Explore Vulnerabilities

Explore all Exploits:

Qpopper popauth Symlink Follow Vulnerability

When popauth is executed with the trace option, it does not correctly handle user-supplied input. A user can supply data to the popauth program through the trace flag that causes the program to execute shell commands and to follow symbolic links. This problem could be exploited to gain the privileges of the user that popauth is setuid to, typically the pop user.

Agora.cgi Debug Mode HTML Injection Vulnerability

When debug mode is enabled, the Agora.cgi script does not adequately filter HTML tags when debug information is being output. As a result, it is possible for an attacker to construct a link to the script that includes maliciously constructed script code. When the link is clicked by a web user, the script code will be executed by the client in the context of the site running Agora.cgi. This issue may be exploited by an attacker to steal cookie-based authentication credentials, permitting the attacker to hijack an Agora.cgi session and perform actions as a legitimate user. A number of other cross-site scripting attacks are also possible.

Webmin Directory Traversal Vulnerability

Webmin does not adequately filter '../' sequences from web requests, making it prone to directory traversal attacks. Furthermore, since Webmin is a facility for remote web-based administration of Unix systems, it requires root privileges. This vulnerability could be exploited to effectively disclose any file on a host running the affected software. It may also be possible to edit files or place files on the server. This may lead to a remote root compromise.

Default Credentials

Novell Groupwise Servlet Gateway is vulnerable to an authentication bypass vulnerability due to the use of default credentials. An attacker can exploit this vulnerability by entering the default username “servlet” and password “manager” into the Servlet Manager interface.

Denial of Service Vulnerability in Multiple Web Browsers on Microsoft Windows Platforms

An issue which affects users of multiple web browsers on Microsoft Windows platforms has been discovered. A web page containing an unusually large number of images may cause a denial of service for users who view it. Malicious webmasters may construct web pages which exploit this vulnerability.

Buffer Overflow in 'login' Program

The 'login' program is used in UNIX systems to authenticate users with a username and password. Versions of 'login' descended from System V UNIX contain a buffer overflow when handling environment variables. Unauthenticated clients can exploit this issue to execute arbitrary code as root. On systems where 'login' is installed setuid root, local attackers can elevate privileges.

MAILTO Remote Email Sending Vulnerability

MAILTO is a program maintained by Brian Dorricott which enables web servers to convert submitted forms into mail messages that can be sent to numerous recipients. An issue exists in MAILTO which could allow an attacker to send emails through a remote host's server. Sites that utilize or provide MAILTO are susceptible to this issue; typically their mail server information is published when providing install and usage instructions. This information allows a user to include the mail server details in an HTML file and submit it via MAILTO. The resulting email will then be delivered to the specified recipient with the appearance of originating from the victim web host. This problem makes it possible for a user with malicious intentions to socially engineer, mailbomb, or spam as though the messages originate from the victim web host.

Microsoft IIS 5.0 Denial of Service Vulnerability

Microsoft IIS 5.0 may be prone to a denial of service condition when sent a specially crafted malformed HTTP GET header. If an IIS 5.0 web server is sent a crafted HTTP GET request which contains a falsified and excessive 'Content-Length' field, it behaves in an unusual manner. The server keeps the connection open and does not time out, but does not respond otherwise. It is possible that this may be used to cause a denial of service to the web server.

FreeBSD Local AIO Exploit

Under some circumstances, pending asynchronous reads from an input socket may persist through a call to execve. Eventually the read will complete and write into the memory space of the new process. If a local user is able to create and execute a malicious program that then invokes a setuid program, it may be possible to overwrite arbitrary memory locations in the setuid process with arbitrary data.

Winsock RSHD/NT CPU Overusage Denial of Service Vulnerability

Winsock RSHD/NT is a Remote Shell Daemon for Windows NT and Windows 2000. It works with the standard Unix rsh and rcp commands. Upon connecting to the daemon, rsh supplies a port number to which the daemon should send standard error data. If the port number specified is invalid, Winsock RSHD/NT will attempt to connect to the invalid port and to all port numbers below 1024 (including negative port numbers), potentially consuming CPU resources and leading to a denial of service.
