A flaw in the WebDAV extensions of Microsoft IIS 5.0 allows a remote attacker to carry out a denial of service attack by repeatedly requesting nonexistent files via the HTTP LOCK method. Each request consumes memory that is not reclaimed, so sustained requests exhaust the host's memory, eventually crashing it and requiring a restart.
By sending a specially crafted request of at least 2000 characters, a remote attacker can trigger a buffer overflow. At minimum this terminates the affected service, which must then be restarted (a denial of service). If the overflowing buffer is carefully structured, it may yield a remote system shell, so successful exploitation could lead to a complete compromise of the host.
When the X Window System is started via the xhost script, insufficient xhost access control allows a user to execute commands on the desktop. A local user can exploit this by setting the DISPLAY environment variable and using the tellxdt3 program, which makes it possible to execute commands as root.
DCForum is a commercial CGI script from DCScripts designed to provide web-based threaded discussion forums. Affected versions of DCForum are vulnerable to an attack that yields elevated privileges and remote execution of arbitrary commands. DCForum keeps its user account information, including hashed passwords and other potentially sensitive data, in a single file: when a new account is created, the user's details are appended to this file as one record, with fields delimited by the pipe character ('|') and records delimited by newlines. DCForum fails to validate this user-supplied account information against those delimiters. An attacker can therefore corrupt the user records by supplying a last name that contains URL-encoded pipes and newlines: the decoded value closes the attacker's own record and appends a second, attacker-controlled record whose privilege field is set to admin. The resulting admin account lets a remote attacker issue arbitrary commands with the privilege level of the webserver process.
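The following Python model of the delimiter injection is an added example and is not DCForum's code. The field order, the privilege values and the attacker's input are constructed for illustration; only the pipe/newline record format comes from the advisory. The unsafe registration routine reproduces the flaw, and the hardened one shows the check that prevents it: decode first, then refuse any field that still contains a delimiter.

```python
from urllib.parse import unquote

# Assumed field order for the account file; constructed for this example,
# not DCForum's actual layout.
FIELDS = ["username", "password_hash", "first_name", "last_name", "privilege"]
DELIMITERS = ("|", "\n", "\r")


def parse_records(text):
    """Split the pipe/newline delimited account file into dicts.

    Extra fields on a line are silently dropped because zip() truncates to
    len(FIELDS); that is exactly what lets an injected record's trailing
    '|user' be ignored while its fifth field ('admin') is honoured.
    """
    records = []
    for line in text.splitlines():
        if line:
            records.append(dict(zip(FIELDS, line.split("|"))))
    return records


def register_unsafe(store, username, pw_hash, first, last):
    """Vulnerable: URL-decodes the last name and writes it into the record
    without rejecting '|' or newline, mirroring the flaw described above."""
    record = "|".join([username, pw_hash, first, unquote(last), "user"])
    return store + record + "\n"


def validate_field(value):
    """Reject any value that would terminate a field or a record early."""
    if any(d in value for d in DELIMITERS):
        raise ValueError(f"field contains a record delimiter: {value!r}")
    return value


def register_safe(store, username, pw_hash, first, last):
    """Hardened: decode first, then validate the decoded value, so an
    encoded delimiter cannot slip past the check."""
    fields = [validate_field(f) for f in (username, pw_hash, first, unquote(last))]
    return store + "|".join(fields + ["user"]) + "\n"


def privilege_of(store, username):
    """Return the privilege field of the first record for `username`."""
    for rec in parse_records(store):
        if rec.get("username") == username:
            return rec.get("privilege")
    return None


# Constructed attacker input: the last name closes bob's own record with a
# 'user' privilege and a newline, then starts a second record for 'evil'
# whose fifth field is 'admin'.
EVIL_LAST = "Smith%7Cuser%0Aevil%7Cdeadbeef%7CEve%7CL%7Cadmin"


if __name__ == "__main__":
    store = register_unsafe("", "bob", "h1", "Bob", EVIL_LAST)
    print(store)
    print("evil privilege:", privilege_of(store, "evil"))
    try:
        register_safe("", "bob", "h1", "Bob", EVIL_LAST)
    except ValueError as err:
        print("hardened version rejected it:", err)
```

Validating before decoding would not help here: the raw input contains only `%7C` and `%0A`, which pass a naive delimiter check, and the delimiters only appear once the value is decoded for storage. The check must run on the exact string that is written to the file.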
PHPSlash contains a vulnerability that may disclose files readable by the webserver process on the underlying host to PHPSlash users who are permitted to edit URL blocks. Exploitation may give attackers local access to the webserver or information that assists further attacks. To reproduce: log in as admin with GOD permissions, open the BLOCKS admin section (blockAdmin.php3) and create a new block with the following values: Title: notTrusted, Type: url, Site Location: whatever, Source URL: ./config.php3, Expire Length: 0, Owned by section: home, Data: (empty), Order number: whatever. The main page then displays the contents of config.php3 as text inside the new block.
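The Python sketch below is an added example, not PHPSlash's code, of why a relative Source URL such as ./config.php3 ends up on the page: a URL-block fetcher that hands anything without an http(s) scheme to a local file read relative to the document root. The document root, the fake file contents and the stand-in fetch function are constructed for the example. The hardened variant accepts only absolute http(s) URLs with a host, so local paths and file:// URLs are refused before any read takes place.

```python
import posixpath
from urllib.parse import urlparse

# Constructed stand-in for the web server's document root: path -> contents.
DOCROOT = "/var/www/phpslash"
FAKE_WEBROOT = {
    "/var/www/phpslash/config.php3": "<?php $db_user = 'slash'; $db_pass = 'hunter2'; ?>",
    "/var/www/phpslash/index.php3": "<?php include('config.php3'); ?>",
}


def read_local(relative_path):
    """Read a file relative to DOCROOT from the fake filesystem.

    Reading the raw file returns the PHP source as text, which is why the
    advisory sees the config file's contents rendered in the block."""
    full = posixpath.normpath(posixpath.join(DOCROOT, relative_path))
    if full not in FAKE_WEBROOT:
        raise FileNotFoundError(full)
    return FAKE_WEBROOT[full]


def fetch_remote(url):
    """Offline stand-in for an HTTP fetch; returns a canned body."""
    return f"<html>remote content for {url}</html>"


def render_url_block_unsafe(source_url):
    """Vulnerable: anything that is not an http(s) URL is opened as a local
    path relative to the document root (assumed behaviour, modelled on the
    symptom in the advisory)."""
    parsed = urlparse(source_url)
    if parsed.scheme in ("http", "https"):
        return fetch_remote(source_url)
    return read_local(source_url)


def is_allowed_source(source_url):
    """Only absolute http(s) URLs with a host may be used as a block source.
    This rejects relative paths ('' scheme) and file:// URLs (no netloc)."""
    parsed = urlparse(source_url)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def render_url_block_safe(source_url):
    """Hardened: validate the source before fetching, never touch local files."""
    if not is_allowed_source(source_url):
        raise ValueError(f"URL block source must be an absolute http(s) URL: {source_url!r}")
    return fetch_remote(source_url)


if __name__ == "__main__":
    print(render_url_block_unsafe("./config.php3"))
    for candidate in ("./config.php3", "file:///etc/passwd", "http://example.com/headlines.rdf"):
        print(candidate, "->", "allowed" if is_allowed_source(candidate) else "rejected")
```

The scheme check is necessary but not sufficient on a real deployment: an http(s) URL pointing at an internal host still lets a block editor make the server fetch internal resources, so the allowed hosts should be restricted as well.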
A flaw in the pattern-matching function that the IIS FTP service uses to process FTP command arguments allows denial of service attacks. If a user submits an FTP command with a filename argument containing specially placed wildcard sequences, the pattern-matching function fails to allocate sufficient memory, and the IIS FTP service enters a denial of service condition.
Rumpus FTP Server is an FTP server for Mac OS that provides file sharing over TCP/IP connections. A remote user who has logged in can shut down the service by creating a directory whose name is 65 characters long. The attacker must be authenticated to carry out this attack.
Apple Personal Web Sharing is a utility that allows users to share files across a small intranet through a built-in web server. A remote user can craft a URL containing excess characters that causes the web sharing service to shut down, resulting in a denial of service; the service must be restarted to restore functionality.
A heap overflow vulnerability exists in the 'man' system manual pager due to an incorrect length check when the -S option is given. As a result, a local user may be able to execute arbitrary code with the privileges of group 'man'.
When IIS receives a request for a CGI filename, it normally performs two actions before completing the request. A flaw in IIS adds a third, undocumented action: at this stage IIS is supposed to decode only the CGI parameters, but it mistakenly decodes the already-decoded CGI filename a second time. A malformed filename that still passes the initial security check after the first decoding is then transformed by the undocumented second decoding into a path the check would have rejected, possibly allowing the execution of arbitrary commands.
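As an added example (not IIS code, and not an exploit for any specific build), the Python below models the decode-check-decode sequence described above and shows why it fails. The CGI directory name, the canonicalisation rules and the request path are constructed for the example; the general point is that a check performed on an intermediate representation says nothing about the string that is finally used. The hardened version rejects any request that would still change under a second decoding, and checks the same string it then uses.

```python
import posixpath
from urllib.parse import unquote

# Assumed CGI directory that the security check is meant to confine requests to.
SCRIPTS_DIR = "/scripts/"


def canonical(path):
    """Treat backslash like slash and collapse '.' and '..' segments."""
    return posixpath.normpath(path.replace("\\", "/"))


def inside_scripts_dir(path):
    """The security check: does the canonical path stay under SCRIPTS_DIR?"""
    c = canonical(path)
    return c == SCRIPTS_DIR.rstrip("/") or c.startswith(SCRIPTS_DIR)


def resolve_unsafe(raw_request_path):
    """Models the flawed pipeline: decode once, run the check on that result,
    then decode the already-checked filename a second time before using it."""
    once = unquote(raw_request_path)
    if not inside_scripts_dir(once):
        raise PermissionError("rejected: " + once)
    twice = unquote(once)  # the undocumented extra decode
    return canonical(twice)


def resolve_safe(raw_request_path):
    """Hardened: decode exactly once, refuse input whose decoded form still
    contains percent-escapes (it would change under another decode), and
    run the check on the exact string that is used afterwards."""
    once = unquote(raw_request_path)
    if unquote(once) != once:
        raise PermissionError("rejected: encoded bytes remain after decoding: " + once)
    if not inside_scripts_dir(once):
        raise PermissionError("rejected: " + once)
    return canonical(once)


# Constructed request: '%255c' decodes to '%5c' (invisible to the check),
# and '%5c' decodes to a backslash on the second pass.
EVIL = "/scripts/..%255c..%255cwinnt/system32/cmd.exe"
BENIGN = "/scripts/hello%20world.exe"


if __name__ == "__main__":
    print("unsafe resolves to:", resolve_unsafe(EVIL))
    try:
        resolve_safe(EVIL)
    except PermissionError as err:
        print("safe version:", err)
    print("safe resolves benign request to:", resolve_safe(BENIGN))
```

The trade-off in `resolve_safe` is that a filename legitimately containing a percent sign followed by two hex digits is refused. If that matters, the alternative is to keep a single decode and make sure every later stage consumes the checked string verbatim, which is the property the flawed pipeline breaks.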