Explore Vulnerabilities

Explore all Exploits:

Opera Directory Traversal Vulnerability

It has been reported that Opera is vulnerable to a directory traversal issue that may allow an attacker to access sensitive information. The problem presents itself due to insufficient sanitization of user-supplied data through the 'Opera:' URI handler. The issue may allow an attacker to traverse outside a directory by using '..%5c' or '..%2f' character sequences.

PHP-Coolfile Unauthorized Administrative Access

PHP-Coolfile is vulnerable to an error in the way access is evaluated in the action.php file, which could allow a remote user to obtain the administrative username and password for the site. This can be done by accessing the URL www.site.com/php-coolfile/action.php?action=edit&file=config.php.

Hylafax hfaxd (daemon) Format String Vulnerability

Hylafax hfaxd (daemon) has been reported prone to an unspecified format string vulnerability that may be exploited under non-standard configurations to execute arbitrary instructions remotely as the root user.

The phrack 59 (www.phrack.org !) article about format strings on the heap helped a lot. Thanks to gera, fozzy and juliano for hints.

How to get the right n$ values from syslog:

Sep 29 05:16:22 linux HylaFAX[2704]: command: site trigger %350$x
Sep 29 05:16:22 linux HylaFAX[2704]: ??? bfffff24

So, %350$n is a good choice since a write would be located on valid stack.

Sep 29 05:05:24 linux HylaFAX[2644]: command: site trigger %959$x
Sep 29 05:05:24 linux HylaFAX[2644]: ??? 4f464e49

At 0xbffff24 you find the value 0x4f464e49 via gdb, and brute forcing %1$x to %1000$x shows that at %959$x (see syslog output above) the value of the 0xbffff24 pointer can be found. Thus we first write the GOT address we want to modify to 0xbffff24 via the %350$n and then use the value of *0xbffff24 (which is the address of the GOT entry we want to modify) as a pointer again to finally write the GOT entry.

nCUBE Server Manager Directory Traversal Vulnerability

nCUBE Server Manager has been reported prone to a directory traversal vulnerability. The issue presents itself likely due to a lack of sufficient sanitization performed on URI parameters. A remote attacker may exploit this condition by supplying directory traversal sequences as a value for the affected URI parameter passed to a Server Manager script. Ultimately this may allow the attacker to break out of the webserver root and view arbitrary directory listings and potentially arbitrary files on the vulnerable system.

UnAce Buffer Overflow Vulnerability

UnAce has been reported to be prone to a buffer overflow vulnerability. The issue presents itself when UnAce handles ace filenames that are of excessive length. When this filename is passed to the UnAce utility as an argument, the string is copied into a reserved buffer in memory. Data that exceeds the size of the reserved buffer will overflow its bounds and will trample any saved data that is adjacent to the affected buffer. Ultimately this may lead to the execution of arbitrary instructions in the context of the user who is running UnAce.

DailyDose Remote Command Execution Vulnerability

It has been reported that DailyDose may be prone to a remote command execution vulnerability due to insufficient sanitization of the $temp variable in the dose.pl script. An attacker may submit arbitrary commands that will be executed in the context of the web server hosting the vulnerable script.

EPIC4 Remote Client-Side Stack-Based Overflow

A remotely exploitable buffer overrun has been reported in Epic. This issue may reportedly be exploited by a malicious server that supplies an overly long nickname in a CTCP message, potentially allowing for execution of arbitrary code in the context of the client user. It may also be possible for a malicious client to send such a message, but it is likely that the server will limit the length.

SimpleWebserver Directory Traversal Vulnerability

It has been reported that SimpleWebserver may be prone to a directory traversal vulnerability that may allow an attacker to gain access to sensitive information. The issue presents itself due to insufficient sanitization of user-supplied input. An attacker may traverse outside the server root directory by using '.../' character sequences.

wmapm Local Privilege Escalation Vulnerability

wmapm has been reported prone to a local privilege escalation vulnerability. The vulnerability has been conjectured to result from a lack of relative path usage while the vulnerable dock app is invoking a third-party binary. As a result, a local attacker may manipulate local path settings and have the setuid wmapm dock app erroneously invoke a trojan binary that is located in a directory to which the attacker has write permission.

SQL Injection Vulnerability in phpBB Systems

A SQL injection vulnerability has been reported for phpBB systems. phpBB, in some cases, does not sufficiently sanitize user-supplied input, which is used when constructing SQL queries to execute on the underlying database. As a result, it is possible to manipulate SQL queries. This may allow a remote attacker to modify query logic or potentially corrupt the database. SQL injection attacks may also potentially be used to exploit latent vulnerabilities in the underlying database implementation.

Recent Exploits: