Explore Vulnerabilities

Explore all Exploits:

X.509 Certificate Handling Flaw

A flaw has been reported in the handling of X.509 certificates by a number of products, including several web browsers. It may be possible for a malicious party to create certificates for arbitrary domains, which will be treated as trusted by the vulnerable browser. The flaw lies in the handling of intermediate certificate authorities. Normally, intermediate certificates should possess a Basic Constraints field which states that the certificate may be used as a signing authority. Vulnerable products do not require that the Basic Constraints field be properly defined. A malicious party with one valid certificate may sign a new certificate for an arbitrary domain. This may allow the attacker to spoof a sensitive domain, or to attempt a man-in-the-middle attack against encrypted communications.

Win32 API Design Error

Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. A paper entitled 'Win32 Message Vulnerabilities Redux' has been published by iDEFENSE; it describes another Windows message that may be abused in a similar manner to WM_TIMER. Another proof-of-concept has been released by Brett Moore in a paper entitled 'Shattering SEH III', which demonstrates how Shatter attacks may be used against applications that make use of progress bar controls. Brett Moore has also released a paper entitled 'Shattering By Example', which summarizes previous Shatter attacks, discusses new techniques, and provides an exploit that abuses Windows status bars using the WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages.

qmailadmin Buffer Overflow Vulnerability

The qmailadmin utility, developed by Inter7, is vulnerable to a buffer overflow condition. It is meant to run as a CGI program and is typically installed setuid (owned by root on some systems, regular users on others). qmailadmin fails to implement adequate bounds checking when processing an environment variable, resulting in a buffer overrun condition. It is likely that this can be exploited by malicious local users to elevate privileges.

Cross-Site Scripting Vulnerability in Mozilla

When viewing the contents of an FTP site as web content from an ftp:// URL, the directory name is included in the HTML representation. It is not adequately sanitized before this occurs. An attacker may embed JavaScript as this value between opening and closing "<title>" tags in an FTP URL.

Buffer Overflow Vulnerability in Qualcomm’s Eudora Mail Client for Windows Systems

A buffer overflow vulnerability has been reported in Qualcomm's Eudora mail client for Windows systems. The condition occurs if a MIME multipart boundary is of excessive length. Remote attackers may exploit this vulnerability to execute arbitrary code.

Dispair Command Injection

Dispair fails to sufficiently validate user-supplied input before it is passed to the shell via the Perl open() function. This allows an attacker to inject arbitrary commands into the vulnerable application, which are then executed on the underlying system with the privileges of the webserver process. An example of this is demonstrated in the URL provided, which executes the 'id' command on the underlying system.

Sun Microsystems AnswerBook2 Unauthorized Access Vulnerability

Sun Microsystems AnswerBook2 allows users to view Sun documentation through a web browser, and is available for Solaris. AnswerBook2 includes an administrative web interface. Reportedly, it is possible to access these scripts without authorization, and add a new administrative user of the AnswerBook2 system.

Gallery Remote File Inclusion Vulnerability

Gallery is prone to a remote file inclusion vulnerability which allows attackers to include arbitrary files located on remote servers. This vulnerability is present in several PHP script files provided with Gallery. An attacker can exploit this by supplying a path to a file on a remote host as a value for the 'GALLERY_BASEDIR' parameter.
