary script code in the context of the affected site when a user views the file. Revoking upload permissions or removing the .html extension from the allowed extension list will stop uploads of malicious files. but will do nothing to protect your site againstfiles that are already present. Carefully inspect the file system path for any HTML files. We recommend you remove any HTML file you did not update yourself. You should look for , CSS includes, Javascript includes, and onerror="" attributes if you need to review files individually.
The Drupal Forms API protects against cross site request forgeries (CSRF), where a malicous site can cause a user to unintentionally submit a form to a site where he is authenticated. The user deletion form does not follow the standard Forms API submission model and is therefore not protected against this type of attack. A CSRF attack may result in the deletion of users.
The publication status of comments is not passed during the hook_comments API operation, causing various modules that rely on the publication status (such as Organic groups, or Subscriptions) to mail out unpublished comments.
Ganael Laplanche reports:
Up to now, each ldap* command was called with the -w parameter, which allows to specify the bind password on the command line. Unfortunately, this could make the password appear to anybody performing a `ps` during the call. This is now avoided by using the -y parameter and a password file.
RedHat reports:
Several flaws were found in the way in which Firefox displayed malformed web content. A web page containing specially-crafted content could potentially trick a user into surrendering sensitive information. (CVE-2007-1095, CVE-2007-3844, CVE-2007-3511, CVE-2007-5334)
The DigiTrust Group discovered serious XSS vulnerability in the phpMyAdmin server_status.php script. According to their report
vulnerability can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
SecurityFocus reports:
phpMyAdmin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input.
An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal potentially sensitive information and launch other attacks.
A Secunia Advisory reports:
The vulnerability is caused due to a boundary error within the redir() function in check_http.c when processing HTTP Location: header information. This can be exploited to cause a buffer overflow by returning an overly long string in the "Location:" header to a vulnerable system.
A Secunia Advisory reports:
Some vulnerabilities have been reported in libpng, which can be exploited by malicious people to cause a DoS (Denial of Service).
Certain errors within libpng, including a logical NOT instead of a bitwise NOT in pngtrtran.c, an error in the 16bit cheap transparency extension, and an incorrect use of sizeof() may be exploited to crash an application using the library.
Various out-of-bounds read errors exist within the functions png_handle_pCAL(), png_handle_sCAL(), png_push_read_tEXt(), png_handle_iTXt(), and png_handle_ztXt(), which may be exploited by exploited to crash an application using the library.
The vulnerability is caused due to an off-by-one error within the ICC profile chunk handling, which potentially can be exploited to crash an application using the library.
Multiple vulnerabilities have been discovered in ImageMagick.
ImageMagick before 6.3.5-9 allows context-dependent attackers to cause a denial of service via a crafted image file that triggers (1) an infinite loop in the ReadDCMImage function, related to ReadBlobByte function calls; or (2) an infinite loop in the ReadXCFImage function, related to ReadBlobMSBLong function calls.
Multiple integer overflows in ImageMagick before 6.3.5-9 allow context-dependent attackers to execute arbitrary code via a crafted (1) .dcm, (2) .dib, (3) .xbm, (4) .xcf, or (5) .xwd image file, which triggers a heap-based buffer overflow.
Off-by-one error in the ReadBlobString function in blob.c in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted image file, which triggers the writing of a '\0' character to an out-of-bounds address.
Sign extension error in the ReadDIBImage function in ImageMagick before 6.3.5-9 allows context-dependent attackers to execute arbitrary code via a crafted width value in an image file, which triggers an integer overflow and a heap-based buffer overflow.
SUN reports:
A vulnerability in the Java Runtime Environment (JRE) with applet caching may allow an untrusted applet that is downloaded from a malicious website to make network connections to network services on machines other than the one that the applet was downloaded from. This may allow network resources (such as web pages) and vulnerabilities (that exist on these network services) which are not otherwise normally accessible to be accessed or exploited.
Matthieu Herrb reports:
Problem Description:
Several vulnerabilities have been identified in xfs, the X font server. The QueryXBitmaps and QueryXExtents protocol requests suffer from lack of validation of their 'length' parameters.
Impact:
On most modern systems, the font server is accessible only for local clients and runs with reduced privileges, but on some systems it may still be accessible from remote clients and possibly running with root privileges, creating an opportunity for remote privilege escalation.
A Buffer overflow in the ReadImage function in generic/tkImgGIF.c in Tcl/Tk, allows remote attackers to execute arbitrary code via multi-frame interlaced GIF files in which later frames are smaller than the first.
RISE Security reports:
There exists multiple vulnerabilities within functions of Firebird Relational Database, which when properly exploited can lead to remote compromise of the vulnerable system.
Debian Bug report log reports:
When tagging file $foo, a temporary copy of the file is created, and for some reason, libid3 doesn't use mkstemp but just creates $foo.XXXXXX literally, without any checking.
This would silently truncate and overwrite an existing $foo.XXXXXX.
The MediaWiki development team reports:
A possible HTML/XSS injection vector in the API pretty-printing mode has been found and fixed.
The vulnerability may be worked around in an unfixed version by simply disabling the API interface if it is not in use, by adding this to LocalSettings.php:
$wgEnableAPI = false;
(This is the default setting in 1.8.x.)
Alexander Concha reports:
While testing WordPress, it has been discovered a SQL Injection vulnerability that allows an attacker to retrieve remotely any user credentials from a vulnerable site, this bug is caused because of early database escaping and the lack of validation in query string like parameters.
The Samba development team reports:
The idmap_ad.so library provides an nss_info extension to Winbind for retrieving a user's home directory path, login shell and primary group id from an Active Directory domain controller. This functionality is enabled by defining the "winbind nss info" smb.conf option to either "sfu" or "rfc2307".
Both the Windows "Identity Management for Unix" and "Services for Unix" MMC plug-ins allow a user to be assigned a primary group for Unix clients that differs from the user's Windows primary group. When the rfc2307 or sfu nss_info plugin has been enabled, in the absence of either the RFC2307 or SFU primary group attribute, Winbind will assign a primary group ID of 0 to the domain user queried using the getpwnam() C library call.
A Bugzilla Security Advisory reports:
This advisory covers three security issues that have recently been fixed in the Bugzilla code:
- A possible cross-site scripting (XSS) vulnerability when filing bugs using the guided form.
- When using email_in.pl, insufficiently escaped data may be passed to sendmail.
- Users using the WebService interface may access Bugzilla's time-tracking fields even if they normally cannot see them.
We strongly advise that 2.20.x and 2.22.x users should upgrade to 2.20.5 and 2.22.3 respectively. 3.0 users, and users of 2.18.x or below, should upgrade to 3.0.1.
BugTraq reports:
ClamAV is prone to multiple denial-of-service vulnerabilities.
A successful attack may allow an attacker to crash the application and deny service to users.
The coppermine development team reports two vulnerabilities with the coppermine application. These vulnerabilities are caused by improper checking of the log variable in "viewlog.php" and improper checking of the referer variable in "mode.php". This could allow local file inclusion, potentially disclosing valuable information and could lead to an attacker conducting a cross site scripting attack against the targeted site.
iDefense reports:
Remote exploitation of multiple integer overflow vulnerabilities within OpenOffice, as included in various vendors' operating system distributions, allows attackers to execute arbitrary code.
These vulnerabilities exist within the TIFF parsing code of the OpenOffice suite. When parsing the TIFF directory entries for certain tags, the parser uses untrusted values from the file to calculate the amount of memory to allocate. By providing specially crafted values, an integer overflow occurs in this calculation. This results in the allocation of a buffer of insufficient size, which in turn leads to a heap overflow.
The Bugzilla development team reports:
Bugzilla::WebService::User::offer_account_by_email does not check the "createemailregexp" parameter, and thus allows users to create accounts who would normally be denied account creation. The "emailregexp" parameter is still checked. If you do not have the SOAP::Lite Perl module installed on your Bugzilla system, your system is not vulnerable (because the Bugzilla WebService will not be enabled).
The KDE development team reports:
The Konqueror address bar is vulnerable to spoofing attacks that are based on embedding white spaces in the url. In addition the address bar could be tricked to show an URL which it is intending to visit for a short amount of time instead of the current URL.
The KDE development team reports:
KDM can be tricked into performing a password-less login even for accounts with a password set under certain circumstances, namely autologin to be configured and "shutdown with password" enabled.
The Flyspray Project reports:
Flyspray authentication system can be bypassed by sending a carefully crafted post request.
To be vulnerable, PHP configuration directive output_buffering has to be disabled or set to a low value.
The Mozilla Foundation reports a vulnerability within the mozilla browser. This vulnerability also affects various other browsers like firefox and seamonkey. The vulnerability is caused by QuickTime Media-Link files that contain a qtnext attribute. This could allow an attacker to start the browser with arbitrary command-line options. This could allow the attacker to install malware, steal local data and possibly execute and/or do other arbitrary things within the users context.
The PHP development team reports:
Security Enhancements and Fixes in PHP 5.2.4:
- Fixed a floating point exception inside wordwrap() (Reported by Mattias Bengtsson)
- Fixed several integer overflows inside the GD extension (Reported by Mattias Bengtsson)
- Fixed size calculation in chunk_split() (Reported by Gerhard Wagner)
- Fixed integer overflow in str[c]spn(). (Reported by Mattias Bengtsson)
- Fixed money_format() not to accept multiple %i or %n tokens. (Reported by Stanislav Malyshev)
- Fixed zend_alter_ini_entry() memory_limit interruption vulnerability. (Reported by Stefan Esser)
- Fixed INFILE LOCAL option handling with MySQL extensions not to be allowed when open_basedir or safe_mode is active. (Reported by Mattias Bengtsson)
- Fixed session.save_path and error_log values to be checked against open_basedir and safe_mode (CVE-2007-3378) (Reported by Maksymilian Arciemowicz)
- Fixed a possible invalid read in glob() win32 implementation (CVE-2007-3806) (Reported by shinnai)
- Fixed a possible buffer overflow in php_openssl_make_REQ (Reported by zatanzlatan at hotbrev dot com)
- Fixed an open_basedir bypass inside glob() function (Reported by dr at peytz dot dk)
- Fixed a possible open_basedir bypass inside session extension when the session file is a symlink (Reported by c dot i dot morris at durham dot ac dot uk)
- Improved fix for MOPB-03-2007.
- Corrected fix for CVE-2007-2872.
