Snes9x is a free Super Nintendo emulator that runs on a number of platforms. Snes9x is prone to a buffer overflow due to improper bounds checking of rom names. In this case, 4089 characters are required to overwrite the EIP. If this buffer is overrun, it may be possible for a local attacker to execute arbitrary code on the host. This may be a security concern on some systems because Snes9x documentation suggests setting the utilities setuid root. Successful exploitation will lead to a full compromise of the host.
PostNuke versions 0.62 to 0.64 suffer from a vulnerability that allows a remote user to log in as any user with a known username and ID without authentication. The problem lies in a failure to filter inappropriate characters from variables that can be passed to the program's components by a remote attacker. This allows the attacker to alter a mysql query to the user database, bypassing password checking and assuming the identity of a specified user. The component 'article.php' calls a routine in 'mainfile2.php' to update user information (i.e., log the user on) when the variable 'save=1' (and the appropriate user ID and name) is specified in the URL. This routine, getusrinfo(), performs a mysql query to load user information from the database. Since part of this query is taken from insecure input that can be passed (in base64 encoded form) to 'article.php' by a remote attacker, this query can be altered with the use of a properly placed single quote character followed by mysql statements.
Microsoft Internet Explorer contains a security-setting feature that can be modified according to a user's preferences. These settings control what actions a web site can take on a user's system. A vulnerability exists in Internet Explorer which could allow a web site to be viewed in the Local Intranet Zone rather than the Internet Zone, thus allowing content to be viewed with less restrictive security settings. Converting the IP address of the target web site into a dotless IP address, and submitting it, will cause Internet Explorer to view the web site in the Local Intranet zone.
Progress is a commercial database for Microsoft Windows and Unix systems. Locally exploitable buffer overflows are prevalent throughout many Progress Database programs. This is largely due to insufficient bounds checking of data which is externally supplied to strcpy functions. These problems could be exploited to allow a local attacker to execute arbitrary code on a host with the privileges of each individual affected program. This situation could be leveraged by the attacker to gain root privileges on the host.
A vulnerability exists in Homebet which could enable a non-registered user to confirm the validity of possible legitimate users and their PIN numbers.
AmTote Homebet is an Internet-based account wagering interface. Homebet stores all account and corresponding PIN numbers in the homebet.log file stored in the Homebet virtual directory. On a default installation, the homebet.log file is world readable. This could allow an attacker to steal the log file and strip out the account and PIN numbers.
A vulnerability in FreeBSD allows a user with access to a system via SSH to gain access to privileged information. This is caused by a mixture of problems with login capabilities, the FreeBSD OpenSSH port not dropping privileges during part of the login process, and login not dropping privileges at the correct time. A user could make a malicious entry in the .login.conf file in their home directory, and read files such as the master.passwd file and gain access to encrypted passwords on the system.
Versions of Apache webserver shipping with Red Hat Linux 7.0 (and possibly other Apache distributions) install with a default misconfiguration which could allow remote users to determine whether a given username exists on the vulnerable system. When a remote user makes a request for a possible user's default home page, the server returns one of three responses: In a case where <username> is a valid user account, and has been configured with a homepage, the server responds with the user's homepage. When <username> exists on the system, but has not been assigned a homepage document, the server returns the message 'You don't have permission to access /~username on this server.' However, if the tested username does not exist as an account on the system, the Apache server's response includes the message 'The requested URL /~username was not found on this server.' Because the server responds differently in the latter two cases, a remote user can test and enumerate possible usernames. Properly exploited, this information could be used in further attacks on the vulnerable host.
A user can confirm the existence and location of files and directory structure information by submitting a 'size' or 'mdtm' command for a file. If the command is carried out by the vulnerable service, the attacker can confirm the location of the file. Submitting a 'size' or 'mdtm' command for a file outside of the FTP root could disclose directory structure information of unpublished filesystems on the host. If the requested command is fulfilled by the vulnerable service, the attacker can confirm the relative path to the file.
The msgchk utility under certain versions of Digital Unix contains an information disclosure vulnerability which could yield root privilege. Because msgchk fails to check file permissions before opening user configuration files in the user's home directory, a symbolic link to a target file can permit a local user to read the first line of data contained in any file readable by the msgchk user. Where msgchk is run setuid root, this allows limited information to be read from any file on the host.