Super Site Searcher is prone to remote command execution. Shell metacharacters are not adequately filtered from query string parameters in a request to the vulnerable search engine script. The parameters are then used in a function which passes commands directly through the shell. A remote attacker may exploit this condition to execute arbitrary commands on the shell with the privileges of the webserver process.
NullLogic Null HTTPd is a small multithreaded webserver for Linux and Windows. It is possible for attackers to construct a URL that will cause scripting code to be embedded in error pages. As a result, when an innocent user follows such a link, the script code will execute within the context of the hosted site.
FactoSystem Weblog is a freely available, open source software package for weblogging and managing content. It is available for Microsoft Windows operating systems. FactoSystem does not adequately filter special characters from requests. Because of this, it may be possible for a remote user to submit a request containing encoded special characters and SQL, and execute arbitrary commands. This could lead to execution of SQL commands in the security context of web database user.
In cases where users of Webmin do not have root access on the underlying host, it may be possible to mount privilege escalation attacks on the underlying host. This normally occurs in configurations where multiple Webmin client systems have access to a centralized Webmin server. Webmin allows commands to be executed remotely on the underlying host from other Webmin client systems via the RPC module. However, the script that provides this facility does not sufficiently check the permissions of the source of the remote commands. As a result, it is possible for remote authenticated Webmin users to abuse this facility to execute commands (as root) on the underlying host.
The Microsoft Word and Excel INCLUDETEXT Field Code may be used to insert an arbitrary local file into a document. The INCLUDETEXT Field Code is reported to, under some circumstances, present a security threat. If the INCLUDETEXT Field Code is included in a document and references a file on the local system of the recipient, then the file will also be included when the document is sent out. It is possible for an attacker to abuse this functionality in a situation where documents are constantly being shared and updated. The recipient of the malicious document must still pass along the updated version of the document for the attacker to receive the imported local file. Reports indicate that using a 'dde' link group field may be able to bypass the functionality of the Microsoft patch for this issue.
A buffer overflow vulnerability has been reported for Linuxconf. The vulnerability is due to insufficent bounds checking of the LINUXCONF_LANG environment variable. An attacker who sets the LINUXCONF_LANG environment variable with an overly large string will be able to cause the buffer overflow condition.
The GDAM123 command-line MP3 player is prone to a buffer overflow condition when handling overly long filenames. Under some circumstances, the player may be installed setuid root to allow unprivileged users to run the player if access to certain devices is required. In a situation such as this, the buffer overflow may be exploited to gain elevated privileges via the execution of arbitrary code.
A buffer overflow vulnerability has been reported in the $asctime identifier, a function in the mIRC scripting language. The error lies in the handling over oversized format specifier strings. Exploitation will rely on a script passing untrusted input to this function. Reportedly, no such script is included in the default installation of mIRC.
Caldera's X Server implementation invokes external commands without dropping existing privilege levels. Xserver calls xkbcomp, and other related utilities, in an unsecure manner using the popen() or system() calls. This weakness can be exploited by local attacker to execute arbitrary commands with elevated privileges.
A HTML injection vulnerability has been reported in the '/cgi-bin/redir.exe' sample CGI included with OmniHTTPD. Reportedly, it is possible for an attacker to URL encode the newline character (%0D) and insert malicious HTML code. A vulnerable server receiving a malformed request will return a 302 redirect HTTP response containing the malicious attacker-supplied code.