Apache HTTP server project reports:
The following potential security flaws are addressed:
- CVE-2007-3847: mod_proxy: Prevent reading past the end of a buffer when parsing date-related headers.
- CVE-2007-1863: mod_cache: Prevent a segmentation fault if attributes are listed in a Cache-Control header without any value.
- CVE-2007-3304: prefork, worker, event MPMs: Ensure that the parent process cannot be forced to kill processes outside its process group.
- CVE-2006-5752: mod_status: Fix a possible XSS attack against a site with a public server-status page and ExtendedStatus enabled, for browsers which perform charset "detection". Reported by Stefan Esser.
- CVE-2006-1862: mod_mem_cache: Copy headers into longer lived storage; header names and values could previously point to cleaned up storage.
lighttpd maintainer reports:
Lighttpd is prone to a header overflow when using the mod_fastcgi extension, this can lead to arbitrary code execution in the fastcgi application. For a detailed description of the bug see the external reference.
This bug was found by Mattias Bengtsson and Philip Olausson
Gentoo reports:
Sune Kloppenborg Jeppesen and Tavis Ormandy of the Gentoo Linux Security Team have reported that the check_update.sh script and the main rkhunter script insecurely creates several temporary files with predictable filenames.
A local attacker could create symbolic links in the temporary files directory, pointing to a valid file somewhere on the filesystem. When rkhunter or the check_update.sh script runs, this would result in the file being overwritten with the rights of the user running the utility, which could be the root user.
Secunia reports:
A vulnerability has been reported in LSH, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).
Matthias Andree reports:
fetchmail will generate warning messages in certain circumstances (for instance, when leaving oversized messages on the server or login to the upstream fails) and send them to the local postmaster or the user running it.
If this warning message is then refused by the SMTP listener that fetchmail is forwarding the message to, fetchmail crashes and does not collect further messages until it is restarted.
Red Hat reports:
A path traversal flaw was discovered in the way GNU tar extracted archives. A malicious user could create a tar archive that could write to arbitrary files to which the user running GNU tar had write access.
Red Hat credits Dmitry V. Levin for reporting the issue.
A Secunia Advisory reports:
A format string error in the "inc_put_error()" function in src/inc.c when displaying a POP3 server's error response can be exploited via specially crafted POP3 server replies containing format specifiers.
Successful exploitation may allow execution of arbitrary code, but requires that the user is tricked into connecting to a malicious POP3 server.
BugTraq reports:
The rsync utility is prone to an off-by-one buffer-overflow vulnerability. This issue is due to a failure of the application to properly bounds-check user-supplied input.
Successfully exploiting this issue may allow arbitrary code-execution in the context of the affected utility.
An advisory from Opera reports:
A specially crafted JavaScript can make Opera execute arbitrary code.
A Secunia Advisory reports:
fsplib can be exploited to compromise an application using the library.
A boundary error exists in the processing of file names in fsp_readdir_native, which can be exploited to cause a stack-based buffer overflow if the defined MAXNAMLEN is bigger than 256.
A boundary error exists in the processing of directory entries in fsp_readdir, which can be exploited to cause a stack-based buffer overflow on systems with an insufficient size allocated for the d_name field of directory entries.
A Secunia Advisory reports:
joomla can be exploited to conduct session fixation attacks, cross-site scripting attacks or HTTP response splitting attacks.
Certain unspecified input passed in com_search, com_content and mod_login is not properly sanitised before being returned to a user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Input passed to the url parameter is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which will be included in a response sent to the user, allowing for execution of arbitrary HTML and script code in a user's browser session in context of an affected site.
An error exists in the handling of sessions and can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.
An un-checked return value in the BGP dissector code can result in an integer overflow. This value is used in subsequent buffer management operations, resulting in a stack based buffer overflow under certain circumstances.
By crafting malicious BGP packets, an attacker could exploit this vulnerability to execute code or crash the tcpdump process on the target system. This code would be executed in the context of the user running tcpdump(1). It should be noted that tcpdump(1) requires privileges in order to open live network interfaces.
No workaround is available.
When named(8) is operating as a recursive DNS server or sending NOTIFY requests to slave DNS servers, named(8) uses a predictable query id.
An attacker who can see the query id for some request(s) sent by named(8) is likely to be able to perform DNS cache poisoning by predicting the query id for other request(s).
No workaround is available.
The KDE Team reports:
kpdf, the KDE pdf viewer, shares code with xpdf. xpdf contains a vulnerability that can cause a stack based buffer overflow via a PDF file that exploits an integer overflow in StreamPredictor::StreamPredictor(). Remotely supplied pdf files can be used to disrupt the kpdf viewer on the client machine and possibly execute arbitrary code.
Securityfocus reports:
Mutt is prone to a local buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input before using it in a memory copy operation. An attacker can exploit this issue to execute arbitrary code with the with the privileges of the victim. Failed exploit attempts will result in a denial of service.
A Secunia Advisory reports:
An error exists in the handling of DNS queries where IDs are incremented with a fixed value and are additionally used for child processes in a forking server. This can be exploited to poison the DNS cache of an application using the module if a valid ID is guessed.
An error in the PP implementation within the "dn_expand()" function can be exploited to cause a stack overflow due to an endless loop via a specially crafted DNS packet.
Doz reports:
A Input passed in the URL to index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The Drupal Project reports:
Several parts in Drupal core are not protected against cross site request forgeries due to inproper use of the Forms API, or by taking action solely on GET requests. Malicious users are able to delete comments and content revisions and disable menu items by enticing a privileged users to visit certain URLs while the victim is logged-in to the targeted site.
The Drupal Project reports:
Some server variables are not escaped consistently. When a malicious user is able to entice a victim to visit a specially crafted link or webpage, arbitrary HTML and script code can be injected and executed in the context of the victim's session on the targeted website.
Custom content type names are not escaped consistently. A malicious user with the 'administer content types' permission would be able to inject and execute arbitrary HTML and script code on the website. Revoking the 'administer content types' permission provides an immediate workaround.
A Secunia Advisory reports:
A format string error in the "helptags_one()" function in src/ex_cmds.c when running the "helptags" command can be exploited to execute arbitrary code via specially crafted help files.
isecpartners reports:
libvorbis contains several vulnerabilities allowing heap overwrite, read violations and a function pointer overwrite. These bugs cause a at least a denial of service, and potentially code execution.
The Apache Project reports:
The JSP and Servlet included in the sample application within the Tomcat documentation webapp did not escape user provided data before including it in the output. This enabled a XSS attack. These pages have been simplified not to use any user provided data in the output.
Apache Project reports:
The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.36 stable. This build contains numerous library updates, A small number of bug fixes and two important security fixes.
DokuWiki reports:
The spellchecker tests the UTF-8 capabilities of the used browser by sending an UTF-8 string to the backend, which will send it back unfiltered. By comparing string length the spellchecker can work around broken implementations. An attacker could construct a form to let users send JavaScript to the spellchecker backend, resulting in malicious JavaScript being executed in their browser.
Affected are all versions up to and including 2007-06-26 even when the spell checker is disabled.
Secunia Advisory reports:
Some vulnerabilities have been reported in lighttpd, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).
Opera Software ASA reports of multiple security fixes in Opera, including an arbitrary code execute vulnerability:
Opera for Linux, FreeBSD, and Solaris has a flaw in the createPattern function that leaves old data that was in the memory before Opera allocated it in the new pattern. The pattern can be read and analyzed by JavaScript, so an attacker can get random samples of the user's memory, which may contain data.
Removing a specially crafted torrent from the download manager can crash Opera. The crash is caused by an erroneous memory access.
An attacker needs to entice the user to accept the malicious BitTorrent download, and later remove it from Opera's download manager. To inject code, additional means will have to be employed.
Users clicking a BitTorrent link and rejecting the download are not affected.
data: URLs embed data inside them, instead of linking to an external resource. Opera can mistakenly display the end of a data URL instead of the beginning. This allows an attacker to spoof the URL of a trusted site.
Opera's HTTP authentication dialog is displayed when the user enters a Web page that requires a login name and a password. To inform the user which server it was that asked for login credentials, the dialog displays the server name.
The user has to see the entire server name. A truncated name can be misleading. Opera's authentication dialog cuts off the long server names at the right hand side, adding an ellipsis (...) to indicate that it has been cut off.
The dialog has a predictable size, allowing an attacker to create a server name which will look almost like a trusted site, because the real domain name has been cut off. The three dots at the end will not be obvious to all users.
This flaw can be exploited by phishers who can set up custom sub-domains, for example by hosting their own public DNS.
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.
- MFSA 2007-25 XPCNativeWrapper pollution
- MFSA 2007-24 Unauthorized access to wyciwyg:// documents
- MFSA 2007-21 Privilege escalation using an event handler attached to an element not in the document
- MFSA 2007-20 Frame spoofing while window is loading
- MFSA 2007-19 XSS using addEventListener and setTimeout
- MFSA 2007-18 Crashes with evidence of memory corruption
Adobe reports:
Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities.
wireshark Team reports:
It may be possible to make Wireshark or Ethereal crash or use up available memory by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file.
Debian reports:
Ulf Härnhammar from the Debian Security Audit Project discovered a problem in typespeed, a touch-typist trainer disguised as game. This could lead to a local attacker executing arbitrary code.
isecpartners reports:
VLC is vulnerable to a format string attack in the parsing of Vorbis comments in Ogg Vorbis and Ogg Theora files, CDDA data or SAP/SDP service discovery messages. Additionally, there are two errors in the handling of wav files, one a denial of service due to an uninitialized variable, and one integer overflow in sampling frequency calculations.
isecpartners reports:
flac123, also known as flac-tools, is vulnerable to a buffer overflow in vorbis comment parsing. This allows for the execution of arbitrary code.
gd had been reported vulnerable to several vulnerabilities:
Debian project reports:
It was discovered that the IMAP code in the Evolution Data Server performs insufficient sanitising of a value later used an array index, which can lead to the execution of arbitrary code.
Debian Project reports:
Erik Sjolund discovered a buffer overflow in pcdsvgaview, an SVGA PhotoCD viewer. xpcd-svga is part of xpcd and uses svgalib to display graphics on the Linux console for which root permissions are required. A malicious user could overflow a fixed-size buffer and may cause the program to execute arbitrary code with elevated privileges.
