The vulnerability exists in situations where a filtering rule permits packets through if they are part of an established connection. It is possible for packets that are not part of an established connection to be allowed through. These packets must have the ECE flag set, which is in the TCP reserved options field. Exploitation of this vulnerability may allow for unauthorized remote access to otherwise protected services.
A problem with Oracle on the Windows 2000 platform could allow users access to restricted information. This problem in the handling of input by the Oracle software may result in remote users being permitted read access to files on the same partition as the webroot directory. Upon generating a custom crafted request to either the a.jsp file or the bb.sqljsp file, it is possible to force the JSP and JSPSQL handlers to ascend the directory tree outside of the webroot, and attempt to read the contents of the specified file in the request. Successful execution results in the files being moved to the http://host/_pages subdirectory, and the extension of the file being changed to a .java file.
Netscape Enterprise Server with Web Publishing enabled will disclose the directory listing of the server to unauthenticated users who submit an INDEX request.
A maliciously-formed packet sent to Iris by a remote attacker, upon opening in the program for analysis by a user, will cause Iris to terminate. The crash is caused by an inability of Iris to handle packets with malformed values in its headers.
A problem with the package allows users access to any resources within the bulletin board system. Any file that is access controlled by the auth.php3 script may be accessed, due to a backdoor password written into the script auth.php3. The password 'boogieman' will permit users to access files controlled by auth.php3 by simply appending the variable PHP_AUTH_USER=boogieman to the URL. This makes it possible for users with malicious intentions to access any file under the access control of auth.php3, and potentially gain elevated privileges, including access to the local system.
Due to the way violation.php3 handles URL's as arguments, it is possible to create a custom crafted URL request to the script which will allow a remote user to send email through the hosts MTA. This email will then be delivered to the specified person with the appearance of coming from the web host. This problem makes it possible for a user with malicious intentions to socially engineer, mailbomb, or spam from the web host, and potentially get the host blacklisted in one of such lists.
A problem with Phorum can allow remote users access to restricted files on the local system. This is due to the handling of passwords by the program. By sending a custom crafted string to the admin.php3 script, it's possible to change the administrative password of the board without verification of the users credentials. The "default .langname name" field in the Master settings can then be changed to any file of the users liking, which upon reload, will be output as the page. This problem makes it possible for a user with malicious motives to take control of the message board, read any file on the system, and potentially gain remote access.
LocalWEB2000 is vulnerable to a directory traversal attack, which allows an attacker to gain read access to files on the server. This is achieved by sending a specially crafted HTTP request with a known filename. For example, an attacker can send a request for the file "autoexec.bat" located in the root directory of the server, by sending the following request: http://target/../../../autoexec.bat
textcounter.pl is distributed through Matt's Scripts archive, and provides added features to httpd servers such as counters, guestbooks, and http cookie management. Due to insufficient checking of entered characters, it is possible for a remote user to input custom formatted strings into the $DOCUMENT_URI environment variable which, which when parsed can be executed as the UID of the httpd process. This makes it possible for a user with malicious intentions to execute arbitrary commands, and potentially gain access to the local host.
Versions of MS Outlook are vulnerable to receiving a hidden, potentially hostile attachment. An arbitrary string of characters, supplied by the sender to the 'subject:' field, will be received and interpreted by vulnerable versions of Outlook as an attachment to the message. If this string is properly constructed, it can be executable and capable of performing hostile actions on the vulnerable host. This can also be used to circumvent Outlook's dangerous file security feature.
Services By CQR