Webdirectory Pro contains an input validation vulnerability which may lead to disclosure of sensitive information to attackers. The value of the 'show' variable is not properly validated and can be used to force 'directorypro.cgi' to output the contents of an arbitrary webserver-readable file to a remote attacker. This is due to a lack of checks for NULL bytes in user-supplied data. Submit a request such as this to a vulnerable webserver: http://target/cgi-bin/directorypro.cgi?want=showcat&show=../../../..//etc/motd%00 This will result in the contents of '/etc/motd' being output.
CesarFTP on Windows 98/Me platforms contains a 'directory traversal' vulnerability. If a user requests to change directories to '...' from within a mapped directory, they will change into the directory above the 'real' directory on the filesystem. At this point they can traverse the filesystem and will have read access to almost every file.
A problem with the chat server makes it possible to deny service to legitimate users. By submitting a request to the webserver including the 'AUX' MS-DOS device name, the webserver can be made to cease functioning.
Freestyle Chat server from Faust Informatics incorporates interactive chat functionality into websites. Versions of Freestyle Chat are vulnerable to directory traversal attacks. This can allow a remote user to request files from outside the normal webserver directory scope. Properly exploited, this could provide information useful in further attacks on the vulnerable host.
The IPC@Chip is a single-chip embedded webserver from Beck GmbH. The device's built-in telnetd service may allow a remote user to repeatedly attempt to log in to a given account, without logging or responding to repeated failed login attempts. This could permit an attacker to brute-force a known account name, potentially leading to a compromise of the device's accounts and/or allowing a compromise of its function.
A buffer overrun vulnerability has been discovered in the rpc.yppasswdd utility distributed by multiple vendors. The problem occurs due to insufficient bounds checking before copying remotely-supplied user information into a static memory buffer. As a result, a malicious user may be capable of exploiting this issue to overwrite sensitive locations in memory and thus execute arbitrary code with superuser privileges.
MIMAnet Source Viewer is a freely available CGI script which allows users to view the source code of files located elsewhere on the server. Unfortunately, it does not filter '..' and '/' characters, which can be misinterpreted by the script and cause files outside of the intended directory to be opened. As a result, it may be possible for attackers to view the contents of arbitrary webserver-readable files on the filesystem.
An HTML file may be crafted to bypass the script-filtering feature offered by eSafe Gateway. This is done by simply changing the syntax of the <SCRIPT> function in such a way as to trick the filter into generating HTML that still includes a call to execute the script.
ARCservIT from Computer Associates contains a vulnerability which may allow malicious local users to corrupt arbitrary files. When 'asagent' runs with the parameters 'inet add', it opens (and overwrites, if it exists) a file in /tmp called 'inetd.tmp'. 'asagent' does not check whether this file already exists or whether it is a symbolic link to another file. This may allow malicious local users to corrupt critical system files.
When it runs for the first time, 'asagent' opens (and truncates, if it exists) a file in /tmp called 'asagent.tmp'. 'asagent' does not check whether this file already exists or whether it is a symbolic link to another file. This may allow malicious local users to overwrite critical system files.
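The two 'asagent' entries above describe the same flaw: a fixed-name scratch file is opened with create-or-truncate semantics, so a pre-existing symbolic link is followed. The following is an added example, not code from ARCservIT or from the original advisories; it contrasts that open pattern with a hardened one inside a private, constructed test directory. The function names and file names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern from the entries above: create or truncate, following symlinks. */
static int open_scratch_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail (EEXIST) if anything, including a
 * symlink, already exists at path; O_NOFOLLOW is an extra safeguard. */
static int open_scratch_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario: a 14-byte "victim" file and a "scratch.tmp" symlink
 * pointing at it. Opens scratch.tmp with the chosen function, stores the
 * descriptor value in *fd_out, and returns the victim's size afterwards. */
long demo(int use_safe, int *fd_out) {
    char dir[] = "/tmp/symdemoXXXXXX";
    char victim[64], scratch[64];
    struct stat st;
    if (!mkdtemp(dir)) return -2;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(scratch, sizeof scratch, "%s/scratch.tmp", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -2;
    fputs("critical data\n", f);
    fclose(f);
    if (symlink(victim, scratch) != 0) return -2;
    *fd_out = use_safe ? open_scratch_safe(scratch) : open_scratch_unsafe(scratch);
    if (*fd_out >= 0) close(*fd_out);
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(scratch); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    int fd_unsafe, fd_safe;
    long after_unsafe = demo(0, &fd_unsafe);
    long after_safe = demo(1, &fd_safe);
    printf("unsafe open: fd=%d, victim size=%ld\n", fd_unsafe, after_unsafe);
    printf("safe open:   fd=%d, victim size=%ld\n", fd_safe, after_safe);
    return 0;
}
```

Where a fixed name is not required, `mkstemp()` avoids the predictable path altogether.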