Clamav had been found vulnerable to multiple vulnerabilities:
SpamAssassin website reports:
A local user symlink-attack DoS vulnerability in SpamAssassin has been found, affecting versions 3.1.x, 3.2.0, and SVN trunk.
Secunia reports:
CUPS is not using multiple workers to handle connections. This can be exploited to stop CUPS from accepting new connections by starting but never completing an SSL negotiation.
Secunia reports:
The vulnerability is caused due to predictable DNS "Transaction ID" field in DNS queries and can be exploited to poison the DNS cache of an application using the library if a valid ID is guessed.
Secunia reports:
Slappter has discovered a vulnerability in WordPress, which can be exploited by malicious users to conduct SQL injection attacks.
Input passed to the "wp.suggestCategories" method in xmlrpc.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation allows e.g. retrieving usernames and password hashes, but requires valid user credentials and knowledge of the database table prefix.
Blogsecurity reports:
An attacker can read comments on posts that have not been moderated. This can be a real security risk if blog admins are using unmoderated comments (comments that have not been made public) to hide sensitive notes regarding posts, future work, passwords etc. So please be careful if you are one of these blog admins.
Secunia reports:
Input passed to unspecified parameters in pam_login.cgi is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Mplayer Team reports:
A stack overflow was found in the code used to handle cddb queries. When copying the album title and category, no checking was performed on the size of the strings before storing them in a fixed-size array. A malicious entry in the database could trigger a stack overflow in the program, leading to arbitrary code execution with the uid of the user running MPlayer.
Kazu Nambo reports:
URL decoding the the Apache webserver prior to decoding in the Tomcat server could pypass access control rules and give access to pages on a different AJP by sending a crafted URL.
Olivier Dobberkau, Andreas Otto, and Thorsten Kahler report:
An unspecified error in the internal form engine can be used for sending arbitrary mail headers, using it for purposes which it is not meant for, e.g. sending spam messages.
SecurityFocus reports about phppgadmin:
Exploiting this vulnerability may allow an attacker to perform cross-site scripting attacks on unsuspecting users in the context of the affected website. As a result, the attacker may be able to steal cookie-based authentication credentials and to launch other attacks.
James Youngman reports:
When GNU locate reads filenames from an old-format locate database, they are read into a fixed-length buffer allocated on the heap. Filenames longer than the 1026-byte buffer can cause a buffer overrun. The overrunning data can be chosen by any person able to control the names of filenames created on the local system. This will normally include all local users, but in many cases also remote users (for example in the case of FTP servers allowing uploads).
Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.
When writing data into a buffer in the file_printf function, the length of the unused portion of the buffer is not correctly tracked, resulting in a buffer overflow when processing certain files.
An attacker who can cause file(1) to be run on a maliciously constructed input can cause file(1) to crash. It may be possible for such an attacker to execute arbitrary code with the privileges of the user running file(1).
The above also applies to any other applications using the libmagic(3) library.
No workaround is available, but systems where file(1) and other libmagic(3)-using applications are never run on untrusted input are not vulnerable.
The SquirrelMail developers report:
Multiple cross-site scripting (XSS) vulnerabilities in the HTML filter in SquirrelMail 1.4.0 through 1.4.9a allow remote attackers to inject arbitrary web script or HTML via the (1) data: URI in an HTML e-mail attachment or (2) various non-ASCII character sets that are not properly filtered when viewed with Microsoft Internet Explorer.
A Libpng Security Advisory reports:
A grayscale PNG image with a malformed (bad CRC) tRNS chunk will crash some libpng applications.
This vulnerability could be used to crash a browser when a user tries to view such a malformed PNG file. It is not known whether the vulnerability could be exploited otherwise.
The Samba Team reports:
A bug in the local SID/Name translation routines may potentially result in a user being able to issue SMB/CIFS protocol operations as root.
When translating SIDs to/from names using Samba local list of user and group accounts, a logic error in the smbd daemon's internal security stack may result in a transition to the root user id rather than the non-root user. The user is then able to temporarily issue SMB/CIFS protocol operations as the root user. This window of opportunity may allow the attacker to establish additional means of gaining root access to the server.
Various bugs in Samba's NDR parsing can allow a user to send specially crafted MS-RPC requests that will overwrite the heap space with user defined data.
Unescaped user input parameters are passed as arguments to /bin/sh allowing for remote command execution.
This bug was originally reported against the anonymous calls to the SamrChangePassword() MS-RPC function in combination with the "username map script" smb.conf option (which is not enabled by default).
After further investigation by Samba developers, it was determined that the problem was much broader and impacts remote printer and file share management as well. The root cause is passing unfiltered user input provided via MS-RPC calls to /bin/sh when invoking externals scripts defined in smb.conf. However, unlike the "username map script" vulnerability, the remote file and printer management scripts require an authenticated user session.
The PHP development team reports:
Security Enhancements and Fixes in PHP 5.2.2 and PHP 4.4.7:
- Fixed CVE-2007-1001, GD wbmp used with invalid image size
- Fixed asciiz byte truncation inside mail()
- Fixed a bug in mb_parse_str() that can be used to activate register_globals
- Fixed unallocated memory access/double free in in array_user_key_compare()
- Fixed a double free inside session_regenerate_id()
- Added missing open_basedir & safe_mode checks to zip:// and bzip:// wrappers.
- Limit nesting level of input variables with max_input_nesting_level as fix for.
- Fixed CRLF injection inside ftp_putcmd().
- Fixed a possible super-global overwrite inside import_request_variables().
- Fixed a remotely trigger-able buffer overflow inside bundled libxmlrpc library.
Security Enhancements and Fixes in PHP 5.2.2 only:
- Fixed a header injection via Subject and To parameters to the mail() function
- Fixed wrong length calculation in unserialize S type.
- Fixed substr_compare and substr_count information leak.
- Fixed a remotely trigger-able buffer overflow inside make_http_soap_request().
- Fixed a buffer overflow inside user_filter_factory_create().
Security Enhancements and Fixes in PHP 4.4.7 only:
- XSS in phpinfo()
The Debian Security Team reports:
Several vulnerabilities have been discovered in the QEMU processor emulator, which may lead to the execution of arbitrary code or denial of service. The Common Vulnerabilities and Exposures project identifies the following problems:
CVE-2007-1320
Tavis Ormandy discovered that a memory management routine of the Cirrus video driver performs insufficient bounds checking, which might allow the execution of arbitrary code through a heap overflow.CVE-2007-1321
Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow.CVE-2007-1322
Tavis Ormandy discovered that the "icebp" instruction can be abused to terminate the emulation, resulting in denial of service.CVE-2007-1323
Tavis Ormandy discovered that the NE2000 network driver and the socket code perform insufficient input validation, which might allow the execution of arbitrary code through a heap overflow.CVE-2007-1366
Tavis Ormandy discovered that the "aam" instruction can be abused to crash qemu through a division by zero, resulting in denial of service.
Imager 0.56 and all earlier versions with BMP support have a security issue when reading compressed 8-bit per pixel BMP files where either a compressed run of data or a literal run of data overflows the scan-line.
Such an overflow causes a buffer overflow in a malloc() allocated memory buffer, possibly corrupting the memory arena headers.
The effect depends on your system memory allocator, with glibc this typically results in an abort, but with other memory allocators it may be possible to cause local code execution.
There is no mechanism for preventing IPv6 routing headers from being used to route packets over the same link(s) many times.
An attacker can "amplify" a denial of service attack against a link between two vulnerable hosts; that is, by sending a small volume of traffic the attacker can consume a much larger amount of bandwidth between the two vulnerable hosts.
An attacker can use vulnerable hosts to "concentrate" a denial of service attack against a victim host or network; that is, a set of packets sent over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less over a period of 30 seconds or more could be constructed such that they all arrive at the victim within a period of 1 second or less.
Other attacks may also be possible.
No workaround is available.
Mandriva reports:
PerlRun.pm in Apache mod_perl 1.29 and earlier, and RegistryCooker.pm in mod_perl 2.x, does not properly escape PATH_INFO before use in a regular expression, which allows remote attackers to cause a denial of service (resource consumption) via a crafted URI.
CVE reports:
The APOP protocol allows remote attackers to guess the first 3 characters of a password via man-in-the-middle (MITM) attacks that use crafted message IDs and MD5 collisions.
Lighttpd SA:
Lighttpd caches the rendered string for mtime. The cache key has as a default value 0. At that point the pointer to the string are still NULL. If a file with an mtime of 0 is requested it tries to access the pointer and crashes.
The bug requires that a malicious user can either upload files or manipulate the mtime of the files.
The bug was reported by cubiq and fixed by Marcus Rueckert.
Lighttpd SA:
If the connection aborts during parsing "\r\n\r\n" the server might get into a infinite loop and use 100% of the CPU time. lighttpd still responses to other requests. This can be repeated until either the server limit for concurrent connections or file descriptors is reached.
The bug was reported and fixed by Robert Jakabosky.
The freeradius development team reports:
A malicous 802.1x supplicant could send malformed Diameter format attributes inside of an EAP-TTLS tunnel. The server would reject the authentication request, but would leak one VALUE_PAIR data structure, of approximately 300 bytes. If an attacker performed the attack many times (e.g. thousands or more over a period of minutes to hours), the server could leak megabytes of memory, potentially leading to an "out of memory" condition, and early process exit.
Matthias Andree reports:
The POP3 standard, currently RFC-1939, has specified an optional, MD5-based authentication scheme called "APOP" which no longer should be considered secure.
Additionally, fetchmail's POP3 client implementation has been validating the APOP challenge too lightly and accepted random garbage as a POP3 server's APOP challenge. This made it easier than necessary for man-in-the-middle attackers to retrieve by several probing and guessing the first three characters of the APOP secret, bringing brute forcing the remaining characters well within reach.
CVE reports:
Buffer overflow in eject.c in Jason W. Bacon mcweject 0.9 on FreeBSD, and possibly other versions, allows local users to execute arbitrary code via a long command line argument, possibly involving the device name.
Secunia reports:
A vulnerability has been discovered in WebCalendar, which can be exploited by malicious people to compromise a vulnerable system.
Input passed to unspecified parameters is not properly verified before being used with the "noSet" parameter set. This can be exploited to overwrite certain variables, and allows e.g. the inclusion of arbitrary PHP files from internal or external resources.
