Explore all Exploits:

CRLF Injection Vulnerability in Lynx

A CRLF injection vulnerability has been reported for Lynx that may allow an attacker to include extra HTTP headers when viewing web pages. If Lynx is called from the command line, carriage return and line feed (CRLF) characters may be included in the specified URL. These characters are not escaped when the input is used to construct an HTTP request. Exploitation of this flaw may allow an attacker to inject additional HTTP headers into a request. Abuse of the 'Host' header may cause the request to be served as if made to a different domain, possibly providing the attacker with more control over the content returned.

Fam File Alteration Monitor Information Disclosure Vulnerability

Fam is a freely available, open source file alteration monitor maintained and distributed by SGI. It is possible for a user to execute fam to discover a list of monitored files. This list, although it may have been created by a user with elevated privileges, could leak potentially sensitive information to an attacker. The only requirement is that a privileged user has already executed the program against the directory being 'fammed'.

Path Disclosure Vulnerability in Apache 2.0.x

It is possible to reproduce this condition on vulnerable systems by making a request for certain types of files (such as error documents) that have been mapped by the server by type but fail to be served due to failure of MIME negotiation. When this request is made, the server will respond with the full path to the requested file.

Microsoft SQL Server 2000 Agent Privilege Elevation Vulnerability

Microsoft SQL Server 2000 uses an Agent which is responsible for restarting the SQL Server service, replication, and running scheduled jobs. Some of the jobs that the Agent executes have weak permissions, which could allow a user with low permissions to perform actions on the database in the context of the SQL Server Service Account when used in conjunction with the Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability.

Microsoft Internet Explorer Help and Support Center Protocol Handler Abuse

Microsoft Internet Explorer on Windows XP comes equipped with a protocol handler for the 'Help and Support Center' application. The protocol handler may be specified in links, and when such a link is submitted by the browser, the Help and Support Center will load an appropriate page. However, it has been demonstrated that this behavior may be abused. The browser runs requests to the HCP URI handler with relaxed Security Zone restrictions. One of the Help and Support Center application files (uplddrvinfo.htm) contains an ActiveX control which may be used to delete local files. Since the ActiveX control accepts filenames from the HCP URIs, it is possible for an attacker to abuse this situation via a malicious link. A number of other files are included in the Help and Support Center application which may also be used by a remote attacker to perform various actions on the client system via a maliciously constructed HCP URI.

Microsoft Outlook Express MHTML URL Handler Vulnerability

Microsoft Outlook Express introduced a URL handler called MHTML (MIME Encapsulation of Aggregate HTML). This allows Internet Explorer to pass MHTML files to Outlook Express for rendering. The MHTML URL handler does not validate the type of the file it is rendering. This could allow a file of a type that is normally considered 'safe', such as a .txt file, to be opened and any script it contains to be rendered. This script would then be rendered in the Local Computer Zone.

MyWebServer Oversized HTTP Request Vulnerability

MyWebServer is an application and web server for Microsoft Windows operating systems. If an oversized HTTP request is received by MyWebServer, some content provided as a URL is included in the page generated. An attacker may construct a malicious URL, and entice a user of the site into following it. Injected content will then be rendered in the context of the vulnerable site.

L-Forum SQL Injection Vulnerability

L-Forum is vulnerable to SQL injection attacks. The vulnerability lies in the file 'search.php' which does not properly sanitize user input that is used as part of the search parameter. SQL code may be inserted into the requests and executed by the database server.

Postgres: http://localhost/search.php?search=a%27%20order%20by%20time%20desc%3b%20[query]

MySQL: http://localhost/search.php?search=a%25%27%20order%20by%20time%20desc%3b%20[query]

Recent Exploits: