Explore Vulnerabilities

Explore all Exploits:

Apache Web Server Denial of Service Vulnerability

Apache Web Server 1.2 and previous versions are subject to a denial of service. By sending a malformed GET request composed of an unusually large number of '/' characters, an attacker can cause CPU usage to spike. A restart of the service is required to restore normal functionality.

OmniHTTPD Multiple Vulnerabilities

Due to the implementation of 'statsconfig.pl', multiple vulnerabilities exist in OmniHTTPD. It is possible to corrupt various known files and to execute arbitrary commands. By appending a known filename to the 'cgidir' form variable together with a null argument, that file will be corrupted. In addition, it is possible to execute commands on the target server. This is because statsconfig.pl generates a Perl script on the fly: when the script is created, user-supplied data (the 'mostbrowsers' form variable, if present) is written directly into the Perl script file. If an attacker sets this value to semicolon-separated Perl commands, they will be executed when statsconfig runs the script. This can result in an attacker gaining interactive access on the victim host with the privilege level of the webserver/CGI process.

splitvt Local Exploit

A problem in the program could allow a format string attack. The problem occurs in the handling of format strings passed via the -rcfile command line flag. By placing shellcode in the $HOME environment variable and generating a custom-crafted request to the splitvt program, it is possible to overwrite variables on the stack and execute the code contained in the $HOME environment variable. This makes it possible for a malicious user to execute arbitrary code and, on systems where the splitvt binary is installed SUID root, to gain administrative privileges.

rctab Race Condition Vulnerability

A race condition in the rctab script could allow an attacker to either gain elevated privileges or append to and corrupt system files. This problem exists due to the insecure creation of files in the /tmp directory by the rctab script. Upon execution, rctab creates a subdirectory in /tmp using the directory name rctmpdir.[pid of rctab process]. The script, which is normally run by root, does not check whether an rctmpdir.[pid of rctab process] directory already exists. Additionally, the use of the -p flag with mkdir does not generate an error when the directory already exists, allowing the script to continue executing.

Windows Media Player 7 and IE java vulnerability – executing arbitrary programs

A vulnerability has been reported in Microsoft Windows Media Player 7 which is exploitable through Internet Explorer and Java. Skins for Windows Media Player are installed to a known location: 'C:/Program files/Windows Media Player/Skins/skin.wmz'. As a result, a remote HTML document visited by the victim user can cause the user's browser to download an arbitrary file named 'skin.wmz' to this known location. A malicious remote user could exploit this to place a file containing executable Java code disguised as a Windows Media Player skin file. An applet tag in the remote HTML document can then execute the 'skin.wmz' file as Java code. Properly exploited, this could provide an attacker with complete control of the vulnerable system. On multiuser Windows NT or 2000 systems, this vulnerability only provides the attacker with access within the security context of the user who was exploited.

MSHTML.DLL Remote Denial of Service Vulnerability

This bug involves JScript's handling of multiple window objects. If a window object is deleted after it receives data and is then re-initialized, the library will reportedly crash. This behavior has been attributed to a stack overflow by its discoverer. It is reportedly not exploitable in any way that would permit an attacker to gain access to the victim host.

Basilix Webmail v. 0.9.7b Vulnerability

A vulnerability has been reported in Basilix Webmail v. 0.9.7b. Basilix Webmail ships with several configuration files that have the file extensions '.class' and '.inc'. Among other things, these files contain the authentication credentials for the MySQL database that the product uses. These files reside in directories accessible via HTTP. If the webserver is not configured to treat .class and .inc files as PHP scripts, they can be retrieved in source form by remote users. Properly exploited, this information can enable further attacks on the affected host.

MS Windows DHCP Client Broadcast Attack Exploit (MS06-036)

This exploit allows an attacker to send a malicious DHCP response packet to a vulnerable Windows client. The malicious packet contains a specially crafted DHCP option that carries shellcode. The shellcode is executed with the privileges of the DHCP client service.