The Zope Team reports:
A vulnerability has been discovered in Zope, where by certain types of misuse of HTTP GET, an attacker could gain elevated privileges. All Zope versions up to and including 2.10.2 are affected.
Squid advisory 2007:1 notes:
Due to an internal error Squid-2.6 is vulnerable to a denial of service attack when processing the TRACE request method.
Workarounds:
To work around the problem deny access to using the TRACE method by inserting the following two lines before your first http_access rule.
acl TRACE method TRACE
http_access deny TRACE
Chris Travers reports:
George Theall of Tenable Security notified the LedgerSMB core team today of an authentication bypass vulnerability allowing full access to the administrator interface of LedgerSMB 1.1 and SQL-Ledger 2.x. The problem is caused by the password checking routine failing to enforce a password check under certain circumstances. The user can then create accounts or effect denial of service attacks.
This is not related to any previous CVE.
We have coordinated with the SQL-Ledger vendor and today both of us released security patches correcting the problem. SQL-Ledger users who can upgrade to 2.6.26 should do so, and LedgerSMB 1.1 or 1.0 users should upgrade to 1.1.9. Users who cannot upgrade should configure their web servers to use http authentication for the admin.pl script in the main root directory.
The Samba Team reports:
Internally Samba's file server daemon, smbd, implements support for deferred file open calls in an attempt to serve client requests that would otherwise fail due to a share mode violation. When renaming a file under certain circumstances it is possible that the request is never removed from the deferred open queue. smbd will then become stuck is a loop trying to service the open request.
This bug may allow an authenticated user to exhaust resources such as memory and CPU on the server by opening multiple CIFS sessions, each of which will normally spawn a new smbd process, and sending each connection into an infinite loop.
The Samba Team reports:
NOTE: This security advisory only impacts Samba servers that share AFS file systems to CIFS clients and which have been explicitly instructed in smb.conf to load the afsacl.so VFS module.
The source defect results in the name of a file stored on disk being used as the format string in a call to snprintf(). This bug becomes exploitable only when a user is able to write to a share which utilizes Samba's afsacl.so library for setting Windows NT access control lists on files residing on an AFS file system.
Two problems have been found in KTorrent:
"Moritz Jodeit reports:
There's an exploitable buffer overflow in the current version of MPlayer (v1.0rc1) which can be exploited with a maliciously crafted video file. It is hidden in the DMO_VideoDecoder() function of `loader/dmo/DMO_VideoDecoder.c' file.
Secunia reports:
The vulnerability is caused due to an error within the "download wiki page as text" function, which can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Successful exploitation may require that the victim uses IE.
TippingPoint and The Zero Day Initiative reports:
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apache Tomcat JK Web Server Connector. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the URI handler for the mod_jk.so library, map_uri_to_worker(), defined in native/common/jk_uri_worker_map.c. When parsing a long URL request, the URI worker map routine performs an unsafe memory copy. This results in a stack overflow condition which can be leveraged to execute arbitrary code.
A type * (ANY) query response containing multiple RRsets can trigger an assertion failure.
Certain recursive queries can cause the nameserver to crash by using memory which has already been freed.
A remote attacker sending a type * (ANY) query to an authoritative DNS server for a DNSSEC signed zone can cause the named(8) daemon to exit, resulting in a Denial of Service.
A remote attacker sending recursive queries can cause the nameserver to crash, resulting in a Denial of Service.
There is no workaround available, but systems which are not authoritative servers for DNSSEC signed zones are not affected by the first issue; and systems which do not permit untrusted users to perform recursive DNS resolution are not affected by the second issue. Note that the default configuration for named(8) in FreeBSD allows local access only (which on many systems is equivalent to refusing access to untrusted users).
In multiple situations the host's jail rc.d(8) script does not check if a path inside the jail file system structure is a symbolic link before using the path. In particular this is the case when writing the output from the jail start-up to /var/log/console.log and when mounting and unmounting file systems inside the jail directory structure.
Due to the lack of handling of potential symbolic links the host's jail rc.d(8) script is vulnerable to "symlink attacks". By replacing /var/log/console.log inside the jail with a symbolic link it is possible for the superuser (root) inside the jail to overwrite files on the host system outside the jail with arbitrary content. This in turn can be used to execute arbitrary commands with non-jailed superuser privileges.
Similarly, by changing directory mount points inside the jail file system structure into symbolic links, it may be possible for a jailed attacker to mount file systems which were meant to be mounted inside the jail at arbitrary points in the host file system structure, or to unmount arbitrary file systems on the host system.
NOTE WELL: The above vulnerabilities occur only when a jail is being started or stopped using the host's jail rc.d(8) script; once started (and until stopped), running jails cannot exploit this.
If the sysctl(8) variable security.jail.chflags_allowed is set to 0 (the default), setting the "sunlnk" system flag on /var, /var/log, /var/log/console.log, and all file system mount points and their parent directories inside the jail(s) will ensure that the console log file and mount points are not replaced by symbolic links. If this is done while jails are running, the administrator must check that an attacker has not replaced any directories with symlinks after setting the "sunlnk" flag.
Symlinks created using the "GNUTYPE_NAMES" tar extension can be absolute due to lack of proper sanity checks.
If an attacker can get a user to extract a specially crafted tar archive the attacker can overwrite arbitrary files with the permissions of the user running gtar. If file system permissions allow it, this may allow the attacker to overwrite important system file (if gtar is being run as root), or important user configuration files such as .tcshrc or .bashrc, which would allow the attacker to run arbitrary commands.
Use "bsdtar", which is the default tar implementation in FreeBSD 5.3 and higher. For FreeBSD 4.x, bsdtar is available in the FreeBSD Ports Collection as ports/archivers/libarchive.
In the FW_GCROM ioctl, a signed integer comparison is used instead of an unsigned integer comparison when computing the length of a buffer to be copied from the kernel into the calling application.
A user in the "operator" group can read the contents of kernel memory. Such memory might contain sensitive information, such as portions of the file cache or terminal buffers. This information might be directly useful, or it might be leveraged to obtain elevated privileges in some way; for example, a terminal buffer might include a user-entered password.
No workaround is available, but systems without IEEE 1394 ("FireWire") interfaces are not vulnerable. (Note that systems with IEEE 1394 interfaces are affected regardless of whether any devices are attached.)
Note also that FreeBSD does not have any non-root users in the "operator" group by default; systems on which no users have been added to this group are therefore also not vulnerable.
If the end of an archive is reached while attempting to "skip" past a region of an archive, libarchive will enter an infinite loop wherein it repeatedly attempts (and fails) to read further data.
An attacker able to cause a system to extract (via "tar -x" or another application which uses libarchive) or list the contents (via "tar -t" or another libarchive-using application) of an archive provided by the attacker can cause libarchive to enter an infinite loop and use all available CPU time.
No workaround is available.
Several problems have been found in OpenSSL:
In addition, many applications using OpenSSL do not perform any validation of the lengths of public keys being used.
Servers which parse ASN1 data from untrusted sources may be vulnerable to a denial of service attack.
An attacker accessing a server which uses SSL version 2 may be able to execute arbitrary code with the privileges of that server.
A malicious SSL server can cause clients connecting using SSL version 2 to crash.
Applications which perform public key operations using untrusted keys may be vulnerable to a denial of service attack.
No workaround is available, but not all of the vulnerabilities mentioned affect all applications.
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.
- MFSA 2007-08 onUnload + document.write() memory corruption
- MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
- MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
- MFSA 2007-05 XSS and local file access by opening blocked popups
- MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
- MFSA 2007-03 Information disclosure through cache collisions
- MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
- MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)
A IBM Internet Security Systems Protection Advisory reports:
Snort is vulnerable to a stack-based buffer overflow as a result of DCE/RPC reassembly. This vulnerability is in a dynamic-preprocessor enabled in the default configuration, and the configuration for this preprocessor allows for auto-recognition of SMB traffic to perform reassembly on. No checks are performed to see if the traffic is part of a valid TCP session, and multiple Write AndX requests can be chained in the same TCP segment. As a result, an attacker can exploit this overflow with a single TCP PDU sent across a network monitored by Snort or Sourcefire.
Snort users who cannot upgrade immediately are advised to disable the DCE/RPC preprocessor by removing the DCE/RPC preprocessor directives from snort.conf and restarting Snort. However, be advised that disabling the DCE/RPC preprocessor reduces detection capabilities for attacks in DCE/RPC traffic. After upgrading, customers should re-enable the DCE/RPC preprocessor.
iDefense reports:
Remote exploitation of a stack based buffer overflow vulnerability in RARLabs Unrar may allow an attacker to execute arbitrary code with the privileges of the user opening the archive.
Unrar is prone to a stack based buffer overflow when processing specially crafted password protected archives.
If users are using the vulnerable command line based unrar, they still need to interact with the program in order to trigger the vulnerability. They must respond to the prompt asking for the password, after which the vulnerability will be triggered. They do not need to enter a correct password, but they must at least push the enter key.
Multiple vulnerabilities have been found in PHP, including: buffer overflows, stack overflows, format string, and information disclosure vulnerabilities.
The session extension contained safe_mode and
open_basedir bypasses, but the FreeBSD Security
Officer does not consider these real security
vulnerabilities, since safe_mode and
open_basedir are insecure by design and should
not be relied upon.
Secunia reports:
Some vulnerabilities have been reported in Joomla!, where some have unknown impacts and one can be exploited by malicious people to conduct cross-site scripting attacks.
- Input passed to an unspecified parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
- The vulnerabilities are caused due to unspecified errors in Joomla!. The vendor describes them as "several low level security issues". No further information is currently available.
Secunia reports:
A vulnerability in sircd can be exploited by a malicious person to compromise a vulnerable system. The vulnerability is caused by a boundary error in the code handling reverse DNS lookups, when a user connects to the service. If the FQDN (Fully Qualified Domain Name) returned is excessively long, the allocated buffer is overflowed making it possible to execute arbitrary code on the system with the privileges of the sircd daemon.
Secunia reports:
A vulnerability has been reported in sircd, which can be exploited by malicious users to gain operator privileges. The problem is that any user reportedly can set their usermode to operator. The vulnerability has been reported in versions 0.5.2 and 0.5.3. Other versions may also be affected.
Secunia reports:
rgod has discovered four vulnerabilities in Cacti, which can be exploited by malicious people to bypass certain security restrictions, manipulate data and compromise vulnerable systems.
A potential buffer overflow was found in the code used to handle RealMedia RTSP streams. When checking for matching asm rules, the code stores the results in a fixed-size array, but no boundary checks are performed. This may lead to a buffer overflow if the user is tricked into connecting to a malicious server. Since the attacker can not write arbitrary data into the buffer, creating an exploit is very hard; but a DoS attack is easily made. A fix for this problem was committed to SVN on Sun Dec 31 13:27:53 2006 UTC as r21799. The fix involves three files: stream/realrtsp/asmrp.c, stream/realrtsp/asmrp.h and stream/realrtsp/real.c.
Matthias Andree reports:
When delivering messages to a message delivery agent by means of the "mda" option, fetchmail can crash (by passing a NULL pointer to ferror() and fflush()) when refusing a message. SMTP and LMTP delivery modes aren't affected.
Matthias Andree reports:
Fetchmail has had several longstanding password disclosure vulnerabilities.
- sslcertck/sslfingerprint options should have implied "sslproto tls1" in order to enforce TLS negotiation, but did not.
- Even with "sslproto tls1" in the config, fetches would go ahead in plain text if STLS/STARTTLS wasn't available (not advertised, or advertised but rejected).
- POP3 fetches could completely ignore all TLS options whether available or not because it didn't reliably issue CAPA before checking for STLS support - but CAPA is a requisite for STLS. Whether or not CAPAbilities were probed, depended on the "auth" option. (Fetchmail only tried CAPA if the auth option was not set at all, was set to gssapi, kerberos, kerberos_v4, otp, or cram-md5.)
- POP3 could fall back to using plain text passwords, even if strong authentication had been configured.
- POP2 would not complain if strong authentication or TLS had been requested.
iDefense reports:
The vulnerability specifically exists due to Opera improperly processing a JPEG DHT marker. The DHT marker is used to define a Huffman Table which is used for decoding the image data. An invalid number of index bytes in the DHT marker will trigger a heap overflow with partially user controlled data.
Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious image and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.
A flaw exists within Opera's Javascript SVG implementation. When processing a createSVGTransformFromMatrix request Opera does not properly validate the type of object passed to the function. Passing an incorrect object to this function can result in it using a pointer that is user controlled when it attempts to make the virtual function call.
Exploitation of this vulnerability would allow an attacker to execute arbitrary code on the affected host. The attacker would first need to construct a website containing the malicious JavaScript and trick the vulnerable user into visiting the site. This would trigger the vulnerability and allow the code to execute with the privileges of the local user.
The Drupal security team reports:
A few arguments passed via URLs are not properly sanitized before display. When an attacker is able to entice an administrator to follow a specially crafted link, arbitrary HTML and script code can be injected and executed in the victim's session. Such an attack may lead to administrator access if certain conditions are met.
The way page caching was implemented allows a denial of service attack. An attacker has to have the ability to post content on the site. He or she would then be able to poison the page cache, so that it returns cached 404 page not found errors for existing pages.
If the page cache is not enabled, your site is not vulnerable. The vulnerability only affects sites running on top of MySQL.
An anonymous person reports:
w3m-0.5.1 crashes when using the -dump or -backend options to open a HTTPS URL with a SSL certificate where the CN contains "%n%n%n%n%n%n".
Plone.org reports:
PlonePAS-using Plone releases (Plone 2.5 and Plone 2.5.1) has a potential vulnerability that allows a user to masquerade as a group. Please update your sites.
The proftpd development team reports that several remote buffer overflows had been found in the proftpd server.
Multiple programming errors have been found in gzip which can be triggered when gzip is decompressing files. These errors include insufficient bounds checks in buffer use, a NULL pointer dereference, and a potential infinite loop.
The insufficient bounds checks in buffer use can cause gzip to crash, and may permit the execution of arbitrary code. The NULL pointer deference can cause gzip to crash. The infinite loop can cause a Denial-of-Service situation where gzip uses all available CPU time.
No workaround is available.
For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a recursive DNS server, an assertion failure can occur when processing a query whose reply will contain more than one SIG(covered) RRset.
For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response.
An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service.
An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server.
A possible workaround is to only allow trusted clients to perform recursive queries.
When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes.
OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature.
No workaround is available.
The Debian security Team reports:
Several remote vulnerabilities have been discovered in SQL Ledger, a web based double-entry accounting program, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems:
Chris Travers discovered that the session management can be tricked into hijacking existing sessions.
Chris Travers discovered that directory traversal vulnerabilities can be exploited to execute arbitrary Perl code.
It was discovered that missing input sanitising allows execution of arbitrary Perl code.
Secunia reports:
D-Bus have a weakness, which can be exploited by malicious, local users to cause a DoS (Denial of Service).
An error within the "match_rule_equal()" function can be exploited to disable the ability of other processes to receive messages by removing their matches from D-Bus.
Secunia reports:
A vulnerability has been discovered in Evince, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error within the "get_next_text()" function in ps/ps.c. This can be exploited to cause a buffer overflow by e.g. tricking a user into opening a specially crafted PostScript file.
An undisclosed eRuby injection vulnerability had been discovered in tDiary.
Secunia reports:
Some vulnerabilities have been reported in wvWare, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise an application using the library.
The vulnerabilities are caused due to integer overflows within the "wvGetLFO_records()" and "wvGetLFO_PLF()" functions. These can be exploited to cause heap-based buffer overflows by e.g. tricking a user to open a specially crafted Microsoft Word document with an application using the library.
Secunia reports:
A vulnerability has been reported in wvWare wv2 Library, which potentially can be exploited by malicious people to compromise an application using the library.
The vulnerability is caused due to an integer overflow error in "word_helper.h" when handling a Word document. This can be exploited to cause a buffer overflow and may allow arbitrary code execution via a specially crafted Word document.
The tnftpd port suffer from a remote stack overrun, which can lead to a root compromise.
Secunia reports:
Clam AntiVirus have a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to a stack overflow when scanning messages with deeply nested multipart content. This can be exploited to crash the service by sending specially crafted emails to a vulnerable system.
The libxine development team reports that several vulnerabilities had been found in the libxine library. The first vulnerability is caused by improper checking of the src/input/libreal/real.c "real_parse_sdp()" function. A remote attacker could exploit this by tricking an user to connect to a preparated server potentially causing a buffer overflow. Another buffer overflow had been found in the libmms library, potentially allowing a remote attacker to cause a denial of service vulnerability, and possible remote code execution through the following functions: send_command, string_utf16, get_data and get_media_packets. Other functions might be affected as well.
Werner Koch reports:
GnuPG uses data structures called filters to process OpenPGP messages. These filters are used in a similar way as a pipelines in the shell. For communication between these filters context structures are used. These are usually allocated on the stack and passed to the filter functions. At most places the OpenPGP data stream fed into these filters is closed before the context structure gets deallocated. While decrypting encrypted packets, this may not happen in all cases and the filter may use a void contest structure filled with garbage. An attacker may control this garbage. The filter context includes another context used by the low-level decryption to access the decryption algorithm. This is done using a function pointer. By carefully crafting an OpenPGP message, an attacker may control this function pointer and call an arbitrary function of the process. Obviously an exploit needs to prepared for a specific version, compiler, libc, etc to be successful - but it is definitely doable.
Fixing this is obvious: We need to allocate the context on the heap and use a reference count to keep it valid as long as either the controlling code or the filter code needs it.
We have checked all other usages of such a stack based filter contexts but fortunately found no other vulnerable places. This allows to release a relatively small patch. However, for reasons of code cleanness and easier audits we will soon start to change all these stack based filter contexts to heap based ones.
The official ruby site reports:
Another vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS).
A specific HTTP request for any web application using cgi.rb causes CPU consumption on the machine on which the web application is running. Many such requests result in a denial of service.
SecurityFocus reports about libmusicbrainz:
The libmusicbrainz library is prone to multiple buffer-overflow vulnerabilities because the application fails to check the size of the data before copying it into a finite-sized internal memory buffer.
An attacker can exploit these issues to execute arbitrary code within the context of the application or to cause a denial-of-service condition.
tDiary was vulnerable to an unspecified Cross-Site Scripting vulnerability
SecurityFocus reports about ImageMagick:
ImageMagick is prone to a remote heap-based buffer-overflow vulnerability because the application fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.
Exploiting this issue allows attackers to execute arbitrary machine code in the context of applications that use the ImageMagick library.
Teemu Salmela reports:
There is a tar record type, called GNUTYPE_NAMES (an obsolete GNU extension), that allows the creation of symbolic links pointing to arbitrary locations in the filesystem, which makes it possible to create/overwrite arbitrary files.
iDefense Labs reports:
Remote exploitation of a design error in Horde's Kronolith could allow an authenticated web mail user to execute arbitrary PHP code under the security context of the running web server.
The vulnerability specifically exists due to a design error in the way it includes certain files. Specifically, the 'lib/FBView.php' file contains a function 'Kronolith_FreeBusy_View::factory' which will include local files that are supplied via the 'view' HTTP GET request parameter.
Werner Koch reports:
When running GnuPG interactively, special crafted messages may be used to crash gpg or gpg2. Running gpg in batch mode, as done by all software using gpg as a backend (e.g. mailers), is not affected by this bug.
Exploiting this overflow seems to be possible.
gpg-agent, gpgsm, gpgv or other tools from the GnuPG suite are not affected.
FrSIRT reports:
A vulnerability has been identified in ProFTPD, which could be exploited by attackers to cause a denial of service or execute arbitrary commands. This flaw is due to a buffer overflow error in the "main.c" file where the "cmd_buf_size" size of the buffer used to handle FTP commands sent by clients is not properly set to the size configured via the "CommandBufferSize" directive, which could be exploited by attackers to compromise a vulnerable server via a specially crafted FTP command.
Secunia reports:
Doubles has discovered a vulnerability in Unzoo, which potentially can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to an input validation error when unpacking archives. This can be exploited via a directory traversal attack to overwrite files outside the directory, where the files are extracted to, if a user is tricked into extracting a malicious archive using Unzoo.
A Bugzilla Security Advisory reports:
- Sometimes the information put into the <h1> and <h2> tags in Bugzilla was not properly escaped, leading to a possible XSS vulnerability.
- Bugzilla administrators were allowed to put raw, unfiltered HTML into many fields in Bugzilla, leading to a possible XSS vulnerability. Now, the HTML allowed in those fields is limited.
- attachment.cgi could leak the names of private attachments
- The "deadline" field was visible in the XML format of a bug, even to users who were not a member of the "timetrackinggroup."
- A malicious user could pass a URL to an admin, and make the admin delete or change something that he had not intended to delete or change.
- It is possible to inject arbitrary HTML into the showdependencygraph.cgi page, allowing for a cross-site scripting attack.
Secunia reports:
Some vulnerabilities have been reported in imlib2, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise an application using the library.
The vulnerabilities are caused due to unspecified errors within the processing of JPG, ARGB, PNG, LBM, PNM, TIFF, and TGA images. This may be exploited to execute arbitrary code by e.g. tricking a user into opening a specially crafted image file with an application using imlib2.
Official ruby site reports:
A vulnerability has been discovered in the CGI library (cgi.rb) that ships with Ruby which could be used by a malicious user to create a denial of service attack (DoS). The problem is triggered by sending the library an HTTP request that uses multipart MIME encoding and as an invalid boundary specifier that begins with "-" instead of "--". Once triggered it will exhaust all available memory resources effectively creating a DoS condition.
A vulnerability in the handling handling of combined UTF-8 characters in screen may allow an user-assisted attacker to crash screen or potentially allow code execution as the user running screen. To exploit this issue the user running scren must in some way interact with the attacker.
Dmitri Lenev reports a privilege escalation in MySQL. MySQL evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote and local authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE.
Michal Prokopiuk reports a privilege escalation in MySQL. The vulnerability causes MySQL, when run on case-sensitive filesystems, to allow remote and local authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions.
The Serendipity Team reports:
Serendipity failed to correctly sanitize user input on the media manager administration page. The content of GET variables were written into JavaScript strings. By using standard string evasion techniques it was possible to execute arbitrary JavaScript.
Additionally Serendipity dynamically created a HTML form on the media manager administration page that contained all variables found in the URL as hidden fields. While the variable values were correctly escaped it was possible to break out by specifying strange variable names.
Red Hat reports:
An integer overflow flaw was found in the way Qt handled pixmap images. The KDE khtml library uses Qt in such a way that untrusted parameters could be passed to Qt, triggering the overflow. An attacker could for example create a malicious web page that when viewed by a victim in the Konqueror browser would cause Konqueror to crash or possibly execute arbitrary code with the privileges of the victim.
iDefense Labs reports:
Remote exploitation of a heap overflow vulnerability within version 9 of Opera Software's Opera Web browser could allow an attacker to execute arbitrary code on the affected host.
A flaw exists within Opera when parsing a tag that contains a URL. A heap buffer with a constant size of 256 bytes is allocated to store the URL, and the tag's URL is copied into this buffer without sufficient bounds checking of its length.
Adam Boileau of Security-Assessment.com reports:
The Asterisk Skinny channel driver for Cisco SCCP phones (chan_skinny.so) incorrectly validates a length value in the packet header. An integer wrap-around leads to heap overwrite, and arbitrary remote code execution as root.
The Plone Team reports:
Plone 2.0.5, 2.1.2, and 2.5-beta1 does not restrict access to the:
- changeMemberPortrait
- deletePersonalPortrait
- testCurrentPassword
methods, which allows remote attackers to modify portraits.
The Drupal Team reports:
A malicious user may entice users to visit a specially crafted URL that may result in the redirection of Drupal form submission to a third-party site. A user visiting the user registration page via such a url, for example, will submit all data, such as his/her e-mail address, but also possible private profile data, to a third-party site.
The Drupal Team reports:
Visiting a specially crafted page, anywhere on the web, may allow that page to post forms to a Drupal site in the context of the visitor's session. To illustrate; suppose one has an active user 1 session, the most powerful administrator account for a site, to a Drupal site while visiting a website created by an attacker. This website will now be able to submit any form to the Drupal site with the privileges of user 1, either by enticing the user to submit a form or by automated means.
An attacker can exploit this vulnerability by changing passwords, posting PHP code or creating new users, for example. The attack is only limited by the privileges of the session it executes in.
The Drupal Team reports:
A bug in input validation and lack of output validation allows HTML and script insertion on several pages.
Drupal's XML parser passes unescaped data to watchdog under certain circumstances. A malicious user may execute an XSS attack via a specially crafted RSS feed. This vulnerability exists on systems that do not use PHP's mb_string extension (to check if mb_string is being used, navigate to admin/settings and look under "String handling"). Disabling the aggregator module provides an immediate workaround.
The aggregator module, profile module, and forum module do not properly escape output of certain fields.
Note: XSS attacks may lead to administrator access if certain conditions are met.
The Horde team reports a vulnerability within Ingo, the filter management suite. The vulnerability is caused due to inadequete escaping, possibly allowing a local user to execute arbitrary shell commands via procmail.
Rapid7 reports:
The NVIDIA Binary Graphics Driver for Linux is vulnerable to a buffer overflow that allows an attacker to run arbitrary code as root. This bug can be exploited both locally or remotely (via a remote X client or an X client which visits a malicious web page). A working proof-of-concept root exploit is included with this advisory.
The NVIDIA drivers for Solaris and FreeBSD are also likely to be vulnerable.
Disabling Render acceleration in the "nvidia" driver, via the "RenderAccel" X configuration option, can be used as a workaround for this issue.
Secunia reports:
Two vulnerabilities have been reported in Clam AntiVirus, which potentially can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.
1) An unspecified error in the CHM unpacker in chmunpack.c can be exploited to cause a DoS.
2) An unspecified error in rebuildpe.c when rebuilding PE files after unpacking can be exploited to cause a heap-based buffer overflow.
Javier Fernández-Sanguino Peña reports a vulnerability in tkdiff which allows local users to gain priveleges of the user running tkdiff due to insecure temporary file creation.
Dedi Dwianto a.k.a the_day reports:
Input passed to the "$calpath" parameter in update.php is not properly verified before being used. This can be exploited to execute arbitrary PHP code by including files from local or external resources.
JAAScois reports:
While processing KML/KMZ data Google Earth fails to verify its size prior to copying it into a fixed-sized buffer. This can be exploited as a buffer-overflow vulnerability to cause the application to crash and/or to execute arbitrary code.
Steven Roddis reports that User-Agent string is not properly escaped when handled by torrentflux. This allows for arbitrary code insertion.
Benjamin C. Wiley Sittler reports:
I discovered a [buffer overrun in repr() for unicode strings]. This causes an unpatched non-debug wide (UTF-32/UCS-4) build of python to abort.
Ubuntu security team reports:
If an application uses repr() on arbitrary untrusted data, this [bug] could be exploited to execute arbitrary code with the privileges of the python application.
Stefan Esser reports:
The PHP 5 branch of the PHP source code lacks the protection against possible integer overflows inside ecalloc() that is present in the PHP 4 branch and also for several years part of our Hardening-Patch and our new Suhosin-Patch.
It was discovered that such an integer overflow can be triggered when user input is passed to the unserialize() function. Earlier vulnerabilities in PHP's unserialize() that were also discovered by one of our audits in December 2004 are unrelated to the newly discovered flaw, but they have shown, that the unserialize() function is exposed to user-input in many popular PHP applications. Examples for applications that use the content of COOKIE variables with unserialize() are phpBB and Serendipity.
The successful exploitation of this integer overflow will result in arbitrary code execution.
James Bercegay reports:
Mambo is vulnerable to an Authentication Bypass issue that is due to an SQL Injection in the login function. The SQL Injection is possible because the $passwd variable is only sanitized when it is not passed as an argument to the function.
Omid reports:
There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe other versions):
- When a user edits a content, the "id" parameter is not checked properly in /components/com_content/content.php, which can cause 2 sql injections.
- The "limit" parameter in the administration section is not checked. This affects many pages of administration section
- In the administration section, while editing/creating a user, the "gid" parameter is not checked properly.
Urs Janssen and Aleksey Salow report possible buffer overflows in tin versions 1.8.0 and 1.8.1.
OpenPKG project elaborates there is an allocation off-by-one bug in version 1.8.0 which can lead to a buffer overflow.
Howard Chu reports:
An ACL of the form 'access to dn.subtree="ou=groups, dc=example,dc=com" attr=member by * selfwrite' is intended to only allow users to add/delete their own DN to the target attribute. Currently it allows any DNs to be modified.
Sebastian Krahmer reports:
Sebastian Krahmer of the SuSE security team discovered that the System.CodeDom.Compiler classes used temporary files in an insecure way. This could allow a symbolic link attack to create or overwrite arbitrary files with the privileges of the user invoking the program. Under some circumstances, a local attacker could also exploit this to inject arbitrary code into running Mono processes.
Stefan Esser reports:
PHP's open_basedir feature is meant to disallow scripts to access files outside a set of configured base directories. The checks for this are placed within PHP functions dealing with files before the actual open call is performed.
Obviously there is a little span of time between the check and the actual open call. During this time span the checked path could have been altered and point to a file that is forbidden to be accessed due to open_basedir restrictions.
Because the open_basedir restrictions often not call PHP functions but 3rd party library functions to actually open the file it is impossible to close this time span in a general way. It would only be possible to close it when PHP handles the actual opening on it's own.
While it seems hard to change the path during this little time span it is very simple with the use of the symlink() function combined with a little trick. PHP's symlink() function ensures that source and target of the symlink operation are allowed by open_basedir restrictions (and safe_mode). However it is possible to point a symlink to any file by the use of mkdir(), unlink() and at least two symlinks.
Secunia reports:
ShAnKaR has discovered a vulnerability in phpBB, which can be exploited by malicious users to compromise a vulnerable system.
Input passed to the "avatar_path" parameter in admin/admin_board.php is not properly sanitised before being used as a configuration variable to store avatar images. This can be exploited to upload and execute arbitrary PHP code by changing "avatar_path" to a file with a trailing NULL byte.
Successful exploitation requires privileges to the administration section.
ISS X-Force reports:
PostNuke is vulnerable to SQL injection. A remote attacker could send specially-crafted SQL statements to the admin section using the hits parameter, which could allow the attacker to view, add, modify or delete information in the back-end database.
SecurityTracker reports:
A vulnerability was reported in FreeType. A remote user can cause arbitrary code to be executed on the target user's system.
A remote user can create a specially crafted font file that, when loaded by the target user's system, will trigger an integer underflow or integer overflow and crash the application or execute arbitrary code on the target system.
Chris Evans reported these vulnerabilities.
Impact: A remote user can create a file that, when loaded by the target user, will execute arbitrary code on the target user's system.
Secunia reports:
Will Drewry has reported some vulnerabilities in Cscope, which potentially can be exploited by malicious people to compromise a vulnerable system.
Various boundary errors within the parsing of file lists or the expansion of environment variables can be exploited to cause stack-based buffer overflows when parsing specially crafted "cscope.lists" files or directories.
A boundary error within the parsing of command line arguments can be exploited to cause a stack-based buffer overflow when supplying an overly long "reffile" argument.
Successful exploitation may allow execution of arbitrary code.
Secunia reports:
A vulnerability has been reported in GnuTLS, which can be exploited by malicious people to bypass certain security restrictions.
The vulnerability is caused due to an error in the verification of certain signatures. If a RSA key with exponent 3 is used, it may be possible to forge PKCS #1 v1.5 signatures signed with that key.
Secunia reports:
Arai has reported a vulnerability in Movable Type and Movable Type Enterprise, which can be exploited by malicious people to conduct cross-site scripting attacks.
Some unspecified input passed via the search functionality isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
phpMyAdmin team reports:
We received a security advisory from Stefan Esser (sesser@hardened-php.net) and we wish to thank him for his work.
It was possible to inject arbitrary SQL commands by forcing an authenticated user to follow a crafted link.
The CRC compensation attack detector in the sshd(8) daemon, upon receipt of duplicate blocks, uses CPU time cubic in the number of duplicate blocks received. [CVE-2006-4924]
A race condition exists in a signal handler used by the sshd(8) daemon to handle the LoginGraceTime option, which can potentially cause some cleanup routines to be executed multiple times. [CVE-2006-5051]
An attacker sending specially crafted packets to sshd(8) can cause a Denial of Service by using 100% of CPU time until a connection timeout occurs. Since this attack can be performed over multiple connections simultaneously, it is possible to cause up to MaxStartups (10 by default) sshd processes to use all the CPU time they can obtain. [CVE-2006-4924]
The OpenSSH project believe that the race condition can lead to a Denial of Service or potentially remote code execution, but the FreeBSD Security Team has been unable to verify the exact impact. [CVE-2006-5051]
The attack against the CRC compensation attack detector can be avoided by disabling SSH Protocol version 1 support in sshd_config(5).
There is no workaround for the second issue.
Secunia reports:
rgod has discovered a vulnerability in DokuWiki, which can be exploited by malicious people to compromise a vulnerable system.
Input passed to the "TARGET_FN" parameter in bin/dwpage.php is not properly sanitised before being used to copy files. This can be exploited via directory traversal attacks in combination with DokuWiki's file upload feature to execute arbitrary PHP code.
CVE Mitre reports:
Direct static code injection vulnerability in doku.php in DokuWiki before 2006-03-09c allows remote attackers to execute arbitrary PHP code via the X-FORWARDED-FOR HTTP header, which is stored in config.php.
Unrestricted file upload vulnerability in lib/exe/media.php in DokuWiki before 2006-03-09c allows remote attackers to upload executable files into the data/media folder via unspecified vectors.
DokuWiki before 2006-03-09c enables the debug feature by default, which allows remote attackers to obtain sensitive information by calling doku.php with the X-DOKUWIKI-DO HTTP header set to "debug".
Secunia reports:
Some vulnerabilities have been reported in DokuWiki, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.
Input passed to the "w" and "h" parameters in lib/exec/fetch.php is not properly sanitised before being passed as resize parameters to the "convert" application. This can be exploited to cause a DoS due to excessive CPU and memory consumption by passing very large numbers, or to inject arbitrary shell commands by passing specially crafted strings to the "w" and "h" parameter.
Successful exploitation requires that the "$conf[imconvert]" option is set.
Secunia reports:
Thomas Pollet has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to conduct cross-site scripting attacks.
Input passed to the "highlight" parameter in tiki-searchindex.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
rgod has discovered a vulnerability in TikiWiki, which can be exploited by malicious people to compromise a vulnerable system.
The vulnerability is caused due to the "jhot.php" script not correctly verifying uploaded files. This can e.g. be exploited to execute arbitrary PHP code by uploading a malicious PHP script to the "img/wiki" directory.
CVE Mitre reports:
PunBB 1.2.12 does not properly handle an avatar directory pathname ending in %00, which allows remote authenticated administrative users to upload arbitrary files and execute code, as demonstrated by a query to admin_options.php with an avatars_dir parameter ending in %00. NOTE: this issue was originally disputed by the vendor, but the dispute was withdrawn on 20060926.
Secunia reports:
Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service).
An error in the "generic_handle_player_attribute_chunk()" function in common/packets.c can be exploited to crash the service via a specially crafted PACKET_PLAYER_ATTRIBUTE_CHUNK packet sent to the server.
An error in the "handle_unit_orders()" function in server/unithand.c can be exploited to crash the service via a specially crafted packet.
Secunia reports:
Luigi Auriemma has reported a vulnerability in Freeciv, which can be exploited by malicious people to cause a DoS (Denial of Service).
The vulnerability is caused due to an error within the handling of the packet length in "common/packets.c". This can be exploited to crash the Freeciv server via a specially- crafted packet with the size set to "0xffff".
Secunia reports:
A vulnerability has been reported in Plans, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed to the "evt_id" parameter in "plans.cgi" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation requires that SQL database support has been enabled in "plans_config.pl" (the default setting is flat files).
Some vulnerabilities have been reported in Plans, which can be exploited by malicious people to conduct cross-site scripting attacks or gain knowledge of sensitive information.
Input passed to various unspecified parameters is not properly sanitised before being returned to users. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of a vulnerable site.
An unspecified error can be exploited to gain knowledge of the MySQL password.
eyeOS team reports:
[EyeOS 0.9.1] release fixes two XSS security bugs, so we recommend all users to upgrade to this new version in order to have the best security. These two bugs were discovered by Jose Carlos Norte, who is a new eyeOS developer.
Secunia reports:
A vulnerability has been reported in Zope, which can be exploited by malicious people to disclose potentially sensitive information.
The vulnerability is caused due to an error in the use of the docutils module to parse and render "restructured" text. This can be exploited to disclose certain information via the "csv_table" reStructuredText directive.
Mitre CVE reports:
Stack-based buffer overflow in libmms, as used by (a) MiMMS 0.0.9 and (b) xine-lib 1.1.0 and earlier, allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via the (1) send_command, (2) string_utf16, (3) get_data, and (4) get_media_packet functions, and possibly other functions.
Opera reports:
A specially crafted digital certificate can bypass Opera's certificate signature verification. Forged certificates can contain any false information the forger chooses, and Opera will still present it as valid. Opera will not present any warning dialogs in this case, and the security status will be the highest possible (3). This defeats the protection against "man in the middle", the attacks that SSL was designed to prevent.
There is a flaw in OpenSSL's RSA signature verification that affects digital certificates using 3 as the public exponent. Some of the certificate issuers that are on Opera's list of trusted signers have root certificates with 3 as the public exponent. The forged certificate can appear to be signed by one of these.
The Mozilla Foundation reports of multiple security issues in Firefox, Seamonkey, and Thunderbird. Several of these issues can probably be used to run arbitrary code with the privilege of the user running the program.
- MFSA 2006-64 Crashes with evidence of memory corruption (rv:1.8.0.7)
- MFSA 2006-63 JavaScript execution in mail via XBL
- MFSA 2006-62 Popup-blocker cross-site scripting (XSS)
- MFSA 2006-61 Frame spoofing using document.open()
- MFSA 2006-60 RSA Signature Forgery
- MFSA 2006-59 Concurrency-related vulnerability
- MFSA 2006-58 Auto-Update compromise through DNS and SSL spoofing
- MFSA 2006-57 JavaScript Regular Expression Heap Corruption
The Apple Security Team reports that there are multiple vulnerabilities within QuickTime (one of the plugins for win32-codecs). A remote attacker capable of creating a malicious SGI image, FlashPix, FLC movie, or a QuickTime movie can possibly lead to execution of arbitrary code or cause a Denial of Service (application crash).
Users who have QuickTime (/win32-codecs) as a browser plugin may be vulnerable to remote code execution by visiting a website containing a malicious SGI image, FlashPix, FLC movie or a QuickTime movie.
The PHP development team reports:
- Added missing safe_mode/open_basedir checks inside the error_log(), file_exists(), imap_open() and imap_reopen() functions.
- Fixed overflows inside str_repeat() and wordwrap() functions on 64bit systems.
- Fixed possible open_basedir/safe_mode bypass in cURL extension and with realpath cache.
- Fixed overflow in GD extension on invalid GIF images.
- Fixed a buffer overflow inside sscanf() function.
- Fixed an out of bounds read inside stripos() function.
- Fixed memory_limit restriction on 64 bit system.
The Drupal Project reports:
It is possible for a malicious user to spoof a user's identity by bypassing the login redirection mechanism in the pubcookie module. The malicious user may gain the privileges of the user they are spoofing, including the administrative user.
Adobe reports:
Multiple input validation errors have been identified in Flash Player 8.0.24.0 and earlier versions that could lead to the potential execution of arbitrary code. These vulnerabilities could be accessed through content delivered from a remote location via the user?s web browser, email client, or other applications that include or reference the Flash Player. (CVE-2006-3311, CVE-2006-3587, CVE-2006-3588)
These updates include changes to prevent circumvention of the "allowScriptAccess" option. (CVE-2006-4640)
Secunia reports:
Mailman can be exploited by malicious people to conduct cross-site scripting and phishing attacks, and cause a DoS (Denial of Service).
1) An error in the logging functionality can be exploited to inject a spoofed log message into the error log via a specially crafted URL.
Successful exploitation may trick an administrator into visiting a malicious web site.
2) An error in the processing of malformed headers which does not follow the RFC 2231 standard can be exploited to cause a DoS (Denial of Service).
3) Some unspecified input isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
Kefka reports multiple cross site scripting vulnerabilities within hlstats. The vulnerabilities are caused due to improper checking of variables, allowing an attacker to perform cross site scripting.
The Debian Security Team reports:
Michael Gehring discovered several potential out-of-bounds index accesses in gtetrinet, a multiplayer Tetris-like game, which may allow a remote server to execute arbitrary code
The Joomla development team reports multiple vulnerabilities within the joomla application. Joomla is vulnerable to the following vulnerabilities:
While processing Link Control Protocol (LCP) configuration options received from the remote host, sppp(4) fails to correctly validate option lengths. This may result in data being read or written beyond the allocated kernel memory buffer.
An attacker able to send LCP packets, including the remote end of a sppp(4) connection, can cause the FreeBSD kernel to panic. Such an attacker may also be able to obtain sensitive information or gain elevated privileges.
No workaround is available, but systems which do not use sppp(4) are not vulnerable.
Secunia reports:
Some vulnerabilities have been reported in Horde, which can be exploited by malicious people to conduct phishing and cross-site scripting attacks.
- Input passed to the "url" parameter in index.php isn't properly verified before it is being used to include an arbitrary web site in a frameset. This can e.g. be exploited to trick a user into believing certain malicious content is served from a trusted web site.
- Some unspecified input passed in index.php isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
The Globus Alliance reports:
The proxy generation tool (grid-proxy-init) creates the file, secures the file to provide access only to owner and writes proxy to the file. A race condition exists between the opening of the proxy credentials file, and making sure it is safe file to write to. The checks to ensure this file is accessible only to the owner take place using the filename after the file is opened for writing, but before any data is written.
Various components of the toolkit use files in shared directories to store information, some being sensitive information. For example, the tool to create proxy certificates, stores the generated proxy certificate by default in /tmp. Specific vulnerabilities in handling such files were reported in myproxy-admin-adduser, grid-ca-sign and grid-security-config.
Ludwig Nussel reports that x11vnc is vulnerable to an authentication bypass vulnerability. The vulnerability is caused by an error in auth.c. This could allow a remote attacker to gain unauthorized and unauthenticated access to the system.
Luigi Auriemma reports three vulnerabilities within alsaplayer:
- The function which handles the HTTP connections is vulnerable to a buffer-overflow that happens when it uses sscanf for copying the URL in the Location's field received from the server into the redirect buffer of only 1024 bytes declared in http_open.
- A buffer-overflow exists in the functions which add items to the playlist when the GTK interface is used (so the other interfaces are not affected by this problem): new_list_item and CbUpdated in interface/gtk/PlaylistWindow.cpp.
- AlsaPlayer automatically queries the CDDB server specified in its configuration (by default freedb.freedb.org) when the user choices the CDDA function for playing audio CDs. The function which queries the server uses a buffer of 20 bytes and one of 9 for storing the category and ID strings received from the server while the buffer which contains this server's response is 32768 bytes long. Naturally for exploiting this bug the attacker must have control of the freedb server specified in the AlsaPlayer's configuration.
These vulnerabilities could allow a remote attacker to execute arbitrary code, possibly gaining access to the system.
The PostgreSQL development team reports:
An attacker able to submit crafted strings to an application that will embed those strings in SQL commands can use invalidly-encoded multibyte characters to bypass standard string-escaping methods, resulting in possible injection of hostile SQL commands into the database. The attacks covered here work in any multibyte encoding.
The widely-used practice of escaping ASCII single quote "'" by turning it into "\'" is unsafe when operating in multibyte encodings that allow 0x5c (ASCII code for backslash) as the trailing byte of a multibyte character; this includes at least SJIS, BIG5, GBK, GB18030, and UHC. An application that uses this conversion while embedding untrusted strings in SQL commands is vulnerable to SQL-injection attacks if it communicates with the server in one of these encodings. While the standard client libraries used with PostgreSQL have escaped "'" in the safe, SQL-standard way of "''" for some time, the older practice remains common.
Multiple vulnerabilities had been reported in various versions of PostgreSQL:
Jean-David Maillefer reports a Denial of Service vulnerability
within MySQL. The vulnerability is caused by improper checking
of the data_format routine, which cause the MySQL server to
crash. The crash is triggered by the following code:
"SELECT date_format('%d%s', 1);
The SquirrelMail developers report:
A logged in user could overwrite random variables in compose.php, which might make it possible to read/write other users' preferences or attachments.
The Ruby on Rails blog reports:
With Rails 1.1.0 through 1.1.5 (minus the short-lived 1.1.3), you can trigger the evaluation of Ruby code through the URL because of a bug in the routing code of Rails. This means that you can essentially take down a Rails process by starting something like /script/profiler, as the code will run for a long time and that process will be hung while it happens. Other URLs can even cause data loss.
Clamav team reports:
A heap overflow vulnerability was discovered in libclamav which could cause a denial of service or allow the execution of arbitrary code.
The problem is specifically located in the PE file rebuild function used by the UPX unpacker.
Relevant code from libclamav/upx.c:
memcpy(dst, newbuf, foffset); *dsize = foffset; free(newbuf); cli_dbgmsg("UPX: PE structure rebuilt from compressed file\n"); return 1;
Due to improper validation it is possible to overflow the above memcpy() beyond the allocated memory block.
The Drupal project reports:
A malicious user can execute a cross site scripting attack by enticing someone to visit a Drupal site via a specially crafted link.
Author reports:
Fixed 2 more possible memory allocation attacks. They are similar to the problem we fixed with 1.4.4. This bug can easily be be exploted for a DoS; remote code execution is not entirely impossible.
Secunia reports:
Two vulnerabilities have been reported in Ruby, which can be exploited by malicious people to bypass certain security restrictions.
- An error in the handling of the "alias" functionality can be exploited to bypass the safe level protection and replace methods called in the trusted level.
- An error caused due to directory operations not being properly checked can be exploited to bypass the safe level protection and close untainted directory streams.
The Apache Software Foundation and The Apache HTTP Server Project reports:
An off-by-one flaw exists in the Rewrite module, mod_rewrite, as shipped with Apache 1.3 since 1.3.28, 2.0 since 2.0.46, and 2.2 since 2.2.0.
Depending on the manner in which Apache HTTP Server was compiled, this software defect may result in a vulnerability which, in combination with certain types of Rewrite rules in the web server configuration files, could be triggered remotely. For vulnerable builds, the nature of the vulnerability can be denial of service (crashing of web server processes) or potentially allow arbitrary code execution. This issue has been rated as having important security impact by the Apache HTTP Server Security Team.
This flaw does not affect a default installation of Apache HTTP Server. Users who do not use, or have not enabled, the Rewrite module mod_rewrite are not affected by this issue. This issue only affects installations using a Rewrite rule with the following characteristics:
- The RewriteRule allows the attacker to control the initial part of the rewritten URL (for example if the substitution URL starts with $1)
- The RewriteRule flags do NOT include any of the following flags: Forbidden (F), Gone (G), or NoEscape (NE).
Please note that ability to exploit this issue is dependent on the stack layout for a particular compiled version of mod_rewrite. If the compiler used to compile Apache HTTP Server has added padding to the stack immediately after the buffer being overwritten, it will not be possible to exploit this issue, and Apache HTTP Server will continue operating normally.
The Apache HTTP Server project thanks Mark Dowd of McAfee Avert Labs for the responsible reporting of this vulnerability.
A Mozilla Foundation Security Advisory reports of multiple issues. Several of which can be used to run arbitrary code with the privilege of the user running the program.
- MFSA 2006-56 chrome: scheme loading remote content
- MFSA 2006-55 Crashes with evidence of memory corruption (rv:1.8.0.5)
- MFSA 2006-54 XSS with XPCNativeWrapper(window).Function(...)
- MFSA 2006-53 UniversalBrowserRead privilege escalation
- MFSA 2006-52 PAC privilege escalation using Function.prototype.call
- MFSA 2006-51 Privilege escalation using named-functions and redefined "new Object()"
- MFSA 2006-50 JavaScript engine vulnerabilities
- MFSA 2006-49 Heap buffer overwrite on malformed VCard
- MFSA 2006-48 JavaScript new Function race condition
- MFSA 2006-47 Native DOM methods can be hijacked across domains
- MFSA 2006-46 Memory corruption with simultaneous events
- MFSA 2006-45 Javascript navigator Object Vulnerability
- MFSA 2006-44 Code execution through deleted frame reference
Zope team reports:
Unspecified vulnerability in (Zope2) allows local users to obtain sensitive information via unknown attack vectors related to the docutils module and "restructured text".
The Drupal team reports:
Vulnerability: XSS Vulnerability in taxonomy module
It is possible for a malicious user to insert and execute XSS into terms, due to lack of validation on output of the page title. The fix wraps the display of terms in check_plain().
Goober's advisory reports reports that shoutcast is vulnerable to an arbitrary file reading vulnerability:
Impact of the vulnerability depends on the way the product was installed. In general, the vulnerability allows the attacker to read any file which can be read by the Shoutcast server process.
The Samba Team reports:
The smbd daemon maintains internal data structures used track active connections to file and printer shares. In certain circumstances an attacker may be able to continually increase the memory usage of an smbd process by issuing a large number of share connection requests. This defect affects all Samba configurations.
A TWiki Security Alert reports:
The TWiki upload filter already prevents executable scripts such as .php, .php1, .phps, .pl from potentially getting executed by appending a .txt suffix to the uploaded filename. However, PHP and some other types allows additional file suffixes, such as .php.en, .php.1, and .php.2. TWiki does not check for these suffixes, e.g. it is possible to upload php scripts with such suffixes without the .txt filename padding.
This issue can also be worked around with a restrictive web server configuration. See the TWiki Security Alert for more information about how to do this.
The Trac 0.9.6 Release Notes reports:
Fixed reStructuredText breach of privacy and denial of service vulnerability found by Felix Wiemann.
The discovered vulnerability requires docutils to be installed and enabled. Systems that do not have docutils installed or enabled are not vulnerable. As of this version version 0.3.9 or greater of docutils is required for using reStructuredText markup in Trac.
Horde 3.1.2 release announcement:
Security Fixes:
- Closed XSS problems in dereferrer (IE only), help viewer and problem reporting screen.
- Removed unused image proxy code from dereferrer.
The Team Mambo reports that two SQL injection
vulnerabilities have been found in Mambo. The
vulnerabilities exists due to missing sanitation of the
title and catid parameters in the
weblinks.php page and can lead to execution of
arbitrary SQL code.
phpmyadmin Site reports:
It was possible to craft a request that contains XSS by attacking the "table" parameter.
The webmin development team reports:
An attacker without a login to Webmin can read the contents of any file on the server using a specially crafted URL. All users should upgrade to version 1.290 as soon as possible, or setup IP access control in Webmin.